Tags

Tags give the ability to mark specific points in history as being important

  • v2.3.0

    2976f38c · Merge pull request #13325 from dmcgowan/prepare-v2.3.0 · 
    containerd 2.3.0

Welcome to the v2.3.0 release of containerd!

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Add option to inject trace ID to logs ([#13117](https://github.com/containerd/containerd/pull/13117))
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Container Runtime Interface (CRI)

* Allow containers to use user namespaces with host networking ([#12518](https://github.com/containerd/containerd/pull/12518))
* Wire UpdatePodSandboxResources to Sandbox API ([#13118](https://github.com/containerd/containerd/pull/13118))
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))
* Add background stats collector to calculate UsageNanoCores for containers and pod sandboxes ([#12629](https://github.com/containerd/containerd/pull/12629))

#### Image Distribution

* Support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))
* Add os.features support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Add dmverity support to the erofs snapshotter ([#12502](https://github.com/containerd/containerd/pull/12502))
* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))
* Use dedicated RPC calls for all pod and container life-cycle events via the NRI wire protocol ([containerd/nri#274](https://github.com/containerd/nri/pull/274))
* Add basic metrics collection for the NRI framework ([containerd/nri#277](https://github.com/containerd/nri/pull/277))
* Exchange NRI versions between plugins and the runtime during registration ([containerd/nri#271](https://github.com/containerd/nri/pull/271))
* Enable adjusting Linux memory policy from NRI plugins ([containerd/nri#166](https://github.com/containerd/nri/pull/166))
* Close plugins if initial synchronization fails to prevent unregistered connections ([containerd/nri#279](https://github.com/containerd/nri/pull/279))
* Accumulate owners for OCI hook adjustments, disallowing commas in plugin names ([containerd/nri#264](https://github.com/containerd/nri/pull/264))
* Add nri_no_wasm build tag to allow disabling WASM support at compile time ([containerd/nri#253](https://github.com/containerd/nri/pull/253))
* Support direct adjustment of the intelRdt container configuration ([containerd/nri#215](https://github.com/containerd/nri/pull/215))
* Allow setting kernel scheduling policy attributes via NRI ([containerd/nri#160](https://github.com/containerd/nri/pull/160))
* Allow adjusting Linux network devices via NRI ([containerd/nri#157](https://github.com/containerd/nri/pull/157))
* Add support for sysctl adjustment via NRI ([containerd/nri#248](https://github.com/containerd/nri/pull/248))
* Expose container user, group, and supplemental group IDs to plugins ([containerd/nri#230](https://github.com/containerd/nri/pull/230))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

#### Snapshotters

* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))

#### ctr development tool

* Detect vendor in CDI specs to generate device IDs for --gpus in ctr ([#12839](https://github.com/containerd/containerd/pull/12839))

#### Breaking

* Accumulate owners for OCI hook adjustments, disallowing commas in plugin names ([containerd/nri#264](https://github.com/containerd/nri/pull/264))

#### Deprecations

* Deprecate shim.Command ([#13319](https://github.com/containerd/containerd/pull/13319))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Sebastiaan van Stijn
* Krisztian Litkey
* Samuel Karp
* Wei Fu
* Akihiro Suda
* Phil Estes
* Mike Brown
* Markus Lehtonen
* Hudson Zhu
* Davanum Srinivas
* Chris Henzie
* Gao Xiang
* Chengyu Zhu
* Akhil Mohan
* Kazuyoshi Kato
* Sergey Kanzhelev
* Austin Vazquez
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* Apurv Barve
* Bing Hongtao
* Brian Goff
* Michael Zappa
* Paweł Gronowski
* Fabiano Fidêncio
* Hasan Siddiqui
* Jintao Zhang
* Paulo Oliveira
* Shiv Tyagi
* Albin Kerouanton
* Alex Lyn
* Avinesh Singh
* Danny Canter
* Esteban Ginez
* Henry Wang
* Jin Dong
* Jérôme Poulin
* Laura Lorenz
* Luke Hinds
* Mark Dodgson
* Sascha Grunert
* Tianon Gravi
* majianhan
* qiuxue
* Adrien Delorme
* Alessio Biancalana
* Alex Chernyakhovsky
* Andrey Noskov
* Andrey Smirnov
* Annie Cherkaev
* Antti Kervinen
* Anuj Singh
* Benjamin Elder
* Bo Jiang
* Cameron McDermott
* Chris Adeniyi-Jones
* Chris Chang
* Chris Henderson
* Cindy Li
* CrazyMax
* Eldon Stegall
* Evan Lezar
* Fletcher Woodruff
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Joseph Zhang
* Justin Chadwell
* Kaleab Ayenew
* Manuel de Brito Fontes
* Mikhail Dmitrichenko
* Mujib Ahasan
* Neeraj Krishna Gopalakrishna
* Pierluigi Lenoci
* Ricardo Branco
* Rob Murray
* Rodrigo Campos
* Sameer
* Sameer Saeed
* Sanil Khurana
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Sreeram Venkitesh
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Weixie Cui
* Will Jordan
* William Myers
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* Yuanliang Zhang
* delthas
* guodong
* jinda.ljd
* jokemanfire
* pandaWall

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/Microsoft/go-winio**                                                v0.6.2 -> ad3df93bed29
* **github.com/Microsoft/hcsshim**                                                 v0.14.0-rc.1 -> v0.15.0-rc.1
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0
* **github.com/containerd/continuity**                                             v0.4.5 -> v0.5.0
* **github.com/containerd/go-dmverity**                                            v0.1.0 **_new_**
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.12.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.2 -> v1.0.0-rc.4
* **github.com/containerd/plugin**                                                 v1.0.0 -> v1.1.0
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/davecgh/go-spew**                                                   v1.1.1 -> d8f796af33cc
* **github.com/erofs/go-erofs**                                                    v0.3.0 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.4
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.5
* **github.com/moby/spdystream**                                                   v0.5.0 -> v0.5.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pelletier/go-toml/v2**                                              v2.2.4 -> v2.3.0
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/common**                                                 v0.66.1 -> v0.67.5
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.19.2
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.11.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.68.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.68.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.43.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.10.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.49.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.35.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.52.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.43.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.41.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.35.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 6f92a3bedf2d
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.80.0
* **google.golang.org/protobuf**                                                   v1.36.10 -> f2248ac996af
* **k8s.io/api**                                                                   v0.34.1 -> v0.36.0
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.36.0
* **k8s.io/client-go**                                                             v0.34.1 -> v0.36.0
* **k8s.io/component-base**                                                        v0.36.0 **_new_**
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.36.0
* **k8s.io/cri-client**                                                            v0.36.0 **_new_**
* **k8s.io/cri-streaming**                                                         v0.36.0 **_new_**
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          5883c5ee87b9 **_new_**
* **k8s.io/streaming**                                                             v0.36.0 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> 28399d86e0b5
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **sigs.k8s.io/structured-merge-diff/v6**                                         v6.3.0 -> v6.3.2
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • api/v1.11.0

    f49640ec · Merge pull request #13321 from dmcgowan/remove-erofs-fsmerge-threshold · 
    containerd api/v1.11.0

Welcome to the api/v1.11.0 release of containerd!

The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Image Distribution

* Add os.features support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Wei Fu
* Akihiro Suda
* Gao Xiang
* Sebastiaan van Stijn

### Changes
<details><summary>47 commits</summary>
<p>

* Prepare release notes for api/v1.11.0 ([#13322](https://github.com/containerd/containerd/pull/13322))
  * [`8f2fce4ce`](https://github.com/containerd/containerd/commit/8f2fce4ce57fd3a5772d479d5cbee1707ef7b3b4) Prepare release notes for v1.11.0
* Prepare api/v1.11.0-rc.0 ([#13306](https://github.com/containerd/containerd/pull/13306))
  * [`bf502662a`](https://github.com/containerd/containerd/commit/bf502662a508667b83b15b2bbe8658129c1dfec3) Prepare api/v1.11.0-rc.0
* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))
  * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state
* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))
  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition
* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions
  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level
  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json
  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path
  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api
  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests
  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag
  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim
  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files
  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file
  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin
  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension
  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor
  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol
* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto
* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))
  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api
* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
</p>
</details>

### Dependency Changes

* **golang.org/x/net**                           v0.38.0 -> v0.48.0
* **golang.org/x/sys**                           v0.31.0 -> v0.39.0
* **golang.org/x/text**                          v0.23.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/rpc**  c3f982113cda -> ff82c1b0f217
* **google.golang.org/grpc**                     v1.59.0 -> v1.79.3
* **google.golang.org/protobuf**                 v1.33.0 -> v1.36.10

Previous release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)
    Unverified

  • v2.3.0-rc.1

    1d7b73d5 · Merge pull request #13315 from dmcgowan/update-containerd-dependencies · 
    containerd 2.3.0-rc.1

Welcome to the v2.3.0-rc.1 release of containerd!
*This is a pre-release of containerd*

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

This is a beta release and some functionality is still under development.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Add option to inject trace ID to logs ([#13117](https://github.com/containerd/containerd/pull/13117))
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))
* api: fix OCI hook ownership tracking. ([containerd/nri#264](https://github.com/containerd/nri/pull/264))

#### Container Runtime Interface (CRI)

* Allow containers to use user namespaces with host networking ([#12518](https://github.com/containerd/containerd/pull/12518))
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))

#### Image Distribution

* Support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))
* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))
* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

#### Snapshotters

* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))

#### Breaking

* api: fix OCI hook ownership tracking. ([containerd/nri#264](https://github.com/containerd/nri/pull/264))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Sebastiaan van Stijn
* Krisztian Litkey
* Samuel Karp
* Wei Fu
* Akihiro Suda
* Phil Estes
* Mike Brown
* Markus Lehtonen
* Hudson Zhu
* Davanum Srinivas
* Chris Henzie
* Gao Xiang
* Chengyu Zhu
* Akhil Mohan
* Kazuyoshi Kato
* Sergey Kanzhelev
* Austin Vazquez
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* Apurv Barve
* Brian Goff
* HirazawaUi
* Michael Zappa
* Paweł Gronowski
* Fabiano Fidêncio
* Hasan Siddiqui
* Jintao Zhang
* Paulo Oliveira
* Shiv Tyagi
* Albin Kerouanton
* Alex Lyn
* Avinesh Singh
* Danny Canter
* Esteban Ginez
* Henry Wang
* Jin Dong
* Jérôme Poulin
* Laura Lorenz
* Luke Hinds
* Sascha Grunert
* Tianon Gravi
* majianhan
* markdodgson
* qiuxue
* Adrien Delorme
* Alessio Biancalana
* Alex Chernyakhovsky
* Andrey Noskov
* Andrey Smirnov
* Annie Cherkaev
* Antti Kervinen
* Anuj Singh
* Benjamin Elder
* Champ-Goblem
* Chris Adeniyi-Jones
* Chris Chang
* Cindia-blue
* CrazyMax
* Eldon Stegall
* Evan Lezar
* Fletcher Woodruff
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Joseph Zhang
* Justin Chadwell
* Kal
* Manuel de Brito Fontes
* Mikhail Dmitrichenko
* Mujib Ahasan
* Neeraj Krishna Gopalakrishna
* Pierluigi Lenoci
* Ricardo Branco
* Rob Murray
* Rodrigo Campos
* Sameer
* Sameer
* Sanil Khurana
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Weixie Cui
* Will Jordan
* William Myers
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* Yuanliang Zhang
* apurv15
* bo.jiang
* chris-henderson-alation
* delthas
* guodong
* jinda.ljd
* jokemanfire
* pandaWall
* sreeram-venkitesh

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/Microsoft/go-winio**                                                v0.6.2 -> ad3df93bed29
* **github.com/Microsoft/hcsshim**                                                 v0.14.0-rc.1 -> v0.15.0-rc.1
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0-rc.0
* **github.com/containerd/continuity**                                             v0.4.5 -> v0.5.0
* **github.com/containerd/go-dmverity**                                            v0.1.0 **_new_**
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.12.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.2 -> v1.0.0-rc.4
* **github.com/containerd/plugin**                                                 v1.0.0 -> v1.1.0
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/davecgh/go-spew**                                                   v1.1.1 -> d8f796af33cc
* **github.com/erofs/go-erofs**                                                    v0.3.0 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.4
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.5
* **github.com/moby/spdystream**                                                   v0.5.0 -> v0.5.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pelletier/go-toml/v2**                                              v2.2.4 -> v2.3.0
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/common**                                                 v0.66.1 -> v0.67.5
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.19.2
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.11.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.68.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.68.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.43.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.10.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.49.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.35.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.52.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.43.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.41.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.35.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 6f92a3bedf2d
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.80.0
* **google.golang.org/protobuf**                                                   v1.36.10 -> f2248ac996af
* **k8s.io/api**                                                                   v0.34.1 -> v0.36.0
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.36.0
* **k8s.io/client-go**                                                             v0.34.1 -> v0.36.0
* **k8s.io/component-base**                                                        v0.36.0 **_new_**
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.36.0
* **k8s.io/cri-client**                                                            v0.36.0 **_new_**
* **k8s.io/cri-streaming**                                                         v0.36.0 **_new_**
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          5883c5ee87b9 **_new_**
* **k8s.io/streaming**                                                             v0.36.0 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> 28399d86e0b5
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **sigs.k8s.io/structured-merge-diff/v6**                                         v6.3.0 -> v6.3.2
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • api/v1.11.0-rc.0

    bc69a526 · Merge pull request #13167 from lauralorenz/10681-ctr-image-export-oci-ref-name · 
    containerd api/v1.11.0-rc.0

Welcome to the api/v1.11.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Wei Fu
* Akihiro Suda
* Gao Xiang
* Sebastiaan van Stijn

### Changes
<details><summary>45 commits</summary>
<p>

* Prepare api/v1.11.0-rc.0 ([#13306](https://github.com/containerd/containerd/pull/13306))
  * [`bf502662a`](https://github.com/containerd/containerd/commit/bf502662a508667b83b15b2bbe8658129c1dfec3) Prepare api/v1.11.0-rc.0
* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))
  * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state
* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))
  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition
* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions
  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level
  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json
  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path
  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api
  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests
  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag
  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim
  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files
  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file
  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin
  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension
  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor
  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol
* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto
* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))
  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api
* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
</p>
</details>

### Dependency Changes

* **golang.org/x/net**                           v0.38.0 -> v0.48.0
* **golang.org/x/sys**                           v0.31.0 -> v0.39.0
* **golang.org/x/text**                          v0.23.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/rpc**  c3f982113cda -> ff82c1b0f217
* **google.golang.org/grpc**                     v1.59.0 -> v1.79.3
* **google.golang.org/protobuf**                 v1.33.0 -> v1.36.10

Previous release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)
    Unverified

  • v2.3.0-rc.0

    135a6715 · Merge pull request #13302 from dmcgowan/prepare-v2.3.0-rc · 
    containerd 2.3.0-rc.0

Welcome to the v2.3.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

This is a beta release and some functionality is still under development.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Add option to inject trace ID to logs ([#13117](https://github.com/containerd/containerd/pull/13117))
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Container Runtime Interface (CRI)

* Allow containers to use user namespaces with host networking ([#12518](https://github.com/containerd/containerd/pull/12518))
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))

#### Image Distribution

* Support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))
* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))
* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

#### Snapshotters

* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Sebastiaan van Stijn
* Wei Fu
* Krisztian Litkey
* Samuel Karp
* Phil Estes
* Akihiro Suda
* Mike Brown
* Markus Lehtonen
* Davanum Srinivas
* Gao Xiang
* Chengyu Zhu
* Akhil Mohan
* Chris Henzie
* Hudson Zhu
* Kazuyoshi Kato
* Sergey Kanzhelev
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* Apurv Barve
* Brian Goff
* HirazawaUi
* Michael Zappa
* Paweł Gronowski
* Fabiano Fidêncio
* Hasan Siddiqui
* Jintao Zhang
* Paulo Oliveira
* Shiv Tyagi
* Albin Kerouanton
* Alex Lyn
* Austin Vazquez
* Avinesh Singh
* Esteban Ginez
* Henry Wang
* Jin Dong
* Jérôme Poulin
* Luke Hinds
* Sascha Grunert
* Tianon Gravi
* majianhan
* markdodgson
* qiuxue
* Adrien Delorme
* Alex Chernyakhovsky
* Andrey Noskov
* Andrey Smirnov
* Annie Cherkaev
* Anuj Singh
* Champ-Goblem
* Chris Adeniyi-Jones
* Chris Chang
* Cindia-blue
* CrazyMax
* Danny Canter
* Evan Lezar
* Fletcher Woodruff
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Joseph Zhang
* Justin Chadwell
* Kal
* Manuel de Brito Fontes
* Mujib Ahasan
* Neeraj Krishna Gopalakrishna
* Pierluigi Lenoci
* Ricardo Branco
* Rob Murray
* Rodrigo Campos
* Sanil2108
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Weixie Cui
* Will Jordan
* William Myers
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* apurv15
* bo.jiang
* chris-henderson-alation
* delthas
* jinda.ljd
* jokemanfire
* sreeram-venkitesh
* zylxjtu

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/Microsoft/go-winio**                                                v0.6.2 -> ad3df93bed29
* **github.com/Microsoft/hcsshim**                                                 v0.14.0-rc.1 -> v0.15.0-rc.1
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0-beta.2
* **github.com/containerd/go-dmverity**                                            e097b6cc4a33 **_new_**
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.11.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.2 -> v1.0.0-rc.4
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/davecgh/go-spew**                                                   v1.1.1 -> d8f796af33cc
* **github.com/erofs/go-erofs**                                                    v0.3.0 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.4
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.5
* **github.com/moby/spdystream**                                                   v0.5.0 -> v0.5.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pelletier/go-toml/v2**                                              v2.2.4 -> v2.3.0
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/common**                                                 v0.66.1 -> v0.67.5
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.19.2
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.10.1
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.67.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.67.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.43.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.10.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.49.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.35.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.52.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.43.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.41.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.35.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.80.0
* **google.golang.org/protobuf**                                                   v1.36.10 -> f2248ac996af
* **k8s.io/api**                                                                   v0.34.1 -> v0.36.0
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.36.0
* **k8s.io/client-go**                                                             v0.34.1 -> v0.36.0
* **k8s.io/component-base**                                                        v0.36.0 **_new_**
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.36.0
* **k8s.io/cri-client**                                                            v0.36.0 **_new_**
* **k8s.io/cri-streaming**                                                         v0.36.0 **_new_**
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          5883c5ee87b9 **_new_**
* **k8s.io/streaming**                                                             v0.36.0 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> 28399d86e0b5
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **sigs.k8s.io/structured-merge-diff/v6**                                         v6.3.0 -> v6.3.2
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v2.3.0-beta.2

    8a533731 · Merge pull request #13239 from dmcgowan/prepare-v2.3.0-beta.2 · 
    containerd 2.3.0-beta.2

Welcome to the v2.3.0-beta.2 release of containerd!
*This is a pre-release of containerd*

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

This is a beta release and some functionality is still under development.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Add option to inject trace ID to logs ([#13117](https://github.com/containerd/containerd/pull/13117))
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Container Runtime Interface (CRI)

* Allow containers to use user namespaces with host networking ([#12518](https://github.com/containerd/containerd/pull/12518))
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))

#### Image Distribution

* Support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))
* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))
* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

#### Snapshotters

* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Sebastiaan van Stijn
* Krisztian Litkey
* Wei Fu
* Samuel Karp
* Akihiro Suda
* Phil Estes
* Markus Lehtonen
* Mike Brown
* Davanum Srinivas
* Gao Xiang
* ChengyuZhu6
* Akhil Mohan
* Chris Henzie
* Hudson Zhu
* Kazuyoshi Kato
* Sergey Kanzhelev
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* Apurv Barve
* HirazawaUi
* Michael Zappa
* Paweł Gronowski
* Brian Goff
* Fabiano Fidêncio
* Hasan Siddiqui
* Jintao Zhang
* Paulo Oliveira
* Shiv Tyagi
* Austin Vazquez
* Avinesh Singh
* Esteban Ginez
* Henry Wang
* Jin Dong
* Jérôme Poulin
* Luke Hinds
* Sascha Grunert
* majianhan
* markdodgson
* Adrien Delorme
* Albin Kerouanton
* Alex Chernyakhovsky
* Andrey Noskov
* Andrey Smirnov
* Annie Cherkaev
* Anuj Singh
* Champ-Goblem
* Chris Adeniyi-Jones
* Cindia-blue
* CrazyMax
* Danny Canter
* Evan Lezar
* Fletcher Woodruff
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Joseph Zhang
* Justin Chadwell
* Kal
* Manuel de Brito Fontes
* Neeraj Krishna Gopalakrishna
* Pierluigi Lenoci
* Ricardo Branco
* Rob Murray
* Rodrigo Campos
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Weixie Cui
* Will Jordan
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* apurv15
* bo.jiang
* chris-henderson-alation
* jinda.ljd
* qiuxue

### Changes
<details><summary>758 commits</summary>
<p>

* Prepare v2.3.0-beta.2 release ([#13239](https://github.com/containerd/containerd/pull/13239))
  * [`367937295`](https://github.com/containerd/containerd/commit/36793729584ece2c3c52c25b6f2495837fcb9c3c) Update API to use latest beta tag
* Parameterize K8s version in node-e2e workflow ([#13234](https://github.com/containerd/containerd/pull/13234))
  * [`270916ad1`](https://github.com/containerd/containerd/commit/270916ad1564e4e1329994b29a1dbece1d7fe6ce) Parameterize K8s version in node-e2e workflow
* Add check for status code for GET requests ([#12262](https://github.com/containerd/containerd/pull/12262))
  * [`bf5fe06f8`](https://github.com/containerd/containerd/commit/bf5fe06f8d8a5279fc3b8a2cf6d60ba41fda62a5) Use len for stripping http://
  * [`2e856be03`](https://github.com/containerd/containerd/commit/2e856be0398a722e0c4c91fe0685f246306e9903) Check for error status code on response to a get request
* Add support for conditional gc references in metadata ([#12398](https://github.com/containerd/containerd/pull/12398))
  * [`046421ab7`](https://github.com/containerd/containerd/commit/046421ab781ffa2c4a63b0ef220d51fb7946c6b7) Breakout arguments to sendLabelRefs in gc
  * [`bd02dc1d7`](https://github.com/containerd/containerd/commit/bd02dc1d7b5ff245cc0f0446057b8831934a42ba) Add support for conditional gc references in metadata
* build(deps): bump actions/cache from 5.0.4 to 5.0.5 ([#13227](https://github.com/containerd/containerd/pull/13227))
  * [`34884e99d`](https://github.com/containerd/containerd/commit/34884e99d5b625360d13d31bc86a78e4747312c1) build(deps): bump actions/cache from 5.0.4 to 5.0.5
* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))
  * [`e07a1aa49`](https://github.com/containerd/containerd/commit/e07a1aa4910addb4e5ed6ce7ed40e2b4889fa77d) Add configuration for socket directory to the shim manager
  * [`59c3464a0`](https://github.com/containerd/containerd/commit/59c3464a011e216949d82c5c9ebc8592f44ed26e) Remove the unnecessary mkdir on the default state directory
  * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state
* ctr: add EROFS image conversion support ([#12555](https://github.com/containerd/containerd/pull/12555))
  * [`64a2e62b5`](https://github.com/containerd/containerd/commit/64a2e62b5259168ee0f8f99d88a61f5799d5e3e7) erofs: wire os.features into conversion and selection
  * [`b320d3c85`](https://github.com/containerd/containerd/commit/b320d3c855270374dc45f230f76b72c17eb7426c) ctr: add EROFS image conversion support
* snapshotter/erofs: avoid using overlay if fsmerge is enabled and no upperdir ([#13213](https://github.com/containerd/containerd/pull/13213))
  * [`3b357da49`](https://github.com/containerd/containerd/commit/3b357da49691a1b030d986c0b0306293fab19136) snapshotter/erofs: avoid using overlay if fsmerge is enabled and no upperdir
* build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 ([#13225](https://github.com/containerd/containerd/pull/13225))
  * [`a9acbcaae`](https://github.com/containerd/containerd/commit/a9acbcaaedd2681363c0eadf0500df7edebd9eab) build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
* build(deps): bump github.com/erofs/go-erofs from 0.2.0 to 0.2.1 ([#13232](https://github.com/containerd/containerd/pull/13232))
  * [`a9e958070`](https://github.com/containerd/containerd/commit/a9e9580709773499ba69a9834b13a214289d2b98) build(deps): bump github.com/erofs/go-erofs from 0.2.0 to 0.2.1
* build(deps): bump actions/github-script from 8.0.0 to 9.0.0 ([#13226](https://github.com/containerd/containerd/pull/13226))
  * [`54bb41881`](https://github.com/containerd/containerd/commit/54bb41881260a270330ee953a066afbd4024c0d1) build(deps): bump actions/github-script from 8.0.0 to 9.0.0
* build(deps): bump the golang-x group with 2 updates ([#13228](https://github.com/containerd/containerd/pull/13228))
  * [`ef692c986`](https://github.com/containerd/containerd/commit/ef692c98653cf5b2008a2be4a8c5b2e16ba5ceda) build(deps): bump the golang-x group with 2 updates
* update github.com/moby/spdystream v0.5.1 ([#13215](https://github.com/containerd/containerd/pull/13215))
  * [`d15a46927`](https://github.com/containerd/containerd/commit/d15a46927447eab0764a516cdef1efa3609a6357) update github.com/moby/spdystream v0.5.1
* erofs-differ: support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))
  * [`b9445fb9e`](https://github.com/containerd/containerd/commit/b9445fb9ef900e4724aba735eebe90592eebb5de) erofs-differ: support zstd-wrapped EROFS layers
* core/remotes/docker: use SystemCertPool on Windows ([#13128](https://github.com/containerd/containerd/pull/13128))
  * [`dc609cf4b`](https://github.com/containerd/containerd/commit/dc609cf4b4bfe91e21e5d984530a4e8ce5cfd993) core/remotes/docker: use SystemCertPool on Windows
* update runhcs to v0.15.0-rc.1 ([#13211](https://github.com/containerd/containerd/pull/13211))
  * [`915fd256a`](https://github.com/containerd/containerd/commit/915fd256a6c646ec230cc78110311dcc277f9399) update runhcs to v0.15.0-rc.1
* For Exec format error on Windows, compile cri-integration.test binary with .exe suffix ([#13210](https://github.com/containerd/containerd/pull/13210))
  * [`d8906ac6c`](https://github.com/containerd/containerd/commit/d8906ac6c6705a910da31f2cbfa7a5690a2bf06e) Update Makefile
  * [`c41939a4c`](https://github.com/containerd/containerd/commit/c41939a4c0cdb47ddb6c8ccabacee08b115d8357) For Exec format error on Windows, compile cri-integration.test binary with .exe suffix
* build(deps): bump docker/login-action from 4.0.0 to 4.1.0 ([#13168](https://github.com/containerd/containerd/pull/13168))
  * [`244d59f79`](https://github.com/containerd/containerd/commit/244d59f79f98d63dd76e70d14ba53c7ea68277d4) build(deps): bump docker/login-action from 4.0.0 to 4.1.0
* Prepare v2.3.0 beta.1 release ([#13209](https://github.com/containerd/containerd/pull/13209))
  * [`d11731c74`](https://github.com/containerd/containerd/commit/d11731c74f366914e5941c7c32a3021fc0b1352b) Update vendored api to v1.11.0-beta.1
  * [`c6f83d3bc`](https://github.com/containerd/containerd/commit/c6f83d3bc28ceee618c4126ac33d49e7c0106475) Update mailmap for Chris Henzie
* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))
  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition
* Bump cri-api to v0.36.0-rc.0 ([#13207](https://github.com/containerd/containerd/pull/13207))
  * [`a6311a163`](https://github.com/containerd/containerd/commit/a6311a163d6bb738d75af83abedf5457ab561b49) Bump cri-api to v0.36.0-rc.0
* Make utils.sh nounset-safe by never expanding unset CGROUP_DRIVER on Windows ([#13205](https://github.com/containerd/containerd/pull/13205))
  * [`743210e40`](https://github.com/containerd/containerd/commit/743210e40c3044815b91a59b5ec4d51fed132097) Make utils.sh nounset-safe by never expanding unset CGROUP_DRIVER on Windows.
* fix(windows): verify pipe readiness before returning shim address ([#13202](https://github.com/containerd/containerd/pull/13202))
  * [`01e5fa616`](https://github.com/containerd/containerd/commit/01e5fa616f8ea26c387346675359de2568e4d061) fix: address review feedback on awaitPipeReady
  * [`1e98ebaf0`](https://github.com/containerd/containerd/commit/1e98ebaf0e97e4beb3133e5f8f3df4acd67a291a) fix(windows): verify pipe readiness before returning shim address
* Document shim bootstrap behavior ([#13192](https://github.com/containerd/containerd/pull/13192))
  * [`fcb23002b`](https://github.com/containerd/containerd/commit/fcb23002b45f3524296da077c7159159579ed6a2) Document shim bootstrap protocol behavior
* Temporarily disable uploading logs to GCP for windows periodic tests until GCP credentials are renewed ([#13173](https://github.com/containerd/containerd/pull/13173))
  * [`6ba507ba7`](https://github.com/containerd/containerd/commit/6ba507ba768534c596695f70feb58cb5704919d5) Temporarily disable windows periodic tests until GCP credentials are renewed.
* build(deps): bump github.com/Microsoft/hcsshim from 0.14.0-rc.1 to 0.15.0-rc.1 ([#13170](https://github.com/containerd/containerd/pull/13170))
  * [`affe09319`](https://github.com/containerd/containerd/commit/affe09319da22ea74c267f23c2808bd7dec63c3e) build(deps): bump github.com/Microsoft/hcsshim
* Support reading readonly overlays without mounting ([#12865](https://github.com/containerd/containerd/pull/12865))
  * [`c61c4e8da`](https://github.com/containerd/containerd/commit/c61c4e8dab7cb4fd683ffe03d3b183edf695a112) pkg/oci: update fs error handling to use errors.Is
  * [`30951c6f0`](https://github.com/containerd/containerd/commit/30951c6f03d496b9d538088e7a11dc69ab75352a) Add overlay symlink resolution using ReadLinkFS
  * [`21d666cfb`](https://github.com/containerd/containerd/commit/21d666cfbcc3315a65ac03f085d449bf953bbb96) Update fsview to allow type registration
  * [`a77c757f1`](https://github.com/containerd/containerd/commit/a77c757f15806218bdfbc1799655a18fced1f4ec) internal/fsview: update overlay to handle file replacing directory
  * [`2fe15d7c8`](https://github.com/containerd/containerd/commit/2fe15d7c87012e0cd7d4546c81e885d174453685) internal/fsview: add support for suffixes in formatted mounts
  * [`a5df2782d`](https://github.com/containerd/containerd/commit/a5df2782d4c17d14632328843ba471c9b385c49e) pkg/oci: remove darwin guards from user/group spec opts
  * [`f384d2eb6`](https://github.com/containerd/containerd/commit/f384d2eb6c0275d368ba449fd434e2147a7466ec) pkg/oci: update OCI with user to try mount for Darwin
  * [`c1eb9430a`](https://github.com/containerd/containerd/commit/c1eb9430af0cffcca8238475f3021c90e28ff067) pkg/oci: update OCI spec generation to use fsview if available
  * [`04b7b495f`](https://github.com/containerd/containerd/commit/04b7b495f9db65fad9a0859bb1b5a9365f655906) internal/fsview: add fsview package for reading snapshot mounts
* diff/walking: enable mount manager ([#13186](https://github.com/containerd/containerd/pull/13186))
  * [`47cfd1138`](https://github.com/containerd/containerd/commit/47cfd1138b469e753b5035d2df8074aa523255b0) diff/walking: enable mount manager
* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy
* build(deps): bump the otel group with 6 updates ([#13169](https://github.com/containerd/containerd/pull/13169))
  * [`69f3860f4`](https://github.com/containerd/containerd/commit/69f3860f49987d0316b1839137ea983e5574cf22) build(deps): bump the otel group with 6 updates
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
  * [`75afbe155`](https://github.com/containerd/containerd/commit/75afbe155a819c8e8786c2b961b4b87293dea66b) Update vendor
  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions
  * [`45b7de283`](https://github.com/containerd/containerd/commit/45b7de2837b7c76ac6ce97efbf46c7753c5f2c9f) Limit amount of bytes read from stdin
  * [`3c0e8a55b`](https://github.com/containerd/containerd/commit/3c0e8a55b6e240045b0c80b46b93cf472e5aa738) Update comments wording about when to deprecate and remove the old path
  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level
  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json
  * [`73edc8045`](https://github.com/containerd/containerd/commit/73edc804513e5c5711efe38f0e96e7c43909f94c) Format code after cherry pick
  * [`243cab594`](https://github.com/containerd/containerd/commit/243cab594ee6d5edab591a43e399786ff07faab8) Deprecate old pkg/shim interfaces
  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path
  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api
  * [`eea1fa651`](https://github.com/containerd/containerd/commit/eea1fa6516e0d4e27b0227cb24de7902aa09f22c) Do not fail when failed to parse log level
  * [`281fb85a9`](https://github.com/containerd/containerd/commit/281fb85a9c1bc9d2dd942f9ea375a33914cf9cc7) Fix Makefile
  * [`2005e01f0`](https://github.com/containerd/containerd/commit/2005e01f068b656b2b3aecc4ed7bd0bcf59b6fe1) Run tests from api
  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests
  * [`58022a748`](https://github.com/containerd/containerd/commit/58022a748ad7e92f23ef444031742ae700823c88) Parse log level when starting shim instance
  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag
  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim
  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files
  * [`b7ef291ed`](https://github.com/containerd/containerd/commit/b7ef291edcc5d4beac49f8748e0606d32d83ca0c) Provide bootstrap params when launching shims
  * [`acb8c8ea1`](https://github.com/containerd/containerd/commit/acb8c8ea1ef1f79f0b9c49ef25f8b5e87dd8d7c9) Update vendor
  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file
  * [`fa02acee2`](https://github.com/containerd/containerd/commit/fa02acee2094494436d4e6dcf5a800286d60726a) Generate shim CLI flags under Command
  * [`fc8062f37`](https://github.com/containerd/containerd/commit/fc8062f3792e7bc056c874b4d93ecf911360da71) Rename CommandConfig field to better reflect their purpose
  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin
  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension
  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor
  * [`7f39b2d93`](https://github.com/containerd/containerd/commit/7f39b2d9338b86e84b3c794eef10572b90f35a1b) Update shim to support new bootstrap api
  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol
* Bump Go to 1.26.2 ([#13177](https://github.com/containerd/containerd/pull/13177))
  * [`8b396c768`](https://github.com/containerd/containerd/commit/8b396c768d470226f120605ee5ad38d1a764bf81) Bump Go to 1.26.2
* Add registry host namespace query parameter to mirror push requests ([#12206](https://github.com/containerd/containerd/pull/12206))
  * [`e95b75305`](https://github.com/containerd/containerd/commit/e95b753058b2c420374626c3eb9aca8e7a7cc125) Add namespace to push requests
* releases: revive 2.0 ([#13158](https://github.com/containerd/containerd/pull/13158))
  * [`a3ac81ff9`](https://github.com/containerd/containerd/commit/a3ac81ff96886f52eb1d90fb6e6fb58375dd4a4a) releases: revive 2.0
* replace one more k8s.io/apimachinery/ reference ([#13157](https://github.com/containerd/containerd/pull/13157))
  * [`1615e07bb`](https://github.com/containerd/containerd/commit/1615e07bb845fe9f951830f374bb208efaaf07a2) replace one more k8s.io/apimachinery/ reference
* integration/images: add s390x builds for volume test images ([#13166](https://github.com/containerd/containerd/pull/13166))
  * [`72919fbd6`](https://github.com/containerd/containerd/commit/72919fbd6693a18ca59231dd886152fd3f5ef8df) integration/images: add s390x builds for volume test images
* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
  * [`cf772973c`](https://github.com/containerd/containerd/commit/cf772973cfbe52eba6d7650960351990777cdcc9) process/io: ignore SIGTERM exit in cancel() to fix flaky test
  * [`22e6e1541`](https://github.com/containerd/containerd/commit/22e6e1541c2f272541888dbbfe79bf5fcd78f1b3) Add binary-v2 logging readiness scheme
* content: use descriptor digest algorithm instead of assuming sha256 ([#13036](https://github.com/containerd/containerd/pull/13036))
  * [`2a14c4254`](https://github.com/containerd/containerd/commit/2a14c4254580ee47659a8ef991ab873123f0de8a) pkg/oci: fix fake image digest computation in tests
  * [`9423378f6`](https://github.com/containerd/containerd/commit/9423378f641ec3dd765d09ed7289634e4e483096) content: use descriptor digest algorithm instead of assuming sha256
* Move runtime v2 docs to ./docs ([#13163](https://github.com/containerd/containerd/pull/13163))
  * [`169e00038`](https://github.com/containerd/containerd/commit/169e0003896817c679016761c1c45ebec7851a58) Move runtime v2 docs to ./docs
* Honor stderrthreshold when logtostderr is enabled ([#13132](https://github.com/containerd/containerd/pull/13132))
  * [`2a69c0d2c`](https://github.com/containerd/containerd/commit/2a69c0d2c80b0baf58565b78d5e1178666482248) Honor stderrthreshold when logtostderr is enabled
* script/setup: update runc binary to v1.4.2 ([#13155](https://github.com/containerd/containerd/pull/13155))
  * [`143c566fc`](https://github.com/containerd/containerd/commit/143c566fcc67e38762c6a0616f8bc0666f6077a5) update runc binary to v1.4.2
* pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) s… ([#13156](https://github.com/containerd/containerd/pull/13156))
  * [`05d3b3158`](https://github.com/containerd/containerd/commit/05d3b31586fbb61a0a908073d70740f4ee7c03ee) pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) support
* Use latest k8s 1.36 ([#13076](https://github.com/containerd/containerd/pull/13076))
  * [`1fc92e63d`](https://github.com/containerd/containerd/commit/1fc92e63ddde9d15f65b314560bc517f44086eeb) switch from `internal/cri/streamingserver` to `k8s.io/cri-streaming`
  * [`1b67e7854`](https://github.com/containerd/containerd/commit/1b67e78540fd8240409e9a031f4b40da6237de54) switch from k8s.io/apimachinery/pkg/util/httpstream to k8s.io/streaming/pkg/httpstream
* Skip TestExportAndImportMultiLayer on s390x ([#13149](https://github.com/containerd/containerd/pull/13149))
  * [`2b7085767`](https://github.com/containerd/containerd/commit/2b7085767c4966871eec29ea1d3dd065b6fd2461) Skip TestExportAndImportMultiLayer on s390x
* fix: handle nil spec for hostNetwork containers ([#13131](https://github.com/containerd/containerd/pull/13131))
  * [`b32cecd31`](https://github.com/containerd/containerd/commit/b32cecd3181d5cfc4f688d106270600a47f7f6fd) fix: handle nil spec for hostNetwork containers
* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
  * [`940076477`](https://github.com/containerd/containerd/commit/940076477e581c28307ad326b3cd8244ba6cb8e4) client/image: check if the snapshotter supports forcely if `os.feature` is set
  * [`f8367b8ad`](https://github.com/containerd/containerd/commit/f8367b8ad260095a55661aaa87af8f3e1adc6af6) client: remove toPlatforms()
  * [`cb93966b9`](https://github.com/containerd/containerd/commit/cb93966b9f952c5f8f9aff0ba44b13ce6e26b8a8) transfer: Default to the EROFS snapshotter and differ for EROFS images
  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto
  * [`56a6fdbe5`](https://github.com/containerd/containerd/commit/56a6fdbe5b70e708ab0e28713eba4687c6836a9b) Update github.com/containerd/platforms to v1.0.0-rc.4
* build(deps): bump github/codeql-action from 4.33.0 to 4.35.1 ([#13141](https://github.com/containerd/containerd/pull/13141))
  * [`1be404a95`](https://github.com/containerd/containerd/commit/1be404a9551ee3bc4f1f74f6bc8dee58aee6332b) build(deps): bump github/codeql-action from 4.33.0 to 4.35.1
* build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 ([#13142](https://github.com/containerd/containerd/pull/13142))
  * [`44f01d4e7`](https://github.com/containerd/containerd/commit/44f01d4e717b9f9a2ec8f9309fa19a7e0d4ab593) build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0
* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 ([#12962](https://github.com/containerd/containerd/pull/12962))
  * [`12cbacee6`](https://github.com/containerd/containerd/commit/12cbacee693c2ffdd8261652c559f61c58136655) build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
* build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 ([#12964](https://github.com/containerd/containerd/pull/12964))
  * [`77a623118`](https://github.com/containerd/containerd/commit/77a623118175b0bc7dccaa9b2a00db5c201f7071) build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0
* Add dmverity support to the erofs snapshotter using go-dmverity ([#12502](https://github.com/containerd/containerd/pull/12502))
  * [`50f5461fb`](https://github.com/containerd/containerd/commit/50f5461fb715f217187181deefae3890edf87e84) Add dmverity support to the erofs snapshotter using veritysetup-go
* Bump Go to 1.26.0 ([#13090](https://github.com/containerd/containerd/pull/13090))
  * [`0130ae9aa`](https://github.com/containerd/containerd/commit/0130ae9aa8514b49a3e16f6c75ae51c80aca2a2f) Bump Go to 1.26.0
* Update crun version to 1.27 and enable in mount options test ([#13144](https://github.com/containerd/containerd/pull/13144))
  * [`9f62f84c5`](https://github.com/containerd/containerd/commit/9f62f84c5d97700d1fba3b2edf0e3c476f2f92df) Update crun version to 1.27 and enable in mount options test
* core/remotes: MakeRefKey: update godoc and change Warn to Debug logs ([#13134](https://github.com/containerd/containerd/pull/13134))
  * [`55f622c76`](https://github.com/containerd/containerd/commit/55f622c763832044f971f17efff6216da924281b) core/remotes: MakeRefKey: update godoc and change Warn to Debug logs
* tracing: add option to inject trace ID into logrus fields ([#13117](https://github.com/containerd/containerd/pull/13117))
  * [`10c30fb74`](https://github.com/containerd/containerd/commit/10c30fb74a520412c809d8c7f0ff1b676052d0bc) tracing: add option to inject trace ID into logrus fields
* build(deps): bump azure/CLI from 2.2.0 to 3.0.0 ([#13140](https://github.com/containerd/containerd/pull/13140))
  * [`0ffd99a0e`](https://github.com/containerd/containerd/commit/0ffd99a0e001a33cb60c750f5cc5a1af625097f2) build(deps): bump azure/CLI from 2.2.0 to 3.0.0
* build(deps): bump azure/login from 2.3.0 to 3.0.0 ([#13105](https://github.com/containerd/containerd/pull/13105))
  * [`5f813b59c`](https://github.com/containerd/containerd/commit/5f813b59cde98cfa583b3e0dbd5917dfb543eedb) build(deps): bump azure/login from 2.3.0 to 3.0.0
* build(deps): bump actions/cache from 5.0.3 to 5.0.4 ([#13106](https://github.com/containerd/containerd/pull/13106))
  * [`3248957cf`](https://github.com/containerd/containerd/commit/3248957cf8a3793743eea6634df42b7ad7c37680) build(deps): bump actions/cache from 5.0.3 to 5.0.4
* cri: mirror cadvisor UsageNanoCores semantics ([#13138](https://github.com/containerd/containerd/pull/13138))
  * [`66a1d3a60`](https://github.com/containerd/containerd/commit/66a1d3a6076093bfb271f3724dcb2535c16e1f75) cri: mirror cadvisor UsageNanoCores semantics
* fix: hide `go-cmp` library from the non-test code path ([#12175](https://github.com/containerd/containerd/pull/12175))
  * [`ea945443a`](https://github.com/containerd/containerd/commit/ea945443acf62c4b5b1357c6b3c768a4b8344fc7) fix: hide `go-cmp` library from the non-test code path
* feat: Allow containers to use both host network and user namespace ([#12518](https://github.com/containerd/containerd/pull/12518))
  * [`339b0cc17`](https://github.com/containerd/containerd/commit/339b0cc17119f4354be1156fe099ecf9f838719c) add integration test
  * [`7d7c56357`](https://github.com/containerd/containerd/commit/7d7c56357a425eb05e888b6d6193df5c2d6fb9ca) add unit tests
  * [`93cf5418b`](https://github.com/containerd/containerd/commit/93cf5418b9ac498163b9fb15efedaea951a0309d) Allow user namespace with hostNetwork in container
* allow to pass multiple extra arguments to critest ([#13114](https://github.com/containerd/containerd/pull/13114))
  * [`7ea6bb604`](https://github.com/containerd/containerd/commit/7ea6bb604b6fb323f6b896bb17cb35159ddcdc3e) allow to pass multiple extra arguments to critest
* Tweak mount info for overlayfs in case of parallel unpack ([#13115](https://github.com/containerd/containerd/pull/13115))
  * [`3382fb716`](https://github.com/containerd/containerd/commit/3382fb71624bdea558b18f5ff77c55e02af0e504) Tweak mount info for overlayfs in case of parallel unpack
  * [`68e128cf0`](https://github.com/containerd/containerd/commit/68e128cf033d5e5e8a329417dda1a21645872710) Add integration test for issue 13030
* fix: avoid content storage pollution by limiting the fallback on ref resolution ([#13017](https://github.com/containerd/containerd/pull/13017))
  * [`9b7fa6131`](https://github.com/containerd/containerd/commit/9b7fa61316205b0d92fca50fc2d97e6860253852) fix:avoid content storage pollution by limiting the fallback on ref resolution
* chore: Add explicit digest requirement to docker pusher ([#12861](https://github.com/containerd/containerd/pull/12861))
  * [`4f35b756e`](https://github.com/containerd/containerd/commit/4f35b756e2ec6094154c749f0cfd14bc0126beee) chore: Add explicit digest requirement to docker pusher
* Fix send stream data with EOF ([#12968](https://github.com/containerd/containerd/pull/12968))
  * [`da5e548ef`](https://github.com/containerd/containerd/commit/da5e548ef36f97fd733ce206f066a9145c122892) Add fix for send stream encountering EOF with data
  * [`cd15c253d`](https://github.com/containerd/containerd/commit/cd15c253dcbc0fdc079dfb116febd1b85f4176e5) Add test for streaming EOF with data
* core/mount: Reject X-containerd.* options before kernel mount ([#12557](https://github.com/containerd/containerd/pull/12557))
  * [`6f7bb4862`](https://github.com/containerd/containerd/commit/6f7bb48624be0d9e1e3007c010a276e78c626fa5) core/mount: Filter X-containerd.* options before kernel mount
* Wire UpdatePodSandboxResources to Sandbox API ([#13118](https://github.com/containerd/containerd/pull/13118))
  * [`33db836a8`](https://github.com/containerd/containerd/commit/33db836a8b06000e8afb5bba947c299ae721878a) Wire UpdatePodSandboxResources to Sandbox API
  * [`e6c7f3723`](https://github.com/containerd/containerd/commit/e6c7f37235b30a3e697a3411045a9d00ab876c63) Add unit tests for CRI resource updates
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
  * [`dc5806cd9`](https://github.com/containerd/containerd/commit/dc5806cd949178f776dec8dc83e51dd1feea65a3) Propagate OpenTelemetry traces in outgoing RPCs from plugin clients
* Preserve cgroup mount options for privileged containers ([#12952](https://github.com/containerd/containerd/pull/12952))
  * [`0eef29a1a`](https://github.com/containerd/containerd/commit/0eef29a1a92474f9dfb9c21e70790b25221cabdc) Add integration test for privileged container cgroup mounts
  * [`d2f67d399`](https://github.com/containerd/containerd/commit/d2f67d399022ed170f0fa836c01b47c72f434c35) Forward RUNC_FLAVOR env var down to integration tests
  * [`f84ddfa4f`](https://github.com/containerd/containerd/commit/f84ddfa4fbb9741633bf722ceea943ded2205b15) Preserve host cgroup mount options for privileged containers
  * [`e15141a1f`](https://github.com/containerd/containerd/commit/e15141a1fd920da2eb02e9f5f634dcd43592dc8c) Move cgroup namespace placement higher in spec builder
* build(deps): bump the k8s group with 3 updates ([#13107](https://github.com/containerd/containerd/pull/13107))
  * [`46bd9a75c`](https://github.com/containerd/containerd/commit/46bd9a75cd93612396f496018379d70a95d2ccbc) build(deps): bump the k8s group with 3 updates
* build(deps): bump the otel group across 1 directory with 5 updates ([#13109](https://github.com/containerd/containerd/pull/13109))
  * [`ca88ae583`](https://github.com/containerd/containerd/commit/ca88ae583c71616b96ae8ff4523e161a65e3b961) build(deps): bump the otel group across 1 directory with 5 updates
* build(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 ([#13110](https://github.com/containerd/containerd/pull/13110))
  * [`68ba0d02c`](https://github.com/containerd/containerd/commit/68ba0d02c948d43e777167d4c18049246bd7d661) build(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5
* build(deps): bump github.com/containerd/platforms from 1.0.0-rc.2 to 1.0.0-rc.3 ([#13108](https://github.com/containerd/containerd/pull/13108))
  * [`b39efcb82`](https://github.com/containerd/containerd/commit/b39efcb82e35df58716134c8a3553ec46d226f89) build(deps): bump github.com/containerd/platforms
* transfer: fix the differ selection if differ is "" ([#13080](https://github.com/containerd/containerd/pull/13080))
  * [`dc9cb1dfd`](https://github.com/containerd/containerd/commit/dc9cb1dfd5b45546be45f6f26a10fddeddc343da) transfer: fix the differ selection if differ is ""
* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))
  * [`ca7461cbe`](https://github.com/containerd/containerd/commit/ca7461cbe135cc7964727ef98ec7ed09fb485438) Propagate diff ID and parent chain ID via labels in Prepare RPC
* runc-shim: fix exec PID error message and fmt verb ([#13088](https://github.com/containerd/containerd/pull/13088))
  * [`ee7441ddf`](https://github.com/containerd/containerd/commit/ee7441ddfc1d1c42c18fa16656223ba13d12fd2a) runc-shim: fix exec PID error message and fmt verb
* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))
  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api
* Add section about AI and automation in contributor's guide ([#13092](https://github.com/containerd/containerd/pull/13092))
  * [`ac4806383`](https://github.com/containerd/containerd/commit/ac48063835ccf894edec168f9292e4cb71a1558a) Add section about AI and automation in contributor's guide
* build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 ([#13098](https://github.com/containerd/containerd/pull/13098))
  * [`6d31c1875`](https://github.com/containerd/containerd/commit/6d31c1875c845f0a75c1d7d588653ee8d53f5133) build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3
* script/setup: update critools to v1.35.0 ([#13093](https://github.com/containerd/containerd/pull/13093))
  * [`c873059d0`](https://github.com/containerd/containerd/commit/c873059d00c9b2bb632674f8217bcc7fc3a624fa) script/setup: update critools to v1.35.0
* fix linter issues ([#13089](https://github.com/containerd/containerd/pull/13089))
  * [`27f0b1293`](https://github.com/containerd/containerd/commit/27f0b12937b7c8fc04b8a638143b9880f6b2e88d) fix linter issues
* readme: remove announcement for 2.0 ([#13073](https://github.com/containerd/containerd/pull/13073))
  * [`56288d42b`](https://github.com/containerd/containerd/commit/56288d42b904dbee2378de891df0fd7d52badf11) readme: remove announcement for 2.0
* releases: clarify extended support for 1.7 ([#13067](https://github.com/containerd/containerd/pull/13067))
  * [`7eedcb4d9`](https://github.com/containerd/containerd/commit/7eedcb4d949c8b5339d65010108d9147f73a2f3f) releases: clarify extended support for 1.7
* update runc binary to v1.4.1 ([#13057](https://github.com/containerd/containerd/pull/13057))
  * [`a865de1b4`](https://github.com/containerd/containerd/commit/a865de1b43bc9d447edbfda32729ce9941fd6dcf) update runc binary to v1.4.1
* Fix vagrant on CI ([#13055](https://github.com/containerd/containerd/pull/13055))
  * [`85dedefa0`](https://github.com/containerd/containerd/commit/85dedefa091b2dea4a949bcb6146dcef2a81c8cf) Ignore NOCHANGE error
* Prepare release notes for v2.3.0-beta.0 ([#13048](https://github.com/containerd/containerd/pull/13048))
  * [`86d41cdd1`](https://github.com/containerd/containerd/commit/86d41cdd158b0905ae0bc718907607db1e543cf8) Prepare release notes for v2.3.0-beta.0
  * [`93ee55d86`](https://github.com/containerd/containerd/commit/93ee55d86618cfaee8812859cbd6623ba0181da5) Update api version to use v1.11.0-beta.0
  * [`34a6756fa`](https://github.com/containerd/containerd/commit/34a6756fa44be8a7985adfd0a0e7cf1a044427ff) Update mailmap before release
* pkg/shim: Fix NewSocket directory permissions ([#12960](https://github.com/containerd/containerd/pull/12960))
  * [`8f44dc45e`](https://github.com/containerd/containerd/commit/8f44dc45eacd4f66483bb556aff56062ec5cf57e) pkg/shim: Remove Darwin-specific socket permissions
  * [`910631704`](https://github.com/containerd/containerd/commit/910631704eeb5ac337d46c9f8fbf0d117f17e68a) pkg/shim: Fix NewSocket directory permissions
  * [`31c630726`](https://github.com/containerd/containerd/commit/31c6307262aa0562929000c6bffddde6cab7da81) pkg/shim: Add unit tests
* build(deps): bump github.com/containernetworking/plugins from 1.9.0 to 1.9.1 ([#13042](https://github.com/containerd/containerd/pull/13042))
  * [`8c1fe6744`](https://github.com/containerd/containerd/commit/8c1fe67445cde2a066325a1bf450cffd28148355) build(deps): bump github.com/containernetworking/plugins
* build(deps): bump github.com/intel/goresctrl from 0.11.0 to 0.12.0 ([#13043](https://github.com/containerd/containerd/pull/13043))
  * [`4bcb190bf`](https://github.com/containerd/containerd/commit/4bcb190bf60d1c9766ed5c006a8bf89be98e1285) build(deps): bump github.com/intel/goresctrl from 0.11.0 to 0.12.0
* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* Permission denied when attempting os.Chmod the config.Root during server startup ([#12521](https://github.com/containerd/containerd/pull/12521))
  * [`713d21281`](https://github.com/containerd/containerd/commit/713d212811453dde463eed9c2af47417445acd35) containerd operating without root permissions receives a permissions denied error
* golangci-lint: enable modernize linter, and fix modernize for other GOOS ([#13047](https://github.com/containerd/containerd/pull/13047))
  * [`6b58f1344`](https://github.com/containerd/containerd/commit/6b58f13443c0042b13374b85236c596f21bc7a5e) replace some uses of `interface{}` in (go)docs
  * [`bded42c57`](https://github.com/containerd/containerd/commit/bded42c57d43538bcf99906a16b0dae01ad04ee8) golangci-lint: enable modernize linter
  * [`a5cfa74d5`](https://github.com/containerd/containerd/commit/a5cfa74d5e94c5dd0458dd79b8dbbf3494381a6a) integration: modernize: omitzero
  * [`22fd63994`](https://github.com/containerd/containerd/commit/22fd63994e42340129ded0adf845845c50f70800) *: modernize: stringscutprefix
  * [`860d97854`](https://github.com/containerd/containerd/commit/860d97854f594470c0510cbf2986ed148cab74fa) plugins: modernize: plusbuild
  * [`9bdcacc45`](https://github.com/containerd/containerd/commit/9bdcacc45f543ef10737f1701621689142dd58a4) *: modernize: waitgroup
  * [`24012ef8f`](https://github.com/containerd/containerd/commit/24012ef8f6077a9cac726dbfbec2902b8f6733f4) *: modernize: stringscut, stringsseq, slicescontains, fmtappendf
  * [`4dd7c13ac`](https://github.com/containerd/containerd/commit/4dd7c13ac43c700242bdb67f185ee3e4d215d1a6) *: modernize: stringscut, stringsseq
  * [`49a524969`](https://github.com/containerd/containerd/commit/49a5249692e99b97d83646e7847fa32355702344) internal/cri/nri: modernize: mapsloop
  * [`1ed2b15c0`](https://github.com/containerd/containerd/commit/1ed2b15c084ff0e43922ce6b5a52b0364818742c) *: modernize: minmax
  * [`8fcf3a3cf`](https://github.com/containerd/containerd/commit/8fcf3a3cf192f58fc1f4e2b7579a73a5d968e933) *: modernize: rangeint
  * [`9ee303d70`](https://github.com/containerd/containerd/commit/9ee303d70e502b15750f7de834a0ed0e23a21f3d) *: modernize: any
  * [`33dfe461c`](https://github.com/containerd/containerd/commit/33dfe461c265324fe8c336af501f01cb1415becd) internal: modernize: any
  * [`a122afe13`](https://github.com/containerd/containerd/commit/a122afe13bcad816c84823b42f0c982da5e3cac3) cmd: modernize: any
  * [`5ccb35662`](https://github.com/containerd/containerd/commit/5ccb356620fc2b1564f76bbca91b096ff3a49a87) plugins: modernize: any
  * [`73c96c54e`](https://github.com/containerd/containerd/commit/73c96c54eda0783e4967518ac887d442e4fcc400) pkg: modernize: any
* build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 ([#13040](https://github.com/containerd/containerd/pull/13040))
  * [`f1771b336`](https://github.com/containerd/containerd/commit/f1771b3363fdfbe088e1ec8ee66529d12ac77524) build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1
* build(deps): bump golang.org/x/mod from 0.33.0 to 0.34.0 in the golang-x group ([#13038](https://github.com/containerd/containerd/pull/13038))
  * [`e1cb8b372`](https://github.com/containerd/containerd/commit/e1cb8b372dd53771f4899e3e7dbb15d91cefa2b6) build(deps): bump golang.org/x/mod in the golang-x group
* internal/cri/setutils: remove unused, deprecated utils ([#13031](https://github.com/containerd/containerd/pull/13031))
  * [`177241be5`](https://github.com/containerd/containerd/commit/177241be5fc092e4ab4de68f1562d6b181457b0f) internal/cri/setutils: remove unused, deprecated utils
  * [`be7846652`](https://github.com/containerd/containerd/commit/be7846652c064202415504160c3c18ebda481f04) internal/cri/util: replace uses of deprecated String set
* build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 ([#13039](https://github.com/containerd/containerd/pull/13039))
  * [`44474600b`](https://github.com/containerd/containerd/commit/44474600bac162d0de2c8d7569e574b8d6500fc2) build(deps): bump github/codeql-action from 4.32.6 to 4.33.0
* build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 ([#13041](https://github.com/containerd/containerd/pull/13041))
  * [`b5dba0fbc`](https://github.com/containerd/containerd/commit/b5dba0fbc88fdadf10ad236b68eecbb37fdfc654) build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1
* *: modernize code ([#13022](https://github.com/containerd/containerd/pull/13022))
  * [`c2da6482e`](https://github.com/containerd/containerd/commit/c2da6482ebde5964ef55eb350e704dd31fe4a7f5) core: go fix "inline"
  * [`9f016e381`](https://github.com/containerd/containerd/commit/9f016e381a9ee7758d7d297908e3d373f72fb276) core: modernize: omitzero
  * [`a499b17f2`](https://github.com/containerd/containerd/commit/a499b17f21f2e98267eaa673c78a3c970d6d8b12) *: modernize: stringscutprefix
  * [`fc3165188`](https://github.com/containerd/containerd/commit/fc3165188e47a89d7644475a9209a8e9f93c18a6) core: modernize: stringsbuilder
  * [`9a46e30a2`](https://github.com/containerd/containerd/commit/9a46e30a25c75b6a088d7bebc9a2d852e5a40b35) internal: modernize: slicessort
  * [`16e340f32`](https://github.com/containerd/containerd/commit/16e340f3269acaadcbb8e8b44e01391dad590090) *: modernize: plusbuild
  * [`2fd5da21e`](https://github.com/containerd/containerd/commit/2fd5da21ed2357283c8411e9db2e192d1816a362) *: modernize: waitgroup
  * [`78f40c714`](https://github.com/containerd/containerd/commit/78f40c714e06612a58e23ad3d6c9c8db572eaf6f) integration: modernize: any
  * [`26c2ae590`](https://github.com/containerd/containerd/commit/26c2ae5900dec4f9a45336cb566afaf54d57728d) internal: modernize: any
  * [`828c2119e`](https://github.com/containerd/containerd/commit/828c2119e52122d7e2a026d7f3cdaf8141aaed98) pkg: modernize: any
  * [`4b6cc97c4`](https://github.com/containerd/containerd/commit/4b6cc97c4d2bad7f3155bd131618397de56a0036) plugins: modernize: any
  * [`92b0b289e`](https://github.com/containerd/containerd/commit/92b0b289e3a215eee5dfba929b21c493db732419) core: modernize: any
  * [`29030ff92`](https://github.com/containerd/containerd/commit/29030ff927f8f18789da520a1595aa12b779a3ce) cmd: modernize: any
  * [`ff8a70cc0`](https://github.com/containerd/containerd/commit/ff8a70cc0f94cdf77fe2c454e5fc424900ce28e3) client: modernize: any
  * [`cd3d63d91`](https://github.com/containerd/containerd/commit/cd3d63d913390d15b83f086f635bd4b6d860fe9a) *: modernize: fmtappendf
  * [`18c74abd5`](https://github.com/containerd/containerd/commit/18c74abd562c3cdd39f53d27de664e8ade65716f) *: modernize: slicescontains
  * [`1754af311`](https://github.com/containerd/containerd/commit/1754af311e00382a7023d9513650c95a57abcf2a) *: modernize: stringsseq
  * [`b050f47ef`](https://github.com/containerd/containerd/commit/b050f47efc7f1a6b4c017ed6ee512e64fcb71b79) *: modernize: testingcontext
  * [`0ecd8f43e`](https://github.com/containerd/containerd/commit/0ecd8f43edd46e7efabd38ab9f7be1bf2bd9205d) core: modernize: stringscut
  * [`09f7154db`](https://github.com/containerd/containerd/commit/09f7154dbd81b06d445249b93e646ecc6f8b915d) *: modernize: mapsloop
  * [`bc5681028`](https://github.com/containerd/containerd/commit/bc56810287248ced07ea9aebddbf3028bcdef723) client: modernize: mapsloop
  * [`656c48f0e`](https://github.com/containerd/containerd/commit/656c48f0e5f813784b287823565ded40b0b61920) internal: modernize: mapsloop
  * [`7bea4fa95`](https://github.com/containerd/containerd/commit/7bea4fa95420343b44860e78f91d0cbf29c5e538) core: modernize: mapsloop
  * [`5dd377a6a`](https://github.com/containerd/containerd/commit/5dd377a6aedeb8710f1f13e5edcbb733f953c54c) pkg: modernize: mapsloop
  * [`0d0e77640`](https://github.com/containerd/containerd/commit/0d0e77640862c607a5c8a6b81311637e6403f655) internal: modernize: minmax
  * [`73e83de4b`](https://github.com/containerd/containerd/commit/73e83de4b9a1bcf8dee47e6e7a229335ca3b536d) *: modernize: rangeint
  * [`3723a6709`](https://github.com/containerd/containerd/commit/3723a67092680f389ef6a6a007d4bfbb3617cf2d) core: modernize: rangeint
  * [`b35d9ea92`](https://github.com/containerd/containerd/commit/b35d9ea9298ae6dfa2b2f576a3ebd967764fce5c) plugins: modernize: rangeint
  * [`96326ad1f`](https://github.com/containerd/containerd/commit/96326ad1f710b46f047facf42b9eec5979009d53) internal: modernize: rangeint
  * [`335422129`](https://github.com/containerd/containerd/commit/3354221293c0e6dd842f70eda4e3a6b2ba1c8ba4) pkg: modernize: rangeint
* fix: correct typos found by codespell ([#13018](https://github.com/containerd/containerd/pull/13018))
  * [`aa600f65d`](https://github.com/containerd/containerd/commit/aa600f65dd8f1e3447e9730e6f0bc0c3cc69a325) fix: correct typos found by codespell
* nri: add dependency on internal tracing plugin ([#12947](https://github.com/containerd/containerd/pull/12947))
  * [`3e9f21c43`](https://github.com/containerd/containerd/commit/3e9f21c4390d9cc5553b8cccc875a981874261c3) nri: add dependency on internal tracing plugin
* Update EROFS snapshotter documentation ([#13029](https://github.com/containerd/containerd/pull/13029))
  * [`255ed2c18`](https://github.com/containerd/containerd/commit/255ed2c18383d1f8eb1c231bd683b66566b6c232) snapshots/erofs: Update EROFS snapshotter documentation
* Avoid ineffective chown on create snapshot when in erofs snapshotter ([#13028](https://github.com/containerd/containerd/pull/13028))
  * [`b2eeb8635`](https://github.com/containerd/containerd/commit/b2eeb8635ebe90dc3a851849604eb93475536a63) snapshotter/erofs: avoid ineffective chown on create snapshot when in block mode
* core/remotes/docker: include "method" and "url" in logs, and sanitize URLs in logs/errors ([#12859](https://github.com/containerd/containerd/pull/12859))
  * [`642be181d`](https://github.com/containerd/containerd/commit/642be181dce56fceaef63a4e432195a1019e124b) core/remotes/docker: include "method" and "url" in logs
  * [`64cc8cdec`](https://github.com/containerd/containerd/commit/64cc8cdec1b022197eef44a196b0c19db8d684df) core/remotes/docker: add request.sanitizedURL for logging and errors
* build(deps): bump crazy-max/ghaction-github-runtime from 3.1.0 to 4.0.0 ([#12965](https://github.com/containerd/containerd/pull/12965))
  * [`5d6032f8a`](https://github.com/containerd/containerd/commit/5d6032f8a2f914728b3de59c69e49a487da4fd0c) build(deps): bump crazy-max/ghaction-github-runtime from 3.1.0 to 4.0.0
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
  * [`0d7fee062`](https://github.com/containerd/containerd/commit/0d7fee0623430b8bf8ad6d48cd217b7b92ff1979) Update plugin config migration to run on load
* fix(oci): apply absolute symlink resolution to /etc/group ([#12925](https://github.com/containerd/containerd/pull/12925))
  * [`fc406dbc5`](https://github.com/containerd/containerd/commit/fc406dbc5ce50d05e37557e58eb00106d416b014) fix(oci): apply absolute symlink resolution to /etc/group
* build(deps): bump the k8s group across 1 directory with 4 updates ([#13003](https://github.com/containerd/containerd/pull/13003))
  * [`c8039838e`](https://github.com/containerd/containerd/commit/c8039838ee7983978da522412a0db440660720c0) build(deps): bump the k8s group across 1 directory with 4 updates
* build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 ([#13001](https://github.com/containerd/containerd/pull/13001))
  * [`78777c33a`](https://github.com/containerd/containerd/commit/78777c33a62732cc7b910cc2eb69148afea09892) build(deps): bump github/codeql-action from 4.32.5 to 4.32.6
* build(deps): bump the golang-x group with 3 updates ([#13002](https://github.com/containerd/containerd/pull/13002))
  * [`f6957abcb`](https://github.com/containerd/containerd/commit/f6957abcb8e96a5219fc48c42d87c1cbe9772254) build(deps): bump the golang-x group with 3 updates
* build(deps): bump docker/login-action from 3.7.0 to 4.0.0 ([#13000](https://github.com/containerd/containerd/pull/13000))
  * [`b77ab0238`](https://github.com/containerd/containerd/commit/b77ab0238165fa15552ab7eeb02c6b6ade684382) build(deps): bump docker/login-action from 3.7.0 to 4.0.0
* build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 ([#13004](https://github.com/containerd/containerd/pull/13004))
  * [`8e13c9df6`](https://github.com/containerd/containerd/commit/8e13c9df655f88e65076bf0e3c80961cffbfdf7f) build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2
* deprecations: delay to 2.4 per Upgrade Path rules ([#13009](https://github.com/containerd/containerd/pull/13009))
  * [`b0eb3e51b`](https://github.com/containerd/containerd/commit/b0eb3e51b9195b5627c987506db54e8da2d68f5b) deprecations: delay to 2.4 per Upgrade Path rules
* docs: update outdated content fetch help text ([#13016](https://github.com/containerd/containerd/pull/13016))
  * [`01d094d66`](https://github.com/containerd/containerd/commit/01d094d663386d8e8fcb2a2943f2e4bd11e7a664) docs: update outdated content fetch help text
* update to go1.25.8, test go1.26.1 ([#12985](https://github.com/containerd/containerd/pull/12985))
  * [`38b3e4c4a`](https://github.com/containerd/containerd/commit/38b3e4c4aa6b39518c7eb2e86376099fe195ea82) update to go1.25.8, test go1.26.1
* build(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 ([#12999](https://github.com/containerd/containerd/pull/12999))
  * [`0a3d8ba54`](https://github.com/containerd/containerd/commit/0a3d8ba54d69832fe9934900287854b1750db62e) build(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0
* streaming io: fix connection residual after stream closed ([#10458](https://github.com/containerd/containerd/pull/10458))
  * [`b84751126`](https://github.com/containerd/containerd/commit/b84751126e66937a4c1d4d452d538f9b41a01866) streaming io: fix connection residual after stream closed
* fix migrated cri image config when using registry ([#12617](https://github.com/containerd/containerd/pull/12617))
  * [`1d77b68f0`](https://github.com/containerd/containerd/commit/1d77b68f0e6f5fa93d93b66c45322eb20edec476) set default config_path in plugin init
* Update ttrpc to v1.2.8 ([#12977](https://github.com/containerd/containerd/pull/12977))
  * [`d6808b71a`](https://github.com/containerd/containerd/commit/d6808b71a11527071ff33680a6e832f182d97ed9) Update ttrpc to v1.2.8
* Introduce Windows Arm64 build in CI workflow ([#12974](https://github.com/containerd/containerd/pull/12974))
  * [`62f479a53`](https://github.com/containerd/containerd/commit/62f479a53c2bcee076e7198bb2d7143385d47d50) Introduce Windows Arm64 build in CI workflow
* build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 ([#12966](https://github.com/containerd/containerd/pull/12966))
  * [`44b885251`](https://github.com/containerd/containerd/commit/44b8852514c8e2ddd5612eaece1a726425878c4d) build(deps): bump github/codeql-action from 4.32.4 to 4.32.5
* Fix TOCTOU race bug in tar extraction ([#12961](https://github.com/containerd/containerd/pull/12961))
  * [`ba50a5645`](https://github.com/containerd/containerd/commit/ba50a5645c1d84b23501499c386010400b66a893) Fix TOCTOU race bug in tar extraction
* release: update per 2026 proposal ([#12830](https://github.com/containerd/containerd/pull/12830))
  * [`988c06f3c`](https://github.com/containerd/containerd/commit/988c06f3c06ecda9a97919ab146fb68bb40f2b7b) release: update per 2026 proposal
* build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 ([#12967](https://github.com/containerd/containerd/pull/12967))
  * [`fa804247e`](https://github.com/containerd/containerd/commit/fa804247e61ec823d58aee10f69047e7571ac375) build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0
* build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 ([#12934](https://github.com/containerd/containerd/pull/12934))
  * [`8384fb8db`](https://github.com/containerd/containerd/commit/8384fb8db2ab4d5e99a1543d92f32faa0f0adee7) build(deps): bump github/codeql-action from 4.32.3 to 4.32.4
* ci: modprobe xt_comment on almalinux ([#12950](https://github.com/containerd/containerd/pull/12950))
  * [`428749270`](https://github.com/containerd/containerd/commit/4287492700821c7ee8dab3ef8d099174d1654fda) ci: modprobe xt_comment on almalinux
* ci: fix critools version used in windows tests ([#12845](https://github.com/containerd/containerd/pull/12845))
  * [`6464c7a2c`](https://github.com/containerd/containerd/commit/6464c7a2c9a0eae2ff67a16cc6f87a69c0a89958) ci: use common cri-tools version for windows tests
* core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values ([#12941](https://github.com/containerd/containerd/pull/12941))
  * [`1466c5319`](https://github.com/containerd/containerd/commit/1466c531960cdbc7cb5e2837fa0b209deb432d83) core/mount: add test for getUnprivilegedMountFlags
  * [`5d3b3447c`](https://github.com/containerd/containerd/commit/5d3b3447c7667d826eec59f9580c947ff24ecec6) core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
  * [`d7d7b10f9`](https://github.com/containerd/containerd/commit/d7d7b10f99d950990b1d6a56e468e186970a2e53) Use new filtered cgroup stats API
* build(deps): bump actions/stale from 10.1.1 to 10.2.0 ([#12935](https://github.com/containerd/containerd/pull/12935))
  * [`4f2b8e455`](https://github.com/containerd/containerd/commit/4f2b8e455a8c98138702b6a20f8ae147b0a4135f) build(deps): bump actions/stale from 10.1.1 to 10.2.0
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
  * [`871d58ca8`](https://github.com/containerd/containerd/commit/871d58ca8203caa5e53539e60927372bad7d8a8c) cri: unpack images with per-layer labels for runtime-specific snapshotters
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* fix: propagate `context deadline exceeded` error properly ([#12821](https://github.com/containerd/containerd/pull/12821))
  * [`f078cebbd`](https://github.com/containerd/containerd/commit/f078cebbd11b16cd52559598e7bd778b1cc06e2a) fix: propagate `context deadline exceeded` error properly
* cri: propagate runtime-specific snapshotters to image service ([#12836](https://github.com/containerd/containerd/pull/12836))
  * [`e9622481f`](https://github.com/containerd/containerd/commit/e9622481f067ef09ba590a80b30628185fb28935) cri: propagate runtime-specific snapshotters to image service
* Makefile: assorted cleanups ([#12916](https://github.com/containerd/containerd/pull/12916))
  * [`d63c1dd1f`](https://github.com/containerd/containerd/commit/d63c1dd1f06a8c4464fbb6385e227d89a1181f0a) Makefile: use "-C" flag, and evaluate once
  * [`43cf58a28`](https://github.com/containerd/containerd/commit/43cf58a289a9a63af5262fac5df670f7a1adeede) Makefile: fix indentation
  * [`1f0f18f92`](https://github.com/containerd/containerd/commit/1f0f18f92c694379fd27ab3f5446221158ec652d) Makefile: remove redundant grep for vendor, integration
  * [`7ffccac5c`](https://github.com/containerd/containerd/commit/7ffccac5cc3a06488a18d0aa192d699de525e025) Makefile: remove trailing slash from ROOTDIR
* Make linter for release branches happy ([#12928](https://github.com/containerd/containerd/pull/12928))
  * [`ce1c42baa`](https://github.com/containerd/containerd/commit/ce1c42baa788317fff97a80c7ebb05d1064ce638) make linter happy in release
* Remove image service dependency from podsandbox controller ([#12849](https://github.com/containerd/containerd/pull/12849))
  * [`151f82e57`](https://github.com/containerd/containerd/commit/151f82e57cd3ce4d0719ace3c806952690dbea4e) Fix ambiguous selector c.Config
  * [`842528d86`](https://github.com/containerd/containerd/commit/842528d86f5c7ff9554686e2313332b66cce008a) Move pause container pulling to CRI
  * [`dc897c5b2`](https://github.com/containerd/containerd/commit/dc897c5b285d8cb7bb2f9c68f255d3949129674e) Remove LocalResolve dependency from Controller
  * [`01a85de2c`](https://github.com/containerd/containerd/commit/01a85de2c6a20795de67305b327d19ca4569602b) Fetch image from containerd store instead of CRI in-memory store
  * [`13e791ef8`](https://github.com/containerd/containerd/commit/13e791ef8e9a87bdc8ed027279efa96453a0eda3) Remove GetImage dependency from Controller
* Fix CNI issue where CNI DEL is never executed ([#12923](https://github.com/containerd/containerd/pull/12923))
  * [`96dee5f64`](https://github.com/containerd/containerd/commit/96dee5f6440d147042aa61d7da2a7d10bcabbce5) add integration test for cni result nil
  * [`1092b85a8`](https://github.com/containerd/containerd/commit/1092b85a8ce13fb0ec72b1e232b6a781ccef9214) address comment
  * [`0b8471953`](https://github.com/containerd/containerd/commit/0b8471953764e4e490a11d77db0386ec622c6642) fix issue where cni del is never executed
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
  * [`090def056`](https://github.com/containerd/containerd/commit/090def05676db0c6518c3c2adaad7da49bb06161) Remove vendor lister and update tests
  * [`7035fe813`](https://github.com/containerd/containerd/commit/7035fe813d042c01f99fcd458c61eca493d97f61) Add unit tests for gpuDeviceNames anddetectGPUVendor
  * [`ab1a24989`](https://github.com/containerd/containerd/commit/ab1a24989f0abb70c8aebf82d7b27998b42b058f) Detect vendor in cdi specs to generate deviceIDs for --gpus
* cmd: fix inconsistencies in command-line flags, and add missing `--version` flags ([#12868](https://github.com/containerd/containerd/pull/12868))
  * [`e5ae0a882`](https://github.com/containerd/containerd/commit/e5ae0a8828e830b75bc51905bdfb5f11ef7d5f6d) cmd/shim: containerd-shim-runc-v2: add long-form '--version' flag
  * [`0edde8fde`](https://github.com/containerd/containerd/commit/0edde8fde85e8a6a38fb1e2f870b0a45d2d1955c) cmd/containerd-stress: enable '--version' flag
  * [`5fde7662f`](https://github.com/containerd/containerd/commit/5fde7662f1a5ec0ee776abe77dbec032f3957510) cmd/*: don't print default value for '--help' and '--version'
* add check on version of drop in configs ([#12891](https://github.com/containerd/containerd/pull/12891))
  * [`d40192b64`](https://github.com/containerd/containerd/commit/d40192b64af82c112fa7ee091ecd25c829066da1) assert exact error while loading drop in config
  * [`21248d007`](https://github.com/containerd/containerd/commit/21248d00762ec572772c41e3bbb69a518e0a0eaf) add check on version of drop in configs
* Don't bail out if no image verifiers available ([#12893](https://github.com/containerd/containerd/pull/12893))
  * [`634401d24`](https://github.com/containerd/containerd/commit/634401d24c46cb8598cd3ea3fc0b500679ff83f5) Don't bail out if no image verifiers available
* cmd/protoc-gen-go-fieldpath: add support for optional fields ([#12915](https://github.com/containerd/containerd/pull/12915))
  * [`5ef537b38`](https://github.com/containerd/containerd/commit/5ef537b3876bca101789a0ceba7d0265510843bc) cmd/protoc-gen-go-fieldpath: add support for optional fields
* contrib/apparmor: fix /proc/sys rule ([#12904](https://github.com/containerd/containerd/pull/12904))
  * [`509882742`](https://github.com/containerd/containerd/commit/50988274259ca48c3b3716bd756a7cf7ad8c1cef) contrib/apparmor: fix /proc/sys rule
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`58c5ab444`](https://github.com/containerd/containerd/commit/58c5ab44423bfc69b395eb5a67723067463af7a9) Update proto
  * [`528a2bada`](https://github.com/containerd/containerd/commit/528a2bada6686fa8f3506ae3bbf72a4821618b49) Add lifecycle workaround to NRI
  * [`7474a0b2b`](https://github.com/containerd/containerd/commit/7474a0b2b53a4f61d2106d12fc1759e0cab7a6ad) Fix fetching sandbox metadata
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
  * [`41f92ec37`](https://github.com/containerd/containerd/commit/41f92ec37ca07567e891283a995884c0e68a5fa8) Remove sandbox Container field from metadata
* ci: add build/test go1.26.0, drop go1.24 ([#12844](https://github.com/containerd/containerd/pull/12844))
  * [`1f84d27c3`](https://github.com/containerd/containerd/commit/1f84d27c307f6f7fb151c65460567b6890ce4869) update golangci-lint to v2.9.0 with go1.26 support
  * [`e4320e6cf`](https://github.com/containerd/containerd/commit/e4320e6cf5b12b23bf1fa28f453f815c1c8b315b) remove windows/arm from cross build
  * [`9a0c5f1f0`](https://github.com/containerd/containerd/commit/9a0c5f1f025bed70ff839a1915aff455be203980) ci: build/test go1.26.0
* contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem ([#12905](https://github.com/containerd/containerd/pull/12905))
  * [`f45a70121`](https://github.com/containerd/containerd/commit/f45a70121c344c88852566c3b6c0378491eb1fd0) contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem
* build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 ([#12910](https://github.com/containerd/containerd/pull/12910))
  * [`0737b36c7`](https://github.com/containerd/containerd/commit/0737b36c7004f8c765118efb88a322fcdc61f3d5) build(deps): bump github/codeql-action from 4.32.2 to 4.32.3
* build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1 ([#12912](https://github.com/containerd/containerd/pull/12912))
  * [`968dccdfc`](https://github.com/containerd/containerd/commit/968dccdfc7e79deafdea16a395192fefb2306638) build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1
* build(deps): bump github.com/containerd/cgroups/v3 from 3.1.2 to 3.1.3 ([#12911](https://github.com/containerd/containerd/pull/12911))
  * [`ddeef9938`](https://github.com/containerd/containerd/commit/ddeef99380a0e7a6d8db62db59d0053a985fe12f) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.2 to 3.1.3
* install-dev-tools: update protoc-gen-go-ttrpc to v1.2.7 ([#12914](https://github.com/containerd/containerd/pull/12914))
  * [`102bf8626`](https://github.com/containerd/containerd/commit/102bf8626ad6d9f9b0c2a5153178f6ee1693a6d5) install-dev-tools: update protoc-gen-go-ttrpc to v1.2.7
* Fix dupwords ([#12909](https://github.com/containerd/containerd/pull/12909))
  * [`3c64bf76d`](https://github.com/containerd/containerd/commit/3c64bf76d085a975f9ea8e9320d25df4fd90cb3d) docs: fix dupword
  * [`912a34ad0`](https://github.com/containerd/containerd/commit/912a34ad06d23a870b19adc6ed3e30befb32f753) script/test: fix dupword
  * [`ebb6908bf`](https://github.com/containerd/containerd/commit/ebb6908bf6bc62cace69b926a1a9f3e43a063e08) integration: fix dupword
* integration: Fix TestImageLoad() failure on CI ([#12903](https://github.com/containerd/containerd/pull/12903))
  * [`fafbfcb8c`](https://github.com/containerd/containerd/commit/fafbfcb8c7cbc9db7fd51b679432e188fe603dce) integration: Fix TestImageLoad() failure on CI
* build(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4 ([#12879](https://github.com/containerd/containerd/pull/12879))
  * [`a46ab1811`](https://github.com/containerd/containerd/commit/a46ab1811d3f8afc58453b37dcda8be0b21816fb) build(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4
* build(deps): bump the golang-x group with 2 updates ([#12878](https://github.com/containerd/containerd/pull/12878))
  * [`4514f47be`](https://github.com/containerd/containerd/commit/4514f47bea67d33ce8355c23a1d6ddc376a49061) build(deps): bump the golang-x group with 2 updates
* cri: Fix image volumes with user namespaces ([#12816](https://github.com/containerd/containerd/pull/12816))
  * [`db9546b6d`](https://github.com/containerd/containerd/commit/db9546b6df3671efe1a5727f43ba925531362354) cri: Fix image volumes with user namespaces
* build(deps): bump github/codeql-action from 4.32.1 to 4.32.2 ([#12880](https://github.com/containerd/containerd/pull/12880))
  * [`7505e768d`](https://github.com/containerd/containerd/commit/7505e768de6fe992da7edc03c6a903896b720aec) build(deps): bump github/codeql-action from 4.32.1 to 4.32.2
* build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 ([#12823](https://github.com/containerd/containerd/pull/12823))
  * [`cf9b7d4fb`](https://github.com/containerd/containerd/commit/cf9b7d4fbfef4b04d5a540a3b9e797420fe0c217) build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0
* apparmor: explicitly set abi/3.0 ([#12864](https://github.com/containerd/containerd/pull/12864))
  * [`a6f03a7d5`](https://github.com/containerd/containerd/commit/a6f03a7d56411648c2e97085ae8e120120c06b6b) apparmor: explicitly set abi/3.0
* contrib/Dockerfile: remove proto3 (protobuf) stage ([#12866](https://github.com/containerd/containerd/pull/12866))
  * [`8ad06b278`](https://github.com/containerd/containerd/commit/8ad06b27840f9e734dedbfadb284f61d0fb08131) contrib/Dockerfile: remove proto3 (protobuf) stage
* update to go1.24.13, go1.25.7 ([#12869](https://github.com/containerd/containerd/pull/12869))
  * [`1551986af`](https://github.com/containerd/containerd/commit/1551986af47067488deaa7428d04e6f89d3b6d36) update to go1.24.13, go1.25.7
* build(deps): bump github.com/checkpoint-restore/checkpointctl from 1.4.0 to 1.5.0 ([#12825](https://github.com/containerd/containerd/pull/12825))
  * [`3aac3eaef`](https://github.com/containerd/containerd/commit/3aac3eaefff6da3468bb426fc253ab801806ca0e) build(deps): bump github.com/checkpoint-restore/checkpointctl
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
  * [`3defa1229`](https://github.com/containerd/containerd/commit/3defa1229beed8b664b8c18b83d3806d6405ea26) Use buf to format proto files
* cri: use mount manager when image has volumes ([#12847](https://github.com/containerd/containerd/pull/12847))
  * [`eeb50b0e9`](https://github.com/containerd/containerd/commit/eeb50b0e9ad2932fed1ee05f42165d627a0230ed) cri: use mount manager when image has volumes
* script/critest.sh: always skip OOMKilled on systemd cgroup ([#12819](https://github.com/containerd/containerd/pull/12819))
  * [`c3ba452cf`](https://github.com/containerd/containerd/commit/c3ba452cf03ab23bbefed000248cb8a46b3933e1) script/critest.sh: always skip OOMKilled on systemd cgroup
* build(deps): bump docker/login-action from 3.6.0 to 3.7.0 ([#12852](https://github.com/containerd/containerd/pull/12852))
  * [`3f32d77ee`](https://github.com/containerd/containerd/commit/3f32d77ee090cdec6a7fa6fa495627cfebc333fb) build(deps): bump docker/login-action from 3.6.0 to 3.7.0
* build(deps): bump github/codeql-action from 4.31.10 to 4.32.1 ([#12850](https://github.com/containerd/containerd/pull/12850))
  * [`e00bd606d`](https://github.com/containerd/containerd/commit/e00bd606d8dfd76775dc38b73c66080840df40bc) build(deps): bump github/codeql-action from 4.31.10 to 4.32.1
* build(deps): bump actions/cache from 5.0.2 to 5.0.3 ([#12851](https://github.com/containerd/containerd/pull/12851))
  * [`0be2e1b50`](https://github.com/containerd/containerd/commit/0be2e1b50f4492d2db0c57bd597464bfbf3a9b5a) build(deps): bump actions/cache from 5.0.2 to 5.0.3
* build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0 ([#12854](https://github.com/containerd/containerd/pull/12854))
  * [`74b21a939`](https://github.com/containerd/containerd/commit/74b21a93931e7f2f6cb708e081e21b0e57fbc5e7) build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0
* pkg/sys: Create user namespace as the container's initial user namesp… ([#12317](https://github.com/containerd/containerd/pull/12317))
  * [`59cc4cc49`](https://github.com/containerd/containerd/commit/59cc4cc49dbcec791c981548ea849578cb445bf2) pkg/sys: Let more environments create user namespace as the initial user
  * [`42ce92b22`](https://github.com/containerd/containerd/commit/42ce92b2220012180207c5706dbece34436aad5f) pkg/sys: Create user namespace as the container's initial user namespace user
* ci: add retry logic for Fedora Vagrant box download ([#12856](https://github.com/containerd/containerd/pull/12856))
  * [`e1ab55296`](https://github.com/containerd/containerd/commit/e1ab55296a754e50f4b23f7dbff3ea6121c57a70) ci: add retry logic for Fedora Vagrant box download
* ci: set fetch-depth for containerd to 0 for version parsing ([#12855](https://github.com/containerd/containerd/pull/12855))
  * [`3f133acd4`](https://github.com/containerd/containerd/commit/3f133acd427066b37e51dcd8252afac00ddfebdc) set fetch-depth for containerd to 0 for version parsing
* ci: bump go 1.24.12, 1.25.6 ([#12843](https://github.com/containerd/containerd/pull/12843))
  * [`bde3deac7`](https://github.com/containerd/containerd/commit/bde3deac7e4699c5041f2b35916388f4ea6171c4) ci: bump go 1.24.12, 1.25.6
* Fix ctr image mount failing with no such device ([#12581](https://github.com/containerd/containerd/pull/12581))
  * [`776e50aa2`](https://github.com/containerd/containerd/commit/776e50aa219c6c7684dc08980c084722a9ab942f) core/mount/manager: fix bind mount missing rbind option
  * [`d2593b647`](https://github.com/containerd/containerd/commit/d2593b64778a22e8c516051ac99ba4429f0d3e9b) core/mount/manager: add tests for WithTemporary option
* erofs: Log mkfs command at Debug level ([#12826](https://github.com/containerd/containerd/pull/12826))
  * [`220108e1c`](https://github.com/containerd/containerd/commit/220108e1cfbd8f14f3d3f8aafe60802df87c1869) erofs: Log mkfs command at Debug level
* CI: add almalinux/10 ([#12827](https://github.com/containerd/containerd/pull/12827))
  * [`ff0c2d172`](https://github.com/containerd/containerd/commit/ff0c2d17293b03cbbfdeb566681d398de4770a7f) CI: add almalinux/10
* .github: re-enable windows image pull/list tests ([#12818](https://github.com/containerd/containerd/pull/12818))
  * [`ce9f3ad8e`](https://github.com/containerd/containerd/commit/ce9f3ad8e48b76fa44b83ab39b4901f1efd73ed5) .github: re-enable windows image pull/list tests
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
  * [`2470af56e`](https://github.com/containerd/containerd/commit/2470af56e40bb2c8a3f854025bcdfbb42fb9cab5) Update TestToCRIContainer test
  * [`b8c76199d`](https://github.com/containerd/containerd/commit/b8c76199d1e5064f9bc41e8701199500b17bb8da) cri: populate ImageId field in container status
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Fix go mod replace and sync with latest api changes ([#12789](https://github.com/containerd/containerd/pull/12789))
  * [`992597bfe`](https://github.com/containerd/containerd/commit/992597bfe9ffb750ec01d956f3ff515d51025043) Fix TTRPC prefix
  * [`8c782cd19`](https://github.com/containerd/containerd/commit/8c782cd1971e4f3442f78cfad063b9c30edc129e) Revendor latest api changes
  * [`c895e1ed4`](https://github.com/containerd/containerd/commit/c895e1ed40090fe4ec10c17b769fe5d6962419a3) Remove check-api-descriptors target
  * [`ce045ca2f`](https://github.com/containerd/containerd/commit/ce045ca2f5f6ca307733c221b510c90fdf636259) Fix go mod replace
* stability: multipart fetch pool ([#12205](https://github.com/containerd/containerd/pull/12205))
  * [`e86523ecd`](https://github.com/containerd/containerd/commit/e86523ecdbabb675969bb683047defe526595fdf) multipart fetch stability fixes
* erofs-differ: use same UUID append style in tar index mode as tar conversion mode ([#12782](https://github.com/containerd/containerd/pull/12782))
  * [`52a92e83f`](https://github.com/containerd/containerd/commit/52a92e83f0cc9ff262e4fe2f64e7454ed3959682) erofs-differ: use same UUID append style in tar index mode as tar conversion mode
* erofs: Move immutable file handling before storage.Remove ([#12807](https://github.com/containerd/containerd/pull/12807))
  * [`cf7cb3c35`](https://github.com/containerd/containerd/commit/cf7cb3c35e72531ceae9929b8ad8ea008a01bb8f) erofs: Move immutable file handling before storage.Remove
* fix: sanitize error before gRPC return to prevent credential leak in pod events ([#12801](https://github.com/containerd/containerd/pull/12801))
  * [`7b11d6cae`](https://github.com/containerd/containerd/commit/7b11d6cae471a6e33d70ed662dfd781594838aaf) fix: sanitize error before gRPC return to prevent credential leak in pod events
* build(deps): bump github.com/klauspost/compress from 1.18.2 to 1.18.3 ([#12797](https://github.com/containerd/containerd/pull/12797))
  * [`92955bf4c`](https://github.com/containerd/containerd/commit/92955bf4c39bfd35ce51bc4ee563e253c9f3e8a8) build(deps): bump github.com/klauspost/compress from 1.18.2 to 1.18.3
* build(deps): bump actions/cache from 5.0.1 to 5.0.2 ([#12798](https://github.com/containerd/containerd/pull/12798))
  * [`7a0c8d906`](https://github.com/containerd/containerd/commit/7a0c8d906e4fc220d77cbb029a09f6c6e407b67b) build(deps): bump actions/cache from 5.0.1 to 5.0.2
* build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 ([#12799](https://github.com/containerd/containerd/pull/12799))
  * [`94de254cb`](https://github.com/containerd/containerd/commit/94de254cbc3e8e9a8c690049c8494f52710a8d02) build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4
* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))
  * [`f873e4d3c`](https://github.com/containerd/containerd/commit/f873e4d3c2b36b05fd2244940ea80672e618bb88) plugins/mount/erofs: use fsmount API to avoid PAGE_SIZE limit
* fix: typo in comment ([#12795](https://github.com/containerd/containerd/pull/12795))
  * [`e066861ac`](https://github.com/containerd/containerd/commit/e066861ac7e23d1fe3715ac4146accef77a776d8) fix: typo in comment
*  cri/podsandbox: reduce dependencies to internal CRI APIs ([#12773](https://github.com/containerd/containerd/pull/12773))
  * [`7ef50accc`](https://github.com/containerd/containerd/commit/7ef50acccf917a7d006a6069dced7d9de2e26a07) Reduce ImageService interface dependencies
* fix(oci): handle absolute symlinks in rootfs user lookup ([#12732](https://github.com/containerd/containerd/pull/12732))
  * [`9bbb1309f`](https://github.com/containerd/containerd/commit/9bbb1309f051e54b51484fa0efbfe93e26223a2d) test(oci): use fstest and mock fs for better symlink coverage
  * [`85b5418ef`](https://github.com/containerd/containerd/commit/85b5418ef5a6adeac95c910bf8c33ae0fb7bbecb) fix(oci): handle absolute symlinks in rootfs user lookup
* command: show help and exit on unknown positional arguments ([#12748](https://github.com/containerd/containerd/pull/12748))
  * [`677e991bb`](https://github.com/containerd/containerd/commit/677e991bb539858a954b95e7a8e2980c3ec96f57) command: show help and exit on unknown positional arguments
* content: ensure root directory exists before checking fs-verity support ([#12416](https://github.com/containerd/containerd/pull/12416))
  * [`5f0f0dcaa`](https://github.com/containerd/containerd/commit/5f0f0dcaac13a5370a28a42ada9fd6be246ee807) content: ensure root directory exists before checking fs-verity support
* snapshotservice: add WithParent handling for Commit + tests ([#12755](https://github.com/containerd/containerd/pull/12755))
  * [`01fa05731`](https://github.com/containerd/containerd/commit/01fa05731f1abaa2ef5d230ab0b7cbde9eed57c1) Add Parent option handling in Commit method and tests
* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
  * [`b0bd04b04`](https://github.com/containerd/containerd/commit/b0bd04b0469b28ed0cb1f4d21682e34caf7e45f3) cri,nri: pass container user (uid, gids) to plugins.
* cri: fix create container panic if originalAnnotations is nil ([#12763](https://github.com/containerd/containerd/pull/12763))
  * [`9018c75d5`](https://github.com/containerd/containerd/commit/9018c75d5d720175d438fa1c8ee08803c451737c) cri: fix create container panic if originalAnnotations is nil when restore container
* Detect breaking API changes in proto files ([#12776](https://github.com/containerd/containerd/pull/12776))
  * [`1b4f588f3`](https://github.com/containerd/containerd/commit/1b4f588f3f8e263049cc91d764b3693ac672f12b) Detect breaking API changes in protos
* build(deps): bump the golang-x group with 2 updates ([#12778](https://github.com/containerd/containerd/pull/12778))
  * [`ddb6b166e`](https://github.com/containerd/containerd/commit/ddb6b166e320805b92b74aff9a5ae8f999abc7dc) build(deps): bump the golang-x group with 2 updates
* build(deps): bump github/codeql-action from 4.31.9 to 4.31.10 ([#12779](https://github.com/containerd/containerd/pull/12779))
  * [`ac70789ec`](https://github.com/containerd/containerd/commit/ac70789ec8c72cb74dcf98152ae2e85c6f826abc) build(deps): bump github/codeql-action from 4.31.9 to 4.31.10
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
  * [`cfec4b30a`](https://github.com/containerd/containerd/commit/cfec4b30a72d8a37f39d1981ccfcf3e3e82bebc9) cri,nri: pass seccomp policy to plugins.
* cri,nri: pass any POSIX rlimits to plugins. ([#12765](https://github.com/containerd/containerd/pull/12765))
  * [`7b85525cf`](https://github.com/containerd/containerd/commit/7b85525cfee51d0b306cd1e1278e21365077213a) cri,nri: pass any POSIX rlimits to plugins.
* cri: fix checkpoint failed with short id ([#12758](https://github.com/containerd/containerd/pull/12758))
  * [`0dc958229`](https://github.com/containerd/containerd/commit/0dc9582295d8df173c714f762375a4b624185ae9) cri: fix checkpoint failed with short id
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
  * [`695c91324`](https://github.com/containerd/containerd/commit/695c91324a2bf5d908bfca9f0235c6ed2b198cd9) cri,nri: pass extended container status to NRI.
* Remove protoc dependency from BUILDING.md ([#12771](https://github.com/containerd/containerd/pull/12771))
  * [`19f39fee6`](https://github.com/containerd/containerd/commit/19f39fee6f40889e8072fdeec9fefc2887eff432) Remove protoc dependency from BUILDING.md
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
  * [`98a2e8876`](https://github.com/containerd/containerd/commit/98a2e8876737883e7603f2c5ad9125c17dfb57a7) cri,nri: pass injected CDI devices to plugins.
* cri,nri: pass linux sysctl to plugins. ([#12766](https://github.com/containerd/containerd/pull/12766))
  * [`250388dcd`](https://github.com/containerd/containerd/commit/250388dcd919346ee9da3d382cd1833ad8e7f733) cri,nri: pass linux sysctl to plugins.
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`f87550d06`](https://github.com/containerd/containerd/commit/f87550d0686a0db65ff40b2e527da2caf7385331) Install buf from install-dev-tools
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`248ee80fa`](https://github.com/containerd/containerd/commit/248ee80faba967270dd68e0f341bc85febd9e7e7) Remove GOPATH workaround from Makefile
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`edb3e0869`](https://github.com/containerd/containerd/commit/edb3e0869706fa0d058f8530f7b563af9310eec3) Remove protobuf
  * [`aca62ae10`](https://github.com/containerd/containerd/commit/aca62ae10d7a26a7fbf9c178e4c458ffd746db5d) Install buf on demand via go install
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
  * [`e63f1d3ab`](https://github.com/containerd/containerd/commit/e63f1d3ab40ae351f85461265978a9c58ebffba1) Use buf to generate proto code
* Add erofs idmap support ([#12433](https://github.com/containerd/containerd/pull/12433))
  * [`9b50650d5`](https://github.com/containerd/containerd/commit/9b50650d5c492962f5da15ff261c7d168736e741) snapshots/erofs: Support idmap mounts
  * [`552500360`](https://github.com/containerd/containerd/commit/552500360870ba8706a9f3c9939242f449106f81) core/mount/*linux: Do idmap bind mounts as private and recursive
  * [`44751e28b`](https://github.com/containerd/containerd/commit/44751e28b378ec8d1bc45ea9d8f1444d75fe0186) core/mount: Don't apply uidmap/gidmap during ro instrospection
* Tracing: add spans in task/metadata and sandbox paths ([#12737](https://github.com/containerd/containerd/pull/12737))
  * [`fb295b9d4`](https://github.com/containerd/containerd/commit/fb295b9d4f8a23d9729472d43ae1180f1a9c3f32) Tracing: add spans in task/metadata and sandbox paths
* UpdatePodSandboxResources CRI API handler ([#11406](https://github.com/containerd/containerd/pull/11406))
  * [`de5b622bd`](https://github.com/containerd/containerd/commit/de5b622bd99823f3b6a9119270f0c8246b707d17) Persist pod sandbox resource updates
  * [`ffd3691c9`](https://github.com/containerd/containerd/commit/ffd3691c92f42fffadf1f835f3ecc82512e4b9a3) Implement UpdatePodSandboxResources CRI API handler
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))
  * [`016f4a636`](https://github.com/containerd/containerd/commit/016f4a6360503adcc88bcc4239c217744bdc2338) *: move new oom package into internal
  * [`bdff34ef6`](https://github.com/containerd/containerd/commit/bdff34ef61f1ae9df65af6f9e8dc506cd3b52f68) *: skip critest OOMKilled testcase for systemd cgroup
  * [`cbb1b13a8`](https://github.com/containerd/containerd/commit/cbb1b13a8131041911b0cb85070d392e045c2334) cri-integration: add stress test for TestOOMEventMonitor
  * [`aa3c50792`](https://github.com/containerd/containerd/commit/aa3c507925649f5357cf8d8bcdb18b959742c251) internal/cri/server: check if OOM event occurred before update status
  * [`8ac7e3c06`](https://github.com/containerd/containerd/commit/8ac7e3c06d63b8c3dfc92cba7cdfc250f1b81bd6) cmd/containerd-shim-runc-v2: use experimental OOM package
  * [`21707e6c3`](https://github.com/containerd/containerd/commit/21707e6c3bb6fd2729c9c9829c1f10a43185cf36) cmd/containerd-shim-runc-v2: add experimental OOM package
* Fix ST1005 lint violations: lowercase error strings ([#12666](https://github.com/containerd/containerd/pull/12666))
  * [`d6ee6f69b`](https://github.com/containerd/containerd/commit/d6ee6f69b25578ac91e1486396c4d326c5289586) Fix ST1005 lint violations: lowercase error strings
* Simplify/Cleanup unit tests ([#12746](https://github.com/containerd/containerd/pull/12746))
  * [`253fbe756`](https://github.com/containerd/containerd/commit/253fbe756a42fc83e03edc94c021b237a4225dc9) Cleanup unit tests
* doc: add k8s 1.35 to support matrix ([#12749](https://github.com/containerd/containerd/pull/12749))
  * [`b5ee44fe8`](https://github.com/containerd/containerd/commit/b5ee44fe8efc5a837523a9e3a9cf57c2670a2128) add k8s 1.35 to support matrix
* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))
  * [`36f8999b9`](https://github.com/containerd/containerd/commit/36f8999b946ed1e078d46496796ca54401423e3f) images: add EROFS layer media type
* cri: update log level to warn for CNI load failure during CRI init  ([#12709](https://github.com/containerd/containerd/pull/12709))
  * [`b66f92f59`](https://github.com/containerd/containerd/commit/b66f92f591edd3b55414edac84bc3bbdd8395eb5) cri: update log level to warn for CNI load failure during init
* simplify selinux dependency in client ([#12702](https://github.com/containerd/containerd/pull/12702))
  * [`6faacd8c7`](https://github.com/containerd/containerd/commit/6faacd8c76b409bb0907302c98964bb0717b0f9f) simplify selinux dependency in client
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))
  * [`53e696d62`](https://github.com/containerd/containerd/commit/53e696d625458a48a383364bc97a7be6b57f219d) set annotations parameter in CreateSandbox request
* build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 ([#12722](https://github.com/containerd/containerd/pull/12722))
  * [`ddc35aca2`](https://github.com/containerd/containerd/commit/ddc35aca2d13cfb3b60d0651a22fe9f8a2f11e0b) build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0
* build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 ([#12723](https://github.com/containerd/containerd/pull/12723))
  * [`4d7ce1746`](https://github.com/containerd/containerd/commit/4d7ce17462f0c2f071197ecfa534f9b84391db36) build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0
* build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 ([#12724](https://github.com/containerd/containerd/pull/12724))
  * [`b3fdd83a9`](https://github.com/containerd/containerd/commit/b3fdd83a99d52fb4ef6cee4fa659766ce88ad6f3) build(deps): bump github/codeql-action from 4.31.8 to 4.31.9
* build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 ([#12736](https://github.com/containerd/containerd/pull/12736))
  * [`e7ba3c35c`](https://github.com/containerd/containerd/commit/e7ba3c35c5d49016fe25fd5e05733acd7e6def11) build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0
* Add support for EROFS fsmerge feature ([#12374](https://github.com/containerd/containerd/pull/12374))
  * [`9a7500a97`](https://github.com/containerd/containerd/commit/9a7500a974388525a46a51ac7edc994e0334bc5a) Add support for EROFS fsmerge feature
* pkg/oci: add WithUmask for SpecOpts ([#12719](https://github.com/containerd/containerd/pull/12719))
  * [`01fd590a7`](https://github.com/containerd/containerd/commit/01fd590a770a2289e956a424cf27cfbac97de6c6) pkg/oci: add WithUmask for SpecOpts
* cri: emit warning for concurrent CreateContainer ([#12695](https://github.com/containerd/containerd/pull/12695))
  * [`c94b42332`](https://github.com/containerd/containerd/commit/c94b42332b5a1e830e5b198d57895c9ca4c52afb) cri: emit warning for concurrent CreateContainer
* Drop skip for `[Feature:ResourceMetrics]` in node e2e tests ([#12720](https://github.com/containerd/containerd/pull/12720))
  * [`b58f6579c`](https://github.com/containerd/containerd/commit/b58f6579c72aa1ac4d529f788be3557ef8486e49) Drop skip for `[Feature:ResourceMetrics]` in node e2e tests
* cri: Use the runtimeHandler parameter in PullImage ([#12710](https://github.com/containerd/containerd/pull/12710))
  * [`b8ae0412f`](https://github.com/containerd/containerd/commit/b8ae0412ff3503d34a8b1aec6fb0faef1631b48d) cri: Use the runtimeHandler parameter in PullImage
* Ensure ListMetricDescriptors gets tested with latest k/k ([#12704](https://github.com/containerd/containerd/pull/12704))
  * [`a31236b4d`](https://github.com/containerd/containerd/commit/a31236b4d052e6b9a3b4be0c9e4227ba18e2c74b) cri: populate Network.Interfaces in PodSandboxStats on Linux
  * [`635b30143`](https://github.com/containerd/containerd/commit/635b301430a0fa8aa54fe394cde35c377171d144) Ensure ListMetricDescriptors gets tested with latest k/k
* cri: deprecate `enable_cdi`, treat disabled CDI an error for injection requests. ([#12675](https://github.com/containerd/containerd/pull/12675))
  * [`ec8933999`](https://github.com/containerd/containerd/commit/ec89339995a27ac9b4e1a4240fbe37ac9eda2cd5) cri: treat disabled CDI an error for injection requests.
  * [`c49379c38`](https://github.com/containerd/containerd/commit/c49379c38a51bd26f22129cc9eb904bcecb5387c) cri: deprecate the enable_cdi config option.
* cri: move noisy CDI logs to debug level ([#12715](https://github.com/containerd/containerd/pull/12715))
  * [`f2ad3aedb`](https://github.com/containerd/containerd/commit/f2ad3aedbcbf194ef751906d5bafe92c4b139ebb) cri: move noisy CDI logs to debug level
* Uncomment call to add options for pulling encrypted images ([#12705](https://github.com/containerd/containerd/pull/12705))
  * [`c0052e1c6`](https://github.com/containerd/containerd/commit/c0052e1c699bedeb8991a83e1e9b1275101d2309) Reinstate image decryption
* cri,nri: bump NRI dependencies to v0.11.0 ([#12699](https://github.com/containerd/containerd/pull/12699))
  * [`6936558df`](https://github.com/containerd/containerd/commit/6936558df99881d3361f791721cf42662b89c114) cri,nri: pass any linux security profile to plugins.
  * [`f202a6989`](https://github.com/containerd/containerd/commit/f202a6989c1dabf65cd04ada6ae0589035dd8e99) cri,nri: pass any linux RDT constraints to plugins.
  * [`eb616d8ca`](https://github.com/containerd/containerd/commit/eb616d8cab24fcb3c6f2092089542103f840d06c) cri,nri: pass any linux net devices to plugins.
  * [`239f69aa0`](https://github.com/containerd/containerd/commit/239f69aa02a7a72f4689b679cf06f0fb87b4665d) cri,nri: pass any linux scheduler attributes to plugins.
  * [`8e143b2ea`](https://github.com/containerd/containerd/commit/8e143b2eaa4b3a35cf177a074dca2e0694869e1d) cri,nri: pass any linux I/O priority to plugins.
  * [`d674423d3`](https://github.com/containerd/containerd/commit/d674423d315bcd021f16f59290a4e96e7b4225ce) go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
* Fix typo in README.md for shim author section ([#12694](https://github.com/containerd/containerd/pull/12694))
  * [`5b184601d`](https://github.com/containerd/containerd/commit/5b184601d3e6acdf811c3b009ac5e6d9fca9ba00) Fix typo in README.md for shim author section
* pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const ([#12605](https://github.com/containerd/containerd/pull/12605))
  * [`0d27fceee`](https://github.com/containerd/containerd/commit/0d27fceeed55785cea12a1ed91bee4e78e47da36) pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
* build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 ([#12690](https://github.com/containerd/containerd/pull/12690))
  * [`6879e7e52`](https://github.com/containerd/containerd/commit/6879e7e526b4aec57290853d86583da1c6f37aa2) build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11
* build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 ([#12689](https://github.com/containerd/containerd/pull/12689))
  * [`9322000b9`](https://github.com/containerd/containerd/commit/9322000b92d46bc25bfecc5dd2d78a6c8e208d21) build(deps): bump github/codeql-action from 4.31.7 to 4.31.8
* build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 ([#12692](https://github.com/containerd/containerd/pull/12692))
  * [`87e014471`](https://github.com/containerd/containerd/commit/87e014471aa55e71c68a719531c803e9abf01c21) build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0
* build(deps): bump the k8s group with 3 updates ([#12687](https://github.com/containerd/containerd/pull/12687))
  * [`026d074b1`](https://github.com/containerd/containerd/commit/026d074b146fb34d8abb7d1303bf204f70d565d9) build(deps): bump the k8s group with 3 updates
* build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 ([#12691](https://github.com/containerd/containerd/pull/12691))
  * [`e191976e0`](https://github.com/containerd/containerd/commit/e191976e0c46df679b09df4d646d929d6d83e2d6) build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0
* build(deps): bump actions/cache from 4.3.0 to 5.0.1 ([#12686](https://github.com/containerd/containerd/pull/12686))
  * [`92c36c22d`](https://github.com/containerd/containerd/commit/92c36c22d9669de90a0109c3bd531665c6b4aae4) build(deps): bump actions/cache from 4.3.0 to 5.0.1
* go.{mod,sum}: bump CDI deps to v1.1.0. ([#12663](https://github.com/containerd/containerd/pull/12663))
  * [`19765c9b7`](https://github.com/containerd/containerd/commit/19765c9b7e4574a91f6d1acfec27f2aa8d356c65) go.{mod,sum} bump CDI deps to v1.1.0.
* build(deps): bump github.com/intel/goresctrl from 0.10.0 to 0.11.0 ([#12657](https://github.com/containerd/containerd/pull/12657))
  * [`2900a8134`](https://github.com/containerd/containerd/commit/2900a8134254b50081b90f2386c4068966d41d47) build(deps): bump github.com/intel/goresctrl from 0.10.0 to 0.11.0
* build(deps): bump github.com/containernetworking/plugins from 1.8.0 to 1.9.0 ([#12656](https://github.com/containerd/containerd/pull/12656))
  * [`90cf47eb8`](https://github.com/containerd/containerd/commit/90cf47eb8549f9f2324651f6c974094dd39b26f3) build(deps): bump github.com/containernetworking/plugins
* cri: Add background stats collector to calculate UsageNanoCores ([#12629](https://github.com/containerd/containerd/pull/12629))
  * [`28f75119b`](https://github.com/containerd/containerd/commit/28f75119baa8f5e32e3dbf59201c1b0911b04151) cri: simplify network stats to only add Timestamp field
  * [`218ef1613`](https://github.com/containerd/containerd/commit/218ef1613efcf91c3dac966c53a546cef2ef8bd0) Removed the circular dependency
  * [`7e5809bcf`](https://github.com/containerd/containerd/commit/7e5809bcfebd25ffea58e26734df83c5cad96ec0) stats_collection_period -> stats_collect_period
  * [`9d5ee6501`](https://github.com/containerd/containerd/commit/9d5ee650146e3a20a687a9ed225d50f7812259a9) cri: Add background stats collector to calculate UsageNanoCores
* build(deps): bump the otel group across 1 directory with 8 updates ([#12647](https://github.com/containerd/containerd/pull/12647))
  * [`8ab6ef83b`](https://github.com/containerd/containerd/commit/8ab6ef83bea358456c25f10714a96dd36bad7841) build(deps): bump the otel group across 1 directory with 8 updates
* build(deps): bump the golang-x group with 3 updates ([#12644](https://github.com/containerd/containerd/pull/12644))
  * [`5c392ae92`](https://github.com/containerd/containerd/commit/5c392ae92e8527811e1e413f4201f4652852aaf1) build(deps): bump the golang-x group with 3 updates
* Prevents triggering of an inactive issue/PR check for forked repository. ([#12592](https://github.com/containerd/containerd/pull/12592))
  * [`80dc40543`](https://github.com/containerd/containerd/commit/80dc405432ff99182f1bde5b7346669ef35f8253) [CI] Prevents triggering of an inactive issue/PR check for forked repository.
* build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 ([#12642](https://github.com/containerd/containerd/pull/12642))
  * [`ca0637f16`](https://github.com/containerd/containerd/commit/ca0637f16ce98be5420c1ffe708eb98b857318fe) build(deps): bump github/codeql-action from 4.31.6 to 4.31.7
* build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.2.0 ([#12643](https://github.com/containerd/containerd/pull/12643))
  * [`7053b5cd1`](https://github.com/containerd/containerd/commit/7053b5cd10632418750a0bfee1679ddc31eb972a) build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.2.0
* build(deps): bump actions/stale from 10.1.0 to 10.1.1 ([#12645](https://github.com/containerd/containerd/pull/12645))
  * [`e72ce6215`](https://github.com/containerd/containerd/commit/e72ce62153c5864a77499ee7200b9007789f1b1e) build(deps): bump actions/stale from 10.1.0 to 10.1.1
* build(deps): bump actions/checkout from 6.0.0 to 6.0.1 ([#12646](https://github.com/containerd/containerd/pull/12646))
  * [`b0946006f`](https://github.com/containerd/containerd/commit/b0946006fabd177cb41267fbe8b01038f8bef81a) build(deps): bump actions/checkout from 6.0.0 to 6.0.1
* go.mod: remove exclude rules ([#12649](https://github.com/containerd/containerd/pull/12649))
  * [`216e43e89`](https://github.com/containerd/containerd/commit/216e43e8903f51931cb7c9d2e09cbb5634d6d167) go.mod: remove exclude rules
* build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0 ([#12641](https://github.com/containerd/containerd/pull/12641))
  * [`fb8c01ded`](https://github.com/containerd/containerd/commit/fb8c01ded46d2cdbb99720ed33a9f7eb6dc13dda) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
* vendor: go.opentelemetry.io/otel/exporters v1.38.0, go.opentelemetry.io/contrib v0.63.0 ([#12604](https://github.com/containerd/containerd/pull/12604))
  * [`a0fa92530`](https://github.com/containerd/containerd/commit/a0fa92530fca98e2ca0b66158d938275d92295b0) vendor: go.opentelemetry.io/contrib v0.63.0
  * [`2d5a8cc71`](https://github.com/containerd/containerd/commit/2d5a8cc71e2e159d6b995d4ccbd58ec833f0b88c) vendor: go.opentelemetry.io/otel/exporters v1.38.0
* add some log if blob is skipped to download ([#12140](https://github.com/containerd/containerd/pull/12140))
  * [`508f8cac6`](https://github.com/containerd/containerd/commit/508f8cac6d252a01b541cfd6b831e81b6e28440b) add some log if blob is skipped to download
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12631](https://github.com/containerd/containerd/pull/12631))
  * [`d958fb2a2`](https://github.com/containerd/containerd/commit/d958fb2a27e43829e2a0e4b11e3d9ee7d8e146a8) ci: update CIFuzz actions to support Ubuntu 24.04
* fix: refactor ListPodSandboxMetrics ([#12594](https://github.com/containerd/containerd/pull/12594))
  * [`398154199`](https://github.com/containerd/containerd/commit/398154199a7345ba05b8dbd3e3803402ec49452f) fix: refactor ListPodSandboxMetrics
* build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0 ([#12610](https://github.com/containerd/containerd/pull/12610))
  * [`fbb53684f`](https://github.com/containerd/containerd/commit/fbb53684fee225f059bc5dc9525fd4824a6166f6) build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0
* ci: bump Go 1.24.11, 1.25.5 ([#12615](https://github.com/containerd/containerd/pull/12615))
  * [`127b16357`](https://github.com/containerd/containerd/commit/127b163577534125a3ad96e2de5539c4cb9c6e04) ci: bump Go 1.24.11, 1.25.5
  * [`65ad60ed9`](https://github.com/containerd/containerd/commit/65ad60ed9a9511adab59b6e8613c94dc414932b6) ci: bump Go 1.24.10, 1.25.4
* build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2 ([#12609](https://github.com/containerd/containerd/pull/12609))
  * [`38e90c471`](https://github.com/containerd/containerd/commit/38e90c4715b759595eee2e314ca32a359defd074) build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2
* build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 ([#12611](https://github.com/containerd/containerd/pull/12611))
  * [`37f18854c`](https://github.com/containerd/containerd/commit/37f18854c51cc8defb608436aa3182667eb55bbd) build(deps): bump github/codeql-action from 4.31.5 to 4.31.6
* Map ctr --gpus requests to NVIDIA CDI device requests ([#12537](https://github.com/containerd/containerd/pull/12537))
  * [`f5cd8d56f`](https://github.com/containerd/containerd/commit/f5cd8d56f4be4359ee2ad48ab784f336f0124642) Map ctr --gpus requests to NVIDIA CDI device requests
* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12606](https://github.com/containerd/containerd/pull/12606))
  * [`459a95287`](https://github.com/containerd/containerd/commit/459a95287ba66a0cde820435e9883bc3b0d0ab17) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
* build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 ([#12601](https://github.com/containerd/containerd/pull/12601))
  * [`8fcb918d0`](https://github.com/containerd/containerd/commit/8fcb918d0292f1c946488926c45fc9d0fdf959cd) build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0
* runc: Update runc binary to v1.4.0 ([#12603](https://github.com/containerd/containerd/pull/12603))
  * [`fbb42c2a4`](https://github.com/containerd/containerd/commit/fbb42c2a4f1d0aa31b8c7fbf6accf1057e41c488) runc: Update runc binary to v1.4.0
* Avoid using redundant loop devices to run mkfs for mount manager tests. ([#12545](https://github.com/containerd/containerd/pull/12545))
  * [`190ed6b67`](https://github.com/containerd/containerd/commit/190ed6b6776252ba075c8494bcb5ce5a0322b693) Avoid using redundant loop devices to run mkfs for mount manager tests.
* build(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.1 ([#12528](https://github.com/containerd/containerd/pull/12528))
  * [`72b218ee7`](https://github.com/containerd/containerd/commit/72b218ee7a09a69cf7a6e325e12c65e5555cb9dc) build(deps): bump github.com/opencontainers/selinux
* cri/nri: short-circuit nil adjustment. ([#12574](https://github.com/containerd/containerd/pull/12574))
  * [`3a717c175`](https://github.com/containerd/containerd/commit/3a717c175657246dcf24a994f7974035d0c54a0a) cri/nri: short-circuit nil adjustment.
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([#12571](https://github.com/containerd/containerd/pull/12571))
  * [`dfb8bffb9`](https://github.com/containerd/containerd/commit/dfb8bffb9aa02c34c77169661ef24148fcf05ab9) build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump github/codeql-action from 4.31.3 to 4.31.5 ([#12572](https://github.com/containerd/containerd/pull/12572))
  * [`5a104b967`](https://github.com/containerd/containerd/commit/5a104b96707b41fd33a5606801e7c024671a0faf) build(deps): bump github/codeql-action from 4.31.3 to 4.31.5
* ci(release): set GO_VERSION in Dockerfile ([#12583](https://github.com/containerd/containerd/pull/12583))
  * [`0eac0eeb1`](https://github.com/containerd/containerd/commit/0eac0eeb191c40948d573f6c8e87b97e8fbbf538) ci(release): set GO_VERSION in Dockerfile
* bump containerd/cgroups to v3.1.2 ([#12579](https://github.com/containerd/containerd/pull/12579))
  * [`9d357f5b9`](https://github.com/containerd/containerd/commit/9d357f5b9867910f82ebf8643791cb2d28966617) bump containerd/cgroups to v3.1.2
* .github: skip 5 critest cases for window-2022 ([#12578](https://github.com/containerd/containerd/pull/12578))
  * [`13912cf3b`](https://github.com/containerd/containerd/commit/13912cf3b41b086be68b689bcbbf7b934ba4f703) .github: skip 5 critest cases in window CI pipeline
* ci: use GitHub source for erofs-utils to fix network flakiness ([#12573](https://github.com/containerd/containerd/pull/12573))
  * [`c1089f6ed`](https://github.com/containerd/containerd/commit/c1089f6ed683c3c6154866d6dfb81eb9ba59458f) ci: use GitHub source for erofs-utils
* core/mount.test: should not call removeLoop when set autoclear ([#12561](https://github.com/containerd/containerd/pull/12561))
  * [`a5c84021c`](https://github.com/containerd/containerd/commit/a5c84021c8c1d9f6fe992bee23118c7c9ca5e289) core/mount: should not call removeLoop when set autoclear
* build(deps): bump the golang-x group across 1 directory with 3 updates ([#12524](https://github.com/containerd/containerd/pull/12524))
  * [`dfc2e35b1`](https://github.com/containerd/containerd/commit/dfc2e35b1de2fe7701de23994c85ddd74ba37d12) build(deps): bump the golang-x group across 1 directory with 3 updates
* build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 ([#12500](https://github.com/containerd/containerd/pull/12500))
  * [`e155f0a4b`](https://github.com/containerd/containerd/commit/e155f0a4bb4cc84cb4288d17597c4ecedcc57a6f) build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2
* build(deps): bump the k8s group with 3 updates ([#12527](https://github.com/containerd/containerd/pull/12527))
  * [`f2771359f`](https://github.com/containerd/containerd/commit/f2771359f9b31d62ffcd8e16591aa1c4f3741756) build(deps): bump the k8s group with 3 updates
* fix: redact all query parameters in CRI error logs ([#12491](https://github.com/containerd/containerd/pull/12491))
  * [`3e2cee2bf`](https://github.com/containerd/containerd/commit/3e2cee2bf141e8786b6af69b799d1bdadadf60b0) fix: redact all query parameters in CRI error logs
* build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1 ([#12465](https://github.com/containerd/containerd/pull/12465))
  * [`13b1f4371`](https://github.com/containerd/containerd/commit/13b1f43712e8341255a792dd9d24740e86c8e9ea) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1
* build(deps): bump actions/checkout from 5.0.0 to 5.0.1 ([#12525](https://github.com/containerd/containerd/pull/12525))
  * [`83a5208a6`](https://github.com/containerd/containerd/commit/83a5208a60367fa0070302df134e745a984ec6e6) build(deps): bump actions/checkout from 5.0.0 to 5.0.1
* build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 ([#12530](https://github.com/containerd/containerd/pull/12530))
  * [`fb92a97d4`](https://github.com/containerd/containerd/commit/fb92a97d43ed8e31a47d980388e16f350ebd5c88) build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0
* build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 ([#12526](https://github.com/containerd/containerd/pull/12526))
  * [`0cf656ab9`](https://github.com/containerd/containerd/commit/0cf656ab9474f39849390ffce7326a3ab3401628) build(deps): bump github/codeql-action from 4.31.2 to 4.31.3
* Revert "Implement io.ReaderAt on docker fetch reader" ([#12529](https://github.com/containerd/containerd/pull/12529))
  * [`3c9a0bd31`](https://github.com/containerd/containerd/commit/3c9a0bd31688708793046b4d7f12dcbaf9beda94) Revert "Implement io.ReaderAt on docker fetch reader"
* ctr run: dump OCI config to a file ([#12531](https://github.com/containerd/containerd/pull/12531))
  * [`3b899aa11`](https://github.com/containerd/containerd/commit/3b899aa1118384b6c05c19f6cdb3945520e4b79d) ctr run: dump OCI config to a file
* ctr: allow rlimit-nofile override ([#12532](https://github.com/containerd/containerd/pull/12532))
  * [`ee1f94e4d`](https://github.com/containerd/containerd/commit/ee1f94e4d1f15bb3c3902807c14ffcf66cef36a7) ctr: allow rlimit-nofile override
* Fix image defaults on Darwin to usable configuration ([#12533](https://github.com/containerd/containerd/pull/12533))
  * [`c2b22d6bd`](https://github.com/containerd/containerd/commit/c2b22d6bd6f487e432fc8bb06a6c22071fc06db3) Update the ctr pull defaults when using the transfer service
  * [`487d77ff5`](https://github.com/containerd/containerd/commit/487d77ff50dd895fd23784332929f342a7aec6d5) Fix transfer unpack defaults on darwin
  * [`497f896d6`](https://github.com/containerd/containerd/commit/497f896d653a2bd51e16cd78078e0828e3518b05) Update default differs on darwin
  * [`49888e001`](https://github.com/containerd/containerd/commit/49888e001fc5ee8744e703c7fadc217dfe658b3d) Use default writable size in erofs snapshotter for non-Linux hosts
  * [`01b4c8102`](https://github.com/containerd/containerd/commit/01b4c8102b8805fa2e739b5263cddee40f064b23) Update default erofs block size on macOS during erofs diff
* build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.1 to 2.0.2 ([#12499](https://github.com/containerd/containerd/pull/12499))
  * [`62e71af73`](https://github.com/containerd/containerd/commit/62e71af73c9b1bd8d3dda7a701405bf4a2753c1b) build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.1 to 2.0.2
* build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 ([#12501](https://github.com/containerd/containerd/pull/12501))
  * [`7f5d9c25b`](https://github.com/containerd/containerd/commit/7f5d9c25bf7523576a415d7483a51bca63cf8fa4) build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0
* Update RELEASES.md to set 2.0 to EOL ([#12505](https://github.com/containerd/containerd/pull/12505))
  * [`3e0af7de2`](https://github.com/containerd/containerd/commit/3e0af7de2fd1020c94a07e6d987ced3a7b65cd7d) Update RELEASES.md to set 2.0 to EOL
* remotes: fix possible panic from WithMediaTypeKeyPrefix ([#12508](https://github.com/containerd/containerd/pull/12508))
  * [`720db2874`](https://github.com/containerd/containerd/commit/720db287417295a3d15b58860a9dfbf3bd921988) remotes: fix possible panic from WithMediaTypeKeyPrefix
* Fix nil pointer dereference in container spec memory metrics ([#12492](https://github.com/containerd/containerd/pull/12492))
  * [`6b82f034d`](https://github.com/containerd/containerd/commit/6b82f034de52f05124d633b16fa23c548c4ce285) Fix nil pointer dereference in container spec memory metrics
</p>
</details>

### Changes from containerd/go-dmverity
<details><summary>24 commits</summary>
<p>

* tiny fix: fix link in README ([containerd/go-dmverity#8](https://github.com/containerd/go-dmverity/pull/8))
  * [`a7f1a09`](https://github.com/containerd/go-dmverity/commit/a7f1a09f06cd71bc2b4878f620e0616a56f33ed6) tiny fix: fix link in README
* build(deps): bump golang.org/x/sys from 0.38.0 to 0.39.0 in the golang-x group ([containerd/go-dmverity#7](https://github.com/containerd/go-dmverity/pull/7))
  * [`fba2650`](https://github.com/containerd/go-dmverity/commit/fba265074f293d8b2efa795784ac738dbe5c2c55) build(deps): bump golang.org/x/sys in the golang-x group
* build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 ([containerd/go-dmverity#3](https://github.com/containerd/go-dmverity/pull/3))
  * [`8ac0910`](https://github.com/containerd/go-dmverity/commit/8ac091071fbd5b40409d0fd348ab08eae1561106) build(deps): bump actions/setup-go from 6.0.0 to 6.1.0
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([containerd/go-dmverity#1](https://github.com/containerd/go-dmverity/pull/1))
  * [`a2cd4df`](https://github.com/containerd/go-dmverity/commit/a2cd4dfdcb3dd8bce94d22bd3b08bb633a227db3) build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump golang.org/x/sys from 0.27.0 to 0.38.0 in the golang-x group ([containerd/go-dmverity#2](https://github.com/containerd/go-dmverity/pull/2))
  * [`d6426d9`](https://github.com/containerd/go-dmverity/commit/d6426d974f7c8744b5186d5f810f7f8337704f8d) build(deps): bump golang.org/x/sys in the golang-x group
* fix CI workflow and lint issues ([containerd/go-dmverity#5](https://github.com/containerd/go-dmverity/pull/5))
  * [`61a2dbc`](https://github.com/containerd/go-dmverity/commit/61a2dbce922a4335076f528ec72ed4aaa09d4444) fix: resolve lint issues in verity
  * [`0876d0c`](https://github.com/containerd/go-dmverity/commit/0876d0cd0e9835775edac20396e29b3692924789) ci: correct project job checkout step
* fix CI workflow and lint issues ([containerd/go-dmverity#5](https://github.com/containerd/go-dmverity/pull/5))
  * [`aaacf1e`](https://github.com/containerd/go-dmverity/commit/aaacf1ea3624593897a13b7c809fa723a71d2e38) Align project with containerd sub-project requirements
* build(deps): bump golangci/golangci-lint-action from 6.1.1 to 9.1.0 ([containerd/go-dmverity#4](https://github.com/containerd/go-dmverity/pull/4))
  * [`7ba11d8`](https://github.com/containerd/go-dmverity/commit/7ba11d8fc9d1d74de811be60f2eb601bc42135e1) verity: extract verity operations to pkg
* build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 ([containerd/go-dmverity#3](https://github.com/containerd/go-dmverity/pull/3))
  * [`19ed941`](https://github.com/containerd/go-dmverity/commit/19ed94141fa73cac69d08824aa39378558cb3771) dm: implement dm-verity signature verification
* build(deps): bump golang.org/x/sys from 0.27.0 to 0.38.0 in the golang-x group ([containerd/go-dmverity#2](https://github.com/containerd/go-dmverity/pull/2))
  * [`dab1114`](https://github.com/containerd/go-dmverity/commit/dab1114333773f82bfec64b2f18ba9be08e291fc) verity: add API to get hash tree storage size
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([containerd/go-dmverity#1](https://github.com/containerd/go-dmverity/pull/1))
  * [`687f68c`](https://github.com/containerd/go-dmverity/commit/687f68ce0799394a7b68c5418afbe09935375ba6) add ci
  * [`110acc0`](https://github.com/containerd/go-dmverity/commit/110acc0d4e7d36798f50b818e6f600125aeec415) init veritysetup-go
</p>
</details>

### Changes from containerd/nri
<details><summary>79 commits</summary>
<p>

* adaptation: allow compiling out WASM support altogether. ([containerd/nri#253](https://github.com/containerd/nri/pull/253))
  * [`ab88fe6`](https://github.com/containerd/nri/commit/ab88fe680c11b35234c38c7d4eac72335721c78d) adaptation: allow compiling out WASM support altogether.
* Support direct editing of the intelRdt config ([containerd/nri#215](https://github.com/containerd/nri/pull/215))
  * [`8c0c9f6`](https://github.com/containerd/nri/commit/8c0c9f67a905fb24682239a4d6d94b0dd52c13e7) Implement removal of RDT
  * [`dfbae8a`](https://github.com/containerd/nri/commit/dfbae8a616b80037798e3cfb8315d70f3f2eff7e) plugins: add sample rdt plugin
  * [`d05dd81`](https://github.com/containerd/nri/commit/d05dd818ed26c3dbeae0fce88289387b62e4665c) pkg/adaptation: support new RDT fields
  * [`725289b`](https://github.com/containerd/nri/commit/725289b256878de8e965327ab6e70dc883ea771b) pkg/runtime-tools/generate: support new RDT fields
  * [`a7832a2`](https://github.com/containerd/nri/commit/a7832a241411573e03982490197d7eb98a1c9d29) api: add rdt
* update wazero/wazero version to v1.10.1 ([containerd/nri#252](https://github.com/containerd/nri/pull/252))
  * [`9eb9a0f`](https://github.com/containerd/nri/commit/9eb9a0f0f6e223e6060805b55957f117f159f5cc) update tetratelabs/wazero version to v1.10.1
* support specifying a custom NRI socket path ([containerd/nri#249](https://github.com/containerd/nri/pull/249))
  * [`2df6565`](https://github.com/containerd/nri/commit/2df656516e73b31e013257f713a1df5baa7fdcb0) [plugins] support specifying a custom NRI socket path
* pkg/api: add OptionalRepeatedString type ([containerd/nri#212](https://github.com/containerd/nri/pull/212))
  * [`687c1a6`](https://github.com/containerd/nri/commit/687c1a6a8b5c75056acd176dc89c45251926d0bb) pkg/api: add OptionalRepeatedString type
* api,adaptation,generate: allow setting kernel scheduling policy attributes. ([containerd/nri#160](https://github.com/containerd/nri/pull/160))
  * [`6a371ac`](https://github.com/containerd/nri/commit/6a371ac5e7afcd185ee575828f4822d779f0ded9) device-injector: add scheduling policy adjustment.
  * [`e06369e`](https://github.com/containerd/nri/commit/e06369e8d1cad80f12eaf6f2c0da19c7ac78396c) api,adaptation,generate: allow setting scheduler attributes.
* device-injector: always log injection summary. ([containerd/nri#246](https://github.com/containerd/nri/pull/246))
  * [`14cc2e2`](https://github.com/containerd/nri/commit/14cc2e2fb6b9504c5241e3156b24b1055ed4e3ed) device-injector: always log injection summary.
* api,adaptation,generate: allow adjusting linux net devices ([containerd/nri#157](https://github.com/containerd/nri/pull/157))
  * [`5145c92`](https://github.com/containerd/nri/commit/5145c92e7c215ce3969805005ebdb0f37749e68b) device-injector: add network device injection.
  * [`8a03823`](https://github.com/containerd/nri/commit/8a03823fe8afbca00b30f669805c911414c58803) api,adaptation,generate: allow adjusting linux net devices.
* Add support for sysctl adjustment ([containerd/nri#248](https://github.com/containerd/nri/pull/248))
  * [`914fbf3`](https://github.com/containerd/nri/commit/914fbf3faf42da144376c133541c37211d2f9200) default-validator: restrict sysctl adjustment
  * [`a418956`](https://github.com/containerd/nri/commit/a4189560f80f7c02579eec252ae43034bf21cb8a) api: apply sysctl adjustments
  * [`8705f9b`](https://github.com/containerd/nri/commit/8705f9b1eb3107ad8bc422978b0412527e3fd236) api: add sysctl container adjustment
* feat: Make logger a configurable struct member for stub ([containerd/nri#239](https://github.com/containerd/nri/pull/239))
  * [`08a891a`](https://github.com/containerd/nri/commit/08a891a81d90b03b5e5ae14734f5ad74e74c264b) feat: Make logger a configurable struct member for stub
* Drop dependency on opencontainers/runtime-tools ([containerd/nri#247](https://github.com/containerd/nri/pull/247))
  * [`5e5c2be`](https://github.com/containerd/nri/commit/5e5c2be5f57436228f2762e0deb2c4f9873f3e9b) Drop dependency on opencontainers/runtime-tools
* deps: bump runtime-spec to v1.3.0. ([containerd/nri#243](https://github.com/containerd/nri/pull/243))
  * [`29c5811`](https://github.com/containerd/nri/commit/29c581117267cb5d2289ff08902a93ff263caf0e) (v0.1.0) examples: lock NRI, runtime spec deps.
  * [`d812952`](https://github.com/containerd/nri/commit/d8129529588cca090c972aa5e5f7775162af59da) v010-adapter: lock NRI, runtime spec and tools deps.
  * [`7dd7c7f`](https://github.com/containerd/nri/commit/7dd7c7f8b21c08242de41634b12ab2ee71b91000) api,runtime-tools: adjust for runtime-spec v1.3.0.
  * [`5d5d4c4`](https://github.com/containerd/nri/commit/5d5d4c4c877fdef4fe0938e627b11b97234195b8) go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.
* adaptation: ensure sync'ed plugins are fully registered in tests. ([containerd/nri#234](https://github.com/containerd/nri/pull/234))
  * [`c840397`](https://github.com/containerd/nri/commit/c84039771e9c2cee68952b4b7cc52cba1909784e) adaptation: ensure sync'ed plugins are fully registered in tests.
* Fix wasm example ([containerd/nri#237](https://github.com/containerd/nri/pull/237))
  * [`44b2861`](https://github.com/containerd/nri/commit/44b2861a26c8e392229cd8b27a20cf689925f176) Fix wasm example
* Makefile: build proto files unconditionally ([containerd/nri#229](https://github.com/containerd/nri/pull/229))
  * [`d99f960`](https://github.com/containerd/nri/commit/d99f96028e5226c004f94a3394be82190980c4bd) Fix dockerized proto build
  * [`9623748`](https://github.com/containerd/nri/commit/9623748f543343bfe6b2312df47a7ed9000d47fe) Makefile: build proto files unconditionally
  * [`25d9391`](https://github.com/containerd/nri/commit/25d9391690a7158d851364ef011e1f56fd607a70) build: ensure we use correct version of protoc and its deps.
* adaptation: test with populated initial resources. ([containerd/nri#231](https://github.com/containerd/nri/pull/231))
  * [`b6b98b5`](https://github.com/containerd/nri/commit/b6b98b56a60df29da312cc1e1e070697dec43583) adaptation: test with populated initial resources.
* Install protoc locally in the source tree ([containerd/nri#232](https://github.com/containerd/nri/pull/232))
  * [`2394daa`](https://github.com/containerd/nri/commit/2394daa45f1c7c0fcf28e9e39895c8b871a7445c) Install protoc locally in the source tree
* plugins/logger: fix default event subscription mask. ([containerd/nri#158](https://github.com/containerd/nri/pull/158))
  * [`33b1db1`](https://github.com/containerd/nri/commit/33b1db1add2e9a603f7c47e1efa95d386f4af560) logger: fix default event subscription mask.
* extract memory and CPU resource helpers ([containerd/nri#210](https://github.com/containerd/nri/pull/210))
  * [`7afb32a`](https://github.com/containerd/nri/commit/7afb32a3a444fd0a24e36988e0906ad35590c672) extract memory and CPU resource helpers
* api: expose container user/group ID to plugins. ([containerd/nri#230](https://github.com/containerd/nri/pull/230))
  * [`22aeb46`](https://github.com/containerd/nri/commit/22aeb467e553bffd7650930b3bc6c28b95a2dee5) docs: update README with container uid/gid info.
  * [`71b0335`](https://github.com/containerd/nri/commit/71b0335fdc262451ab2ff71591f1126c8a036265) api,adaptation: add container uid/gid info.
* contrib: add example for enabling per-container RDT monitoring ([containerd/nri#228](https://github.com/containerd/nri/pull/228))
  * [`91fbf06`](https://github.com/containerd/nri/commit/91fbf06ed654e46629cb7aefb11856953720c9cf) contrib: add example for enabling per-container RDT monitoring
* ci: enable image signing ([containerd/nri#224](https://github.com/containerd/nri/pull/224))
  * [`fb54916`](https://github.com/containerd/nri/commit/fb5491601ca84bf52b70e75d0e99ddc4dfe6a922) ci: enable image signing
* golangci: disable QF1008 from staticcheck linter ([containerd/nri#226](https://github.com/containerd/nri/pull/226))
  * [`0b3b577`](https://github.com/containerd/nri/commit/0b3b5770d1f6845d3a3e52ccb5218f2b3ce1f34e) golangci: disable QF1008 from staticcheck linter
* ci: bump golangci-lint to v2.4 ([containerd/nri#225](https://github.com/containerd/nri/pull/225))
  * [`9787127`](https://github.com/containerd/nri/commit/9787127c0f3e69726b968e12b29dae31e35e250b) Bump golangci-lint to v2.4
  * [`1a50ff5`](https://github.com/containerd/nri/commit/1a50ff585624f01763fd20aafaeaa92aa8b27c46) Add nolint directives
  * [`00fa1a1`](https://github.com/containerd/nri/commit/00fa1a124e605590d3ceea1e687600785ae6518d) Add and fix comments for exported types
  * [`ac21da7`](https://github.com/containerd/nri/commit/ac21da7be8f991a8699cef41acba8783dee5351e) pkg/api/seccomp: add comments for exported functions
  * [`3aff986`](https://github.com/containerd/nri/commit/3aff986af5f8abefda8552edae991608782df46c) pkg/runtime-tools/generate: remove embedded field "Generator"
  * [`c0c4bb6`](https://github.com/containerd/nri/commit/c0c4bb648ae46207f47d5b18bf447f7d5b32e26b) pkg/api/validate: add comments for exported methods
  * [`c0ba9da`](https://github.com/containerd/nri/commit/c0ba9da712934c860a64af54d96b5cfc74672ff5) adaptation/builtin: add comment for exported symbols
* .gitignore: revert hastily reviewed editor-specific addition. ([containerd/nri#221](https://github.com/containerd/nri/pull/221))
  * [`02376f3`](https://github.com/containerd/nri/commit/02376f371c707718144dd509172618c69ce6670c) .gitignore: add comment about global gitignore.
  * [`9336a79`](https://github.com/containerd/nri/commit/9336a7933c666dbe6da09fe3cb46e80b478fb268) Revert "nit: Add .idea folder to gitignore"
* nit: Add .idea folder to gitignore ([containerd/nri#218](https://github.com/containerd/nri/pull/218))
  * [`f578ea2`](https://github.com/containerd/nri/commit/f578ea2804642f2cd59594edc17b59d995289223) nit: Add .idea folder to gitignore
* chore: clean and unify nolint directives ([containerd/nri#217](https://github.com/containerd/nri/pull/217))
  * [`21741b9`](https://github.com/containerd/nri/commit/21741b9ee40d69eb9ee3d5688e45b0b022c32738) chore: clean and unify nolint directives
* Downgrade go to require 1.24.0 ([containerd/nri#214](https://github.com/containerd/nri/pull/214))
  * [`d26e910`](https://github.com/containerd/nri/commit/d26e910702c62126decc6befe835e7315cd738a9) Downgrade go to require 1.24.0
* Add dockerized target for building proto files ([containerd/nri#211](https://github.com/containerd/nri/pull/211))
  * [`13fcc07`](https://github.com/containerd/nri/commit/13fcc0773d23520ff44d54549122ec78c8f1e473) Add dockerized target for building proto files
</p>
</details>

### Changes from containerd/platforms
<details><summary>22 commits</summary>
<p>

* Add OnlyOS function allow matching any architecture ([containerd/platforms#33](https://github.com/containerd/platforms/pull/33))
  * [`27058a1`](https://github.com/containerd/platforms/commit/27058a1da8e6ba9b9e8ffc6043fb1fabfd7d7683) Add OnlyOS function allow matching any architecture
* Strip the win32k when comparing windows platforms ([containerd/platforms#31](https://github.com/containerd/platforms/pull/31))
  * [`adbf321`](https://github.com/containerd/platforms/commit/adbf32116ad6ded8007706e861b7d0aa10901639) Strip the win32k when comparing windows platforms
* refactor, optimize FormatAll, ParseAll ([containerd/platforms#30](https://github.com/containerd/platforms/pull/30))
  * [`d028ee3`](https://github.com/containerd/platforms/commit/d028ee3f77b032d08f03b20412e6ea27b26dbb04) ParseAll: refactor
  * [`8f5e31a`](https://github.com/containerd/platforms/commit/8f5e31ac5040d9f6b0a6b8d8754338f7c999236d) FormatAll: use a string-builder for formatting os-options
  * [`0165130`](https://github.com/containerd/platforms/commit/01651306b81698ca45b6196e86aa0b82292332eb) modernize --fix
  * [`f453a3a`](https://github.com/containerd/platforms/commit/f453a3a2f0c077cd5de7d20b2e703cc60b1a4704) go.mod: bump minimum go version to go1.24
  * [`042728d`](https://github.com/containerd/platforms/commit/042728d8c89bb01c02e934a842122e121f097041) add benchmark for Parse, FormatAll
  * [`75663cd`](https://github.com/containerd/platforms/commit/75663cddc20b727338f95a89ebac40fea7a1de3e) gofumpt code
* Add encoding to os version and features ([containerd/platforms#28](https://github.com/containerd/platforms/pull/28))
  * [`3cff7fa`](https://github.com/containerd/platforms/commit/3cff7fafd140d8925f405340484fd050dec7318d) Add encoding to os version and features
* Match and Compare platforms with OSFeatures ([containerd/platforms#20](https://github.com/containerd/platforms/pull/20))
  * [`1b8cf34`](https://github.com/containerd/platforms/commit/1b8cf3495f8c2b0b2d297ce0ceb4cf36a0aff8dd) Add compare and matching for OS features
* Add support for OS Features in the format ([containerd/platforms#16](https://github.com/containerd/platforms/pull/16))
  * [`2474351`](https://github.com/containerd/platforms/commit/2474351d1c34fc56cbe611550cbd97f246f28c01) Sort OSFeatures on format
  * [`5b124ef`](https://github.com/containerd/platforms/commit/5b124ef12b7c5ff1c57d5b1c1f18d003f34382cf) Add support for OS Features in the format
* Update GitHub actions ([containerd/platforms#27](https://github.com/containerd/platforms/pull/27))
  * [`7c872f6`](https://github.com/containerd/platforms/commit/7c872f615218b0e17467c01cfd6488a928ee5c07) Update golangci lint
  * [`50e5387`](https://github.com/containerd/platforms/commit/50e5387229bf3d220cd22b0ec08ee1c413053760) Update go version to latest
  * [`a7b4df0`](https://github.com/containerd/platforms/commit/a7b4df003f78432b15238faaf1127bdc59865d1a) Update github runner version
</p>
</details>

### Changes from containerd/ttrpc
<details><summary>22 commits</summary>
<p>

* build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 ([containerd/ttrpc#222](https://github.com/containerd/ttrpc/pull/222))
  * [`6a90ebb`](https://github.com/containerd/ttrpc/commit/6a90ebb67c5327bb94ce8f089dc5bf622eef96b7) build(deps): bump actions/setup-go from 6.2.0 to 6.3.0
* Add missing continue after stream failure ([containerd/ttrpc#223](https://github.com/containerd/ttrpc/pull/223))
  * [`d5b5a20`](https://github.com/containerd/ttrpc/commit/d5b5a200a8a0c06b027df4675eefbf8150dcaec2) Add missing continue after stream failure
* build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 ([containerd/ttrpc#218](https://github.com/containerd/ttrpc/pull/218))
  * [`292893a`](https://github.com/containerd/ttrpc/commit/292893a7c1c8ccf862ad6ddc70ced778e80e5498) build(deps): bump actions/setup-go from 6.1.0 to 6.2.0
* build(deps): bump actions/checkout from 6.0.1 to 6.0.2 ([containerd/ttrpc#219](https://github.com/containerd/ttrpc/pull/219))
  * [`385b968`](https://github.com/containerd/ttrpc/commit/385b968bdf03b8f2ec4bdd9c2c25cbaa4f109d53) build(deps): bump actions/checkout from 6.0.1 to 6.0.2
* Run CI against latest stable version of Go and previous ([containerd/ttrpc#214](https://github.com/containerd/ttrpc/pull/214))
  * [`590622b`](https://github.com/containerd/ttrpc/commit/590622b17b09c827ddeb26a3bf11f6bf08a0b883) Run CI against latest stable version of Go and previous
* build(deps): bump golangci-lint from 1.60.3 to 2.7.2 ([containerd/ttrpc#213](https://github.com/containerd/ttrpc/pull/213))
  * [`027f981`](https://github.com/containerd/ttrpc/commit/027f9814ee35e16c5f8c6db5eb42ffa4e1a55850) Update for golangci-lint v2
  * [`d8d3d84`](https://github.com/containerd/ttrpc/commit/d8d3d8435b3af29f779a2ea59a03d33d0891075f) build(deps): bump golangci-lint from 1.60.3 to 2.7.2
* build(deps): bump actions/checkout from 4.2.2 to 6.0.1 ([containerd/ttrpc#209](https://github.com/containerd/ttrpc/pull/209))
  * [`d6c07cf`](https://github.com/containerd/ttrpc/commit/d6c07cf8ac4cb8fb31a0db0915751fe6adda479d) build(deps): bump actions/checkout from 4.2.2 to 6.0.1
* build(deps): bump actions/setup-go from 5.2.0 to 6.1.0 ([containerd/ttrpc#210](https://github.com/containerd/ttrpc/pull/210))
  * [`1c90f70`](https://github.com/containerd/ttrpc/commit/1c90f70589fcdbd276469e01ff10af682504f72e) build(deps): bump actions/setup-go from 5.2.0 to 6.1.0
* build(deps): bump containerd/project-checks from 1.1.0 to 1.2.2 ([containerd/ttrpc#196](https://github.com/containerd/ttrpc/pull/196))
  * [`9686fd8`](https://github.com/containerd/ttrpc/commit/9686fd8dccef532abffa81660a012247b2d91625) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.2
* Add dependabot and bump up golang and dependency versions ([containerd/ttrpc#178](https://github.com/containerd/ttrpc/pull/178))
  * [`4729a87`](https://github.com/containerd/ttrpc/commit/4729a87007216fea05f67683fbde0aaad643d64c) Upgrade go, dependency, CI versions
  * [`644ecfa`](https://github.com/containerd/ttrpc/commit/644ecfaa4cbfc5a054c105c05a6b450063ac41a0) Add dependabot CI
</p>
</details>

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/Microsoft/go-winio**                                                v0.6.2 -> ad3df93bed29
* **github.com/Microsoft/hcsshim**                                                 v0.14.0-rc.1 -> v0.15.0-rc.1
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0-beta.2
* **github.com/containerd/go-dmverity**                                            e097b6cc4a33 **_new_**
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.11.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.2 -> v1.0.0-rc.4
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/davecgh/go-spew**                                                   v1.1.1 -> d8f796af33cc
* **github.com/erofs/go-erofs**                                                    v0.2.1 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.3
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.5
* **github.com/moby/spdystream**                                                   v0.5.0 -> v0.5.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pelletier/go-toml/v2**                                              v2.2.4 -> v2.3.0
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.17.0
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.10.1
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.67.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.67.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.43.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.10.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.49.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.35.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.52.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.43.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.41.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.35.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.80.0
* **google.golang.org/protobuf**                                                   v1.36.10 -> f2248ac996af
* **k8s.io/api**                                                                   v0.34.1 -> v0.36.0-rc.0
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.36.0-rc.0
* **k8s.io/client-go**                                                             v0.34.1 -> v0.36.0-rc.0
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.36.0-rc.0
* **k8s.io/cri-streaming**                                                         v0.36.0-rc.0 **_new_**
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          5883c5ee87b9 **_new_**
* **k8s.io/streaming**                                                             v0.36.0-rc.0 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> 28399d86e0b5
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **sigs.k8s.io/structured-merge-diff/v6**                                         v6.3.0 -> v6.3.2
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • api/v1.11.0-beta.2

    341401c1 · Merge pull request #12785 from dmcgowan/pass-socket-address · 
    containerd api/v1.11.0-beta.2

Welcome to the api/v1.11.0-beta.2 release of containerd!
*This is a pre-release of containerd*

The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Runtime

* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Wei Fu
* Akihiro Suda
* Gao Xiang
* Sebastiaan van Stijn

### Changes
<details><summary>43 commits</summary>
<p>

* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))
  * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state
* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))
  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition
* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions
  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level
  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json
  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path
  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api
  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests
  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag
  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim
  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files
  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file
  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin
  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension
  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor
  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol
* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto
* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))
  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api
* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
</p>
</details>

### Dependency Changes

* **golang.org/x/net**                           v0.38.0 -> v0.48.0
* **golang.org/x/sys**                           v0.31.0 -> v0.39.0
* **golang.org/x/text**                          v0.23.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/rpc**  c3f982113cda -> ff82c1b0f217
* **google.golang.org/grpc**                     v1.59.0 -> v1.79.3
* **google.golang.org/protobuf**                 v1.33.0 -> v1.36.10

Previous release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)
    Unverified

  • v2.2.3

    77c84241 · Merge pull request #13224 from samuelkarp/prepare-release-2.2.3 · 
    containerd 2.2.3

Welcome to the v2.2.3 release of containerd!

The third patch release for containerd 2.2 contains various fixes
and updates including a security patch.

### Security Updates

* **spdystream**
  * [**CVE-2026-35469**](https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2)

### Highlights

#### Container Runtime Interface (CRI)

* Preserve cgroup mount options for privileged containers ([#13120](https://github.com/containerd/containerd/pull/13120))
* Ensure UpdatePodSandbox returns Unimplemented instead of a generic error ([#13023](https://github.com/containerd/containerd/pull/13023))

#### Go client

* Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#13015](https://github.com/containerd/containerd/pull/13015))

#### Image Distribution

* Enable mount manager in diff walking to fix layer extraction errors with some snapshotters (e.g., EROFS) ([#13198](https://github.com/containerd/containerd/pull/13198))
* Apply hardening to prevent TOCTOU race during tar extraction ([#12971](https://github.com/containerd/containerd/pull/12971))

#### Runtime

* Restore support for client-mounted roots in Windows containers using process isolation ([#13195](https://github.com/containerd/containerd/pull/13195))
* Update runc to v1.3.5 ([#13061](https://github.com/containerd/containerd/pull/13061))
* Apply absolute symlink resolution to /etc/group in OCI spec to fix lookups on NixOS-style systems ([#13019](https://github.com/containerd/containerd/pull/13019))
* Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#13015](https://github.com/containerd/containerd/pull/13015))

#### Snapshotters

* Fix bug that caused whiteouts to be ignored when parallel unpack was used ([#13125](https://github.com/containerd/containerd/pull/13125))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Samuel Karp
* Sebastiaan van Stijn
* Maksym Pavlenko
* Chris Henzie
* Derek McGowan
* Paulo Oliveira
* Henry Wang
* Phil Estes
* Wei Fu
* Akihiro Suda
* Gao Xiang
* Ricardo Branco
* Shachar Tal

### Changes
<details><summary>40 commits</summary>
<p>

* Prepare release notes for v2.2.3 ([#13224](https://github.com/containerd/containerd/pull/13224))
  * [`8a0f4ed5d`](https://github.com/containerd/containerd/commit/8a0f4ed5d360171d62ca625bc93f393a36241189) Prepare release notes for v2.2.3
* update github.com/moby/spdystream v0.5.1 ([#13217](https://github.com/containerd/containerd/pull/13217))
  * [`31bd34a06`](https://github.com/containerd/containerd/commit/31bd34a064dc7136413efde09b99a2bdd14dabe9) update github.com/moby/spdystream v0.5.1
* vendor: github.com/klauspost/compress v1.18.5 ([#13197](https://github.com/containerd/containerd/pull/13197))
  * [`1336f6c45`](https://github.com/containerd/containerd/commit/1336f6c45d25c674963e5cb86ee1ea522e6f513e) vendor: github.com/klauspost/compress v1.18.5
* diff/walking: enable mount manager ([#13198](https://github.com/containerd/containerd/pull/13198))
  * [`409f75be8`](https://github.com/containerd/containerd/commit/409f75be8791d53e2e4e96ab060d8db56fd46b1e) diff/walking: enable mount manager
* update runhcs to v0.14.1 ([#13195](https://github.com/containerd/containerd/pull/13195))
  * [`3f33146c1`](https://github.com/containerd/containerd/commit/3f33146c1c199f1d9479d791b105197cebf7b1bc) update runhcs to v0.14.1
* vendor: github.com/Microsoft/hcsshim v0.14.1 ([#13196](https://github.com/containerd/containerd/pull/13196))
  * [`8bd1b74e5`](https://github.com/containerd/containerd/commit/8bd1b74e5dbcd6aad671666e13861a6c8a7bf13c) vendor: github.com/Microsoft/hcsshim v0.14.1
  * [`c6b0be8e1`](https://github.com/containerd/containerd/commit/c6b0be8e1317166d53a05c308db3223293f36f85) vendor: github.com/Microsoft/hcsshim v0.14.0
* update to Go 1.25.9, 1.26.2 ([#13190](https://github.com/containerd/containerd/pull/13190))
  * [`2ecde8cfe`](https://github.com/containerd/containerd/commit/2ecde8cfe12320fefd05e08c83e413a4046bb72c) update to Go 1.25.9, 1.26.2
* Skip TestExportAndImportMultiLayer on s390x ([#13154](https://github.com/containerd/containerd/pull/13154))
  * [`be554f478`](https://github.com/containerd/containerd/commit/be554f478ceb629d3dc3fbd5331b9167cc7a4870) Skip TestExportAndImportMultiLayer on s390x
* Tweak mount info for overlayfs in case of parallel unpack ([#13125](https://github.com/containerd/containerd/pull/13125))
  * [`660de195b`](https://github.com/containerd/containerd/commit/660de195b07db576cbe8aab53a4b6e87cc931347) Tweak mount info for overlayfs in case of parallel unpack
  * [`bc9274a4b`](https://github.com/containerd/containerd/commit/bc9274a4b05342ba1096c73ce6ce8a505ce243ce) Add integration test for issue 13030
* Preserve cgroup mount options for privileged containers ([#13120](https://github.com/containerd/containerd/pull/13120))
  * [`c387890b5`](https://github.com/containerd/containerd/commit/c387890b582324c4cf11e940efe4268a21524ed6) Add integration test for privileged container cgroup mounts
  * [`047a335a6`](https://github.com/containerd/containerd/commit/047a335a69d66e673ddc155fed779152e00a5652) Forward RUNC_FLAVOR env var down to integration tests
  * [`9b2d72ee0`](https://github.com/containerd/containerd/commit/9b2d72ee03b548c8344cd243670e06f863a701a2) Preserve host cgroup mount options for privileged containers
  * [`5b66cd6a0`](https://github.com/containerd/containerd/commit/5b66cd6a0902b7927eeb8107bb5a30d78436eaa3) Move cgroup namespace placement higher in spec builder
* update runc binary to v1.3.5 ([#13061](https://github.com/containerd/containerd/pull/13061))
  * [`584205c2f`](https://github.com/containerd/containerd/commit/584205c2fa986334d22b840293b1060b10ab724e) [release/2.2] update runc binary to v1.3.5
* Fix vagrant on CI ([#13066](https://github.com/containerd/containerd/pull/13066))
  * [`77c6886df`](https://github.com/containerd/containerd/commit/77c6886df6510bf1ac9326436e7b371a28eb5678) Ignore NOCHANGE error
* Fix TOCTOU race bug in tar extraction ([#12971](https://github.com/containerd/containerd/pull/12971))
  * [`fbed68b8f`](https://github.com/containerd/containerd/commit/fbed68b8fb97b778b0caf68167cb0c4ab4af27df) Fix TOCTOU race bug in tar extraction
* cri: UpdatePodSandbox should return Unimplemented ([#13023](https://github.com/containerd/containerd/pull/13023))
  * [`a83510103`](https://github.com/containerd/containerd/commit/a835101036b106386be8e5b433d5ca0f1f0529cd) cri: UpdatePodSandbox should return Unimplemented
* fix(oci): apply absolute symlink resolution to /etc/group ([#13019](https://github.com/containerd/containerd/pull/13019))
  * [`ee4179e52`](https://github.com/containerd/containerd/commit/ee4179e5212c09e7bc4c429bf5b77eabb2b84662) fix(oci): apply absolute symlink resolution to /etc/group
* fix(oci): handle absolute symlinks in rootfs user lookup ([#13015](https://github.com/containerd/containerd/pull/13015))
  * [`fd061b848`](https://github.com/containerd/containerd/commit/fd061b84887177b969e8f8e2499e780341cde0ae) test(oci): use fstest and mock fs for better symlink coverage
  * [`5d44d2c22`](https://github.com/containerd/containerd/commit/5d44d2c220d6296156c1c4fe3a500958667a3708) fix(oci): handle absolute symlinks in rootfs user lookup
* update to go1.25.8, test go1.26.1 ([#13011](https://github.com/containerd/containerd/pull/13011))
  * [`00c776f07`](https://github.com/containerd/containerd/commit/00c776f075f06e4eeb4bfd97e23b3331c5c96bbc) update to go1.25.8, test go1.26.1
</p>
</details>

### Dependency Changes

* **github.com/Microsoft/hcsshim**   v0.14.0-rc.1 -> v0.14.1
* **github.com/klauspost/compress**  v1.18.1 -> v1.18.5
* **github.com/moby/spdystream**     v0.5.0 -> v0.5.1

Previous release can be found at [v2.2.2](https://github.com/containerd/containerd/releases/tag/v2.2.2)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v2.0.8

    d2f61adb · Merge pull request #13235 from samuelkarp/prepare-release-2.0.8 · 
    containerd 2.0.8

Welcome to the v2.0.8 release of containerd!

The eighth patch release for containerd 2.0 includes various bug fixes and updates, including a security fix.

### Security Updates

* **spdystream**
  * [**CVE-2026-35469**](https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2)

### Highlights

#### Container Runtime Interface (CRI)

* Sanitize error before gRPC return to prevent possible credential leak in pod events ([#13181](https://github.com/containerd/containerd/pull/13181))
* Fix CNI issue where DEL is never executed after a restart ([#13179](https://github.com/containerd/containerd/pull/13179))

#### Runtime

* Update selinux to v1.13.1 ([#13193](https://github.com/containerd/containerd/pull/13193))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Samuel Karp
* Michael Zappa
* Akhil Mohan
* Laura Lorenz
* Phil Estes
* Aadhar Agarwal
* Andrey Noskov
* Chris Henzie
* Davanum Srinivas
* Maksym Pavlenko
* Rodrigo Campos
* Sebastiaan van Stijn
* ningmingxiao
* yashsingh74

### Changes
<details><summary>32 commits</summary>
<p>

* Prepare release notes for v2.0.8 (missed line) ([#13235](https://github.com/containerd/containerd/pull/13235))
  * [`c07b94f19`](https://github.com/containerd/containerd/commit/c07b94f19bc7c473c04105749ee84c27d28bec55) Prepare release notes for v2.0.8 (missed line)
* Prepare release notes for v2.0.8 ([#13222](https://github.com/containerd/containerd/pull/13222))
  * [`c54b69f1a`](https://github.com/containerd/containerd/commit/c54b69f1a1552ac0d579c255a9befde271087898) Prepare release notes for v2.0.8
* update github.com/moby/spdystream v0.5.1 ([#13219](https://github.com/containerd/containerd/pull/13219))
  * [`fde1480df`](https://github.com/containerd/containerd/commit/fde1480df4c6f54a41e447b4ee0ddc90b21802e4) update github.com/moby/spdystream v0.5.1
* update to Go 1.25.9, 1.26.2 ([#13199](https://github.com/containerd/containerd/pull/13199))
  * [`5b2eee8a2`](https://github.com/containerd/containerd/commit/5b2eee8a29366afb5035e0fa814365f16529a1a8) update to Go 1.25.9, 1.26.2
  * [`c579db16e`](https://github.com/containerd/containerd/commit/c579db16e21022d1ccd2df3ae8790319674b06f7) update golangci-lint to v2.9.0 with go1.26 support
  * [`185ddcfd0`](https://github.com/containerd/containerd/commit/185ddcfd0cda36ca0e93a794fb455f5b219f7b0d) remove windows/arm from cross build
  * [`8538158df`](https://github.com/containerd/containerd/commit/8538158dfacc448ef330eb419d816eaec29c7765) Ignore warnings for golangci-lint bump
  * [`1cff32695`](https://github.com/containerd/containerd/commit/1cff32695c410065612ad5f75f74bae43726ef3f) ci: bump golangci from 6.5.2 to 7.0.0
* Updating selinux to v1.13.1 ([#13193](https://github.com/containerd/containerd/pull/13193))
  * [`2e02b8bb3`](https://github.com/containerd/containerd/commit/2e02b8bb316e0a72ee78921ae7090cdb22330a5e) Skip github.com/cyphar/filepath-securejoin license checks
  * [`e71fc560b`](https://github.com/containerd/containerd/commit/e71fc560b19bddbe5c623bdec0446e9f52963f5f) Updating selinux to v1.13.1
* fix: sanitize error before gRPC return to prevent credential leak in pod events ([#13181](https://github.com/containerd/containerd/pull/13181))
  * [`868869eb9`](https://github.com/containerd/containerd/commit/868869eb9eff7a639bee9ba6324bd654a0449232) fix: sanitize error before gRPC return to prevent credential leak in pod events
  * [`40632e4f2`](https://github.com/containerd/containerd/commit/40632e4f2aa7b8996afe29071db2d7ca072df0a6) fix: redact all query parameters in CRI error logs
* CODEOWNERS: mark Sam and Chris as owners for 2.0 ([#13174](https://github.com/containerd/containerd/pull/13174))
  * [`85c3b2b02`](https://github.com/containerd/containerd/commit/85c3b2b0276b1a9786b76d264c16be2fec8e8356) CODEOWNERS: mark Sam and Chris as owners for 2.0
* Update github.com/moby/spdystream v0.4.0->v0.5.0 ([#13182](https://github.com/containerd/containerd/pull/13182))
  * [`902d804c9`](https://github.com/containerd/containerd/commit/902d804c99143d06b8fa0cd569610800e72f885a) Update github.com/moby/spdystream v0.4.0->v0.5.0
* Fix CNI issue where CNI DEL is never executed ([#13179](https://github.com/containerd/containerd/pull/13179))
  * [`e92d7b131`](https://github.com/containerd/containerd/commit/e92d7b131182de4738ef7d6973e20048f9a9f658) make linter happy in release
  * [`12fc0e6ca`](https://github.com/containerd/containerd/commit/12fc0e6ca205bae9c97ef4e6ad534549818a8456) add integration test for cni result nil
  * [`8d912c6a2`](https://github.com/containerd/containerd/commit/8d912c6a2be3546e5de0b221d9beb76e62c148ed) address comment
  * [`742f8b8f6`](https://github.com/containerd/containerd/commit/742f8b8f60a2d5e806ea858265d491d9b4930eab) fix issue where cni del is never executed
* Cherry-picks to fix CI ([#13175](https://github.com/containerd/containerd/pull/13175))
  * [`f24653597`](https://github.com/containerd/containerd/commit/f246535975c99ad48b3c7f5faa3eed9cfc2aa728) Ignore NOCHANGE error
  * [`9c656fab4`](https://github.com/containerd/containerd/commit/9c656fab42dc6a14a929f09bc4e6e24f8fe1a7b1) ci: update CIFuzz actions to support Ubuntu 24.04
  * [`c71c4a091`](https://github.com/containerd/containerd/commit/c71c4a091aebff6af86c107e26235ead10cf9b4b) integration: Fix TestImageLoad() failure on CI
  * [`bfee29999`](https://github.com/containerd/containerd/commit/bfee299990b409f709d03d026b74393cf6396cc9) ci: modprobe xt_comment on almalinux
</p>
</details>

### Dependency Changes

* **github.com/cyphar/filepath-securejoin**  v0.5.1 **_new_**
* **github.com/moby/spdystream**             v0.4.0 -> v0.5.1
* **github.com/opencontainers/selinux**      v1.11.1 -> v1.13.1

Previous release can be found at [v2.0.7](https://github.com/containerd/containerd/releases/tag/v2.0.7)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v2.1.7

    07ad9c70 · Merge pull request #13223 from samuelkarp/prepare-release-2.1.7 · 
    containerd 2.1.7

Welcome to the v2.1.7 release of containerd!

The seventh patch release for containerd 2.1 contains various fixes
and updates including a security patch.

### Security Updates

* **spdystream**
  * [**CVE-2026-35469**](https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2)

### Highlights

#### Container Runtime Interface (CRI)

* Preserve host cgroup mount options for privileged containers ([#13119](https://github.com/containerd/containerd/pull/13119))
* Fix image volumes when using user namespaces in CRI ([#12894](https://github.com/containerd/containerd/pull/12894))
* Fix issue where CNI DEL was never executed after a restart ([#12930](https://github.com/containerd/containerd/pull/12930))
* Hardening: sanitize errors before returning via gRPC to prevent possible credential leaks in pod events ([#12803](https://github.com/containerd/containerd/pull/12803))
* Enable options for pulling encrypted images in CRI ([#12713](https://github.com/containerd/containerd/pull/12713))

#### Image Distribution

* Fix possible panic from WithMediaTypeKeyPrefix ([#13135](https://github.com/containerd/containerd/pull/13135))

#### Runtime

* Update runc binary to v1.3.5 ([#13060](https://github.com/containerd/containerd/pull/13060))
* Hardening: fix possible TOCTOU race bug in tar extraction ([#12969](https://github.com/containerd/containerd/pull/12969))
* Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces ([#12943](https://github.com/containerd/containerd/pull/12943))
* Explicitly set AppArmor ABI to 3.0 ([#12898](https://github.com/containerd/containerd/pull/12898))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* yashsingh74
* Samuel Karp
* Maksym Pavlenko
* Phil Estes
* Wei Fu
* Akhil Mohan
* Chris Henzie
* Sebastiaan van Stijn
* Akihiro Suda
* Rodrigo Campos
* user.email
* Aadhar Agarwal
* Alex Chernyakhovsky
* Chris Adeniyi-Jones
* Derek McGowan
* Justin Alvarez
* Michael Zappa
* Ricardo Branco
* Shachar Tal
* Tõnis Tiigi
* ningmingxiao

### Changes
<details><summary>67 commits</summary>
<p>

* Prepare release notes for v2.1.7 ([#13223](https://github.com/containerd/containerd/pull/13223))
  * [`3a06b6847`](https://github.com/containerd/containerd/commit/3a06b6847e1e285c1f08bd579ac871130e62f8fb) Prepare release notes for v2.1.7
* update github.com/moby/spdystream v0.5.1 ([#13218](https://github.com/containerd/containerd/pull/13218))
  * [`82910b8c1`](https://github.com/containerd/containerd/commit/82910b8c115af227e469a6ea060c7d5188360a43) update github.com/moby/spdystream v0.5.1
* update to Go 1.25.9, 1.26.2 ([#13189](https://github.com/containerd/containerd/pull/13189))
  * [`295bdbbff`](https://github.com/containerd/containerd/commit/295bdbbff7348c99126f726fdf0738f910c9ea92) update to Go 1.25.9, 1.26.2
* Skip TestExportAndImportMultiLayer on s390x ([#13153](https://github.com/containerd/containerd/pull/13153))
  * [`8d0c87494`](https://github.com/containerd/containerd/commit/8d0c874949e54adc16fa94705dcecdbe4a4d4a06) Skip TestExportAndImportMultiLayer on s390x
* Fix possible panic from WithMediaTypeKeyPrefix ([#13135](https://github.com/containerd/containerd/pull/13135))
  * [`fe316cc1f`](https://github.com/containerd/containerd/commit/fe316cc1f8cad5cd9246e2f4eadd6806b94d866d) remotes: fix possible panic from WithMediaTypeKeyPrefix
* Preserve cgroup mount options for privileged containers ([#13119](https://github.com/containerd/containerd/pull/13119))
  * [`c5ee417ab`](https://github.com/containerd/containerd/commit/c5ee417abb903f9c3b5e0c47cae29182d821e4cf) Add integration test for privileged container cgroup mounts
  * [`a5d5a70ed`](https://github.com/containerd/containerd/commit/a5d5a70edda5455286a870b4f7557c24822107fd) Forward RUNC_FLAVOR env var down to integration tests
  * [`515c7f98d`](https://github.com/containerd/containerd/commit/515c7f98d8ca0cc203fc5a459ec2403d94588e92) Preserve host cgroup mount options for privileged containers
  * [`ffd9b61c9`](https://github.com/containerd/containerd/commit/ffd9b61c9e6da45d1ec69d17499afb2392c591d6) Move cgroup namespace placement higher in spec builder
* update runc binary to v1.3.5 ([#13060](https://github.com/containerd/containerd/pull/13060))
  * [`2f025ff8e`](https://github.com/containerd/containerd/commit/2f025ff8ee66f1abb3d76a3a41450eef4a960021) [release/2.1] update runc binary to v1.3.5
* Fix vagrant on CI ([#13065](https://github.com/containerd/containerd/pull/13065))
  * [`f198b7f87`](https://github.com/containerd/containerd/commit/f198b7f8775d887f93e1a024696b095805440e9d) Ignore NOCHANGE error
* Fix TOCTOU race bug in tar extraction ([#12969](https://github.com/containerd/containerd/pull/12969))
  * [`aecfb3dc6`](https://github.com/containerd/containerd/commit/aecfb3dc641561a46a8d7dd6d444163cbae5ff88) Fix TOCTOU race bug in tar extraction
* update to go1.25.8, test go1.26.1 ([#13013](https://github.com/containerd/containerd/pull/13013))
  * [`b71360b59`](https://github.com/containerd/containerd/commit/b71360b59b70e06a43ed3087b1fe178eeaea70aa) update to go1.25.8, test go1.26.1
  * [`ec7320b8b`](https://github.com/containerd/containerd/commit/ec7320b8bb051d054e463f07074757d16d43c70f) update golangci-lint to v2.9.0 with go1.26 support
  * [`01606226e`](https://github.com/containerd/containerd/commit/01606226e6bce9eec8368de8ad8b70f3ff75eb1f) remove windows/arm from cross build
  * [`e082c2e05`](https://github.com/containerd/containerd/commit/e082c2e0572e328f3845a44a200943ce8e3bbe9b) ci: build/test go1.26.0
* update golangci-lint to v2.1.5 ([#13012](https://github.com/containerd/containerd/pull/13012))
  * [`f9528d2d9`](https://github.com/containerd/containerd/commit/f9528d2d958c99132881910940c19e0289f4a97c) build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.2.0
  * [`de0d60a17`](https://github.com/containerd/containerd/commit/de0d60a17a32e267849b37c344ed844f0b4e51d9) build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0
  * [`1b240d0e0`](https://github.com/containerd/containerd/commit/1b240d0e0687f66304adb8de1ec4095982d6eb64) build(deps): bump golangci/golangci-lint-action from 6.5.2 to 8.0.0
  * [`67ec314fa`](https://github.com/containerd/containerd/commit/67ec314fa854e2cdf72f74f12a83f980f861dd62) ci: bump golangci from 6.5.2 to 7.0.0
  * [`7fe19a6b2`](https://github.com/containerd/containerd/commit/7fe19a6b26d8a3b288d5a259e9b91b65350e6240) Disable ST1003: struct field Uid should be UID (staticcheck)
  * [`88470c519`](https://github.com/containerd/containerd/commit/88470c51901efcb0db417c046be4313161fcc377) Disable QF1003: could use tagged switch on base (staticcheck)
  * [`1ea353741`](https://github.com/containerd/containerd/commit/1ea353741ee6033a3deebe720a72df1b0fe1dc86) fix: Used nolint to ignore the static checks
  * [`f6ddff11b`](https://github.com/containerd/containerd/commit/f6ddff11bbc321a1cba2cf747aea2767c48a3faf) fix: ST1001: should not use dot imports (staticcheck)
  * [`4ed50edce`](https://github.com/containerd/containerd/commit/4ed50edce7c2d5f1444830471958c3340fd7b787) fix: ST1019: removed the duplicate imports
  * [`808c623d1`](https://github.com/containerd/containerd/commit/808c623d19ea9a2b68643cfc0cb05fe2f804bf08) fix: QF1012: Use of fmt.Fprintln(...)
  * [`e98bc32cd`](https://github.com/containerd/containerd/commit/e98bc32cd51f6014415739924ff58408326be0e2) fix: QF1001: could apply De Morgan's law (staticcheck)
  * [`cebb3583e`](https://github.com/containerd/containerd/commit/cebb3583e1585842f00f46eeefe6a9c3149a57f6) fix: ST1005: error strings should not end with punctuation or newlines
  * [`1852b5d07`](https://github.com/containerd/containerd/commit/1852b5d07e362ab0d5768710f0b65c0de3c5cc2c) fix: QF1004: strings.ReplaceAll instead (staticcheck)
  * [`9b0b270cd`](https://github.com/containerd/containerd/commit/9b0b270cdf7665d734fb021e886951c87674f974) fix: QF1002: could use tagged switch on host (staticcheck)
* cri: Fix image volumes with user namespaces ([#12894](https://github.com/containerd/containerd/pull/12894))
  * [`8d5351929`](https://github.com/containerd/containerd/commit/8d5351929995719667e375a89a55e6463a6957bb) cri: Fix image volumes with user namespaces
* ci: modprobe xt_comment on almalinux ([#12958](https://github.com/containerd/containerd/pull/12958))
  * [`37a98b239`](https://github.com/containerd/containerd/commit/37a98b239c27f32343cf6a11ad5cb431ca74010a) ci: modprobe xt_comment on almalinux
* core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values ([#12943](https://github.com/containerd/containerd/pull/12943))
  * [`74e575ce8`](https://github.com/containerd/containerd/commit/74e575ce8ce95c2616acbffd3711c684757807b5) core/mount: add test for getUnprivilegedMountFlags
  * [`c62466642`](https://github.com/containerd/containerd/commit/c624666429168da3a308697c90e3842681a7a9e8) core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
* Fix CNI issue where CNI DEL is never executed ([#12930](https://github.com/containerd/containerd/pull/12930))
  * [`9710aed4a`](https://github.com/containerd/containerd/commit/9710aed4a05c964b7fbcee9a13d2ae58a6ee08c2) fix issue where cni del is never executed
* apparmor: explicitly set abi/3.0 ([#12898](https://github.com/containerd/containerd/pull/12898))
  * [`735fcb316`](https://github.com/containerd/containerd/commit/735fcb3164349f11fe2f4615b2e7d26abe25b2d4) apparmor: explicitly set abi/3.0
* integration: Fix TestImageLoad() failure on CI ([#12907](https://github.com/containerd/containerd/pull/12907))
  * [`51a63212f`](https://github.com/containerd/containerd/commit/51a63212ffd7ec0ecf05bd46429561b2fc847896) integration: Fix TestImageLoad() failure on CI
* update to go1.24.13, go1.25.7 ([#12872](https://github.com/containerd/containerd/pull/12872))
  * [`e13f28dbd`](https://github.com/containerd/containerd/commit/e13f28dbdfffdb04a5950ecb0d0e2f16959d5d33) update to go1.24.13, go1.25.7
  * [`c0f18dd59`](https://github.com/containerd/containerd/commit/c0f18dd596374320bb885292218acb840b752837) ci: bump go 1.24.12, 1.25.6
* fix: sanitize error before gRPC return to prevent credential leak in pod events ([#12803](https://github.com/containerd/containerd/pull/12803))
  * [`b65f34e15`](https://github.com/containerd/containerd/commit/b65f34e15c8a5b00dba6f18b976bb65202edfc1b) fix: sanitize error before gRPC return to prevent credential leak in pod events
* build(deps): bump google.golang.org/grpc from 1.72.2 to 1.78.0 ([#12750](https://github.com/containerd/containerd/pull/12750))
  * [`2e5ab3f84`](https://github.com/containerd/containerd/commit/2e5ab3f84da79520198cb8e5068a0ae6a7dc5f99) build(deps): bump google.golang.org/grpc from 1.72.2 to 1.78.0
* cri: emit warning for concurrent CreateContainer ([#12743](https://github.com/containerd/containerd/pull/12743))
  * [`5ef24ddd2`](https://github.com/containerd/containerd/commit/5ef24ddd2773a6a1f681cf0eec5bdb5188b80fe6) cri: emit warning for concurrent CreateContainer
* cri: move noisy CDI logs to debug level ([#12716](https://github.com/containerd/containerd/pull/12716))
  * [`6acd41e02`](https://github.com/containerd/containerd/commit/6acd41e02b94dbcb8d1e5fed63d3716f3529b81b) cri: move noisy CDI logs to debug level
* Uncomment call to add options for pulling encrypted images ([#12713](https://github.com/containerd/containerd/pull/12713))
  * [`3477d705d`](https://github.com/containerd/containerd/commit/3477d705d01962b0c66ed6979e0481e852a517aa) Reinstate image decryption
</p>
</details>

### Dependency Changes

* **github.com/go-jose/go-jose/v4**              v4.0.5 -> v4.1.3
* **github.com/moby/spdystream**                 v0.5.0 -> v0.5.1
* **github.com/stretchr/testify**                v1.10.0 -> v1.11.1
* **go.opentelemetry.io/auto/sdk**               v1.1.0 -> v1.2.1
* **go.opentelemetry.io/otel**                   v1.35.0 -> v1.38.0
* **go.opentelemetry.io/otel/metric**            v1.35.0 -> v1.38.0
* **go.opentelemetry.io/otel/sdk**               v1.35.0 -> v1.38.0
* **go.opentelemetry.io/otel/trace**             v1.35.0 -> v1.38.0
* **golang.org/x/oauth2**                        v0.27.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/api**  56aae31c358a -> ab9386a59fda
* **google.golang.org/genproto/googleapis/rpc**  56aae31c358a -> ab9386a59fda
* **google.golang.org/grpc**                     v1.72.2 -> v1.78.0
* **google.golang.org/protobuf**                 v1.36.7 -> v1.36.10

Previous release can be found at [v2.1.6](https://github.com/containerd/containerd/releases/tag/v2.1.6)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v1.7.31

    96caa5df · Merge pull request #13221 from samuelkarp/prepare-release-1.7.31 · 
    containerd 1.7.31

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

### Security Updates

* **spdystream**
  * [**CVE-2026-35469**](https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2)

### Highlights

#### Container Runtime Interface (CRI)

* Fix CNI issue where DEL is never executed after a restart ([#12931](https://github.com/containerd/containerd/pull/12931))
* Sanitize error before gRPC return to prevent possible credential leak in pod events ([#12805](https://github.com/containerd/containerd/pull/12805))
* Improve error message and add warning when concurrent container creation is detected ([#12744](https://github.com/containerd/containerd/pull/12744))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Samuel Karp
* Maksym Pavlenko
* Akhil Mohan
* Phil Estes
* Sebastiaan van Stijn
* Wei Fu
* Akihiro Suda
* Alex Chernyakhovsky
* Chris Henzie
* Michael Zappa
* Ricardo Branco
* Shachar Tal
* ningmingxiao
* yashsingh74

### Changes
<details><summary>37 commits</summary>
<p>

* Prepare release notes for v1.7.31 ([#13221](https://github.com/containerd/containerd/pull/13221))
  * [`7d2662653`](https://github.com/containerd/containerd/commit/7d2662653cd89ae6d81de962425bfcd264031852) Prepare release notes for v1.7.31
* update github.com/moby/spdystream v0.5.1 ([#13220](https://github.com/containerd/containerd/pull/13220))
  * [`3f795c02a`](https://github.com/containerd/containerd/commit/3f795c02a76abfffd60f82d8b4a384fd86e0d8d1) update github.com/moby/spdystream v0.5.1
* update to Go 1.25.9, 1.26.2 ([#13200](https://github.com/containerd/containerd/pull/13200))
  * [`7b1e1b17b`](https://github.com/containerd/containerd/commit/7b1e1b17be279c810e6fe26a59384e2eb1498826) update to Go 1.25.9, 1.26.2
  * [`b673f2d42`](https://github.com/containerd/containerd/commit/b673f2d421384fcf17c51310005df3d5b8bbab67) update golangci-lint to v2.9.0 with go1.26 support
  * [`d88d8513a`](https://github.com/containerd/containerd/commit/d88d8513aa9e791d4de1016c913b319f2c278cc3) remove windows/arm from cross build
  * [`a763407b5`](https://github.com/containerd/containerd/commit/a763407b5f91c1bbb4420e0b956d8bbb2e993734) Ignore warnings for golangci-lint bump
  * [`03dcd8360`](https://github.com/containerd/containerd/commit/03dcd8360961943189e51c05067ee9c3fae4b201) ci: bump golangci from 6.5.2 to 7.0.0
* Update github.com/moby/spdystream v0.2.0->v0.5.0 ([#13176](https://github.com/containerd/containerd/pull/13176))
  * [`c08711218`](https://github.com/containerd/containerd/commit/c087112183c32edc2ec2527d5b1e0532f4af12bd) Update github.com/moby/spdystream v0.2.0->v0.5.0
* Skip TestExportAndImportMultiLayer on s390x ([#13152](https://github.com/containerd/containerd/pull/13152))
  * [`043548f6d`](https://github.com/containerd/containerd/commit/043548f6d70b0c2c775bb7a9e7c1c47d8ed2068f) Skip TestExportAndImportMultiLayer on s390x
* update runc binary to v1.3.5 ([#13059](https://github.com/containerd/containerd/pull/13059))
  * [`e99bd6050`](https://github.com/containerd/containerd/commit/e99bd60504fd6575c252687d0103e0386e6df205) [release/1.7] update runc binary to v1.3.5
* CODEOWNERS: mark Sam and Chris as owners for 1.7 ([#13069](https://github.com/containerd/containerd/pull/13069))
  * [`3a3103aaf`](https://github.com/containerd/containerd/commit/3a3103aaf7354464c2b69211eb5d533477ac0d5c) CODEOWNERS: mark Sam and Chris as owners for 1.7
* Fix vagrant on CI ([#13064](https://github.com/containerd/containerd/pull/13064))
  * [`9b4cfa271`](https://github.com/containerd/containerd/commit/9b4cfa27113b4117e4d47dfca0fe84075ea2ff45) Ignore NOCHANGE error
* ci: modprobe xt_comment on almalinux ([#12959](https://github.com/containerd/containerd/pull/12959))
  * [`53e9e73f0`](https://github.com/containerd/containerd/commit/53e9e73f0281d7f5060fefd1a0af428e03636d6a) ci: modprobe xt_comment on almalinux
* Fix TOCTOU race bug in tar extraction ([#12970](https://github.com/containerd/containerd/pull/12970))
  * [`61c2733fd`](https://github.com/containerd/containerd/commit/61c2733fde2971d2d5fb3b9d5363d626700350fd) Fix TOCTOU race bug in tar extraction
* Fix CNI issue where CNI DEL is never executed ([#12931](https://github.com/containerd/containerd/pull/12931))
  * [`f854c1890`](https://github.com/containerd/containerd/commit/f854c1890468b12e4517c155eee5840f46b22e59) fix issue where cni del is never executed
* apparmor: explicitly set abi/3.0 ([#12899](https://github.com/containerd/containerd/pull/12899))
  * [`5c091d92e`](https://github.com/containerd/containerd/commit/5c091d92ed5c9c9c8968c0836ede8b427b06ef93) apparmor: explicitly set abi/3.0
* backport: integration: Fix TestImageLoad() failure on CI ([#12908](https://github.com/containerd/containerd/pull/12908))
  * [`177ac10fe`](https://github.com/containerd/containerd/commit/177ac10fee6803c41cb39e67f17357ad843a8fe1) integration: Fix TestImageLoad() failure on CI
* update to go1.24.13, go1.25.7 ([#12873](https://github.com/containerd/containerd/pull/12873))
  * [`56da43d0f`](https://github.com/containerd/containerd/commit/56da43d0fd21b7f58a0d84fbb1a21b05fa0135b1) update to go1.24.13, go1.25.7
  * [`5cb3cb9ba`](https://github.com/containerd/containerd/commit/5cb3cb9bad8a9fbac96e2fe52e8eae70cb788a25) ci: bump go 1.24.12, 1.25.6
* fix: sanitize error before gRPC return to prevent credential leak in pod events ([#12805](https://github.com/containerd/containerd/pull/12805))
  * [`b1fa03843`](https://github.com/containerd/containerd/commit/b1fa038433bba840e3be76c0fb125da4defc17e6) fix: sanitize error before gRPC return to prevent credential leak in pod events
* cri: emit warning for concurrent CreateContainer ([#12744](https://github.com/containerd/containerd/pull/12744))
  * [`e2c93a42c`](https://github.com/containerd/containerd/commit/e2c93a42ca703904df6e1013c883d78f51c7f28a) cri: emit warning for concurrent CreateContainer
</p>
</details>

### Dependency Changes

* **github.com/moby/spdystream**  v0.2.0 -> v0.5.1

Previous release can be found at [v1.7.30](https://github.com/containerd/containerd/releases/tag/v1.7.30)
    Unverified

  • v2.3.0-beta.1

    212b10b2 · Merge pull request #13209 from dmcgowan/prepare-v2.3.0-beta.1 · 
    containerd 2.3.0-beta.1

Welcome to the v2.3.0-beta.1 release of containerd!
*This is a pre-release of containerd*

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

This is a beta release and some functionality is still under development.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* tracing: add option to inject trace ID into logrus fields ([#13117](https://github.com/containerd/containerd/pull/13117))
* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))
* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Container Runtime Interface (CRI)

* feat: Allow containers to use both host network and user namespace ([#12518](https://github.com/containerd/containerd/pull/12518))
* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))

#### Image Distribution

* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))

#### Runtime

* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))
* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

#### Snapshotters

* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Sebastiaan van Stijn
* Derek McGowan
* Krisztian Litkey
* Wei Fu
* Phil Estes
* Akihiro Suda
* Samuel Karp
* Markus Lehtonen
* Mike Brown
* Davanum Srinivas
* Akhil Mohan
* Gao Xiang
* ChengyuZhu6
* Hudson Zhu
* Kazuyoshi Kato
* Chris Henzie
* Sergey Kanzhelev
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* HirazawaUi
* Michael Zappa
* Paweł Gronowski
* Apurv Barve
* Brian Goff
* Fabiano Fidêncio
* Hasan Siddiqui
* Jintao Zhang
* Paulo Oliveira
* Shiv Tyagi
* Austin Vazquez
* Avinesh Singh
* Esteban Ginez
* Henry Wang
* Jin Dong
* Jérôme Poulin
* Luke Hinds
* Sascha Grunert
* majianhan
* Adrien Delorme
* Albin Kerouanton
* Alex Chernyakhovsky
* Andrey Noskov
* Andrey Smirnov
* Annie Cherkaev
* Anuj Singh
* Champ-Goblem
* Chris Adeniyi-Jones
* Cindia-blue
* CrazyMax
* Danny Canter
* Evan Lezar
* Fletcher Woodruff
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Joseph Zhang
* Justin Chadwell
* Kal
* Manuel de Brito Fontes
* Neeraj Krishna Gopalakrishna
* Pierluigi Lenoci
* Ricardo Branco
* Rob Murray
* Rodrigo Campos
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Weixie Cui
* Will Jordan
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* bo.jiang
* chris-henderson-alation
* jinda.ljd
* qiuxue

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/Microsoft/go-winio**                                                v0.6.2 -> ad3df93bed29
* **github.com/Microsoft/hcsshim**                                                 v0.14.0-rc.1 -> v0.15.0-rc.1
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0-beta.1
* **github.com/containerd/go-dmverity**                                            e097b6cc4a33 **_new_**
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.11.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.2 -> v1.0.0-rc.4
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/davecgh/go-spew**                                                   v1.1.1 -> d8f796af33cc
* **github.com/erofs/go-erofs**                                                    v0.2.0 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.3
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.5
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pelletier/go-toml/v2**                                              v2.2.4 -> v2.3.0
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.17.0
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.10.1
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.67.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.67.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.43.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.43.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.43.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.10.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.49.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.34.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.52.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.42.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.41.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.35.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 9d38bb4040a9
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.80.0
* **google.golang.org/protobuf**                                                   v1.36.10 -> f2248ac996af
* **k8s.io/api**                                                                   v0.34.1 -> v0.36.0-rc.0
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.36.0-rc.0
* **k8s.io/client-go**                                                             v0.34.1 -> v0.36.0-rc.0
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.36.0-rc.0
* **k8s.io/cri-streaming**                                                         v0.36.0-rc.0 **_new_**
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          5883c5ee87b9 **_new_**
* **k8s.io/streaming**                                                             v0.36.0-rc.0 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> 28399d86e0b5
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **sigs.k8s.io/structured-merge-diff/v6**                                         v6.3.0 -> v6.3.2
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • api/v1.11.0-beta.1

    74b465dc · Merge pull request #13208 from dmcgowan/update-bootstrap-log-levels · 
    containerd api/v1.11.0-beta.1

Welcome to the api/v1.11.0-beta.1 release of containerd!
*This is a pre-release of containerd*

The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.

### Highlights

* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Wei Fu
* Gao Xiang
* Sebastiaan van Stijn

### Changes
<details><summary>41 commits</summary>
<p>

* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))
  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition
* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))
  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy
* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))
  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions
  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level
  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json
  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path
  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api
  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests
  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag
  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim
  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files
  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file
  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin
  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension
  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor
  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol
* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))
  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto
* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))
  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api
* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
</p>
</details>

### Dependency Changes

* **golang.org/x/net**                           v0.38.0 -> v0.48.0
* **golang.org/x/sys**                           v0.31.0 -> v0.39.0
* **golang.org/x/text**                          v0.23.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/rpc**  c3f982113cda -> ff82c1b0f217
* **google.golang.org/grpc**                     v1.59.0 -> v1.79.3
* **google.golang.org/protobuf**                 v1.33.0 -> v1.36.10

Previous release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)
    Unverified

  • v2.3.0-beta.0

    b0d7bba9 · Merge pull request #13048 from dmcgowan/prepare-2.3.0-beta · 
    containerd 2.3.0-beta.0

Welcome to the v2.3.0-beta.0 release of containerd!
*This is a pre-release of containerd*

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

This is a beta release and some functionality is still under development.

### Highlights

* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))
* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))
* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

#### Container Runtime Interface (CRI)

* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))
* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))
* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))

#### Image Distribution

* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))

#### Image Storage

* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))

#### Node Resource Interface (NRI)

* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))
* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))
* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))
* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))
* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))
* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))

#### Runtime

* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))
* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Sebastiaan van Stijn
* Krisztian Litkey
* Wei Fu
* Derek McGowan
* Phil Estes
* Akihiro Suda
* Markus Lehtonen
* Mike Brown
* Samuel Karp
* Akhil Mohan
* Davanum Srinivas
* Kazuyoshi Kato
* ningmingxiao
* Aadhar Agarwal
* Andrew Halaney
* Gao Xiang
* Michael Zappa
* Paweł Gronowski
* Fabiano Fidêncio
* Paulo Oliveira
* Shiv Tyagi
* Austin Vazquez
* Avinesh Singh
* ChengyuZhu6
* Chris Henzie
* Jin Dong
* Jérôme Poulin
* Luke Hinds
* Sascha Grunert
* majianhan
* Adrien Delorme
* Albin Kerouanton
* Alex Chernyakhovsky
* Andrey Noskov
* Anuj Singh
* Apurv Barve
* Brian Goff
* Champ-Goblem
* Chris Adeniyi-Jones
* Cindia-blue
* CrazyMax
* Danny Canter
* Evan Lezar
* Gaurav Ghildiyal
* Harsh Rawat
* Hayato Kiwata
* Kal
* Manuel de Brito Fontes
* Neeraj Krishna Gopalakrishna
* Rodrigo Campos
* Shachar Tal
* Shaobao Feng
* Shiming Zhang
* Tariq Ibrahim
* Tim Windelschmidt
* Tõnis Tiigi
* Wade Simmons
* Yohei Yamamoto
* You Binhao
* Youfu Zhang
* bo.jiang
* chris-henderson-alation
* jinda.ljd
* qiuxue

### Dependency Changes

* **cyphar.com/go-pathrs**                                                         v0.2.1 **_new_**
* **github.com/cenkalti/backoff/v5**                                               v5.0.3 **_new_**
* **github.com/checkpoint-restore/checkpointctl**                                  v1.4.0 -> v1.5.0
* **github.com/containerd/cgroups/v3**                                             v3.1.0 -> v3.1.3
* **github.com/containerd/containerd/api**                                         v1.10.0 -> v1.11.0-beta.0
* **github.com/containerd/imgcrypt/v2**                                            v2.0.1 -> v2.0.2
* **github.com/containerd/nri**                                                    v0.10.0 -> v0.11.0
* **github.com/containerd/ttrpc**                                                  v1.2.7 -> v1.2.8
* **github.com/containerd/zfs/v2**                                                 v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**                                       v1.8.0 -> v1.9.1
* **github.com/coreos/go-systemd/v22**                                             v22.6.0 -> v22.7.0
* **github.com/cyphar/filepath-securejoin**                                        v0.6.0 **_new_**
* **github.com/go-jose/go-jose/v4**                                                v4.1.2 -> v4.1.3
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.26.1 -> v2.28.0
* **github.com/intel/goresctrl**                                                   v0.10.0 -> v0.12.0
* **github.com/klauspost/compress**                                                v1.18.1 -> v1.18.4
* **github.com/opencontainers/runtime-spec**                                       v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**                                      0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                                            v1.12.0 -> v1.13.1
* **github.com/pmezard/go-difflib**                                                v1.0.0 -> 5d4384ee4fb2
* **github.com/prometheus/procfs**                                                 v0.16.1 -> v0.17.0
* **github.com/sirupsen/logrus**                                                   v1.9.3 -> v1.9.4
* **github.com/tetratelabs/wazero**                                                v1.9.0 -> v1.10.1
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 -> v1.2.1
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.60.0 -> v0.64.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.60.0 -> v0.64.0
* **go.opentelemetry.io/otel**                                                     v1.37.0 -> v1.42.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.35.0 -> v1.39.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.35.0 -> v1.39.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.35.0 -> v1.39.0
* **go.opentelemetry.io/otel/metric**                                              v1.37.0 -> v1.42.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.37.0 -> v1.42.0
* **go.opentelemetry.io/otel/trace**                                               v1.37.0 -> v1.42.0
* **go.opentelemetry.io/proto/otlp**                                               v1.5.0 -> v1.9.0
* **go.yaml.in/yaml/v2**                                                           v2.4.2 -> v2.4.3
* **golang.org/x/crypto**                                                          v0.41.0 -> v0.48.0
* **golang.org/x/mod**                                                             v0.29.0 -> v0.34.0
* **golang.org/x/net**                                                             v0.43.0 -> v0.51.0
* **golang.org/x/oauth2**                                                          v0.30.0 -> v0.35.0
* **golang.org/x/sync**                                                            v0.17.0 -> v0.20.0
* **golang.org/x/sys**                                                             v0.37.0 -> v0.42.0
* **golang.org/x/term**                                                            v0.34.0 -> v0.40.0
* **golang.org/x/text**                                                            v0.28.0 -> v0.34.0
* **golang.org/x/time**                                                            v0.14.0 -> v0.15.0
* **google.golang.org/genproto/googleapis/api**                                    a7a43d27e69b -> 4cfbd4190f57
* **google.golang.org/genproto/googleapis/rpc**                                    a7a43d27e69b -> 4cfbd4190f57
* **google.golang.org/grpc**                                                       v1.76.0 -> v1.79.2
* **google.golang.org/protobuf**                                                   v1.36.10 -> v1.36.11
* **k8s.io/api**                                                                   v0.34.1 -> v0.35.2
* **k8s.io/apimachinery**                                                          v0.34.1 -> v0.35.2
* **k8s.io/client-go**                                                             v0.34.1 -> v0.35.2
* **k8s.io/cri-api**                                                               v0.34.1 -> v0.35.2
* **k8s.io/klog/v2**                                                               v2.130.1 -> v2.140.0
* **k8s.io/kube-openapi**                                                          589584f1c912 **_new_**
* **k8s.io/utils**                                                                 4c0f3b243397 -> bc988d571ff4
* **sigs.k8s.io/json**                                                             cfa47c3a1cc8 -> 2d320260d730
* **tags.cncf.io/container-device-interface**                                      v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**                             v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • api/v1.11.0-beta.0

    cad669b5 · Merge pull request #13045 from dmcgowan/prepare-api-v1.11.0-beta.0 · 
    containerd api/v1.11.0-beta.0

Welcome to the api/v1.11.0-beta.0 release of containerd!
*This is a pre-release of containerd*

The 12th release for the containerd 1.x API aligns with the containerd 2.3 release.

### Highlights

* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Derek McGowan
* Sebastiaan van Stijn
* Wei Fu

### Changes
<details><summary>18 commits</summary>
<p>

* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))
  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0
* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))
  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos
* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))
  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field
* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))
  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files
  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files
* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))
  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt
  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API
* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))
  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files
  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files
  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/
  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports
  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)
    Unverified

  • v2.2.2

    301b2dac · Merge pull request #12998 from samuelkarp/prepare-release-2.2.2 · 
    containerd 2.2.2

Welcome to the v2.2.2 release of containerd!

The second patch release for containerd 2.2 contains various fixes and improvements.

### Highlights

#### Container Runtime Interface (CRI)

* Fix migrated CRI image config when using legacy registry mirrors ([#12987](https://github.com/containerd/containerd/pull/12987))
* Unpack images with per-layer labels for runtime-specific snapshotters ([#12936](https://github.com/containerd/containerd/pull/12936))
* Fix CNI issue where DEL is never executed after a restart ([#12926](https://github.com/containerd/containerd/pull/12926))
* Harden error handling to strip potentially-sensitive registry parameters ([#12804](https://github.com/containerd/containerd/pull/12804))
* Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured ([#12731](https://github.com/containerd/containerd/pull/12731))
* Use the specified runtime handler when pulling images ([#12721](https://github.com/containerd/containerd/pull/12721))
* Reduce noisy CDI logs ([#12717](https://github.com/containerd/containerd/pull/12717))
* Fix regression for pulling encrypted images ([#12712](https://github.com/containerd/containerd/pull/12712))

#### Runtime

* Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces ([#12944](https://github.com/containerd/containerd/pull/12944))
* Fix AppArmor bug disallowing unix domain sockets on newer kernels ([#12897](https://github.com/containerd/containerd/pull/12897))

#### ctr development tool

* Fix `ctr image mount` failing with "no such device" ([#12831](https://github.com/containerd/containerd/pull/12831))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Maksym Pavlenko
* Akhil Mohan
* Samuel Karp
* Wei Fu
* Michael Zappa
* Phil Estes
* Fabiano Fidêncio
* Jérôme Poulin
* Luke Hinds
* Aadhar Agarwal
* Akihiro Suda
* Alex Chernyakhovsky
* Chris Adeniyi-Jones
* Kazuyoshi Kato
* Rodrigo Campos
* Sebastiaan van Stijn
* You Binhao
* ningmingxiao
* qiuxue

### Changes
<details><summary>48 commits</summary>
<p>

* Prepare release notes for v2.2.2 ([#12998](https://github.com/containerd/containerd/pull/12998))
  * [`7e6ecf434`](https://github.com/containerd/containerd/commit/7e6ecf43421f9cfa64cd7043f86ae224dc7dc0a4) Prepare release notes for v2.2.2
* Fix migrated CRI image config when using legacy registry mirrors ([#12987](https://github.com/containerd/containerd/pull/12987))
  * [`a20dead7c`](https://github.com/containerd/containerd/commit/a20dead7cc644291433b2da4b1efa2f70c8a144f) set default config_path in plugin init
* Unpack images with per-layer labels for runtime-specific snapshotters ([#12936](https://github.com/containerd/containerd/pull/12936))
  * [`a5f83d8c2`](https://github.com/containerd/containerd/commit/a5f83d8c2b419a3f882182d5beca60725387f499) cri: unpack images with per-layer labels for runtime-specific snapshotters
* ci: modprobe xt_comment on almalinux ([#12957](https://github.com/containerd/containerd/pull/12957))
  * [`68855cb0b`](https://github.com/containerd/containerd/commit/68855cb0be5d372fd53c450e91cc3224157abb4b) ci: modprobe xt_comment on almalinux
* Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces ([#12944](https://github.com/containerd/containerd/pull/12944))
  * [`ef7a8beb3`](https://github.com/containerd/containerd/commit/ef7a8beb375c8322b9a09666f50150717b9ae335) core/mount: add test for getUnprivilegedMountFlags
  * [`07b2cc07e`](https://github.com/containerd/containerd/commit/07b2cc07e4f3d553c5ca801c9f0800b55ba7eac2) core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
* Fix CNI issue where DEL is never executed after a restart ([#12926](https://github.com/containerd/containerd/pull/12926))
  * [`54101116f`](https://github.com/containerd/containerd/commit/54101116fcdf18e21c8d202f86ed93c34a5932af) add integration test for cni result nil
  * [`d44c4384e`](https://github.com/containerd/containerd/commit/d44c4384ec9f7adef9a4598e05f12e0850338fd8) address comment
  * [`f1835270b`](https://github.com/containerd/containerd/commit/f1835270b0b800e4c1ba13391cd4a75617810615) fix issue where cni del is never executed
* Fix AppArmor bug disallowing unix domain sockets on newer kernels ([#12897](https://github.com/containerd/containerd/pull/12897))
  * [`6c05047b4`](https://github.com/containerd/containerd/commit/6c05047b4ba86d2fb857429c6272bb66679e7dee) apparmor: explicitly set abi/3.0
* ci: add build/test go1.26.0, drop go1.24 ([#12917](https://github.com/containerd/containerd/pull/12917))
  * [`5dbf1b915`](https://github.com/containerd/containerd/commit/5dbf1b91596e35247f5928ad202da2a378859703) update golangci-lint to v2.9.0 with go1.26 support
  * [`8ec695ebe`](https://github.com/containerd/containerd/commit/8ec695ebe8b6f8ec4fbd4ebbe658a2aaa35ac857) remove windows/arm from cross build
  * [`b9c22a6e3`](https://github.com/containerd/containerd/commit/b9c22a6e39a937e86723bac0b63e30587cd8e936) ci: build/test go1.26.0
* integration: Fix TestImageLoad() failure on CI ([#12906](https://github.com/containerd/containerd/pull/12906))
  * [`09b876a81`](https://github.com/containerd/containerd/commit/09b876a8198818ab7d59e9037e6592889faea861) integration: Fix TestImageLoad() failure on CI
* cri: Fix image volumes with user namespaces ([#12885](https://github.com/containerd/containerd/pull/12885))
  * [`172ba65b6`](https://github.com/containerd/containerd/commit/172ba65b6a89479865832a7101f10e1b3a323d78) cri: Fix image volumes with user namespaces
* update to go1.24.13, go1.25.7 ([#12871](https://github.com/containerd/containerd/pull/12871))
  * [`b4240ef87`](https://github.com/containerd/containerd/commit/b4240ef8782d274b97554881cec65aa8b1da0d2c) update to go1.24.13, go1.25.7
  * [`94dbfaea7`](https://github.com/containerd/containerd/commit/94dbfaea7295d65c11f36510abc558e6e01c9205) ci: bump go 1.24.12, 1.25.6
* ci: set fetch-depth for containerd to 0 for version parsing ([#12875](https://github.com/containerd/containerd/pull/12875))
  * [`e46a7a286`](https://github.com/containerd/containerd/commit/e46a7a28682e79b9d851ea4de1840eb0dcf555b5) set fetch-depth for containerd to 0 for version parsing
* Fix `ctr image mount` failing with "no such device" ([#12831](https://github.com/containerd/containerd/pull/12831))
  * [`1d7908273`](https://github.com/containerd/containerd/commit/1d79082735d46fe24ded00a55ea6e3a33954593e) core/mount/manager: fix bind mount missing rbind option
  * [`3d509bcd3`](https://github.com/containerd/containerd/commit/3d509bcd335b15cece69ebfa117681d2715df930) core/mount/manager: add tests for WithTemporary option
* Harden error handling to strip potentially-sensitive registry parameters ([#12804](https://github.com/containerd/containerd/pull/12804))
  * [`cb3ae2119`](https://github.com/containerd/containerd/commit/cb3ae211952909a5c4d9fcb274e029286057fc34) fix: sanitize error before gRPC return to prevent credential leak in pod events
* bump google.golang.org/grpc from 1.76.0 to 1.78.0 ([#12739](https://github.com/containerd/containerd/pull/12739))
  * [`533a2552e`](https://github.com/containerd/containerd/commit/533a2552e9e1ff1896868986240f493e9f488920) build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0
  * [`b120237fb`](https://github.com/containerd/containerd/commit/b120237fb6af3b65117ba83af204cf92790acff3) build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0
* Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured ([#12731](https://github.com/containerd/containerd/pull/12731))
  * [`4be4e5156`](https://github.com/containerd/containerd/commit/4be4e5156c1bfdd84f12bb43424261e3b5578208) Fix nil pointer dereference in container spec memory metrics
* cri: emit warning for concurrent CreateContainer ([#12735](https://github.com/containerd/containerd/pull/12735))
  * [`a76eb698a`](https://github.com/containerd/containerd/commit/a76eb698a52f1eb3018fe6126587dcf36fad4e7b) cri: emit warning for concurrent CreateContainer
* Use the specified runtime handler when pulling images ([#12721](https://github.com/containerd/containerd/pull/12721))
  * [`3d2e188b1`](https://github.com/containerd/containerd/commit/3d2e188b15d7db18f87251eaf134da463f36a8c8) cri: Use the runtimeHandler parameter in PullImage
* Reduce noisy CDI logs ([#12717](https://github.com/containerd/containerd/pull/12717))
  * [`633057382`](https://github.com/containerd/containerd/commit/633057382e7bfd16523865928549b38e0aa0b7e2) cri: move noisy CDI logs to debug level
* Fix regression for pulling encrypted images ([#12712](https://github.com/containerd/containerd/pull/12712))
  * [`8a7409e2e`](https://github.com/containerd/containerd/commit/8a7409e2e71fd9486db3504ab804d4419e45af41) Reinstate image decryption
</p>
</details>

### Dependency Changes

* **github.com/go-jose/go-jose/v4**              v4.1.2 -> v4.1.3
* **go.opentelemetry.io/auto/sdk**               v1.1.0 -> v1.2.1
* **go.opentelemetry.io/otel**                   v1.37.0 -> v1.38.0
* **go.opentelemetry.io/otel/metric**            v1.37.0 -> v1.38.0
* **go.opentelemetry.io/otel/sdk**               v1.37.0 -> v1.38.0
* **go.opentelemetry.io/otel/trace**             v1.37.0 -> v1.38.0
* **golang.org/x/oauth2**                        v0.30.0 -> v0.32.0
* **google.golang.org/genproto/googleapis/api**  a7a43d27e69b -> ab9386a59fda
* **google.golang.org/genproto/googleapis/rpc**  a7a43d27e69b -> ab9386a59fda
* **google.golang.org/grpc**                     v1.76.0 -> v1.78.0

Previous release can be found at [v2.2.1](https://github.com/containerd/containerd/releases/tag/v2.2.1)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v2.2.1

    dea7da59 · Merge pull request #12677 from dmcgowan/prepare-2.2.1 · 
    containerd 2.2.1

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

### Highlights

#### Container Runtime Interface (CRI)

* **Redact all query parameters in CRI error logs** ([#12546](https://github.com/containerd/containerd/pull/12546))

#### Image Distribution

* **Fix image defaults on Darwin to usable configuration** ([#12544](https://github.com/containerd/containerd/pull/12544))
* **Fix possible panic from WithMediaTypeKeyPrefix** ([#12516](https://github.com/containerd/containerd/pull/12516))

#### Runtime

* **Update runc binary to v1.3.4** ([#12593](https://github.com/containerd/containerd/pull/12593))
* **Fix parsing of hugetlb.<size>.events files** ([containerd/cgroups#379](https://github.com/containerd/cgroups/pull/379))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Krisztian Litkey
* Markus Lehtonen
* Akihiro Suda
* Mike Brown
* Sebastiaan van Stijn
* Derek McGowan
* Heran Yang
* Wei Fu
* Phil Estes
* Samuel Karp
* Austin Vazquez
* Sascha Grunert
* Akhil Mohan
* Andrey Noskov
* Brian Goff
* CrazyMax
* Davanum Srinivas
* Gaurav Ghildiyal
* Neeraj Krishna Gopalakrishna
* Paweł Gronowski
* Tariq Ibrahim
* TomerLev
* Tõnis Tiigi
* bo.jiang
* ningmingxiao

### Changes
<details><summary>53 commits</summary>
<p>

* Prepare release notes for v2.2.1 ([#12677](https://github.com/containerd/containerd/pull/12677))
  * [`f6bae1f88`](https://github.com/containerd/containerd/commit/f6bae1f8807a099a0b101e584f1f8aabddab91a6) Prepare release notes for v2.2.1
* cri,nri: bump NRI dependencies to v0.11.0 ([#12701](https://github.com/containerd/containerd/pull/12701))
  * [`c22cf5d49`](https://github.com/containerd/containerd/commit/c22cf5d49819a2996f184db954c53c2060916314) cri,nri: pass any linux security profile to plugins.
  * [`d7532de75`](https://github.com/containerd/containerd/commit/d7532de751f81eee4f03001bb46e49d76a1607fb) cri,nri: pass any linux RDT constraints to plugins.
  * [`ef36e6181`](https://github.com/containerd/containerd/commit/ef36e6181456ebb9919d2a51d786f416f85f780b) cri,nri: pass any linux net devices to plugins.
  * [`d56faf426`](https://github.com/containerd/containerd/commit/d56faf4261b5f946caa92c4869963f89f63a9b22) cri,nri: pass any linux scheduler attributes to plugins.
  * [`e1824d261`](https://github.com/containerd/containerd/commit/e1824d2613d32793cf1fd7282f0b9f5f6f622613) cri,nri: pass any linux I/O priority to plugins.
  * [`01d5490ae`](https://github.com/containerd/containerd/commit/01d5490ae26a05b1a73ca9e253761005c7286754) go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
* pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const ([#12697](https://github.com/containerd/containerd/pull/12697))
  * [`58d23ab63`](https://github.com/containerd/containerd/commit/58d23ab63830dc41d7c2e1035a9c0a7a28b6fed2) pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
* cri/nri: short-circuit nil adjustment. ([#12672](https://github.com/containerd/containerd/pull/12672))
  * [`05ccbb3a7`](https://github.com/containerd/containerd/commit/05ccbb3a7eb10a72427c722155a2eacdc2908a61) cri/nri: short-circuit nil adjustment.
* go.{mod,sum}: bump CDI deps to v1.1.0. ([#12664](https://github.com/containerd/containerd/pull/12664))
  * [`c166a577d`](https://github.com/containerd/containerd/commit/c166a577d0638de704d6c9f999858ed47cf06a60) go.{mod,sum} bump CDI deps to v1.1.0.
* go.mod: containerd/zfs v2.0.0; remove exclude rules ([#12654](https://github.com/containerd/containerd/pull/12654))
  * [`73a08aa00`](https://github.com/containerd/containerd/commit/73a08aa00dc98a0662a40d45ed50dac534dce1e6) go.mod: remove exclude rules
  * [`cee08c8af`](https://github.com/containerd/containerd/commit/cee08c8af836002863b30e2ef8cd3c45b6ae56ad) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
* go.mod: github.com/containernetworking/plugins v1.9.0 ([#12658](https://github.com/containerd/containerd/pull/12658))
  * [`8a5fc8641`](https://github.com/containerd/containerd/commit/8a5fc86416926d2a2189861391cd77b07d7f4443) go.mod: github.com/containernetworking/plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 ([#12638](https://github.com/containerd/containerd/pull/12638))
  * [`55c93d6fb`](https://github.com/containerd/containerd/commit/55c93d6fb85333d4988122b2ae97b947bcde02b7) go.mod: golang.org/x/crypto v0.45.0
* ci :bump Go 1.24.11, 1.25.5 ([#12625](https://github.com/containerd/containerd/pull/12625))
  * [`aedd29bb4`](https://github.com/containerd/containerd/commit/aedd29bb4ecabfae1d8806dc1011a347a3401fb2) ci: bump Go 1.24.11, 1.25.5
  * [`26628f139`](https://github.com/containerd/containerd/commit/26628f1397f991a9ee2fe7de32a6a2df70ab89bd) ci: bump Go 1.24.10, 1.25.4
  * [`8bb0e9be6`](https://github.com/containerd/containerd/commit/8bb0e9be6ceebc1ad1d76c88a661bacf84921b3d) ci(release): set GO_VERSION in Dockerfile
* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12622](https://github.com/containerd/containerd/pull/12622))
  * [`ed19c5420`](https://github.com/containerd/containerd/commit/ed19c542003cc00988760b0f72e487c20dc198a0) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12632](https://github.com/containerd/containerd/pull/12632))
  * [`952237d9b`](https://github.com/containerd/containerd/commit/952237d9ba4390f4fa740f3832492e3870f0f9f9) ci: update CIFuzz actions to support Ubuntu 24.04
* Update runc binary to v1.3.4 ([#12593](https://github.com/containerd/containerd/pull/12593))
  * [`fb5b818a9`](https://github.com/containerd/containerd/commit/fb5b818a9a34ad4fe3b0901c73cd7432ae4bb8bc) runc: Update runc binary to v1.3.4
* : update containerd/cgroups from v3.1.0 to v3.1.2 ([#12598](https://github.com/containerd/containerd/pull/12598))
  * [`51582ed27`](https://github.com/containerd/containerd/commit/51582ed27b13941f6bbf1526d909a00deadfcc0f) bump containerd/cgroups to v3.1.2
  * [`50d0e4fd4`](https://github.com/containerd/containerd/commit/50d0e4fd4cb909829d9965d9da5be04ee812fe29) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1
* core/mount: should not call removeLoop when set autoclear ([#12587](https://github.com/containerd/containerd/pull/12587))
  * [`41a69eb0d`](https://github.com/containerd/containerd/commit/41a69eb0d19cafbf40e03c36ef6be259a52d6f5e) core/mount: should not call removeLoop when set autoclear
* build(deps): bump github.com/opencontainers/selinux ([#12589](https://github.com/containerd/containerd/pull/12589))
  * [`e3bf2b80b`](https://github.com/containerd/containerd/commit/e3bf2b80b9ca3280fd64a2bd0436fcdb894c4410) build(deps): bump github.com/opencontainers/selinux
* .github: skip 5 critest cases for window-2022 ([#12584](https://github.com/containerd/containerd/pull/12584))
  * [`da8e846f9`](https://github.com/containerd/containerd/commit/da8e846f97a081f580eccc4a7384f3f050dd5b5e) .github: skip 5 critest cases in window CI pipeline
* Fix image defaults on Darwin to usable configuration ([#12544](https://github.com/containerd/containerd/pull/12544))
  * [`d154e234b`](https://github.com/containerd/containerd/commit/d154e234b29c5bed4f14a72d605e92e4728415a2) Update the ctr pull defaults when using the transfer service
  * [`09364216d`](https://github.com/containerd/containerd/commit/09364216de92aab056118507da59fabf642d88ac) Fix transfer unpack defaults on darwin
  * [`2055d3c62`](https://github.com/containerd/containerd/commit/2055d3c62e85350642c4b031c35a63b22e2ec6f7) Update default differs on darwin
  * [`9da97686d`](https://github.com/containerd/containerd/commit/9da97686d151da046d5512bb9f7f1d67ea4c8393) Use default writable size in erofs snapshotter for non-Linux hosts
  * [`eeb0f889a`](https://github.com/containerd/containerd/commit/eeb0f889aed826b58a3033a5a5b14dff6ccd1979) Update default erofs block size on macOS during erofs diff
* Redact all query parameters in CRI error logs ([#12546](https://github.com/containerd/containerd/pull/12546))
  * [`c707f771a`](https://github.com/containerd/containerd/commit/c707f771a872f9dd22ad8f2f827317a800e4a74f) fix: redact all query parameters in CRI error logs
* Revert "Implement io.ReaderAt on docker fetch reader" ([#12542](https://github.com/containerd/containerd/pull/12542))
  * [`678f944dd`](https://github.com/containerd/containerd/commit/678f944dd16601d08ecbb19e350acc027728b656) Revert "Implement io.ReaderAt on docker fetch reader"
* Fix possible panic from WithMediaTypeKeyPrefix ([#12516](https://github.com/containerd/containerd/pull/12516))
  * [`8b73c2de3`](https://github.com/containerd/containerd/commit/8b73c2de310e95fe3a143473b511fcf99d03692f) remotes: fix possible panic from WithMediaTypeKeyPrefix
</p>
</details>

### Changes from containerd/cgroups
<details><summary>13 commits</summary>
<p>

* ci: bump golangci-lint to v2.6.2 ([containerd/cgroups#382](https://github.com/containerd/cgroups/pull/382))
  * [`a302e56`](https://github.com/containerd/cgroups/commit/a302e56b258f818a3dacb6e282907904f17ea239) ci: bump golangci-lint to v2.6.2
  * [`731cf7a`](https://github.com/containerd/cgroups/commit/731cf7a96296e8eccffe9b986aece85ec4ab9b5b) ci: suppress errcheck
  * [`9bee663`](https://github.com/containerd/cgroups/commit/9bee663879fd7f5b873fa40f61a837309c4be8b0) utils: move Close() to defer block
  * [`9d7647c`](https://github.com/containerd/cgroups/commit/9d7647ce3bae2f67cc4ecfe1df51796caba49d52) rdma: use strings.Cut in Go 1.18
  * [`109f063`](https://github.com/containerd/cgroups/commit/109f063d1c6cefbc3def1a8e0a169b746f7f5f0a) memory_test: apply De Morgan's law
  * [`e6fcf3f`](https://github.com/containerd/cgroups/commit/e6fcf3fda4200609bb6323428e2d1f24f712e62e) memory_test: omit type from declaration
* build(deps): bump actions/checkout from 5 to 6 ([containerd/cgroups#381](https://github.com/containerd/cgroups/pull/381))
  * [`4e30098`](https://github.com/containerd/cgroups/commit/4e3009894821335455c4b804600eb9667b818f81) build(deps): bump actions/checkout from 5 to 6
* Fix parsing of hugetlb.<size>.events files ([containerd/cgroups#379](https://github.com/containerd/cgroups/pull/379))
  * [`2ad7a12`](https://github.com/containerd/cgroups/commit/2ad7a1241827ef1bc4f964fe8a5248b073f2db82) hugetlb: correctly parse hugetlb.<size>.events files
* go.mod: github.com/opencontainers/runtime-spec v1.3.0 ([containerd/cgroups#376](https://github.com/containerd/cgroups/pull/376))
  * [`34ef430`](https://github.com/containerd/cgroups/commit/34ef430d727e569c31b4f2bbc7d83bffeb1c0165) go.mod: github.com/opencontainers/runtime-spec v1.3.0
</p>
</details>

### Changes from containerd/nri
<details><summary>79 commits</summary>
<p>

* adaptation: allow compiling out WASM support altogether. ([containerd/nri#253](https://github.com/containerd/nri/pull/253))
  * [`ab88fe6`](https://github.com/containerd/nri/commit/ab88fe680c11b35234c38c7d4eac72335721c78d) adaptation: allow compiling out WASM support altogether.
* Support direct editing of the intelRdt config ([containerd/nri#215](https://github.com/containerd/nri/pull/215))
  * [`8c0c9f6`](https://github.com/containerd/nri/commit/8c0c9f67a905fb24682239a4d6d94b0dd52c13e7) Implement removal of RDT
  * [`dfbae8a`](https://github.com/containerd/nri/commit/dfbae8a616b80037798e3cfb8315d70f3f2eff7e) plugins: add sample rdt plugin
  * [`d05dd81`](https://github.com/containerd/nri/commit/d05dd818ed26c3dbeae0fce88289387b62e4665c) pkg/adaptation: support new RDT fields
  * [`725289b`](https://github.com/containerd/nri/commit/725289b256878de8e965327ab6e70dc883ea771b) pkg/runtime-tools/generate: support new RDT fields
  * [`a7832a2`](https://github.com/containerd/nri/commit/a7832a241411573e03982490197d7eb98a1c9d29) api: add rdt
* update wazero/wazero version to v1.10.1 ([containerd/nri#252](https://github.com/containerd/nri/pull/252))
  * [`9eb9a0f`](https://github.com/containerd/nri/commit/9eb9a0f0f6e223e6060805b55957f117f159f5cc) update tetratelabs/wazero version to v1.10.1
* support specifying a custom NRI socket path ([containerd/nri#249](https://github.com/containerd/nri/pull/249))
  * [`2df6565`](https://github.com/containerd/nri/commit/2df656516e73b31e013257f713a1df5baa7fdcb0) [plugins] support specifying a custom NRI socket path
* pkg/api: add OptionalRepeatedString type ([containerd/nri#212](https://github.com/containerd/nri/pull/212))
  * [`687c1a6`](https://github.com/containerd/nri/commit/687c1a6a8b5c75056acd176dc89c45251926d0bb) pkg/api: add OptionalRepeatedString type
* api,adaptation,generate: allow setting kernel scheduling policy attributes. ([containerd/nri#160](https://github.com/containerd/nri/pull/160))
  * [`6a371ac`](https://github.com/containerd/nri/commit/6a371ac5e7afcd185ee575828f4822d779f0ded9) device-injector: add scheduling policy adjustment.
  * [`e06369e`](https://github.com/containerd/nri/commit/e06369e8d1cad80f12eaf6f2c0da19c7ac78396c) api,adaptation,generate: allow setting scheduler attributes.
* device-injector: always log injection summary. ([containerd/nri#246](https://github.com/containerd/nri/pull/246))
  * [`14cc2e2`](https://github.com/containerd/nri/commit/14cc2e2fb6b9504c5241e3156b24b1055ed4e3ed) device-injector: always log injection summary.
* api,adaptation,generate: allow adjusting linux net devices ([containerd/nri#157](https://github.com/containerd/nri/pull/157))
  * [`5145c92`](https://github.com/containerd/nri/commit/5145c92e7c215ce3969805005ebdb0f37749e68b) device-injector: add network device injection.
  * [`8a03823`](https://github.com/containerd/nri/commit/8a03823fe8afbca00b30f669805c911414c58803) api,adaptation,generate: allow adjusting linux net devices.
* Add support for sysctl adjustment ([containerd/nri#248](https://github.com/containerd/nri/pull/248))
  * [`914fbf3`](https://github.com/containerd/nri/commit/914fbf3faf42da144376c133541c37211d2f9200) default-validator: restrict sysctl adjustment
  * [`a418956`](https://github.com/containerd/nri/commit/a4189560f80f7c02579eec252ae43034bf21cb8a) api: apply sysctl adjustments
  * [`8705f9b`](https://github.com/containerd/nri/commit/8705f9b1eb3107ad8bc422978b0412527e3fd236) api: add sysctl container adjustment
* feat: Make logger a configurable struct member for stub ([containerd/nri#239](https://github.com/containerd/nri/pull/239))
  * [`08a891a`](https://github.com/containerd/nri/commit/08a891a81d90b03b5e5ae14734f5ad74e74c264b) feat: Make logger a configurable struct member for stub
* Drop dependency on opencontainers/runtime-tools ([containerd/nri#247](https://github.com/containerd/nri/pull/247))
  * [`5e5c2be`](https://github.com/containerd/nri/commit/5e5c2be5f57436228f2762e0deb2c4f9873f3e9b) Drop dependency on opencontainers/runtime-tools
* deps: bump runtime-spec to v1.3.0. ([containerd/nri#243](https://github.com/containerd/nri/pull/243))
  * [`29c5811`](https://github.com/containerd/nri/commit/29c581117267cb5d2289ff08902a93ff263caf0e) (v0.1.0) examples: lock NRI, runtime spec deps.
  * [`d812952`](https://github.com/containerd/nri/commit/d8129529588cca090c972aa5e5f7775162af59da) v010-adapter: lock NRI, runtime spec and tools deps.
  * [`7dd7c7f`](https://github.com/containerd/nri/commit/7dd7c7f8b21c08242de41634b12ab2ee71b91000) api,runtime-tools: adjust for runtime-spec v1.3.0.
  * [`5d5d4c4`](https://github.com/containerd/nri/commit/5d5d4c4c877fdef4fe0938e627b11b97234195b8) go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.
* adaptation: ensure sync'ed plugins are fully registered in tests. ([containerd/nri#234](https://github.com/containerd/nri/pull/234))
  * [`c840397`](https://github.com/containerd/nri/commit/c84039771e9c2cee68952b4b7cc52cba1909784e) adaptation: ensure sync'ed plugins are fully registered in tests.
* Fix wasm example ([containerd/nri#237](https://github.com/containerd/nri/pull/237))
  * [`44b2861`](https://github.com/containerd/nri/commit/44b2861a26c8e392229cd8b27a20cf689925f176) Fix wasm example
* Makefile: build proto files unconditionally ([containerd/nri#229](https://github.com/containerd/nri/pull/229))
  * [`d99f960`](https://github.com/containerd/nri/commit/d99f96028e5226c004f94a3394be82190980c4bd) Fix dockerized proto build
  * [`9623748`](https://github.com/containerd/nri/commit/9623748f543343bfe6b2312df47a7ed9000d47fe) Makefile: build proto files unconditionally
  * [`25d9391`](https://github.com/containerd/nri/commit/25d9391690a7158d851364ef011e1f56fd607a70) build: ensure we use correct version of protoc and its deps.
* adaptation: test with populated initial resources. ([containerd/nri#231](https://github.com/containerd/nri/pull/231))
  * [`b6b98b5`](https://github.com/containerd/nri/commit/b6b98b56a60df29da312cc1e1e070697dec43583) adaptation: test with populated initial resources.
* Install protoc locally in the source tree ([containerd/nri#232](https://github.com/containerd/nri/pull/232))
  * [`2394daa`](https://github.com/containerd/nri/commit/2394daa45f1c7c0fcf28e9e39895c8b871a7445c) Install protoc locally in the source tree
* plugins/logger: fix default event subscription mask. ([containerd/nri#158](https://github.com/containerd/nri/pull/158))
  * [`33b1db1`](https://github.com/containerd/nri/commit/33b1db1add2e9a603f7c47e1efa95d386f4af560) logger: fix default event subscription mask.
* extract memory and CPU resource helpers ([containerd/nri#210](https://github.com/containerd/nri/pull/210))
  * [`7afb32a`](https://github.com/containerd/nri/commit/7afb32a3a444fd0a24e36988e0906ad35590c672) extract memory and CPU resource helpers
* api: expose container user/group ID to plugins. ([containerd/nri#230](https://github.com/containerd/nri/pull/230))
  * [`22aeb46`](https://github.com/containerd/nri/commit/22aeb467e553bffd7650930b3bc6c28b95a2dee5) docs: update README with container uid/gid info.
  * [`71b0335`](https://github.com/containerd/nri/commit/71b0335fdc262451ab2ff71591f1126c8a036265) api,adaptation: add container uid/gid info.
* contrib: add example for enabling per-container RDT monitoring ([containerd/nri#228](https://github.com/containerd/nri/pull/228))
  * [`91fbf06`](https://github.com/containerd/nri/commit/91fbf06ed654e46629cb7aefb11856953720c9cf) contrib: add example for enabling per-container RDT monitoring
* ci: enable image signing ([containerd/nri#224](https://github.com/containerd/nri/pull/224))
  * [`fb54916`](https://github.com/containerd/nri/commit/fb5491601ca84bf52b70e75d0e99ddc4dfe6a922) ci: enable image signing
* golangci: disable QF1008 from staticcheck linter ([containerd/nri#226](https://github.com/containerd/nri/pull/226))
  * [`0b3b577`](https://github.com/containerd/nri/commit/0b3b5770d1f6845d3a3e52ccb5218f2b3ce1f34e) golangci: disable QF1008 from staticcheck linter
* ci: bump golangci-lint to v2.4 ([containerd/nri#225](https://github.com/containerd/nri/pull/225))
  * [`9787127`](https://github.com/containerd/nri/commit/9787127c0f3e69726b968e12b29dae31e35e250b) Bump golangci-lint to v2.4
  * [`1a50ff5`](https://github.com/containerd/nri/commit/1a50ff585624f01763fd20aafaeaa92aa8b27c46) Add nolint directives
  * [`00fa1a1`](https://github.com/containerd/nri/commit/00fa1a124e605590d3ceea1e687600785ae6518d) Add and fix comments for exported types
  * [`ac21da7`](https://github.com/containerd/nri/commit/ac21da7be8f991a8699cef41acba8783dee5351e) pkg/api/seccomp: add comments for exported functions
  * [`3aff986`](https://github.com/containerd/nri/commit/3aff986af5f8abefda8552edae991608782df46c) pkg/runtime-tools/generate: remove embedded field "Generator"
  * [`c0c4bb6`](https://github.com/containerd/nri/commit/c0c4bb648ae46207f47d5b18bf447f7d5b32e26b) pkg/api/validate: add comments for exported methods
  * [`c0ba9da`](https://github.com/containerd/nri/commit/c0ba9da712934c860a64af54d96b5cfc74672ff5) adaptation/builtin: add comment for exported symbols
* .gitignore: revert hastily reviewed editor-specific addition. ([containerd/nri#221](https://github.com/containerd/nri/pull/221))
  * [`02376f3`](https://github.com/containerd/nri/commit/02376f371c707718144dd509172618c69ce6670c) .gitignore: add comment about global gitignore.
  * [`9336a79`](https://github.com/containerd/nri/commit/9336a7933c666dbe6da09fe3cb46e80b478fb268) Revert "nit: Add .idea folder to gitignore"
* nit: Add .idea folder to gitignore ([containerd/nri#218](https://github.com/containerd/nri/pull/218))
  * [`f578ea2`](https://github.com/containerd/nri/commit/f578ea2804642f2cd59594edc17b59d995289223) nit: Add .idea folder to gitignore
* chore: clean and unify nolint directives ([containerd/nri#217](https://github.com/containerd/nri/pull/217))
  * [`21741b9`](https://github.com/containerd/nri/commit/21741b9ee40d69eb9ee3d5688e45b0b022c32738) chore: clean and unify nolint directives
* Downgrade go to require 1.24.0 ([containerd/nri#214](https://github.com/containerd/nri/pull/214))
  * [`d26e910`](https://github.com/containerd/nri/commit/d26e910702c62126decc6befe835e7315cd738a9) Downgrade go to require 1.24.0
* Add dockerized target for building proto files ([containerd/nri#211](https://github.com/containerd/nri/pull/211))
  * [`13fcc07`](https://github.com/containerd/nri/commit/13fcc0773d23520ff44d54549122ec78c8f1e473) Add dockerized target for building proto files
</p>
</details>

### Changes from containerd/zfs
<details><summary>11 commits</summary>
<p>

* go.mod: update to stable containerd v2.0 ([containerd/zfs#89](https://github.com/containerd/zfs/pull/89))
  * [`f11f891`](https://github.com/containerd/zfs/commit/f11f891ff42b3f8cd6f15d0fb18b2644a002bb85) go.mod: update to stable containerd v2.0
* ci: update actions, test against go1.23, fix linting, and update golangci-lint ([containerd/zfs#88](https://github.com/containerd/zfs/pull/88))
  * [`662ad3c`](https://github.com/containerd/zfs/commit/662ad3cefa596775e20a44a1c6b1037b0a0d539d) gha: update golangci/golangci-lint-action@v9, golangci-lint v2.7
  * [`b0b2584`](https://github.com/containerd/zfs/commit/b0b25847ac875af99d62e9d4f83b2875a2f39df9) remove nolint comments
  * [`7c4274b`](https://github.com/containerd/zfs/commit/7c4274bfa0a0df14d66fabb51269bfdfbf4e0b06) fix error capitalization
  * [`24ce1b9`](https://github.com/containerd/zfs/commit/24ce1b93f0579fe5ecaec4bd55290ff7e2f456db) fix inconsistent receiver name
  * [`c8545c3`](https://github.com/containerd/zfs/commit/c8545c33c3c9f4d881c45a22688be49f4ff1502a) gha: update actions/checkout@v6
  * [`d23ec04`](https://github.com/containerd/zfs/commit/d23ec046338e9a5761083cef373be2bab1551995) gha: update actions/setup-go@v6
  * [`bb45f6e`](https://github.com/containerd/zfs/commit/bb45f6e4d3965616dcaae6eaab9342af0e4c1cad) gha: update containerd/project-checks@v1.2.2
  * [`65bc451`](https://github.com/containerd/zfs/commit/65bc451f6abab9d7133abd7c227be227ad6b1f0d) gha: test against go1.23
</p>
</details>

### Dependency Changes

* **github.com/containerd/cgroups/v3**                  v3.1.0 -> v3.1.2
* **github.com/containerd/nri**                         v0.10.0 -> v0.11.0
* **github.com/containerd/zfs/v2**                      v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**            v1.8.0 -> v1.9.0
* **github.com/cyphar/filepath-securejoin**             v0.5.1 **_new_**
* **github.com/opencontainers/runtime-spec**            v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**           0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                 v1.12.0 -> v1.13.1
* **github.com/tetratelabs/wazero**                     v1.9.0 -> v1.10.1
* **golang.org/x/crypto**                               v0.41.0 -> v0.45.0
* **golang.org/x/net**                                  v0.43.0 -> v0.47.0
* **golang.org/x/sync**                                 v0.17.0 -> v0.18.0
* **golang.org/x/sys**                                  v0.37.0 -> v0.38.0
* **golang.org/x/term**                                 v0.34.0 -> v0.37.0
* **golang.org/x/text**                                 v0.28.0 -> v0.31.0
* **tags.cncf.io/container-device-interface**           v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**  v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v2.1.6

    c74fd878 · Merge pull request #12653 from dmcgowan/prepare-2.1.6 · 
    containerd 2.1.6

Welcome to the v2.1.6 release of containerd!

The sixth patch release for containerd 2.1 contains various fixes and updates.

### Highlights

#### Runtime

* **Update runc binary to v1.3.4** ([#12618](https://github.com/containerd/containerd/pull/12618))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Derek McGowan
* Mike Brown
* Phil Estes
* Austin Vazquez
* Kirtana Ashok
* Andrey Noskov
* CrazyMax
* Davanum Srinivas
* Krisztian Litkey
* Maksym Pavlenko
* Michael Weibel
* Paweł Gronowski
* Sebastiaan van Stijn
* Wei Fu

### Changes
<details><summary>28 commits</summary>
<p>

* Prepare release notes for v2.1.6 ([#12653](https://github.com/containerd/containerd/pull/12653))
  * [`93f79087a`](https://github.com/containerd/containerd/commit/93f79087acf3fc3f01e80b354fbe2cea771304b6) Prepare release notes for v2.1.6
* go.mod: containerd/zfs v2.0.0 ([#12655](https://github.com/containerd/containerd/pull/12655))
  * [`7e75db3a9`](https://github.com/containerd/containerd/commit/7e75db3a929414f46a3e7c8790ea0eec3288e394) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
* cri/nri: short-circuit nil adjustment. ([#12673](https://github.com/containerd/containerd/pull/12673))
  * [`2b8e11b12`](https://github.com/containerd/containerd/commit/2b8e11b12b97ada3d9741ebb29d0d8088ee3cbb8) cri/nri: short-circuit nil adjustment.
* go.mod: github.com/containernetworking/plugins v1.9.0 ([#12659](https://github.com/containerd/containerd/pull/12659))
  * [`69efd067c`](https://github.com/containerd/containerd/commit/69efd067caca778588edd945a5e9f2a4feb156a6) go.mod: github.com/containernetworking/plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) ([#12639](https://github.com/containerd/containerd/pull/12639))
  * [`e81678853`](https://github.com/containerd/containerd/commit/e816788537ca2b9484aa86da58391923e873f571) go.mod: golang.org/x/crypto v0.45.0
  * [`55a2d8c8d`](https://github.com/containerd/containerd/commit/55a2d8c8d0bf6c5a7481c8922eb5a351f82f9344) CI: drop Go 1.23
  * [`fd8e3c39b`](https://github.com/containerd/containerd/commit/fd8e3c39b952b2fb9278df64f9de4e46fa78dd36) Update Go requirements in BUILDING
* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12623](https://github.com/containerd/containerd/pull/12623))
  * [`a4454c49a`](https://github.com/containerd/containerd/commit/a4454c49a66b48309c0d9a1f5c386daf5d692614) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
* Update runc binary to v1.3.4 ([#12618](https://github.com/containerd/containerd/pull/12618))
  * [`251f0a285`](https://github.com/containerd/containerd/commit/251f0a2854f7831ca040d7ba2dab181fd02f2240) runc: Update runc binary to v1.3.4
* ci: bump Go 1.24.11, 1.25.5 ([#12626](https://github.com/containerd/containerd/pull/12626))
  * [`c07c29bca`](https://github.com/containerd/containerd/commit/c07c29bca60eeff9454b005e9856acfb12cfd68c) ci: bump Go 1.24.11, 1.25.5
  * [`e52817652`](https://github.com/containerd/containerd/commit/e528176522bc3df790ea923cfac15c18336ae429) ci: bump Go 1.24.10, 1.25.4
  * [`04bbb66e4`](https://github.com/containerd/containerd/commit/04bbb66e408602872693282063c080bb2e9e6cf9) ci(release): set GO_VERSION in Dockerfile
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12633](https://github.com/containerd/containerd/pull/12633))
  * [`492987ccc`](https://github.com/containerd/containerd/commit/492987cccf044c4015ec35ce161606cc514de75e) ci: update CIFuzz actions to support Ubuntu 24.04
* build(deps): bump github.com/opencontainers/selinux ([#12590](https://github.com/containerd/containerd/pull/12590))
  * [`55a25ec6e`](https://github.com/containerd/containerd/commit/55a25ec6efa335cdb9e6b56207643f33277be4d4) build(deps): bump github.com/opencontainers/selinux
* Redact all query parameters in CRI error logs ([#12547](https://github.com/containerd/containerd/pull/12547))
  * [`b72d0dfe0`](https://github.com/containerd/containerd/commit/b72d0dfe0458e1b5f1e67ba70476fc4887ee5f08) fix: redact all query parameters in CRI error logs
* Update 2.1 branch to no longer build as latest ([#12487](https://github.com/containerd/containerd/pull/12487))
  * [`ecd58bd65`](https://github.com/containerd/containerd/commit/ecd58bd6507cb6c566c68b440ceea5d7d99b3260) Update 2.1 branch to no longer build as latest
</p>
</details>

### Changes from containerd/platforms
<details><summary>5 commits</summary>
<p>

* use windowsMatchComparer for OSVersion match order ([containerd/platforms#25](https://github.com/containerd/platforms/pull/25))
  * [`8c0d9f9`](https://github.com/containerd/platforms/commit/8c0d9f9835bbe848b9c6f6f4a3a23f7dc97de927) use windowsMatchComparer for OSVersion match order
* Add WS2025 to Windows matcher and code optimizations ([containerd/platforms#24](https://github.com/containerd/platforms/pull/24))
  * [`8447b0a`](https://github.com/containerd/platforms/commit/8447b0ad126eb97a40c5bde800d38370a39ba52f) Update ci.yml
  * [`4549974`](https://github.com/containerd/platforms/commit/4549974181760492ffc528fae4d7f29620a2c67c) Add WS2025 to Windows matcher and code optimizations
</p>
</details>

### Dependency Changes

* **github.com/containerd/platforms**         v1.0.0-rc.1 -> v1.0.0-rc.2
* **github.com/containerd/zfs/v2**            v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**  v1.7.1 -> v1.9.0
* **github.com/coreos/go-systemd/v22**        v22.5.0 -> v22.6.0
* **github.com/cyphar/filepath-securejoin**   v0.5.1 **_new_**
* **github.com/go-logr/logr**                 v1.4.2 -> v1.4.3
* **github.com/opencontainers/selinux**       v1.12.0 -> v1.13.1
* **github.com/vishvananda/netlink**          0e7078ed04c8 -> v1.3.1
* **golang.org/x/crypto**                     v0.36.0 -> v0.45.0
* **golang.org/x/mod**                        v0.24.0 -> v0.29.0
* **golang.org/x/net**                        v0.38.0 -> v0.47.0
* **golang.org/x/sync**                       v0.14.0 -> v0.18.0
* **golang.org/x/sys**                        v0.33.0 -> v0.38.0
* **golang.org/x/term**                       v0.30.0 -> v0.37.0
* **golang.org/x/text**                       v0.23.0 -> v0.31.0
* **google.golang.org/protobuf**              v1.36.6 -> v1.36.7

Previous release can be found at [v2.1.5](https://github.com/containerd/containerd/releases/tag/v2.1.5)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified

  • v1.7.30

    71c1c866 · Merge pull request #12652 from dmcgowan/prepare-1.7.30 · 
    containerd 1.7.30

Welcome to the v1.7.30 release of containerd!

The thirtieth patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

#### Container Runtime Interface (CRI)

* **Fix NRI dropping requested CDI devices silently** ([#12650](https://github.com/containerd/containerd/pull/12650))
* **Redact all query parameters in CRI error logs** ([#12551](https://github.com/containerd/containerd/pull/12551))

#### Runtime

* **Update runc binary to v1.3.4** ([#12619](https://github.com/containerd/containerd/pull/12619))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Austin Vazquez
* Mike Brown
* Wei Fu
* Andrey Noskov
* CrazyMax
* Davanum Srinivas
* Jin Dong
* Krisztian Litkey
* Maksym Pavlenko
* Paweł Gronowski
* Phil Estes
* Samuel Karp

### Changes
<details><summary>26 commits</summary>
<p>

* Prepare release notes for v1.7.30 ([#12652](https://github.com/containerd/containerd/pull/12652))
  * [`3d0ca6d2e`](https://github.com/containerd/containerd/commit/3d0ca6d2e7ba597bf0423e5f5f49e47b81c1e7a0) Prepare release notes for v1.7.30
* Fix NRI dropping requested CDI devices silently ([#12650](https://github.com/containerd/containerd/pull/12650))
  * [`0bc74f47e`](https://github.com/containerd/containerd/commit/0bc74f47e708bd843e676c5a8617f0498ea6459a) cri,nri: don't drop requested CDI devices silently.
* script/setup/install-cni: install CNI plugins v1.9.0 ([#12660](https://github.com/containerd/containerd/pull/12660))
  * [`7db16b562`](https://github.com/containerd/containerd/commit/7db16b5627a550caf05d9a902e16cb0d04bf1ee1) script/setup/install-cni: install CNI plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) ([#12640](https://github.com/containerd/containerd/pull/12640))
  * [`bca897b47`](https://github.com/containerd/containerd/commit/bca897b4739fef9b6a34c54ac6050d1621e53f92) go.mod: golang.org/x/crypto v0.45.0
  * [`37cbd2224`](https://github.com/containerd/containerd/commit/37cbd2224e674c317e25b03bbf4ab5a9ed644a5d) CI: drop Go 1.23
  * [`ee49d1747`](https://github.com/containerd/containerd/commit/ee49d1747c357cd45119750d4db464f957f4d793) Update Go requirements in BUILDING
* ci: bump Go 1.24.11, 1.25.5 ([#12627](https://github.com/containerd/containerd/pull/12627))
  * [`145978224`](https://github.com/containerd/containerd/commit/1459782247cc3eb2a6a2693a614766a86bcf6826) ci: bump Go 1.24.11, 1.25.5
  * [`3dbadfaa1`](https://github.com/containerd/containerd/commit/3dbadfaa158ebff9862606fe14a454f668a41d49) ci: bump Go 1.24.10, 1.25.4
  * [`2bac971f0`](https://github.com/containerd/containerd/commit/2bac971f0c91a1668bf1ec9c5ec1aa3f0484bd03) ci(release): set GO_VERSION in Dockerfile
* Update runc binary to v1.3.4 ([#12619](https://github.com/containerd/containerd/pull/12619))
  * [`34b89a574`](https://github.com/containerd/containerd/commit/34b89a5744330f098774356cc592bcc38f3279d8) runc: Update runc binary to v1.3.4
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12635](https://github.com/containerd/containerd/pull/12635))
  * [`6e0dd8956`](https://github.com/containerd/containerd/commit/6e0dd89566553cc1be1cd4823df5d5faeb839b31) ci: update CIFuzz actions to support Ubuntu 24.04
* build(deps): bump github.com/opencontainers/selinux ([#12591](https://github.com/containerd/containerd/pull/12591))
  * [`3eea2a4af`](https://github.com/containerd/containerd/commit/3eea2a4af8b7e20c6c299551782aeccab0a10c0a) build(deps): bump github.com/opencontainers/selinux
* remove sha256-simd ([#12576](https://github.com/containerd/containerd/pull/12576))
  * [`1194f5128`](https://github.com/containerd/containerd/commit/1194f5128f342d40b3ef0c3a4baea3d5ecf15d3b) remove sha256-simd
* .github: skip 5 critest cases for window-2022 ([#12586](https://github.com/containerd/containerd/pull/12586))
  * [`ce2d3a67f`](https://github.com/containerd/containerd/commit/ce2d3a67f2b4e3dc2e804bb9ecde609f04e1e1f6) .github: skip 5 critest cases in window CI pipeline
* Redact all query parameters in CRI error logs ([#12551](https://github.com/containerd/containerd/pull/12551))
  * [`65271ea89`](https://github.com/containerd/containerd/commit/65271ea895cd62016f2baf0e758b1cd7388344e7) fix: redact all query parameters in CRI error logs
</p>
</details>

### Dependency Changes

* **github.com/cyphar/filepath-securejoin**  v0.5.1 **_new_**
* **github.com/opencontainers/selinux**      v1.11.0 -> v1.13.1
* **golang.org/x/crypto**                    v0.40.0 -> v0.45.0
* **golang.org/x/mod**                       v0.26.0 -> v0.29.0
* **golang.org/x/net**                       v0.42.0 -> v0.47.0
* **golang.org/x/sync**                      v0.16.0 -> v0.18.0
* **golang.org/x/sys**                       v0.34.0 -> v0.38.0
* **golang.org/x/term**                      v0.33.0 -> v0.37.0
* **golang.org/x/text**                      v0.27.0 -> v0.31.0

Previous release can be found at [v1.7.29](https://github.com/containerd/containerd/releases/tag/v1.7.29)
    Unverified

  • v2.2.0

    1c4457e0 · Merge pull request #12473 from dmcgowan/prepare-v2.2.0 · 
    containerd 2.2.0

Welcome to the v2.2.0 release of containerd!

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

### Highlights

* **Add mount manager** ([#12063](https://github.com/containerd/containerd/pull/12063))

  The mount manager is a new service that provides lifecycle management for filesystem mounts
  to support more advanced use cases, such as:
  * **Device formatting** to create formatted filesystems (xfs, ext4) on-demand
  * **Mount activation** to prepare devices such as loopbacks or network fileystems
  * **Mount transformation** to allow mount arguments to be filled in dynamically from previous mounts
  * **Garbage collection** of mounts to ensure temporary mounts are never leaked
* **Add conf.d include in the default config** ([#12323](https://github.com/containerd/containerd/pull/12323))
* **Add support for back references in the garbage collector** ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Container Runtime Interface (CRI)

* **Pod Sandbox Metrics** ([#10691](https://github.com/containerd/containerd/pull/10691))

  Full implementation of Kubernetes CRI pod-level metrics API
  * **ListPodSandboxMetrics**: Query metrics for  running pods/sandboxes
  * **ListMetricsDescriptors**: Discover available metrics and their descriptions
* **Support image volume mount subpath** ([#11578](https://github.com/containerd/containerd/pull/11578))

#### Go client

* **Update pkg/oci to use fs.FS interface and os.OpenRoot** ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* **Parallel Unpack**  ([#12332](https://github.com/containerd/containerd/pull/12332))

  Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters.
* **OCI Referrers Support** ([#12309](https://github.com/containerd/containerd/pull/12309))

  Adds new referrers fetcher to remote registry interface using the [new referrers endpoint added in OCI distribution-spec 1.1](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers)
* **Tar unpack progress through transfer service** ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* **EROFS enhancements using mount manager** ([#12333](https://github.com/containerd/containerd/pull/12333))

  Improvements to EROFS snapshotter using the new mount manager service
  * **Quota Support**: Support for sized block devices as the upper layer for overlayfs
  * **Mount Lifecycle**: Loopback setup, block device creation, and overlayfs argument formatting is moved to the
     mount  manager to be performed on-demand or within the runtime.
  * **Mount handler**: To allow optimization of EROFS mount types based on the current system
  * **macOS Support**: EROFS snapshotter can now be used on Darwin to natively allow image pulls
  * **Tar index mode**: Efficiently generate EROFS metadata backed by original tar content ([#11919](https://github.com/containerd/containerd/pull/11919))
* **Add snapshotter and differ for block CIMs** ([#12050](https://github.com/containerd/containerd/pull/12050))

#### Node Resource Interface (NRI)

* **Enable otel traces in NRI** ([#12082](https://github.com/containerd/containerd/pull/12082))
* **Add WASM plugin support** ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* **Improve shim load time after restart by loading in parallel** ([#12142](https://github.com/containerd/containerd/pull/12142))
* **Fix pidfd leak in UnshareAfterEnterUserns** ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* **Deprecate cgroup v1** ([#12445](https://github.com/containerd/containerd/pull/12445))
* **Postpone v2.2 deprecation items to v2.3** ([#12417](https://github.com/containerd/containerd/pull/12417))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Maksym Pavlenko
* Wei Fu
* Krisztian Litkey
* Mike Brown
* Akhil Mohan
* Markus Lehtonen
* Samuel Karp
* Sebastiaan van Stijn
* ningmingxiao
* Austin Vazquez
* yashsingh74
* Gao Xiang
* Kirtana Ashok
* Jin Dong
* Chris Henzie
* Aadhar Agarwal
* Etienne Champetier
* Henry Wang
* Rodrigo Campos
* Sascha Grunert
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Tõnis Tiigi
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Max Jonas Werner
* Rehan Khan
* Yang Yang
* jinda.ljd
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Evan Anderson
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Michael Weibel
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Wuyue (Tony) Sun
* suranmiao
* tanhuaan
* wheat2018
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/cgroups/v3**                                   v3.0.5 -> v3.1.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containerd/platforms**                                    v1.0.0-rc.1 -> v1.0.0-rc.2
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.10.0
* **github.com/klauspost/compress**                                      v1.18.0 -> v1.18.1
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.29.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.37.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.14.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    Unverified