Tags

Tags give the ability to mark specific points in history as being important

v2.2.1

dea7da59 · Merge pull request #12677 from dmcgowan/prepare-2.2.1 · Dec 18, 2025

containerd 2.2.1

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

### Highlights

#### Container Runtime Interface (CRI)

* **Redact all query parameters in CRI error logs** ([#12546](https://github.com/containerd/containerd/pull/12546))

#### Image Distribution

* **Fix image defaults on Darwin to usable configuration** ([#12544](https://github.com/containerd/containerd/pull/12544))
* **Fix possible panic from WithMediaTypeKeyPrefix** ([#12516](https://github.com/containerd/containerd/pull/12516))

#### Runtime

* **Update runc binary to v1.3.4** ([#12593](https://github.com/containerd/containerd/pull/12593))
* **Fix parsing of hugetlb.<size>.events files** ([containerd/cgroups#379](https://github.com/containerd/cgroups/pull/379))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Krisztian Litkey
* Markus Lehtonen
* Akihiro Suda
* Mike Brown
* Sebastiaan van Stijn
* Derek McGowan
* Heran Yang
* Wei Fu
* Phil Estes
* Samuel Karp
* Austin Vazquez
* Sascha Grunert
* Akhil Mohan
* Andrey Noskov
* Brian Goff
* CrazyMax
* Davanum Srinivas
* Gaurav Ghildiyal
* Neeraj Krishna Gopalakrishna
* Paweł Gronowski
* Tariq Ibrahim
* TomerLev
* Tõnis Tiigi
* bo.jiang
* ningmingxiao

### Changes
<details><summary>53 commits</summary>
<p>

* Prepare release notes for v2.2.1 ([#12677](https://github.com/containerd/containerd/pull/12677))
  * [`f6bae1f88`](https://github.com/containerd/containerd/commit/f6bae1f8807a099a0b101e584f1f8aabddab91a6) Prepare release notes for v2.2.1
* cri,nri: bump NRI dependencies to v0.11.0 ([#12701](https://github.com/containerd/containerd/pull/12701))
  * [`c22cf5d49`](https://github.com/containerd/containerd/commit/c22cf5d49819a2996f184db954c53c2060916314) cri,nri: pass any linux security profile to plugins.
  * [`d7532de75`](https://github.com/containerd/containerd/commit/d7532de751f81eee4f03001bb46e49d76a1607fb) cri,nri: pass any linux RDT constraints to plugins.
  * [`ef36e6181`](https://github.com/containerd/containerd/commit/ef36e6181456ebb9919d2a51d786f416f85f780b) cri,nri: pass any linux net devices to plugins.
  * [`d56faf426`](https://github.com/containerd/containerd/commit/d56faf4261b5f946caa92c4869963f89f63a9b22) cri,nri: pass any linux scheduler attributes to plugins.
  * [`e1824d261`](https://github.com/containerd/containerd/commit/e1824d2613d32793cf1fd7282f0b9f5f6f622613) cri,nri: pass any linux I/O priority to plugins.
  * [`01d5490ae`](https://github.com/containerd/containerd/commit/01d5490ae26a05b1a73ca9e253761005c7286754) go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
* pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const ([#12697](https://github.com/containerd/containerd/pull/12697))
  * [`58d23ab63`](https://github.com/containerd/containerd/commit/58d23ab63830dc41d7c2e1035a9c0a7a28b6fed2) pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
* cri/nri: short-circuit nil adjustment. ([#12672](https://github.com/containerd/containerd/pull/12672))
  * [`05ccbb3a7`](https://github.com/containerd/containerd/commit/05ccbb3a7eb10a72427c722155a2eacdc2908a61) cri/nri: short-circuit nil adjustment.
* go.{mod,sum}: bump CDI deps to v1.1.0. ([#12664](https://github.com/containerd/containerd/pull/12664))
  * [`c166a577d`](https://github.com/containerd/containerd/commit/c166a577d0638de704d6c9f999858ed47cf06a60) go.{mod,sum} bump CDI deps to v1.1.0.
* go.mod: containerd/zfs v2.0.0; remove exclude rules ([#12654](https://github.com/containerd/containerd/pull/12654))
  * [`73a08aa00`](https://github.com/containerd/containerd/commit/73a08aa00dc98a0662a40d45ed50dac534dce1e6) go.mod: remove exclude rules
  * [`cee08c8af`](https://github.com/containerd/containerd/commit/cee08c8af836002863b30e2ef8cd3c45b6ae56ad) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
* go.mod: github.com/containernetworking/plugins v1.9.0 ([#12658](https://github.com/containerd/containerd/pull/12658))
  * [`8a5fc8641`](https://github.com/containerd/containerd/commit/8a5fc86416926d2a2189861391cd77b07d7f4443) go.mod: github.com/containernetworking/plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 ([#12638](https://github.com/containerd/containerd/pull/12638))
  * [`55c93d6fb`](https://github.com/containerd/containerd/commit/55c93d6fb85333d4988122b2ae97b947bcde02b7) go.mod: golang.org/x/crypto v0.45.0
* ci :bump Go 1.24.11, 1.25.5 ([#12625](https://github.com/containerd/containerd/pull/12625))
  * [`aedd29bb4`](https://github.com/containerd/containerd/commit/aedd29bb4ecabfae1d8806dc1011a347a3401fb2) ci: bump Go 1.24.11, 1.25.5
  * [`26628f139`](https://github.com/containerd/containerd/commit/26628f1397f991a9ee2fe7de32a6a2df70ab89bd) ci: bump Go 1.24.10, 1.25.4
  * [`8bb0e9be6`](https://github.com/containerd/containerd/commit/8bb0e9be6ceebc1ad1d76c88a661bacf84921b3d) ci(release): set GO_VERSION in Dockerfile
* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12622](https://github.com/containerd/containerd/pull/12622))
  * [`ed19c5420`](https://github.com/containerd/containerd/commit/ed19c542003cc00988760b0f72e487c20dc198a0) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12632](https://github.com/containerd/containerd/pull/12632))
  * [`952237d9b`](https://github.com/containerd/containerd/commit/952237d9ba4390f4fa740f3832492e3870f0f9f9) ci: update CIFuzz actions to support Ubuntu 24.04
* Update runc binary to v1.3.4 ([#12593](https://github.com/containerd/containerd/pull/12593))
  * [`fb5b818a9`](https://github.com/containerd/containerd/commit/fb5b818a9a34ad4fe3b0901c73cd7432ae4bb8bc) runc: Update runc binary to v1.3.4
* : update containerd/cgroups from v3.1.0 to v3.1.2 ([#12598](https://github.com/containerd/containerd/pull/12598))
  * [`51582ed27`](https://github.com/containerd/containerd/commit/51582ed27b13941f6bbf1526d909a00deadfcc0f) bump containerd/cgroups to v3.1.2
  * [`50d0e4fd4`](https://github.com/containerd/containerd/commit/50d0e4fd4cb909829d9965d9da5be04ee812fe29) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1
* core/mount: should not call removeLoop when set autoclear ([#12587](https://github.com/containerd/containerd/pull/12587))
  * [`41a69eb0d`](https://github.com/containerd/containerd/commit/41a69eb0d19cafbf40e03c36ef6be259a52d6f5e) core/mount: should not call removeLoop when set autoclear
* build(deps): bump github.com/opencontainers/selinux ([#12589](https://github.com/containerd/containerd/pull/12589))
  * [`e3bf2b80b`](https://github.com/containerd/containerd/commit/e3bf2b80b9ca3280fd64a2bd0436fcdb894c4410) build(deps): bump github.com/opencontainers/selinux
* .github: skip 5 critest cases for window-2022 ([#12584](https://github.com/containerd/containerd/pull/12584))
  * [`da8e846f9`](https://github.com/containerd/containerd/commit/da8e846f97a081f580eccc4a7384f3f050dd5b5e) .github: skip 5 critest cases in window CI pipeline
* Fix image defaults on Darwin to usable configuration ([#12544](https://github.com/containerd/containerd/pull/12544))
  * [`d154e234b`](https://github.com/containerd/containerd/commit/d154e234b29c5bed4f14a72d605e92e4728415a2) Update the ctr pull defaults when using the transfer service
  * [`09364216d`](https://github.com/containerd/containerd/commit/09364216de92aab056118507da59fabf642d88ac) Fix transfer unpack defaults on darwin
  * [`2055d3c62`](https://github.com/containerd/containerd/commit/2055d3c62e85350642c4b031c35a63b22e2ec6f7) Update default differs on darwin
  * [`9da97686d`](https://github.com/containerd/containerd/commit/9da97686d151da046d5512bb9f7f1d67ea4c8393) Use default writable size in erofs snapshotter for non-Linux hosts
  * [`eeb0f889a`](https://github.com/containerd/containerd/commit/eeb0f889aed826b58a3033a5a5b14dff6ccd1979) Update default erofs block size on macOS during erofs diff
* Redact all query parameters in CRI error logs ([#12546](https://github.com/containerd/containerd/pull/12546))
  * [`c707f771a`](https://github.com/containerd/containerd/commit/c707f771a872f9dd22ad8f2f827317a800e4a74f) fix: redact all query parameters in CRI error logs
* Revert "Implement io.ReaderAt on docker fetch reader" ([#12542](https://github.com/containerd/containerd/pull/12542))
  * [`678f944dd`](https://github.com/containerd/containerd/commit/678f944dd16601d08ecbb19e350acc027728b656) Revert "Implement io.ReaderAt on docker fetch reader"
* Fix possible panic from WithMediaTypeKeyPrefix ([#12516](https://github.com/containerd/containerd/pull/12516))
  * [`8b73c2de3`](https://github.com/containerd/containerd/commit/8b73c2de310e95fe3a143473b511fcf99d03692f) remotes: fix possible panic from WithMediaTypeKeyPrefix
</p>
</details>

### Changes from containerd/cgroups
<details><summary>13 commits</summary>
<p>

* ci: bump golangci-lint to v2.6.2 ([containerd/cgroups#382](https://github.com/containerd/cgroups/pull/382))
  * [`a302e56`](https://github.com/containerd/cgroups/commit/a302e56b258f818a3dacb6e282907904f17ea239) ci: bump golangci-lint to v2.6.2
  * [`731cf7a`](https://github.com/containerd/cgroups/commit/731cf7a96296e8eccffe9b986aece85ec4ab9b5b) ci: suppress errcheck
  * [`9bee663`](https://github.com/containerd/cgroups/commit/9bee663879fd7f5b873fa40f61a837309c4be8b0) utils: move Close() to defer block
  * [`9d7647c`](https://github.com/containerd/cgroups/commit/9d7647ce3bae2f67cc4ecfe1df51796caba49d52) rdma: use strings.Cut in Go 1.18
  * [`109f063`](https://github.com/containerd/cgroups/commit/109f063d1c6cefbc3def1a8e0a169b746f7f5f0a) memory_test: apply De Morgan's law
  * [`e6fcf3f`](https://github.com/containerd/cgroups/commit/e6fcf3fda4200609bb6323428e2d1f24f712e62e) memory_test: omit type from declaration
* build(deps): bump actions/checkout from 5 to 6 ([containerd/cgroups#381](https://github.com/containerd/cgroups/pull/381))
  * [`4e30098`](https://github.com/containerd/cgroups/commit/4e3009894821335455c4b804600eb9667b818f81) build(deps): bump actions/checkout from 5 to 6
* Fix parsing of hugetlb.<size>.events files ([containerd/cgroups#379](https://github.com/containerd/cgroups/pull/379))
  * [`2ad7a12`](https://github.com/containerd/cgroups/commit/2ad7a1241827ef1bc4f964fe8a5248b073f2db82) hugetlb: correctly parse hugetlb.<size>.events files
* go.mod: github.com/opencontainers/runtime-spec v1.3.0 ([containerd/cgroups#376](https://github.com/containerd/cgroups/pull/376))
  * [`34ef430`](https://github.com/containerd/cgroups/commit/34ef430d727e569c31b4f2bbc7d83bffeb1c0165) go.mod: github.com/opencontainers/runtime-spec v1.3.0
</p>
</details>

### Changes from containerd/nri
<details><summary>79 commits</summary>
<p>

* adaptation: allow compiling out WASM support altogether. ([containerd/nri#253](https://github.com/containerd/nri/pull/253))
  * [`ab88fe6`](https://github.com/containerd/nri/commit/ab88fe680c11b35234c38c7d4eac72335721c78d) adaptation: allow compiling out WASM support altogether.
* Support direct editing of the intelRdt config ([containerd/nri#215](https://github.com/containerd/nri/pull/215))
  * [`8c0c9f6`](https://github.com/containerd/nri/commit/8c0c9f67a905fb24682239a4d6d94b0dd52c13e7) Implement removal of RDT
  * [`dfbae8a`](https://github.com/containerd/nri/commit/dfbae8a616b80037798e3cfb8315d70f3f2eff7e) plugins: add sample rdt plugin
  * [`d05dd81`](https://github.com/containerd/nri/commit/d05dd818ed26c3dbeae0fce88289387b62e4665c) pkg/adaptation: support new RDT fields
  * [`725289b`](https://github.com/containerd/nri/commit/725289b256878de8e965327ab6e70dc883ea771b) pkg/runtime-tools/generate: support new RDT fields
  * [`a7832a2`](https://github.com/containerd/nri/commit/a7832a241411573e03982490197d7eb98a1c9d29) api: add rdt
* update wazero/wazero version to v1.10.1 ([containerd/nri#252](https://github.com/containerd/nri/pull/252))
  * [`9eb9a0f`](https://github.com/containerd/nri/commit/9eb9a0f0f6e223e6060805b55957f117f159f5cc) update tetratelabs/wazero version to v1.10.1
* support specifying a custom NRI socket path ([containerd/nri#249](https://github.com/containerd/nri/pull/249))
  * [`2df6565`](https://github.com/containerd/nri/commit/2df656516e73b31e013257f713a1df5baa7fdcb0) [plugins] support specifying a custom NRI socket path
* pkg/api: add OptionalRepeatedString type ([containerd/nri#212](https://github.com/containerd/nri/pull/212))
  * [`687c1a6`](https://github.com/containerd/nri/commit/687c1a6a8b5c75056acd176dc89c45251926d0bb) pkg/api: add OptionalRepeatedString type
* api,adaptation,generate: allow setting kernel scheduling policy attributes. ([containerd/nri#160](https://github.com/containerd/nri/pull/160))
  * [`6a371ac`](https://github.com/containerd/nri/commit/6a371ac5e7afcd185ee575828f4822d779f0ded9) device-injector: add scheduling policy adjustment.
  * [`e06369e`](https://github.com/containerd/nri/commit/e06369e8d1cad80f12eaf6f2c0da19c7ac78396c) api,adaptation,generate: allow setting scheduler attributes.
* device-injector: always log injection summary. ([containerd/nri#246](https://github.com/containerd/nri/pull/246))
  * [`14cc2e2`](https://github.com/containerd/nri/commit/14cc2e2fb6b9504c5241e3156b24b1055ed4e3ed) device-injector: always log injection summary.
* api,adaptation,generate: allow adjusting linux net devices ([containerd/nri#157](https://github.com/containerd/nri/pull/157))
  * [`5145c92`](https://github.com/containerd/nri/commit/5145c92e7c215ce3969805005ebdb0f37749e68b) device-injector: add network device injection.
  * [`8a03823`](https://github.com/containerd/nri/commit/8a03823fe8afbca00b30f669805c911414c58803) api,adaptation,generate: allow adjusting linux net devices.
* Add support for sysctl adjustment ([containerd/nri#248](https://github.com/containerd/nri/pull/248))
  * [`914fbf3`](https://github.com/containerd/nri/commit/914fbf3faf42da144376c133541c37211d2f9200) default-validator: restrict sysctl adjustment
  * [`a418956`](https://github.com/containerd/nri/commit/a4189560f80f7c02579eec252ae43034bf21cb8a) api: apply sysctl adjustments
  * [`8705f9b`](https://github.com/containerd/nri/commit/8705f9b1eb3107ad8bc422978b0412527e3fd236) api: add sysctl container adjustment
* feat: Make logger a configurable struct member for stub ([containerd/nri#239](https://github.com/containerd/nri/pull/239))
  * [`08a891a`](https://github.com/containerd/nri/commit/08a891a81d90b03b5e5ae14734f5ad74e74c264b) feat: Make logger a configurable struct member for stub
* Drop dependency on opencontainers/runtime-tools ([containerd/nri#247](https://github.com/containerd/nri/pull/247))
  * [`5e5c2be`](https://github.com/containerd/nri/commit/5e5c2be5f57436228f2762e0deb2c4f9873f3e9b) Drop dependency on opencontainers/runtime-tools
* deps: bump runtime-spec to v1.3.0. ([containerd/nri#243](https://github.com/containerd/nri/pull/243))
  * [`29c5811`](https://github.com/containerd/nri/commit/29c581117267cb5d2289ff08902a93ff263caf0e) (v0.1.0) examples: lock NRI, runtime spec deps.
  * [`d812952`](https://github.com/containerd/nri/commit/d8129529588cca090c972aa5e5f7775162af59da) v010-adapter: lock NRI, runtime spec and tools deps.
  * [`7dd7c7f`](https://github.com/containerd/nri/commit/7dd7c7f8b21c08242de41634b12ab2ee71b91000) api,runtime-tools: adjust for runtime-spec v1.3.0.
  * [`5d5d4c4`](https://github.com/containerd/nri/commit/5d5d4c4c877fdef4fe0938e627b11b97234195b8) go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.
* adaptation: ensure sync'ed plugins are fully registered in tests. ([containerd/nri#234](https://github.com/containerd/nri/pull/234))
  * [`c840397`](https://github.com/containerd/nri/commit/c84039771e9c2cee68952b4b7cc52cba1909784e) adaptation: ensure sync'ed plugins are fully registered in tests.
* Fix wasm example ([containerd/nri#237](https://github.com/containerd/nri/pull/237))
  * [`44b2861`](https://github.com/containerd/nri/commit/44b2861a26c8e392229cd8b27a20cf689925f176) Fix wasm example
* Makefile: build proto files unconditionally ([containerd/nri#229](https://github.com/containerd/nri/pull/229))
  * [`d99f960`](https://github.com/containerd/nri/commit/d99f96028e5226c004f94a3394be82190980c4bd) Fix dockerized proto build
  * [`9623748`](https://github.com/containerd/nri/commit/9623748f543343bfe6b2312df47a7ed9000d47fe) Makefile: build proto files unconditionally
  * [`25d9391`](https://github.com/containerd/nri/commit/25d9391690a7158d851364ef011e1f56fd607a70) build: ensure we use correct version of protoc and its deps.
* adaptation: test with populated initial resources. ([containerd/nri#231](https://github.com/containerd/nri/pull/231))
  * [`b6b98b5`](https://github.com/containerd/nri/commit/b6b98b56a60df29da312cc1e1e070697dec43583) adaptation: test with populated initial resources.
* Install protoc locally in the source tree ([containerd/nri#232](https://github.com/containerd/nri/pull/232))
  * [`2394daa`](https://github.com/containerd/nri/commit/2394daa45f1c7c0fcf28e9e39895c8b871a7445c) Install protoc locally in the source tree
* plugins/logger: fix default event subscription mask. ([containerd/nri#158](https://github.com/containerd/nri/pull/158))
  * [`33b1db1`](https://github.com/containerd/nri/commit/33b1db1add2e9a603f7c47e1efa95d386f4af560) logger: fix default event subscription mask.
* extract memory and CPU resource helpers ([containerd/nri#210](https://github.com/containerd/nri/pull/210))
  * [`7afb32a`](https://github.com/containerd/nri/commit/7afb32a3a444fd0a24e36988e0906ad35590c672) extract memory and CPU resource helpers
* api: expose container user/group ID to plugins. ([containerd/nri#230](https://github.com/containerd/nri/pull/230))
  * [`22aeb46`](https://github.com/containerd/nri/commit/22aeb467e553bffd7650930b3bc6c28b95a2dee5) docs: update README with container uid/gid info.
  * [`71b0335`](https://github.com/containerd/nri/commit/71b0335fdc262451ab2ff71591f1126c8a036265) api,adaptation: add container uid/gid info.
* contrib: add example for enabling per-container RDT monitoring ([containerd/nri#228](https://github.com/containerd/nri/pull/228))
  * [`91fbf06`](https://github.com/containerd/nri/commit/91fbf06ed654e46629cb7aefb11856953720c9cf) contrib: add example for enabling per-container RDT monitoring
* ci: enable image signing ([containerd/nri#224](https://github.com/containerd/nri/pull/224))
  * [`fb54916`](https://github.com/containerd/nri/commit/fb5491601ca84bf52b70e75d0e99ddc4dfe6a922) ci: enable image signing
* golangci: disable QF1008 from staticcheck linter ([containerd/nri#226](https://github.com/containerd/nri/pull/226))
  * [`0b3b577`](https://github.com/containerd/nri/commit/0b3b5770d1f6845d3a3e52ccb5218f2b3ce1f34e) golangci: disable QF1008 from staticcheck linter
* ci: bump golangci-lint to v2.4 ([containerd/nri#225](https://github.com/containerd/nri/pull/225))
  * [`9787127`](https://github.com/containerd/nri/commit/9787127c0f3e69726b968e12b29dae31e35e250b) Bump golangci-lint to v2.4
  * [`1a50ff5`](https://github.com/containerd/nri/commit/1a50ff585624f01763fd20aafaeaa92aa8b27c46) Add nolint directives
  * [`00fa1a1`](https://github.com/containerd/nri/commit/00fa1a124e605590d3ceea1e687600785ae6518d) Add and fix comments for exported types
  * [`ac21da7`](https://github.com/containerd/nri/commit/ac21da7be8f991a8699cef41acba8783dee5351e) pkg/api/seccomp: add comments for exported functions
  * [`3aff986`](https://github.com/containerd/nri/commit/3aff986af5f8abefda8552edae991608782df46c) pkg/runtime-tools/generate: remove embedded field "Generator"
  * [`c0c4bb6`](https://github.com/containerd/nri/commit/c0c4bb648ae46207f47d5b18bf447f7d5b32e26b) pkg/api/validate: add comments for exported methods
  * [`c0ba9da`](https://github.com/containerd/nri/commit/c0ba9da712934c860a64af54d96b5cfc74672ff5) adaptation/builtin: add comment for exported symbols
* .gitignore: revert hastily reviewed editor-specific addition. ([containerd/nri#221](https://github.com/containerd/nri/pull/221))
  * [`02376f3`](https://github.com/containerd/nri/commit/02376f371c707718144dd509172618c69ce6670c) .gitignore: add comment about global gitignore.
  * [`9336a79`](https://github.com/containerd/nri/commit/9336a7933c666dbe6da09fe3cb46e80b478fb268) Revert "nit: Add .idea folder to gitignore"
* nit: Add .idea folder to gitignore ([containerd/nri#218](https://github.com/containerd/nri/pull/218))
  * [`f578ea2`](https://github.com/containerd/nri/commit/f578ea2804642f2cd59594edc17b59d995289223) nit: Add .idea folder to gitignore
* chore: clean and unify nolint directives ([containerd/nri#217](https://github.com/containerd/nri/pull/217))
  * [`21741b9`](https://github.com/containerd/nri/commit/21741b9ee40d69eb9ee3d5688e45b0b022c32738) chore: clean and unify nolint directives
* Downgrade go to require 1.24.0 ([containerd/nri#214](https://github.com/containerd/nri/pull/214))
  * [`d26e910`](https://github.com/containerd/nri/commit/d26e910702c62126decc6befe835e7315cd738a9) Downgrade go to require 1.24.0
* Add dockerized target for building proto files ([containerd/nri#211](https://github.com/containerd/nri/pull/211))
  * [`13fcc07`](https://github.com/containerd/nri/commit/13fcc0773d23520ff44d54549122ec78c8f1e473) Add dockerized target for building proto files
</p>
</details>

### Changes from containerd/zfs
<details><summary>11 commits</summary>
<p>

* go.mod: update to stable containerd v2.0 ([containerd/zfs#89](https://github.com/containerd/zfs/pull/89))
  * [`f11f891`](https://github.com/containerd/zfs/commit/f11f891ff42b3f8cd6f15d0fb18b2644a002bb85) go.mod: update to stable containerd v2.0
* ci: update actions, test against go1.23, fix linting, and update golangci-lint ([containerd/zfs#88](https://github.com/containerd/zfs/pull/88))
  * [`662ad3c`](https://github.com/containerd/zfs/commit/662ad3cefa596775e20a44a1c6b1037b0a0d539d) gha: update golangci/golangci-lint-action@v9, golangci-lint v2.7
  * [`b0b2584`](https://github.com/containerd/zfs/commit/b0b25847ac875af99d62e9d4f83b2875a2f39df9) remove nolint comments
  * [`7c4274b`](https://github.com/containerd/zfs/commit/7c4274bfa0a0df14d66fabb51269bfdfbf4e0b06) fix error capitalization
  * [`24ce1b9`](https://github.com/containerd/zfs/commit/24ce1b93f0579fe5ecaec4bd55290ff7e2f456db) fix inconsistent receiver name
  * [`c8545c3`](https://github.com/containerd/zfs/commit/c8545c33c3c9f4d881c45a22688be49f4ff1502a) gha: update actions/checkout@v6
  * [`d23ec04`](https://github.com/containerd/zfs/commit/d23ec046338e9a5761083cef373be2bab1551995) gha: update actions/setup-go@v6
  * [`bb45f6e`](https://github.com/containerd/zfs/commit/bb45f6e4d3965616dcaae6eaab9342af0e4c1cad) gha: update containerd/project-checks@v1.2.2
  * [`65bc451`](https://github.com/containerd/zfs/commit/65bc451f6abab9d7133abd7c227be227ad6b1f0d) gha: test against go1.23
</p>
</details>

### Dependency Changes

* **github.com/containerd/cgroups/v3**                  v3.1.0 -> v3.1.2
* **github.com/containerd/nri**                         v0.10.0 -> v0.11.0
* **github.com/containerd/zfs/v2**                      v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**            v1.8.0 -> v1.9.0
* **github.com/cyphar/filepath-securejoin**             v0.5.1 **_new_**
* **github.com/opencontainers/runtime-spec**            v1.2.1 -> v1.3.0
* **github.com/opencontainers/runtime-tools**           0ea5ed0382a2 -> edf4cb3d2116
* **github.com/opencontainers/selinux**                 v1.12.0 -> v1.13.1
* **github.com/tetratelabs/wazero**                     v1.9.0 -> v1.10.1
* **golang.org/x/crypto**                               v0.41.0 -> v0.45.0
* **golang.org/x/net**                                  v0.43.0 -> v0.47.0
* **golang.org/x/sync**                                 v0.17.0 -> v0.18.0
* **golang.org/x/sys**                                  v0.37.0 -> v0.38.0
* **golang.org/x/term**                                 v0.34.0 -> v0.37.0
* **golang.org/x/text**                                 v0.28.0 -> v0.31.0
* **tags.cncf.io/container-device-interface**           v1.0.1 -> v1.1.0
* **tags.cncf.io/container-device-interface/specs-go**  v1.0.0 -> v1.1.0

Previous release can be found at [v2.2.0](https://github.com/containerd/containerd/releases/tag/v2.2.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.6

c74fd878 · Merge pull request #12653 from dmcgowan/prepare-2.1.6 · Dec 17, 2025

containerd 2.1.6

Welcome to the v2.1.6 release of containerd!

The sixth patch release for containerd 2.1 contains various fixes and updates.

### Highlights

#### Runtime

* **Update runc binary to v1.3.4** ([#12618](https://github.com/containerd/containerd/pull/12618))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Derek McGowan
* Mike Brown
* Phil Estes
* Austin Vazquez
* Kirtana Ashok
* Andrey Noskov
* CrazyMax
* Davanum Srinivas
* Krisztian Litkey
* Maksym Pavlenko
* Michael Weibel
* Paweł Gronowski
* Sebastiaan van Stijn
* Wei Fu

### Changes
<details><summary>28 commits</summary>
<p>

* Prepare release notes for v2.1.6 ([#12653](https://github.com/containerd/containerd/pull/12653))
  * [`93f79087a`](https://github.com/containerd/containerd/commit/93f79087acf3fc3f01e80b354fbe2cea771304b6) Prepare release notes for v2.1.6
* go.mod: containerd/zfs v2.0.0 ([#12655](https://github.com/containerd/containerd/pull/12655))
  * [`7e75db3a9`](https://github.com/containerd/containerd/commit/7e75db3a929414f46a3e7c8790ea0eec3288e394) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
* cri/nri: short-circuit nil adjustment. ([#12673](https://github.com/containerd/containerd/pull/12673))
  * [`2b8e11b12`](https://github.com/containerd/containerd/commit/2b8e11b12b97ada3d9741ebb29d0d8088ee3cbb8) cri/nri: short-circuit nil adjustment.
* go.mod: github.com/containernetworking/plugins v1.9.0 ([#12659](https://github.com/containerd/containerd/pull/12659))
  * [`69efd067c`](https://github.com/containerd/containerd/commit/69efd067caca778588edd945a5e9f2a4feb156a6) go.mod: github.com/containernetworking/plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) ([#12639](https://github.com/containerd/containerd/pull/12639))
  * [`e81678853`](https://github.com/containerd/containerd/commit/e816788537ca2b9484aa86da58391923e873f571) go.mod: golang.org/x/crypto v0.45.0
  * [`55a2d8c8d`](https://github.com/containerd/containerd/commit/55a2d8c8d0bf6c5a7481c8922eb5a351f82f9344) CI: drop Go 1.23
  * [`fd8e3c39b`](https://github.com/containerd/containerd/commit/fd8e3c39b952b2fb9278df64f9de4e46fa78dd36) Update Go requirements in BUILDING
* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12623](https://github.com/containerd/containerd/pull/12623))
  * [`a4454c49a`](https://github.com/containerd/containerd/commit/a4454c49a66b48309c0d9a1f5c386daf5d692614) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
* Update runc binary to v1.3.4 ([#12618](https://github.com/containerd/containerd/pull/12618))
  * [`251f0a285`](https://github.com/containerd/containerd/commit/251f0a2854f7831ca040d7ba2dab181fd02f2240) runc: Update runc binary to v1.3.4
* ci: bump Go 1.24.11, 1.25.5 ([#12626](https://github.com/containerd/containerd/pull/12626))
  * [`c07c29bca`](https://github.com/containerd/containerd/commit/c07c29bca60eeff9454b005e9856acfb12cfd68c) ci: bump Go 1.24.11, 1.25.5
  * [`e52817652`](https://github.com/containerd/containerd/commit/e528176522bc3df790ea923cfac15c18336ae429) ci: bump Go 1.24.10, 1.25.4
  * [`04bbb66e4`](https://github.com/containerd/containerd/commit/04bbb66e408602872693282063c080bb2e9e6cf9) ci(release): set GO_VERSION in Dockerfile
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12633](https://github.com/containerd/containerd/pull/12633))
  * [`492987ccc`](https://github.com/containerd/containerd/commit/492987cccf044c4015ec35ce161606cc514de75e) ci: update CIFuzz actions to support Ubuntu 24.04
* build(deps): bump github.com/opencontainers/selinux ([#12590](https://github.com/containerd/containerd/pull/12590))
  * [`55a25ec6e`](https://github.com/containerd/containerd/commit/55a25ec6efa335cdb9e6b56207643f33277be4d4) build(deps): bump github.com/opencontainers/selinux
* Redact all query parameters in CRI error logs ([#12547](https://github.com/containerd/containerd/pull/12547))
  * [`b72d0dfe0`](https://github.com/containerd/containerd/commit/b72d0dfe0458e1b5f1e67ba70476fc4887ee5f08) fix: redact all query parameters in CRI error logs
* Update 2.1 branch to no longer build as latest ([#12487](https://github.com/containerd/containerd/pull/12487))
  * [`ecd58bd65`](https://github.com/containerd/containerd/commit/ecd58bd6507cb6c566c68b440ceea5d7d99b3260) Update 2.1 branch to no longer build as latest
</p>
</details>

### Changes from containerd/platforms
<details><summary>5 commits</summary>
<p>

* use windowsMatchComparer for OSVersion match order ([containerd/platforms#25](https://github.com/containerd/platforms/pull/25))
  * [`8c0d9f9`](https://github.com/containerd/platforms/commit/8c0d9f9835bbe848b9c6f6f4a3a23f7dc97de927) use windowsMatchComparer for OSVersion match order
* Add WS2025 to Windows matcher and code optimizations ([containerd/platforms#24](https://github.com/containerd/platforms/pull/24))
  * [`8447b0a`](https://github.com/containerd/platforms/commit/8447b0ad126eb97a40c5bde800d38370a39ba52f) Update ci.yml
  * [`4549974`](https://github.com/containerd/platforms/commit/4549974181760492ffc528fae4d7f29620a2c67c) Add WS2025 to Windows matcher and code optimizations
</p>
</details>

### Dependency Changes

* **github.com/containerd/platforms**         v1.0.0-rc.1 -> v1.0.0-rc.2
* **github.com/containerd/zfs/v2**            v2.0.0-rc.0 -> v2.0.0
* **github.com/containernetworking/plugins**  v1.7.1 -> v1.9.0
* **github.com/coreos/go-systemd/v22**        v22.5.0 -> v22.6.0
* **github.com/cyphar/filepath-securejoin**   v0.5.1 **_new_**
* **github.com/go-logr/logr**                 v1.4.2 -> v1.4.3
* **github.com/opencontainers/selinux**       v1.12.0 -> v1.13.1
* **github.com/vishvananda/netlink**          0e7078ed04c8 -> v1.3.1
* **golang.org/x/crypto**                     v0.36.0 -> v0.45.0
* **golang.org/x/mod**                        v0.24.0 -> v0.29.0
* **golang.org/x/net**                        v0.38.0 -> v0.47.0
* **golang.org/x/sync**                       v0.14.0 -> v0.18.0
* **golang.org/x/sys**                        v0.33.0 -> v0.38.0
* **golang.org/x/term**                       v0.30.0 -> v0.37.0
* **golang.org/x/text**                       v0.23.0 -> v0.31.0
* **google.golang.org/protobuf**              v1.36.6 -> v1.36.7

Previous release can be found at [v2.1.5](https://github.com/containerd/containerd/releases/tag/v2.1.5)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.30

71c1c866 · Merge pull request #12652 from dmcgowan/prepare-1.7.30 · Dec 17, 2025

containerd 1.7.30

Welcome to the v1.7.30 release of containerd!

The thirtieth patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

#### Container Runtime Interface (CRI)

* **Fix NRI dropping requested CDI devices silently** ([#12650](https://github.com/containerd/containerd/pull/12650))
* **Redact all query parameters in CRI error logs** ([#12551](https://github.com/containerd/containerd/pull/12551))

#### Runtime

* **Update runc binary to v1.3.4** ([#12619](https://github.com/containerd/containerd/pull/12619))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Austin Vazquez
* Mike Brown
* Wei Fu
* Andrey Noskov
* CrazyMax
* Davanum Srinivas
* Jin Dong
* Krisztian Litkey
* Maksym Pavlenko
* Paweł Gronowski
* Phil Estes
* Samuel Karp

### Changes
<details><summary>26 commits</summary>
<p>

* Prepare release notes for v1.7.30 ([#12652](https://github.com/containerd/containerd/pull/12652))
  * [`3d0ca6d2e`](https://github.com/containerd/containerd/commit/3d0ca6d2e7ba597bf0423e5f5f49e47b81c1e7a0) Prepare release notes for v1.7.30
* Fix NRI dropping requested CDI devices silently ([#12650](https://github.com/containerd/containerd/pull/12650))
  * [`0bc74f47e`](https://github.com/containerd/containerd/commit/0bc74f47e708bd843e676c5a8617f0498ea6459a) cri,nri: don't drop requested CDI devices silently.
* script/setup/install-cni: install CNI plugins v1.9.0 ([#12660](https://github.com/containerd/containerd/pull/12660))
  * [`7db16b562`](https://github.com/containerd/containerd/commit/7db16b5627a550caf05d9a902e16cb0d04bf1ee1) script/setup/install-cni: install CNI plugins v1.9.0
* go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) ([#12640](https://github.com/containerd/containerd/pull/12640))
  * [`bca897b47`](https://github.com/containerd/containerd/commit/bca897b4739fef9b6a34c54ac6050d1621e53f92) go.mod: golang.org/x/crypto v0.45.0
  * [`37cbd2224`](https://github.com/containerd/containerd/commit/37cbd2224e674c317e25b03bbf4ab5a9ed644a5d) CI: drop Go 1.23
  * [`ee49d1747`](https://github.com/containerd/containerd/commit/ee49d1747c357cd45119750d4db464f957f4d793) Update Go requirements in BUILDING
* ci: bump Go 1.24.11, 1.25.5 ([#12627](https://github.com/containerd/containerd/pull/12627))
  * [`145978224`](https://github.com/containerd/containerd/commit/1459782247cc3eb2a6a2693a614766a86bcf6826) ci: bump Go 1.24.11, 1.25.5
  * [`3dbadfaa1`](https://github.com/containerd/containerd/commit/3dbadfaa158ebff9862606fe14a454f668a41d49) ci: bump Go 1.24.10, 1.25.4
  * [`2bac971f0`](https://github.com/containerd/containerd/commit/2bac971f0c91a1668bf1ec9c5ec1aa3f0484bd03) ci(release): set GO_VERSION in Dockerfile
* Update runc binary to v1.3.4 ([#12619](https://github.com/containerd/containerd/pull/12619))
  * [`34b89a574`](https://github.com/containerd/containerd/commit/34b89a5744330f098774356cc592bcc38f3279d8) runc: Update runc binary to v1.3.4
* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12635](https://github.com/containerd/containerd/pull/12635))
  * [`6e0dd8956`](https://github.com/containerd/containerd/commit/6e0dd89566553cc1be1cd4823df5d5faeb839b31) ci: update CIFuzz actions to support Ubuntu 24.04
* build(deps): bump github.com/opencontainers/selinux ([#12591](https://github.com/containerd/containerd/pull/12591))
  * [`3eea2a4af`](https://github.com/containerd/containerd/commit/3eea2a4af8b7e20c6c299551782aeccab0a10c0a) build(deps): bump github.com/opencontainers/selinux
* remove sha256-simd ([#12576](https://github.com/containerd/containerd/pull/12576))
  * [`1194f5128`](https://github.com/containerd/containerd/commit/1194f5128f342d40b3ef0c3a4baea3d5ecf15d3b) remove sha256-simd
* .github: skip 5 critest cases for window-2022 ([#12586](https://github.com/containerd/containerd/pull/12586))
  * [`ce2d3a67f`](https://github.com/containerd/containerd/commit/ce2d3a67f2b4e3dc2e804bb9ecde609f04e1e1f6) .github: skip 5 critest cases in window CI pipeline
* Redact all query parameters in CRI error logs ([#12551](https://github.com/containerd/containerd/pull/12551))
  * [`65271ea89`](https://github.com/containerd/containerd/commit/65271ea895cd62016f2baf0e758b1cd7388344e7) fix: redact all query parameters in CRI error logs
</p>
</details>

### Dependency Changes

* **github.com/cyphar/filepath-securejoin**  v0.5.1 **_new_**
* **github.com/opencontainers/selinux**      v1.11.0 -> v1.13.1
* **golang.org/x/crypto**                    v0.40.0 -> v0.45.0
* **golang.org/x/mod**                       v0.26.0 -> v0.29.0
* **golang.org/x/net**                       v0.42.0 -> v0.47.0
* **golang.org/x/sync**                      v0.16.0 -> v0.18.0
* **golang.org/x/sys**                       v0.34.0 -> v0.38.0
* **golang.org/x/term**                      v0.33.0 -> v0.37.0
* **golang.org/x/text**                      v0.27.0 -> v0.31.0

Previous release can be found at [v1.7.29](https://github.com/containerd/containerd/releases/tag/v1.7.29)

Unverified

v2.2.0

1c4457e0 · Merge pull request #12473 from dmcgowan/prepare-v2.2.0 · Nov 05, 2025

containerd 2.2.0

Welcome to the v2.2.0 release of containerd!

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

### Highlights

* **Add mount manager** ([#12063](https://github.com/containerd/containerd/pull/12063))

  The mount manager is a new service that provides lifecycle management for filesystem mounts
  to support more advanced use cases, such as:
  * **Device formatting** to create formatted filesystems (xfs, ext4) on-demand
  * **Mount activation** to prepare devices such as loopbacks or network fileystems
  * **Mount transformation** to allow mount arguments to be filled in dynamically from previous mounts
  * **Garbage collection** of mounts to ensure temporary mounts are never leaked
* **Add conf.d include in the default config** ([#12323](https://github.com/containerd/containerd/pull/12323))
* **Add support for back references in the garbage collector** ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Container Runtime Interface (CRI)

* **Pod Sandbox Metrics** ([#10691](https://github.com/containerd/containerd/pull/10691))

  Full implementation of Kubernetes CRI pod-level metrics API
  * **ListPodSandboxMetrics**: Query metrics for  running pods/sandboxes
  * **ListMetricsDescriptors**: Discover available metrics and their descriptions
* **Support image volume mount subpath** ([#11578](https://github.com/containerd/containerd/pull/11578))

#### Go client

* **Update pkg/oci to use fs.FS interface and os.OpenRoot** ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* **Parallel Unpack**  ([#12332](https://github.com/containerd/containerd/pull/12332))

  Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters.
* **OCI Referrers Support** ([#12309](https://github.com/containerd/containerd/pull/12309))

  Adds new referrers fetcher to remote registry interface using the [new referrers endpoint added in OCI distribution-spec 1.1](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers)
* **Tar unpack progress through transfer service** ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* **EROFS enhancements using mount manager** ([#12333](https://github.com/containerd/containerd/pull/12333))

  Improvements to EROFS snapshotter using the new mount manager service
  * **Quota Support**: Support for sized block devices as the upper layer for overlayfs
  * **Mount Lifecycle**: Loopback setup, block device creation, and overlayfs argument formatting is moved to the
     mount  manager to be performed on-demand or within the runtime.
  * **Mount handler**: To allow optimization of EROFS mount types based on the current system
  * **macOS Support**: EROFS snapshotter can now be used on Darwin to natively allow image pulls
  * **Tar index mode**: Efficiently generate EROFS metadata backed by original tar content ([#11919](https://github.com/containerd/containerd/pull/11919))
* **Add snapshotter and differ for block CIMs** ([#12050](https://github.com/containerd/containerd/pull/12050))

#### Node Resource Interface (NRI)

* **Enable otel traces in NRI** ([#12082](https://github.com/containerd/containerd/pull/12082))
* **Add WASM plugin support** ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* **Improve shim load time after restart by loading in parallel** ([#12142](https://github.com/containerd/containerd/pull/12142))
* **Fix pidfd leak in UnshareAfterEnterUserns** ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* **Deprecate cgroup v1** ([#12445](https://github.com/containerd/containerd/pull/12445))
* **Postpone v2.2 deprecation items to v2.3** ([#12417](https://github.com/containerd/containerd/pull/12417))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Maksym Pavlenko
* Wei Fu
* Krisztian Litkey
* Mike Brown
* Akhil Mohan
* Markus Lehtonen
* Samuel Karp
* Sebastiaan van Stijn
* ningmingxiao
* Austin Vazquez
* yashsingh74
* Gao Xiang
* Kirtana Ashok
* Jin Dong
* Chris Henzie
* Aadhar Agarwal
* Etienne Champetier
* Henry Wang
* Rodrigo Campos
* Sascha Grunert
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Tõnis Tiigi
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Max Jonas Werner
* Rehan Khan
* Yang Yang
* jinda.ljd
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Evan Anderson
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Michael Weibel
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Wuyue (Tony) Sun
* suranmiao
* tanhuaan
* wheat2018
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/cgroups/v3**                                   v3.0.5 -> v3.1.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containerd/platforms**                                    v1.0.0-rc.1 -> v1.0.0-rc.2
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.10.0
* **github.com/klauspost/compress**                                      v1.18.0 -> v1.18.1
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.29.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.37.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.14.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.5

fcd43222 · Merge pull request #12483 from austinvazquez/prep_2_1_5 · Nov 05, 2025

containerd 2.1.5

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

### Security Updates

* **containerd**
  * [**GHSA-pwhc-rpq9-4c8w**](https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
  * [**GHSA-m6hq-p25p-ffr2**](https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)

* **runc**
  * [**GHSA-qw9x-cqr3-wc7r**](https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
  * [**GHSA-cgrx-mc8f-2prm**](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
  * [**GHSA-9493-h29p-rfm2**](https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)

### Highlights

#### Container Runtime Interface (CRI)

* **Disable event subscriber during task cleanup** ([#12410](https://github.com/containerd/containerd/pull/12410))
* **Add SystemdCgroup to default runtime options** ([#12253](https://github.com/containerd/containerd/pull/12253))
* **Fix userns with container image VOLUME mounts that need copy** ([#12242](https://github.com/containerd/containerd/pull/12242))

#### Image Distribution

* **Ensure errContentRangeIgnored error when range-get request is ignored** ([#12312](https://github.com/containerd/containerd/pull/12312))

#### Runtime

* **Update runc binary to v1.3.3** ([#12478](https://github.com/containerd/containerd/pull/12478))

#### Deprecations

* **Postpone v2.2 deprecation items to v2.3** ([#12431](https://github.com/containerd/containerd/pull/12431))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Phil Estes
* Akihiro Suda
* Derek McGowan
* Austin Vazquez
* Rodrigo Campos
* Maksym Pavlenko
* Wei Fu
* ningmingxiao
* Akhil Mohan
* Henry Wang
* Andrew Halaney
* Divya Rani
* Jose Fernandez
* Swagat Bora
* wheat2018

### Changes
<details><summary>58 commits</summary>
<p>

* Prepare release notes for v2.1.5 ([#12483](https://github.com/containerd/containerd/pull/12483))
  * [`fc5bdfeac`](https://github.com/containerd/containerd/commit/fc5bdfeacefc7ff2a4f6bafaa2ed6453dbb8c472) Prepare release notes for v2.1.5
  * [`c578c26bf`](https://github.com/containerd/containerd/commit/c578c26bf9e9d3368e87edb837b706053c3ef30e) Update mailmap
  * [`46a4a03fb`](https://github.com/containerd/containerd/commit/46a4a03fb4131739e948f983af8c984eb0c36d61) Merge commit from fork
  * [`232786c90`](https://github.com/containerd/containerd/commit/232786c906a11dae0c1ef5059653d4164345401f) Fix directory permissions
  * [`239ab877d`](https://github.com/containerd/containerd/commit/239ab877db8edf31ffb2ae63d83919d1c242e8d2) Merge commit from fork
  * [`0766796e8`](https://github.com/containerd/containerd/commit/0766796e8e95ffdbf6d2b4fb08bda536c03d444c) fix goroutine leak of container Attach
* Update runc binary to v1.3.3 ([#12478](https://github.com/containerd/containerd/pull/12478))
  * [`3d713d3d0`](https://github.com/containerd/containerd/commit/3d713d3d0db35b9e0d587e482498c891cc6fa3f2) runc: Update runc binary to v1.3.3
* Update GHA runners to use latest images for basic binaries build ([#12470](https://github.com/containerd/containerd/pull/12470))
  * [`de4221cb7`](https://github.com/containerd/containerd/commit/de4221cb7fb5f3ebb2fb5b2bdecfa907cdce94fb) Update GHA runners to use latest images for basic binaries build
* ci: bump Go 1.24.9, 1.25.3 ([#12467](https://github.com/containerd/containerd/pull/12467))
  * [`2045b1920`](https://github.com/containerd/containerd/commit/2045b1920f150e1591ed5d6e146ff280abb18be0) ci: bump Go 1.24.9, 1.25.3
* Update GHA runners to use latest image for most jobs ([#12468](https://github.com/containerd/containerd/pull/12468))
  * [`21ec7cc7d`](https://github.com/containerd/containerd/commit/21ec7cc7d15d031e9d798971486237097173babe) Update GHA runners to use latest image for most jobs
* CI: update Fedora to 43 ([#12449](https://github.com/containerd/containerd/pull/12449))
  * [`893b5f92e`](https://github.com/containerd/containerd/commit/893b5f92e3fd9a75e3f4f9aa824287b97107b390) CI: update Fedora to 43
* Postpone v2.2 deprecation items to v2.3 ([#12431](https://github.com/containerd/containerd/pull/12431))
  * [`6374a8f9d`](https://github.com/containerd/containerd/commit/6374a8f9d7123bc380a060586c387508069b3cea) Postpone v2.2 deprecation items to v2.3
* CI: skip ubuntu-24.04-arm on private repos ([#12427](https://github.com/containerd/containerd/pull/12427))
  * [`98e0e73de`](https://github.com/containerd/containerd/commit/98e0e73de78c18bbb15f2e3194a7837c20a6eff4) CI: skip ubuntu-24.04-arm on private repos
* Disable event subscriber during task cleanup ([#12410](https://github.com/containerd/containerd/pull/12410))
  * [`a3770cf83`](https://github.com/containerd/containerd/commit/a3770cf83bc55558977b669495f5b6ed8abcc978) cri/server/podsandbox: disable event subscriber
* Fix lost container logs from quickly closing io ([#12377](https://github.com/containerd/containerd/pull/12377))
  * [`7d9f09ba0`](https://github.com/containerd/containerd/commit/7d9f09ba048da562cdc0a971be439641c87aedcf) bugfix:fix container logs lost because io close too quickly
* ci: bump Go 1.24.8 ([#12360](https://github.com/containerd/containerd/pull/12360))
  * [`d1cab3cc5`](https://github.com/containerd/containerd/commit/d1cab3cc58c001d314d638419032c0de0a8c1eb1) ci: bump Go 1.24.8
* Prevent goroutine hangs during ProgressTracker shutdown ([#12336](https://github.com/containerd/containerd/pull/12336))
  * [`9b57a4d35`](https://github.com/containerd/containerd/commit/9b57a4d35a9728ccb99a03b1a27cca8b431e99ab) Prevent goroutine hangs during ProgressTracker shutdown
* Ensure errContentRangeIgnored error when range-get request is ignored ([#12312](https://github.com/containerd/containerd/pull/12312))
  * [`ca3de4fe7`](https://github.com/containerd/containerd/commit/ca3de4fe7b3219d1d2f8ac9482b93b0e63b52801) Ensure errContentRangeIgnored error when range-get request is ignored by registry
* Remove additional fuzzers from instrumentation repo ([#12313](https://github.com/containerd/containerd/pull/12313))
  * [`dfffe3d9c`](https://github.com/containerd/containerd/commit/dfffe3d9c59f85151bf3a2eceeca1c6e61f5e8a0) Remove additional fuzzers from CI
* update release builds to 1.24.7 and add 1.25.1 to CI ([#12258](https://github.com/containerd/containerd/pull/12258))
  * [`c54585ba7`](https://github.com/containerd/containerd/commit/c54585ba72f68ff3df49c16ecc19793d8d872e88) update release builds to 1.24.7 and add 1.25.1 to CI
* runc:Update runc binary to v1.3.1 ([#12277](https://github.com/containerd/containerd/pull/12277))
  * [`f0a48ce38`](https://github.com/containerd/containerd/commit/f0a48ce38a34730ce56d8e97436c2b92e9fd7156) runc:Update runc binary to v1.3.1
* Add SystemdCgroup to default runtime options ([#12253](https://github.com/containerd/containerd/pull/12253))
  * [`f13f8c431`](https://github.com/containerd/containerd/commit/f13f8c4313c18b99f8d5e6f71cf9257a0b8d2f64) add SystemdCgroup to default runtime options
* install-runhcs-shim: fetch target commit instead of tags ([#12256](https://github.com/containerd/containerd/pull/12256))
  * [`42bb71e1e`](https://github.com/containerd/containerd/commit/42bb71e1e5bd40299d1ca58335d108ca64dbc203) install-runhcs-shim: fetch target commit instead of tags
* Fix userns with container image VOLUME mounts that need copy ([#12242](https://github.com/containerd/containerd/pull/12242))
  * [`10944e19f`](https://github.com/containerd/containerd/commit/10944e19f78c0286327838728dac0e3ee2bbb0a1) integration: Add test for directives with userns
  * [`41d74aee2`](https://github.com/containerd/containerd/commit/41d74aee202409a8b15029615a9c0a95ef1a9f29) cri: Fix userns with Dockerfile VOLUME mounts that need copy
* Fix overlayfs issues related to user namespace ([#12222](https://github.com/containerd/containerd/pull/12222))
  * [`f40bfc46b`](https://github.com/containerd/containerd/commit/f40bfc46b0b680f07299c05623d7383cd4204bcb) core/mount: Retry unmounting idmapped directories
  * [`1f51d2dea`](https://github.com/containerd/containerd/commit/1f51d2deada6bf493214c78069d93e94dc226091) core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  * [`8fbf8c503`](https://github.com/containerd/containerd/commit/8fbf8c503ef9ebf837f82a40b9ea54f98d9dccbe) core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  * [`b9d678e15`](https://github.com/containerd/containerd/commit/b9d678e15e27ab45a7cfa9876a46f88afeaca90c) core/mount: Don't call nil function on errors
  * [`583fe2d24`](https://github.com/containerd/containerd/commit/583fe2d244568d585c9b5688d42a24e2cf407709) core/mount: Only idmap once per overlayfs, not per layer
* Add documentation for cgroup_writable field ([#12229](https://github.com/containerd/containerd/pull/12229))
  * [`4832b4d15`](https://github.com/containerd/containerd/commit/4832b4d1541ab01b35e087afda266cef8a66416c) Add documentation for cgroup_writable field
* fix: create bootstrap.json with 0644 permission ([#12183](https://github.com/containerd/containerd/pull/12183))
  * [`3c174cf64`](https://github.com/containerd/containerd/commit/3c174cf64e5b4e6cdae6f06e091e458120390fe7) fix: create bootstrap.json with 0644 permission
* ci: bump Go 1.23.12, 1.24.6 ([#12186](https://github.com/containerd/containerd/pull/12186))
  * [`74b0505eb`](https://github.com/containerd/containerd/commit/74b0505ebd86e8e27f80606322a8c3af73f00e33) ci: bump Go 1.23.12, 1.24.6
* sys: fix pidfd leak in UnshareAfterEnterUserns ([#12179](https://github.com/containerd/containerd/pull/12179))
  * [`5ef6ea747`](https://github.com/containerd/containerd/commit/5ef6ea7470dd18e3c93f21c2ea5004f6e72b0642) sys: fix pidfd leak in UnshareAfterEnterUserns
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.1.4](https://github.com/containerd/containerd/releases/tag/v2.1.4)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.0.7

4ac6c20c · Merge pull request #12482 from austinvazquez/prep_2_0_7 · Nov 05, 2025

containerd 2.0.7

Welcome to the v2.0.7 release of containerd!

The seventh patch release for containerd 2.0 includes various bug fixes and updates.

### Security Updates

* **containerd**
  * [**GHSA-pwhc-rpq9-4c8w**](https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
  * [**GHSA-m6hq-p25p-ffr2**](https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)

* **runc**
  * [**GHSA-qw9x-cqr3-wc7r**](https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
  * [**GHSA-cgrx-mc8f-2prm**](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
  * [**GHSA-9493-h29p-rfm2**](https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)

### Highlights

#### Container Runtime Interface (CRI)

* **Disable event subscriber during task cleanup** ([#12406](https://github.com/containerd/containerd/pull/12406))
* **Add SystemdCgroup to default runtime options** ([#12254](https://github.com/containerd/containerd/pull/12254))
* **Fix userns with container image VOLUME mounts that need copy** ([#12241](https://github.com/containerd/containerd/pull/12241))

#### Image Distribution

* **Add dial timeout field to hosts toml configuration** ([#12136](https://github.com/containerd/containerd/pull/12136))

#### Runtime

* **Update runc binary to v1.3.3** ([#12479](https://github.com/containerd/containerd/pull/12479))
* **Fix lost container logs from quickly closing io** ([#12376](https://github.com/containerd/containerd/pull/12376))
* **Create bootstrap.json with 0644 permission** ([#12184](https://github.com/containerd/containerd/pull/12184))
* **Fix pidfd leak in UnshareAfterEnterUserns** ([#12178](https://github.com/containerd/containerd/pull/12178))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Austin Vazquez
* Phil Estes
* Rodrigo Campos
* Wei Fu
* Akihiro Suda
* Derek McGowan
* Maksym Pavlenko
* ningmingxiao
* Kirtana Ashok
* Akhil Mohan
* Andrew Halaney
* Jin Dong
* Jose Fernandez
* Mike Baynton
* Philip Laine
* Swagat Bora
* wheat2018

### Changes
<details><summary>56 commits</summary>
<p>

* Prepare release notes for v2.0.7 ([#12482](https://github.com/containerd/containerd/pull/12482))
  * [`4931e24f1`](https://github.com/containerd/containerd/commit/4931e24f169091cb4e425b7bfdd4fb0d3c20543b) Prepare release notes for v2.0.7
  * [`205bc4f2d`](https://github.com/containerd/containerd/commit/205bc4f2dbce3df32d2d5140a3d039332b02dbe6) Update mailmap
  * [`5f708b76a`](https://github.com/containerd/containerd/commit/5f708b76a41a1cf56e167971e271c7581cb2f8cb) Merge commit from fork
  * [`8cd112d82`](https://github.com/containerd/containerd/commit/8cd112d8295bafcf4a992816ff9e07f5a78ff71b) Fix directory permissions
  * [`05290b5bc`](https://github.com/containerd/containerd/commit/05290b5bc8fd938c8f77856927a280a1d5eec7b6) Merge commit from fork
  * [`4d1edf4ad`](https://github.com/containerd/containerd/commit/4d1edf4addf8c31b096680f04fee499cabc75439) fix goroutine leak of container Attach
* Update runc binary to v1.3.3 ([#12479](https://github.com/containerd/containerd/pull/12479))
  * [`b46dc6a67`](https://github.com/containerd/containerd/commit/b46dc6a67cc575a83db083f71dcdbc722605c841) runc: Update runc binary to v1.3.3
* ci: bump Go 1.24.9; 1.25.3 ([#12361](https://github.com/containerd/containerd/pull/12361))
  * [`5e9c82178`](https://github.com/containerd/containerd/commit/5e9c821780ff705c47406bf7a72d476da398135c) Update GHA runners to use latest images for basic binaries build
  * [`7f59248dc`](https://github.com/containerd/containerd/commit/7f59248dcd66cb0c418669a880e0c1d7e48e0dfa) Update GHA runners to use latest image for most jobs
  * [`e1373e8a8`](https://github.com/containerd/containerd/commit/e1373e8a8abf94b28507972694f8aea17f1b10c5) ci: bump Go 1.24.9, 1.25.3
  * [`e1a910a6a`](https://github.com/containerd/containerd/commit/e1a910a6a989b2cb0ed1ae4fda42eacbb6361e4b) ci: bump Go 1.24.8; 1.25.2
  * [`fd04b7f17`](https://github.com/containerd/containerd/commit/fd04b7f176ec52d17e0014d07d045d6fa79bd620) move exclude-dirs to issues.exclude-dirs
  * [`b49377975`](https://github.com/containerd/containerd/commit/b493779751d070255648e6b1e75dc9af8516c347) update golangci-lint to v1.64.2
  * [`6e45022a1`](https://github.com/containerd/containerd/commit/6e45022a1e01fd1c78217df3b271d7735b8c4440) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  * [`09ce0f2a1`](https://github.com/containerd/containerd/commit/09ce0f2a1ee5b1524c95c3831ed124e5d4fd0a2b) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  * [`de63a740b`](https://github.com/containerd/containerd/commit/de63a740b8108c62bf018cf1f508bb9e5842bfd2) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
* Fix lost container logs from quickly closing io ([#12376](https://github.com/containerd/containerd/pull/12376))
  * [`f953ee8a3`](https://github.com/containerd/containerd/commit/f953ee8a3c1feeaa60a3c9d386afa424040d56de) bugfix:fix container logs lost because io close too quickly
* CI: update Fedora to 43 ([#12448](https://github.com/containerd/containerd/pull/12448))
  * [`f6f15f513`](https://github.com/containerd/containerd/commit/f6f15f5135d313309a76fc6545e7cf86653d2f6e) CI: update Fedora to 43
* Disable event subscriber during task cleanup ([#12406](https://github.com/containerd/containerd/pull/12406))
  * [`2a2329cbd`](https://github.com/containerd/containerd/commit/2a2329cbd02dc5e1a3010730fab01c618dad768c) cri/server/podsandbox: disable event subscriber
* CI: skip ubuntu-24.04-arm on private repos ([#12428](https://github.com/containerd/containerd/pull/12428))
  * [`dfb954743`](https://github.com/containerd/containerd/commit/dfb95474370ef22c4555178a3d7cc34df2a3f5bc) CI: skip ubuntu-24.04-arm on private repos
* Remove additional fuzzers from instrumentation repo ([#12420](https://github.com/containerd/containerd/pull/12420))
  * [`f6b02f6bb`](https://github.com/containerd/containerd/commit/f6b02f6bb81dc079f60d421347c931c73d4227e7) Remove additional fuzzers from CI
* runc:Update runc binary to v1.3.1 ([#12275](https://github.com/containerd/containerd/pull/12275))
  * [`75c13ee3f`](https://github.com/containerd/containerd/commit/75c13ee3fc3657ee419395e20820d1cbd4bb2f88) runc:Update runc binary to v1.3.1
* Add SystemdCgroup to default runtime options ([#12254](https://github.com/containerd/containerd/pull/12254))
  * [`427cdd06c`](https://github.com/containerd/containerd/commit/427cdd06c9d093ede03384c550a440b0522e44ba) add SystemdCgroup to default runtime options
* install-runhcs-shim: fetch target commit instead of tags ([#12255](https://github.com/containerd/containerd/pull/12255))
  * [`0b35e19fb`](https://github.com/containerd/containerd/commit/0b35e19fb118b5144a75397522e476d0571ae9ef) install-runhcs-shim: fetch target commit instead of tags
* Fix userns with container image VOLUME mounts that need copy ([#12241](https://github.com/containerd/containerd/pull/12241))
  * [`3212afc2f`](https://github.com/containerd/containerd/commit/3212afc2f2d464157bcb24663360ee7dfa7207e6) integration: Add test for directives with userns
  * [`b855c6e10`](https://github.com/containerd/containerd/commit/b855c6e10372eb43d51186ab156cdce3d9eefb04) cri: Fix userns with Dockerfile VOLUME mounts that need copy
* Fix overlayfs issues related to user namespace ([#12223](https://github.com/containerd/containerd/pull/12223))
  * [`05c0c99f4`](https://github.com/containerd/containerd/commit/05c0c99f432b341152b54ce49d9b43c5cf3d131f) core/mount: Retry unmounting idmapped directories
  * [`afdede4ce`](https://github.com/containerd/containerd/commit/afdede4ced8c848191062b31dfcff1352161a844) core/mount: Test cleanup of DoPrepareIDMappedOverlay()
  * [`47205f814`](https://github.com/containerd/containerd/commit/47205f814d552a4eea9935375dd2f0874e107e5b) core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
  * [`6f4abd970`](https://github.com/containerd/containerd/commit/6f4abd970aeea241f07edc1e0fd74f69a9a05979) core/mount: Don't call nil function on errors
  * [`a2f0d65d7`](https://github.com/containerd/containerd/commit/a2f0d65d78871832da6d2aa452aeeb180cd6d8f5) core/mount: Only idmap once per overlayfs, not per layer
  * [`1c32accd7`](https://github.com/containerd/containerd/commit/1c32accd71d34e3cb5798214adf26911609d11f1) Make ovl idmap mounts read-only
* ci: bump Go 1.23.12, 1.24.6 ([#12187](https://github.com/containerd/containerd/pull/12187))
  * [`9e72e91e6`](https://github.com/containerd/containerd/commit/9e72e91e63a75147f2a082565fc580babee8af06) ci: bump Go 1.23.12, 1.24.6
* Create bootstrap.json with 0644 permission ([#12184](https://github.com/containerd/containerd/pull/12184))
  * [`009622e04`](https://github.com/containerd/containerd/commit/009622e0424fa4234d67272339fb7e282c302190) fix: create bootstrap.json with 0644 permission
* Fix pidfd leak in UnshareAfterEnterUserns ([#12178](https://github.com/containerd/containerd/pull/12178))
  * [`5bec0a332`](https://github.com/containerd/containerd/commit/5bec0a33297ad485f96116efb333ea750a27c926) sys: fix pidfd leak in UnshareAfterEnterUserns
* Fix windows test failures ([#12120](https://github.com/containerd/containerd/pull/12120))
  * [`2a2488131`](https://github.com/containerd/containerd/commit/2a2488131e3602bbbecf4afa11d0f3e4135f01a4) Fix intermittent test failures on Windows CIs
  * [`018470948`](https://github.com/containerd/containerd/commit/018470948db89512760e9c25d4c5da9c7bef5321) Remove WS2025 from CIs due to regression
* Add dial timeout field to hosts toml configuration ([#12136](https://github.com/containerd/containerd/pull/12136))
  * [`b50cbbc98`](https://github.com/containerd/containerd/commit/b50cbbc98550580b2baf5565ec5f1a3ded422b0e) Add dial timeout field to hosts toml configuration
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.29

442cb34b · Merge commit from fork · Nov 05, 2025

containerd 1.7.29

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes
and updates including security patches.

### Security Updates

* **containerd**
  * [**GHSA-pwhc-rpq9-4c8w**](https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
  * [**GHSA-m6hq-p25p-ffr2**](https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)

* **runc**
  * [**GHSA-qw9x-cqr3-wc7r**](https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
  * [**GHSA-cgrx-mc8f-2prm**](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
  * [**GHSA-9493-h29p-rfm2**](https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)

### Highlights

#### Image Distribution

* **Update differ to handle zstd media types** ([#12018](https://github.com/containerd/containerd/pull/12018))

#### Runtime

* **Update runc binary to v1.3.3** ([#12480](https://github.com/containerd/containerd/pull/12480))
* **Fix lost container logs from quickly closing io** ([#12375](https://github.com/containerd/containerd/pull/12375))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Phil Estes
* Austin Vazquez
* Sebastiaan van Stijn
* ningmingxiao
* Maksym Pavlenko
* StepSecurity Bot
* wheat2018

### Changes
<details><summary>38 commits</summary>
<p>

  * [`442cb34bd`](https://github.com/containerd/containerd/commit/442cb34bda9a6a0fed82a2ca7cade05c5c749582) Merge commit from fork
  * [`0450f046e`](https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f) Fix directory permissions
  * [`e5cb6ddb7`](https://github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7) Merge commit from fork
  * [`c575d1b5f`](https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750) fix goroutine leak of container Attach
* Prepare release notes for v1.7.29 ([#12486](https://github.com/containerd/containerd/pull/12486))
  * [`1fc2daaf3`](https://github.com/containerd/containerd/commit/1fc2daaf3ed53f4c9e76fbc5786a6f1ae3bb885f) Prepare release notes for v1.7.29
* Update runc binary to v1.3.3 ([#12480](https://github.com/containerd/containerd/pull/12480))
  * [`3f5f9f872`](https://github.com/containerd/containerd/commit/3f5f9f872707a743563d316e85e530193a2e30ac) runc: Update runc binary to v1.3.3
* Update GHA images and bump Go 1.24.9; 1.25.3 ([#12471](https://github.com/containerd/containerd/pull/12471))
  * [`667409fb6`](https://github.com/containerd/containerd/commit/667409fb63098cb80280940ab06038114e7712da) ci: bump Go 1.24.9, 1.25.3
  * [`294f8c027`](https://github.com/containerd/containerd/commit/294f8c027b607c4450b3e52f44280581a737a73f) Update GHA runners to use latest images for basic binaries build
  * [`cf66b4141`](https://github.com/containerd/containerd/commit/cf66b4141defb757dee0fc5653bfd0a7ba1e8fed) Update GHA runners to use latest image for most jobs
  * [`fa3e6fa18`](https://github.com/containerd/containerd/commit/fa3e6fa18aa8dc7e699428958e1fb1d38e832e15) pkg/epoch: extract parsing SOURCE_DATE_EPOCH to a function
  * [`ac334bffc`](https://github.com/containerd/containerd/commit/ac334bffc4e759f188afb58efd74a603ade0855a) pkg/epoch: fix tests on macOS
  * [`d04b8721f`](https://github.com/containerd/containerd/commit/d04b8721fc5bff2677beadb4f3d15d7c0ec989ca) pkg/epoch: replace some fmt.Sprintfs with strconv
* CI: update Fedora to 43 ([#12450](https://github.com/containerd/containerd/pull/12450))
  * [`5cfedbf52`](https://github.com/containerd/containerd/commit/5cfedbf52300d09f77a51f02a0c784c37284302c) CI: update Fedora to 43
* CI: skip ubuntu-24.04-arm on private repos ([#12429](https://github.com/containerd/containerd/pull/12429))
  * [`cf99a012d`](https://github.com/containerd/containerd/commit/cf99a012d6f7fcb51afdea641d87474dae95f50d) CI: skip ubuntu-24.04-arm on private repos
* runc:Update runc binary to v1.3.1 ([#12276](https://github.com/containerd/containerd/pull/12276))
  * [`4c77b8d07`](https://github.com/containerd/containerd/commit/4c77b8d078a65a5e99e40847a9eaa18a944ff68e) runc:Update runc binary to v1.3.1
* Fix lost container logs from quickly closing io ([#12375](https://github.com/containerd/containerd/pull/12375))
  * [`d30024db2`](https://github.com/containerd/containerd/commit/d30024db25590e6ec74b639746a5dc792f5c1403) bugfix:fix container logs lost because io close too quickly
* ci: bump Go 1.24.8 ([#12362](https://github.com/containerd/containerd/pull/12362))
  * [`f4b3d96f3`](https://github.com/containerd/containerd/commit/f4b3d96f3d83a0ac7bde03ae9eec749aa1936a59) ci: bump Go 1.24.8
  * [`334fd8e4b`](https://github.com/containerd/containerd/commit/334fd8e4b974d88ebea43a998d76760aad49773a) update golangci-lint to v1.64.2
  * [`8a67abc4c`](https://github.com/containerd/containerd/commit/8a67abc4cac67bf806da0b2b55ac7159e91f6996) Drop inactivated linter exportloopref
  * [`e4dbf08f0`](https://github.com/containerd/containerd/commit/e4dbf08f0ff3dc9f6b2a9a36eab71d73ac707956) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  * [`d7db2ba06`](https://github.com/containerd/containerd/commit/d7db2ba063385d06132ec80890eb6c1fe4126692) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  * [`d7182888f`](https://github.com/containerd/containerd/commit/d7182888f0071cce86d40fcf09cd9a247ac15c41) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
  * [`4be6c7e3b`](https://github.com/containerd/containerd/commit/4be6c7e3b5d5da7be8c1c87e1c16450b7ea8dadb) build(deps): bump actions/cache from 4.1.2 to 4.2.0
  * [`a2e097e86`](https://github.com/containerd/containerd/commit/a2e097e865887382c2fc29ee0cea0053e6152a12) build(deps): bump actions/checkout from 4.2.1 to 4.2.2
  * [`6de404d11`](https://github.com/containerd/containerd/commit/6de404d11b8e237a7867c7fbe535579c5736bfde) build(deps): bump actions/cache from 4.1.1 to 4.1.2
  * [`038a25584`](https://github.com/containerd/containerd/commit/038a25584e7f66272114ec0801b071e6149ef841) [StepSecurity] ci: Harden GitHub Actions
* Update differ to handle zstd media types ([#12018](https://github.com/containerd/containerd/pull/12018))
  * [`eaeb4b6ac`](https://github.com/containerd/containerd/commit/eaeb4b6ac581c0704bed0ff96ee7e53170345e84) Update differ to handle zstd media types
* ci: bump Go 1.23.12, 1.24.6 ([#12188](https://github.com/containerd/containerd/pull/12188))
  * [`83c535339`](https://github.com/containerd/containerd/commit/83c535339bbe253ce9e7a616a90f770994b754e5) ci: bump Go 1.23.12, 1.24.6
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v1.7.28](https://github.com/containerd/containerd/releases/tag/v1.7.28)

Unverified

api/v1.10.0

8b34ce39 · Merge pull request #12472 from dmcgowan/prepare-api-v1.10.0 · Nov 05, 2025

containerd api/v1.10.0

Welcome to the api/v1.10.0 release of containerd!

The 11th release for the containerd 1.x API aligns with the containerd 2.2 release.

### Highlights

* **Add mount manager**

  The mount manager is a new service that provides lifecycle management for filesystem mounts
  to support more advanced use cases, such as:
  * **Device formatting** to create formatted filesystems (xfs, ext4) on-demand
  * **Mount activation** to prepare devices such as loopbacks or network fileystems
  * **Mount transformation** to allow mount arguments to be filled in dynamically from previous mounts
  * **Garbage collection** of mounts to ensure temporary mounts are never leaked ([#12063](https://github.com/containerd/containerd/pull/12063))

#### Image Distribution

* **Parallel Unpack**

  Adds support for unpacking layers in parallel during pull operations. This feature is supported with overlayfs and EROFS snapshotters. ([#12332](https://github.com/containerd/containerd/pull/12332))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Henry Wang
* Phil Estes
* Wei Fu

### Changes
<details><summary>14 commits</summary>
<p>

* Prepare release notes for api/v1.10.0 ([#12472](https://github.com/containerd/containerd/pull/12472))
  * [`69c855bb5`](https://github.com/containerd/containerd/commit/69c855bb54f53311cd5f8854719d8428dd692f96) Prepare release notes for api/v1.10.0
* api/go.mod: golang.org/x/net v0.38.0 ([#12430](https://github.com/containerd/containerd/pull/12430))
  * [`4c7b94fce`](https://github.com/containerd/containerd/commit/4c7b94fce7bd19abce9b78538e3218b572f98127) api/go.mod: golang.org/x/net v0.38.0
* Prepare release notes for api/v1.10.0-rc.0 ([#12408](https://github.com/containerd/containerd/pull/12408))
  * [`fbc7848f2`](https://github.com/containerd/containerd/commit/fbc7848f2378afa2cf58c868bfcab1467f3ccccd) Prepare release notes for api/v1.10.0-rc.0
* Add parallel unpack support ([#12332](https://github.com/containerd/containerd/pull/12332))
  * [`0198b87fc`](https://github.com/containerd/containerd/commit/0198b87fcfb31492c23de83059291efc0f06a1f9) Implement parallel unpack
* Prepare release notes for api/v1.10.0-beta.0 ([#12346](https://github.com/containerd/containerd/pull/12346))
  * [`aa571f63c`](https://github.com/containerd/containerd/commit/aa571f63c6529d827bfef02956a8db9bee57ab8c) Prepare release notes for api/v1.10.0-beta.0
* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
  * [`8db301086`](https://github.com/containerd/containerd/commit/8db3010865ae9926aed6c5e476a7c6b2413b44d5) Add mounts api service
  * [`67fbf9db9`](https://github.com/containerd/containerd/commit/67fbf9db9cbf6ae83df58d18a19f32b28ebc0017) Generate and vendor proto changes
  * [`c5097ac63`](https://github.com/containerd/containerd/commit/c5097ac63fd704213c507a2b712fa2db7744090b) Add mount manager to protobuf services and types
</p>
</details>

### Dependency Changes

* **golang.org/x/net**  v0.37.0 -> v0.38.0

Previous release can be found at [api/v1.9.0](https://github.com/containerd/containerd/releases/tag/api/v1.9.0)

Unverified

v2.2.0-rc.1

8bcea102 · Merge pull request #12458 from dmcgowan/fix-referrers-manifest-size · Nov 03, 2025

containerd 2.2.0-rc.1

Welcome to the v2.2.0-rc.1 release of containerd!
*This is a pre-release of containerd*

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
* Add conf.d include in the default config ([#12323](https://github.com/containerd/containerd/pull/12323))
* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Container Runtime Interface (CRI)

* Implement CRI ListPodSandboxMetrics ([#10691](https://github.com/containerd/containerd/pull/10691))
* Support image volume mount subpath ([#11578](https://github.com/containerd/containerd/pull/11578))

#### Go client

* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* Add parallel unpack support ([#12332](https://github.com/containerd/containerd/pull/12332))
* Add referrers fetcher to remotes ([#12309](https://github.com/containerd/containerd/pull/12309))
* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* Update erofs snapshotter to use mount manager ([#12333](https://github.com/containerd/containerd/pull/12333))
* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))
* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))

#### Node Resource Interface (NRI)

* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))
* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* Improve shim load time after restart by loading in parallel ([#12142](https://github.com/containerd/containerd/pull/12142))
* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* Deprecate cgroup v1 ([#12445](https://github.com/containerd/containerd/pull/12445))
* Postpone v2.2 deprecation items to v2.3 ([#12417](https://github.com/containerd/containerd/pull/12417))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Maksym Pavlenko
* Wei Fu
* Krisztian Litkey
* Mike Brown
* Akhil Mohan
* Markus Lehtonen
* Samuel Karp
* Sebastiaan van Stijn
* ningmingxiao
* Austin Vazquez
* yashsingh74
* Gao Xiang
* Jin Dong
* Chris Henzie
* Kirtana Ashok
* Aadhar Agarwal
* Etienne Champetier
* Henry Wang
* Rodrigo Campos
* Sascha Grunert
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Tõnis Tiigi
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Max Jonas Werner
* Rehan Khan
* Yang Yang
* jinda.ljd
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Evan Anderson
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Ubuntu
* Wuyue (Tony) Sun
* suranmiao
* tanhuaan
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/cgroups/v3**                                   v3.0.5 -> v3.1.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0-rc.0
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.9.0
* **github.com/klauspost/compress**                                      v1.18.0 -> v1.18.1
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.29.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.37.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.14.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.2.0-rc.0

870bb7c8 · Merge pull request #12413 from dmcgowan/prepare-v2.2.0-rc.0 · Oct 29, 2025

containerd 2.2.0-rc.0

Welcome to the v2.2.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
* Add conf.d include in the default config ([#12323](https://github.com/containerd/containerd/pull/12323))
* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Container Runtime Interface (CRI)

* Implement CRI ListPodSandboxMetrics ([#10691](https://github.com/containerd/containerd/pull/10691))
* Support image volume mount subpath ([#11578](https://github.com/containerd/containerd/pull/11578))

#### Go client

* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* Add parallel unpack support ([#12332](https://github.com/containerd/containerd/pull/12332))
* Add referrers fetcher to remotes ([#12309](https://github.com/containerd/containerd/pull/12309))
* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* Update erofs snapshotter to use mount manager ([#12333](https://github.com/containerd/containerd/pull/12333))
* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))
* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))

#### Node Resource Interface (NRI)

* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))
* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* Improve shim load time after restart by loading in parallel ([#12142](https://github.com/containerd/containerd/pull/12142))
* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* Postpone v2.2 deprecation items to v2.3 ([#12417](https://github.com/containerd/containerd/pull/12417))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Maksym Pavlenko
* Krisztian Litkey
* Wei Fu
* Mike Brown
* Markus Lehtonen
* Sebastiaan van Stijn
* Samuel Karp
* ningmingxiao
* Akhil Mohan
* Austin Vazquez
* yashsingh74
* Gao Xiang
* Jin Dong
* Chris Henzie
* Kirtana Ashok
* Aadhar Agarwal
* Etienne Champetier
* Henry Wang
* Rodrigo Campos
* Sascha Grunert
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Tõnis Tiigi
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Max Jonas Werner
* Rehan Khan
* Yang Yang
* jinda.ljd
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Evan Anderson
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Ubuntu
* Wuyue (Tony) Sun
* suranmiao
* tanhuaan
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/cgroups/v3**                                   v3.0.5 -> v3.1.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0-rc.0
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.9.0
* **github.com/klauspost/compress**                                      v1.18.0 -> v1.18.1
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.29.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.37.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.14.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

api/v1.10.0-rc.0

4f0b20fe · Merge pull request #12408 from dmcgowan/prepare-api-v1.10.0-rc.0 · Oct 24, 2025

containerd api/v1.10.0-rc.0

Welcome to the api/v1.10.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The 11th release for the containerd 1.x API aligns with the containerd 2.2 release.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))

#### Image Distribution

* Add parallel unpack support ([#12332](https://github.com/containerd/containerd/pull/12332))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Henry Wang
* Wei Fu

### Changes
<details><summary>10 commits</summary>
<p>

* Prepare release notes for api/v1.10.0-rc.0 ([#12408](https://github.com/containerd/containerd/pull/12408))
  * [`fbc7848f2`](https://github.com/containerd/containerd/commit/fbc7848f2378afa2cf58c868bfcab1467f3ccccd) Prepare release notes for api/v1.10.0-rc.0
* Add parallel unpack support ([#12332](https://github.com/containerd/containerd/pull/12332))
  * [`0198b87fc`](https://github.com/containerd/containerd/commit/0198b87fcfb31492c23de83059291efc0f06a1f9) Implement parallel unpack
* Prepare release notes for api/v1.10.0-beta.0 ([#12346](https://github.com/containerd/containerd/pull/12346))
  * [`aa571f63c`](https://github.com/containerd/containerd/commit/aa571f63c6529d827bfef02956a8db9bee57ab8c) Prepare release notes for api/v1.10.0-beta.0
* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
  * [`8db301086`](https://github.com/containerd/containerd/commit/8db3010865ae9926aed6c5e476a7c6b2413b44d5) Add mounts api service
  * [`67fbf9db9`](https://github.com/containerd/containerd/commit/67fbf9db9cbf6ae83df58d18a19f32b28ebc0017) Generate and vendor proto changes
  * [`c5097ac63`](https://github.com/containerd/containerd/commit/c5097ac63fd704213c507a2b712fa2db7744090b) Add mount manager to protobuf services and types
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [api/v1.9.0](https://github.com/containerd/containerd/releases/tag/api/v1.9.0)

Unverified

v2.2.0-beta.2

995d9718 · Merge pull request #12311 from tonistiigi/referrers-support · Oct 21, 2025

containerd 2.2.0-beta.2

Welcome to the v2.2.0-beta.2 release of containerd!
*This is a pre-release of containerd*

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

This is a beta release and some functionality is still under development.

### Highlights

* Update erofs snapshotter to use mount manager ([#12333](https://github.com/containerd/containerd/pull/12333))
* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
* Add conf.d include in the default config ([#12323](https://github.com/containerd/containerd/pull/12323))
* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Go client

* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* Add referrers fetcher to remotes ([#12309](https://github.com/containerd/containerd/pull/12309))
* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))
* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))

#### Node Resource Interface (NRI)

* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))
* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* Improve shim load time after restart by loading in parallel ([#12142](https://github.com/containerd/containerd/pull/12142))
* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* 1.6 is EOL ([#12348](https://github.com/containerd/containerd/pull/12348))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Maksym Pavlenko
* Akihiro Suda
* Krisztian Litkey
* Mike Brown
* Wei Fu
* Markus Lehtonen
* Sebastiaan van Stijn
* Samuel Karp
* ningmingxiao
* Austin Vazquez
* yashsingh74
* Jin Dong
* Chris Henzie
* Gao Xiang
* Kirtana Ashok
* Aadhar Agarwal
* Etienne Champetier
* Rodrigo Campos
* Akhil Mohan
* Sascha Grunert
* Henry Wang
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Max Jonas Werner
* Rehan Khan
* Tõnis Tiigi
* Yang Yang
* jinda.ljd
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Ubuntu
* Wuyue (Tony) Sun
* suranmiao
* tanhuaan
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0-beta.1
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.9.0
* **github.com/klauspost/compress**                                      v1.18.0 -> v1.18.1
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.29.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.37.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.9.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.2.0-beta.1

d94e514f · Merge pull request #12310 from aadhar-agarwal/aadagarwal/add_tar_index_tests · Oct 09, 2025

containerd 2.2.0-beta.1

Welcome to the v2.2.0-beta.1 release of containerd!
*This is a pre-release of containerd*

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

This is a beta release and some functionality is still under development.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
* Add conf.d include in the default config ([#12323](https://github.com/containerd/containerd/pull/12323))
* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Go client

* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* Add referrers fetcher to remotes ([#12309](https://github.com/containerd/containerd/pull/12309))
* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))
* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))

#### Node Resource Interface (NRI)

* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))
* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))

#### Deprecations

* 1.6 is EOL ([#12348](https://github.com/containerd/containerd/pull/12348))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Maksym Pavlenko
* Krisztian Litkey
* Akihiro Suda
* Mike Brown
* Wei Fu
* Markus Lehtonen
* Sebastiaan van Stijn
* Samuel Karp
* Austin Vazquez
* ningmingxiao
* yashsingh74
* Jin Dong
* Kirtana Ashok
* Aadhar Agarwal
* Chris Henzie
* Etienne Champetier
* Rodrigo Campos
* Akhil Mohan
* Gao Xiang
* Sascha Grunert
* Henry Wang
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Adrien Delorme
* Apurv Barve
* Enji Cooper
* Kohei Tokunaga
* Rehan Khan
* Yang Yang
* jokemanfire
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Carlos Eduardo Arango Gutierrez
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Fabiano Fidêncio
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Osama Abdelkader
* Radostin Stoyanov
* Ruidong Cao
* Sameer
* Sergey Kanzhelev
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Tõnis Tiigi
* Wuyue (Tony) Sun
* jinda.ljd
* tanhuaan
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/StackExchange/wmi**                                       cbe66965904d **_new_**
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/containerd/api**                               v1.9.0 -> v1.10.0-beta.1
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.2
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/go-ole/go-ole**                                           v1.2.6 **_new_**
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/google/certtostore**                                      v1.0.6 **_new_**
* **github.com/google/deck**                                             105ad94aa8ae **_new_**
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/hashicorp/errwrap**                                       v1.1.0 **_new_**
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.9.0
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/moby/sys/capability**                                     v0.4.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/opencontainers/runtime-tools**                            2e043c6bd626 -> 0ea5ed0382a2
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.28.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.36.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.9.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> a7a43d27e69b
* **google.golang.org/grpc**                                             v1.72.0 -> v1.76.0
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.10
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

api/v1.10.0-beta.1

ea46953f · Merge pull request #12356 from dmcgowan/fix-api-release · Oct 07, 2025

containerd api/v1.10.0-beta.1

Welcome to the api/v1.10.0-beta.1 release of containerd!
*This is a pre-release of containerd*

The 11th release for the containerd 1.x API aligns with the containerd 2.2 release.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Wei Fu

### Changes
<details><summary>6 commits</summary>
<p>

* Prepare release notes for api/v1.10.0-beta.0 ([#12346](https://github.com/containerd/containerd/pull/12346))
  * [`aa571f63c`](https://github.com/containerd/containerd/commit/aa571f63c6529d827bfef02956a8db9bee57ab8c) Prepare release notes for api/v1.10.0-beta.0
* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
  * [`8db301086`](https://github.com/containerd/containerd/commit/8db3010865ae9926aed6c5e476a7c6b2413b44d5) Add mounts api service
  * [`67fbf9db9`](https://github.com/containerd/containerd/commit/67fbf9db9cbf6ae83df58d18a19f32b28ebc0017) Generate and vendor proto changes
  * [`c5097ac63`](https://github.com/containerd/containerd/commit/c5097ac63fd704213c507a2b712fa2db7744090b) Add mount manager to protobuf services and types
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [api/v1.9.0](https://github.com/containerd/containerd/releases/tag/api/v1.9.0)

Unverified

api/v1.10.0-beta.0

7669bb4f · Merge pull request #12348 from SergeyKanzhelev/patch-3 · Oct 06, 2025

containerd api/v1.10.0-beta.0

Welcome to the api/v1.10.0-beta.0 release of containerd!
*This is a pre-release of containerd*

The 11th release for the containerd 1.x API aligns with the containerd 2.2 release.

### Highlights

* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Wei Fu

### Changes
<details><summary>6 commits</summary>
<p>

* Prepare release notes for api/v1.10.0-beta.0 ([#12346](https://github.com/containerd/containerd/pull/12346))
  * [`aa571f63c`](https://github.com/containerd/containerd/commit/aa571f63c6529d827bfef02956a8db9bee57ab8c) Prepare release notes for api/v1.10.0-beta.0
* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))
  * [`8db301086`](https://github.com/containerd/containerd/commit/8db3010865ae9926aed6c5e476a7c6b2413b44d5) Add mounts api service
  * [`67fbf9db9`](https://github.com/containerd/containerd/commit/67fbf9db9cbf6ae83df58d18a19f32b28ebc0017) Generate and vendor proto changes
  * [`c5097ac63`](https://github.com/containerd/containerd/commit/c5097ac63fd704213c507a2b712fa2db7744090b) Add mount manager to protobuf services and types
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [api/v1.9.0](https://github.com/containerd/containerd/releases/tag/api/v1.9.0)

Unverified

v2.2.0-beta.0

5bcf77a5 · Merge pull request #12293 from dmcgowan/prepare-v2.2.0-beta.0 · Sep 18, 2025

containerd 2.2.0-beta.0

Welcome to the v2.2.0-beta.0 release of containerd!
*This is a pre-release of containerd*

The second minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the second time-based released for containerd.

This is a beta release and some functionality is still under development.

### Highlights

* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))

#### Go client

* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))

#### Image Distribution

* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))

#### Image Storage

* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))
* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))

#### Node Resource Interface (NRI)

* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))
* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))

#### Runtime

* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Phil Estes
* Derek McGowan
* Krisztian Litkey
* Akihiro Suda
* Maksym Pavlenko
* Mike Brown
* Wei Fu
* Markus Lehtonen
* Samuel Karp
* Sebastiaan van Stijn
* Austin Vazquez
* ningmingxiao
* yashsingh74
* Jin Dong
* Kirtana Ashok
* Etienne Champetier
* Rodrigo Campos
* Akhil Mohan
* Chris Henzie
* Gao Xiang
* Sascha Grunert
* Aleksa Sarai
* Eric Mountain
* Keith Mattix II
* Paweł Gronowski
* Adrien Delorme
* Enji Cooper
* Kohei Tokunaga
* Yang Yang
* jokemanfire
* Aadhar Agarwal
* Amit Barve
* Andrew Halaney
* Antonio Ojea
* Brian Goff
* Chenyang Yan
* Dawei Wei
* Divya Rani
* Fabiano Fidêncio
* Henry Wang
* Iceber Gu
* Jared Ledvina
* Jonathan Perkin
* Jose Fernandez
* Karl Baumgartner
* Radostin Stoyanov
* Rehan Khan
* Ruidong Cao
* Sameer
* Swagat Bora
* Sylvain MOUQUET
* Tom Wieczorek
* Tycho Andersen
* Ubuntu
* Wuyue (Tony) Sun
* jinda.ljd
* tanhuaan
* zounengren

### Dependency Changes

* **dario.cat/mergo**                                                    v1.0.1 -> v1.0.2
* **github.com/Microsoft/hcsshim**                                       v0.13.0-rc.3 -> v0.14.0-rc.1
* **github.com/checkpoint-restore/checkpointctl**                        v1.3.0 -> v1.4.0
* **github.com/containerd/console**                                      v1.0.4 -> v1.0.5
* **github.com/containerd/go-cni**                                       v1.1.12 -> v1.1.13
* **github.com/containerd/nri**                                          v0.8.0 -> v0.10.0
* **github.com/containernetworking/plugins**                             v1.7.1 -> v1.8.0
* **github.com/coreos/go-systemd/v22**                                   v22.5.0 -> v22.6.0
* **github.com/cpuguy83/go-md2man/v2**                                   v2.0.5 -> v2.0.7
* **github.com/emicklei/go-restful/v3**                                  v3.11.0 -> v3.13.0
* **github.com/fxamacker/cbor/v2**                                       v2.7.0 -> v2.9.0
* **github.com/go-jose/go-jose/v4**                                      v4.0.5 -> v4.1.1
* **github.com/go-logr/logr**                                            v1.4.2 -> v1.4.3
* **github.com/golang/groupcache**                                       41bb18bfe9da -> 2c02b8208cf8
* **github.com/gorilla/websocket**                                       v1.5.0 -> e064f32e3674
* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus**  v1.0.1 -> v1.1.0
* **github.com/intel/goresctrl**                                         v0.8.0 -> v0.9.0
* **github.com/knqyf263/go-plugin**                                      v0.9.0 **_new_**
* **github.com/modern-go/reflect2**                                      v1.0.2 -> 35a7c28c31ee
* **github.com/prometheus/client_golang**                                v1.22.0 -> v1.23.2
* **github.com/prometheus/client_model**                                 v0.6.1 -> v0.6.2
* **github.com/prometheus/common**                                       v0.62.0 -> v0.66.1
* **github.com/prometheus/procfs**                                       v0.15.1 -> v0.16.1
* **github.com/stretchr/testify**                                        v1.10.0 -> v1.11.1
* **github.com/tchap/go-patricia/v2**                                    v2.3.2 -> v2.3.3
* **github.com/tetratelabs/wazero**                                      v1.9.0 **_new_**
* **github.com/urfave/cli/v2**                                           v2.27.6 -> v2.27.7
* **github.com/vishvananda/netlink**                                     0e7078ed04c8 -> v1.3.1
* **go.etcd.io/bbolt**                                                   v1.4.0 -> v1.4.3
* **go.opentelemetry.io/otel**                                           v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/metric**                                    v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/sdk**                                       v1.35.0 -> v1.37.0
* **go.opentelemetry.io/otel/trace**                                     v1.35.0 -> v1.37.0
* **go.uber.org/goleak**                                                 v1.3.0 **_new_**
* **go.yaml.in/yaml/v2**                                                 v2.4.2 **_new_**
* **golang.org/x/crypto**                                                v0.36.0 -> v0.41.0
* **golang.org/x/mod**                                                   v0.24.0 -> v0.28.0
* **golang.org/x/net**                                                   v0.38.0 -> v0.43.0
* **golang.org/x/oauth2**                                                v0.27.0 -> v0.30.0
* **golang.org/x/sync**                                                  v0.14.0 -> v0.17.0
* **golang.org/x/sys**                                                   v0.33.0 -> v0.36.0
* **golang.org/x/term**                                                  v0.30.0 -> v0.34.0
* **golang.org/x/text**                                                  v0.23.0 -> v0.28.0
* **golang.org/x/time**                                                  v0.7.0 -> v0.9.0
* **google.golang.org/genproto/googleapis/api**                          56aae31c358a -> 8d1bb00bc6a7
* **google.golang.org/genproto/googleapis/rpc**                          56aae31c358a -> 8d1bb00bc6a7
* **google.golang.org/grpc**                                             v1.72.0 -> v1.75.1
* **google.golang.org/protobuf**                                         v1.36.6 -> v1.36.9
* **k8s.io/api**                                                         v0.32.3 -> v0.34.1
* **k8s.io/apimachinery**                                                v0.32.3 -> v0.34.1
* **k8s.io/client-go**                                                   v0.32.3 -> v0.34.1
* **k8s.io/cri-api**                                                     v0.32.3 -> v0.34.1
* **k8s.io/utils**                                                       3ea5e8cea738 -> 4c0f3b243397
* **sigs.k8s.io/json**                                                   9aa6b5e7a4b3 -> cfa47c3a1cc8
* **sigs.k8s.io/randfill**                                               v1.0.0 **_new_**
* **sigs.k8s.io/structured-merge-diff/v6**                               v6.3.0 **_new_**
* **sigs.k8s.io/yaml**                                                   v1.4.0 -> v1.6.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.4

75cb2b71 · Merge pull request #12159 from dmcgowan/prepare-v2.1.4 · Jul 30, 2025

containerd 2.1.4

Welcome to the v2.1.4 release of containerd!

The fourth patch release for containerd 2.1 contains various fixes and updates.

### Highlights

#### Container Runtime Interface (CRI)

* Fix containerd panic when sandbox extension is missing ([#12076](https://github.com/containerd/containerd/pull/12076))
* Update status response to return stable order for runtime handlers ([#12054](https://github.com/containerd/containerd/pull/12054))

#### Go client

* Fix lazy gRPC connection mode waiting for connect on client creation ([#12079](https://github.com/containerd/containerd/pull/12079))

#### Image Distribution

* Fix resolve deadlock issue in docker fetcher open ([#12127](https://github.com/containerd/containerd/pull/12127))

#### Image Storage

* Update erofs snapshotter to make immutable optional ([#12091](https://github.com/containerd/containerd/pull/12091))
* Fix erofs filesystem UUID for tar-converted layers ([#12058](https://github.com/containerd/containerd/pull/12058))

#### Runtime

* Fix close container io not closed when runtime create failed ([#12009](https://github.com/containerd/containerd/pull/12009))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Eric Mountain
* Maksym Pavlenko
* Gao Xiang
* Kirtana Ashok
* ningmingxiao
* Akihiro Suda
* Austin Vazquez
* Paweł Gronowski
* Sebastiaan van Stijn
* Wei Fu
* jinda.ljd

### Changes
<details><summary>26 commits</summary>
<p>

* Prepare release notes for v2.1.4 ([#12159](https://github.com/containerd/containerd/pull/12159))
  * [`112e41363`](https://github.com/containerd/containerd/commit/112e41363bc25216c46fe4f3070f7f8b6d982cf2) Add release notes for v2.1.4
* Fix resolve deadlock issue in docker fetcher open ([#12127](https://github.com/containerd/containerd/pull/12127))
  * [`add2dcf86`](https://github.com/containerd/containerd/commit/add2dcf8688019158fc1c015dddffe54c6610e24) Ensure fetcher always closes body and properly calls release
  * [`34a1cb1dd`](https://github.com/containerd/containerd/commit/34a1cb1dd1962520f6821b7273debf06a740ed6d) fix(dockerFetcher): resolve deadlock issue in dockerFetcher open
* ci: bump Go 1.23.11, 1.24.5 ([#12115](https://github.com/containerd/containerd/pull/12115))
  * [`82c4d6875`](https://github.com/containerd/containerd/commit/82c4d68755b6bb6749b8b328ec70fe0b7b776e1c) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12119](https://github.com/containerd/containerd/pull/12119))
  * [`6cc2a8d77`](https://github.com/containerd/containerd/commit/6cc2a8d779e29045f279cef041bec3d0569e75db) Fix intermittent test failures on Windows CIs
  * [`6adc69312`](https://github.com/containerd/containerd/commit/6adc69312f8f929f5e285d8fd3806c269853e850) Remove WS2025 from CIs due to regression
* Update erofs snapshotter to make immutable optional ([#12091](https://github.com/containerd/containerd/pull/12091))
  * [`8d194c19f`](https://github.com/containerd/containerd/commit/8d194c19febc6fd51c91ea5e43c720225cf553a0) erofs-snapshotter: make IMMUTABLE_FL optional
* Fix lazy gRPC connection mode waiting for connect on client creation ([#12079](https://github.com/containerd/containerd/pull/12079))
  * [`2df7175d7`](https://github.com/containerd/containerd/commit/2df7175d71d1e71c3b27f9c0879db4050b183fce) client/New: Don't unlazy the gRPC connection implicitly
* backport: update go-md2man binary to v2.0.7 ([#12074](https://github.com/containerd/containerd/pull/12074))
  * [`4902adb92`](https://github.com/containerd/containerd/commit/4902adb92fa3fb6c7764128eda5dc7ba2b596511) update go-md2man binary to v2.0.7
* Fix containerd panic when sandbox extension is missing ([#12076](https://github.com/containerd/containerd/pull/12076))
  * [`02298e1a0`](https://github.com/containerd/containerd/commit/02298e1a03b92d36dba899c8aba82fc3c50422cd) cri:fix containerd panic when can't find sandbox extension
* Fix erofs filesystem UUID for tar-converted layers ([#12058](https://github.com/containerd/containerd/pull/12058))
  * [`583133e71`](https://github.com/containerd/containerd/commit/583133e7103145fcc338b695b2e6456c69fc52ee) erofs-differ: fix filesystem UUID for tar-converted layers
* Update status response to return stable order for runtime handlers ([#12054](https://github.com/containerd/containerd/pull/12054))
  * [`57db13d50`](https://github.com/containerd/containerd/commit/57db13d50de6d0c8a4587bc166d0a4ebee1dad02) Amend runtime handler test for stable order
  * [`d822c9048`](https://github.com/containerd/containerd/commit/d822c90480c0403d57cead351e8e53c063d07c1a) CRI: Stable sort for RuntimeHandlers
  * [`a2fd70639`](https://github.com/containerd/containerd/commit/a2fd70639e6a2aa82429ed2f4ce4967c15a03c3c) Test showing RuntimeHandlers in Status() are unordered
* Fix close container io not closed when runtime create failed ([#12009](https://github.com/containerd/containerd/pull/12009))
  * [`b74268f86`](https://github.com/containerd/containerd/commit/b74268f8674647234f6a08c005f84b38ba1adf63) bugfix:close container io when runtime create failed
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.1.3](https://github.com/containerd/containerd/releases/tag/v2.1.3)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.0.6

991cc336 · Merge pull request #12145 from austinvazquez/release-v2.0.6 · Jul 30, 2025

containerd 2.0.6

Welcome to the v2.0.6 release of containerd!

The sixth patch release for containerd 2.0 includes various bug fixes and updates.

### Highlights

* Update containerd config dump to reflect plugin config migrations ([#11772](https://github.com/containerd/containerd/pull/11772))

#### Container Runtime Interface (CRI)

* Fix containerd panic when sandbox extension is missing ([#12077](https://github.com/containerd/containerd/pull/12077))
* Fix the panic caused by the failure of RunPodSandbox ([#12047](https://github.com/containerd/containerd/pull/12047))
* Add extension to sandbox metadata store on create sandbox ([#11808](https://github.com/containerd/containerd/pull/11808))
* Fix issue where Prometheus metric names changed for CRI ([#11750](https://github.com/containerd/containerd/pull/11750))
* Fix issue preventing some v2 shims from shutting down properly ([#11741](https://github.com/containerd/containerd/pull/11741))

#### Go client

* Fix lazy gRPC connection mode waiting for connect on client creation ([#12080](https://github.com/containerd/containerd/pull/12080))

#### Image Distribution

* Fix cross-repo mount fallback after authorization failure ([#11832](https://github.com/containerd/containerd/pull/11832))

#### Runtime

* Fix container io to close after runtime create failure ([#12051](https://github.com/containerd/containerd/pull/12051))
* Fix incompatibility with some pre-v3 shims ([#11973](https://github.com/containerd/containerd/pull/11973))
* Update runc binary to v1.3.0 ([#11801](https://github.com/containerd/containerd/pull/11801))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Austin Vazquez
* Wei Fu
* Akihiro Suda
* Maksym Pavlenko
* Samuel Karp
* Yang Yang
* Akhil Mohan
* ningmingxiao
* Alberto Garcia Hierro
* Chris Henzie
* HirazawaUi
* Jin Dong
* Kirtana Ashok
* Paweł Gronowski
* Vinayak Goyal

### Changes
<details><summary>49 commits</summary>
<p>

* Prepare release notes for v2.0.6 ([#12145](https://github.com/containerd/containerd/pull/12145))
  * [`d94b0fee6`](https://github.com/containerd/containerd/commit/d94b0fee617968ed919816d7c68d4583578dd697) Prepare release notes for v2.0.6
* ci: bump Go 1.23.11, 1.24.5 ([#12116](https://github.com/containerd/containerd/pull/12116))
  * [`f901e3c81`](https://github.com/containerd/containerd/commit/f901e3c819c9a0f4d7c89258b754557029fa4d93) ci: bump Go 1.23.11, 1.24.5
* go.mod: golang.org/x/* latest ([#12097](https://github.com/containerd/containerd/pull/12097))
  * [`7e4ac4761`](https://github.com/containerd/containerd/commit/7e4ac47612160a2038163a99048942e951fadd29) go.mod: golang.org/x/* latest
* Fix lazy gRPC connection mode waiting for connect on client creation ([#12080](https://github.com/containerd/containerd/pull/12080))
  * [`bed6d1401`](https://github.com/containerd/containerd/commit/bed6d1401087abe707a05da15eaae9626d43fc2a) client/New: Don't unlazy the gRPC connection implicitly
* Fix containerd panic when sandbox extension is missing ([#12077](https://github.com/containerd/containerd/pull/12077))
  * [`8094fa21a`](https://github.com/containerd/containerd/commit/8094fa21a62d67ee70369e1bb3e2973134de18a2) cri:fix containerd panic when can't find sandbox extension
* Fix container io to close after runtime create failure ([#12051](https://github.com/containerd/containerd/pull/12051))
  * [`552f717be`](https://github.com/containerd/containerd/commit/552f717be4dc2ec67c99afa0a2d305bf8a2b55f8) bugfix:close container io when runtime create failed
* Fix the panic caused by the failure of RunPodSandbox ([#12047](https://github.com/containerd/containerd/pull/12047))
  * [`c4394d05a`](https://github.com/containerd/containerd/commit/c4394d05a152b3382b9ecd0bc21c6be915b41216) Fix the panic caused by the failure of RunPodSandbox
* ci: bump golang [1.23.10, 1.24.4] in build and release ([#11969](https://github.com/containerd/containerd/pull/11969))
  * [`54f923a30`](https://github.com/containerd/containerd/commit/54f923a301e0b17712d0580eff032c43cf9edc98) ci: bump golang [1.23.10, 1.24.4] in build and release
  * [`2de777dfe`](https://github.com/containerd/containerd/commit/2de777dfe1372d025688f34110d05c2d7c4649ac) ci: bump golang [1.23.9, 1.24.3] in build and release
* Enable CIs to run on WS2022 and WS2025 ([#11970](https://github.com/containerd/containerd/pull/11970))
  * [`9724cd5ea`](https://github.com/containerd/containerd/commit/9724cd5eaccf15cfa292273dd2eaf2970433400b) Enable CIs to run on WS2022 and WS2025
* Fix incompatibility with some pre-v3 shims ([#11973](https://github.com/containerd/containerd/pull/11973))
  * [`7fc3151fc`](https://github.com/containerd/containerd/commit/7fc3151fca7e0f7548aa7cf2aa76010e8f70b6a8) *: properly shutdown non-groupable shims to prevent resource leaks
  * [`4396336a1`](https://github.com/containerd/containerd/commit/4396336a11c306064ef2bc3358a157fda538400e) core/runtime: should invoke shim binary
  * [`10bcc6929`](https://github.com/containerd/containerd/commit/10bcc6929552f75f8bcbc90447b977ec10edc671) Revert "not set sandbox id when use podsandbox type"
  * [`f38eb62b6`](https://github.com/containerd/containerd/commit/f38eb62b63b5b5a209399a0d9301e4960ef17a12) integration: add testcase to recover ungroupable shim
  * [`2358561d5`](https://github.com/containerd/containerd/commit/2358561d5258624c56f21969fcbfe8c57f189fe3) Update release upgrade tests to test 1.7 and 2.0
  * [`8931b1464`](https://github.com/containerd/containerd/commit/8931b14647cf4c0ca750fd12ebb44d074ea04f73) Fix upgrade test runtime config
* Fetch image with default platform only in TestExportAndImportMultiLayer ([#11944](https://github.com/containerd/containerd/pull/11944))
  * [`fc9235910`](https://github.com/containerd/containerd/commit/fc9235910d4dca7cd6189bb54f522d396c80db51) Fetch image with default platform only in TestExportAndImportMultiLayer
* Add extension to sandbox metadata store on create sandbox ([#11808](https://github.com/containerd/containerd/pull/11808))
  * [`f8679737e`](https://github.com/containerd/containerd/commit/f8679737eb84ac2808599376089f7f28be22a897) store extension when create sandbox in store
* Fix cross-repo mount fallback after authorization failure ([#11832](https://github.com/containerd/containerd/pull/11832))
  * [`cbfa66223`](https://github.com/containerd/containerd/commit/cbfa662234d8ebe78e35a8b6da46dfe5a50ff5c7) fix(docker pusher): if authorizing a cross-repo mount fails, fall back
* .github: do not mark 2.0 releases as latest ([#11820](https://github.com/containerd/containerd/pull/11820))
  * [`7bf4d0a40`](https://github.com/containerd/containerd/commit/7bf4d0a401b8160f2a5ba5c2fe57ef8df60aaa6e) .github: do not mark 2.0 releases as latest
* Update runc binary to v1.3.0 ([#11801](https://github.com/containerd/containerd/pull/11801))
  * [`fa5a08244`](https://github.com/containerd/containerd/commit/fa5a082442f308c5f6664ce178325fdebfe13200) Update runc binary to v1.3.0
* Revert "disable portmap test in ubuntu-22 to make CI happy" ([#11784](https://github.com/containerd/containerd/pull/11784))
  * [`7cf3c604e`](https://github.com/containerd/containerd/commit/7cf3c604eb0bf0b8776f60b7e841476be727c32b) fix unbound SKIP_TEST variable error
  * [`827be7c9d`](https://github.com/containerd/containerd/commit/827be7c9dd805fad6f3e94ca0070045935c38051) Revert "disable portmap test in ubuntu-22 to make CI happy"
* Update containerd config dump to reflect plugin config migrations ([#11772](https://github.com/containerd/containerd/pull/11772))
  * [`626a57dd7`](https://github.com/containerd/containerd/commit/626a57dd72c64ea22fc67f55b0cc8d42e94ba055) fix: update containerd config dump to reflect plugin config migrations.
* core/transfer/local: should not mark completed if it's not found ([#11768](https://github.com/containerd/containerd/pull/11768))
  * [`983dd336f`](https://github.com/containerd/containerd/commit/983dd336f840de2ab7e64ed334adfc40b4f1458e) core/transfer/local: should not mark complete if it's not found
* Fix issue where Prometheus metric names changed for CRI ([#11750](https://github.com/containerd/containerd/pull/11750))
  * [`d2a30ea0c`](https://github.com/containerd/containerd/commit/d2a30ea0caab6bda8dc1dca5823d9d462c3d1b96) Revert criserver metrics subsystem back to cri
* Fix issue preventing some v2 shims from shutting down properly ([#11741](https://github.com/containerd/containerd/pull/11741))
  * [`e9804ee0e`](https://github.com/containerd/containerd/commit/e9804ee0e9d85788648b589c17e67a024a93151e) not set sandbox id when use podsandbox type
* [CI] Fix vagrant ([#11740](https://github.com/containerd/containerd/pull/11740))
  * [`9ddeff7f7`](https://github.com/containerd/containerd/commit/9ddeff7f7df90a7b1a732e2b48a5fcdef199def1) Fix vagrant setup
</p>
</details>

### Dependency Changes

* **golang.org/x/crypto**  v0.36.0 -> v0.40.0
* **golang.org/x/exp**     aacd6d4b4611 -> 6ae5c78190dc
* **golang.org/x/mod**     v0.21.0 -> v0.26.0
* **golang.org/x/net**     v0.37.0 -> v0.42.0
* **golang.org/x/oauth2**  v0.28.0 -> v0.30.0
* **golang.org/x/sync**    v0.12.0 -> v0.16.0
* **golang.org/x/sys**     v0.31.0 -> v0.34.0
* **golang.org/x/term**    v0.30.0 -> v0.33.0
* **golang.org/x/text**    v0.23.0 -> v0.27.0
* **golang.org/x/time**    v0.3.0 -> v0.12.0

Previous release can be found at [v2.0.5](https://github.com/containerd/containerd/releases/tag/v2.0.5)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.28

b98a3aac · Merge pull request #12134 from austinvazquez/release-v1.7.28 · Jul 25, 2025

containerd 1.7.28

Welcome to the v1.7.28 release of containerd!

The twenty-eighth patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

#### Image Distribution

* Refresh OAuth tokens when they expire during registry operations ([#11721](https://github.com/containerd/containerd/pull/11721))
* Set default differ for the default unpack config of transfer service ([#11689](https://github.com/containerd/containerd/pull/11689))

#### Runtime

* Update runc binary to v1.3.0 ([#11800](https://github.com/containerd/containerd/pull/11800))
* Remove invalid error log when stopping container after containerd restart ([#11620](https://github.com/containerd/containerd/pull/11620))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akhil Mohan
* Akihiro Suda
* Austin Vazquez
* Maksym Pavlenko
* Phil Estes
* Derek McGowan
* Kirtana Ashok
* Henry Wang
* Iain Macdonald
* Jin Dong
* Swagat Bora
* Wei Fu
* Yang Yang
* madraceee

### Changes
<details><summary>57 commits</summary>
<p>

* Prepare release notes for v1.7.28 ([#12134](https://github.com/containerd/containerd/pull/12134))
  * [`b01b809f8`](https://github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28
* ci: bump Go 1.23.11, 1.24.5 ([#12117](https://github.com/containerd/containerd/pull/12117))
  * [`ce2373176`](https://github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12121](https://github.com/containerd/containerd/pull/12121))
  * [`3c06bcc4d`](https://github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs
  * [`c6c0c6854`](https://github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression
* ci: use fedora 39 archive ([#12123](https://github.com/containerd/containerd/pull/12123))
  * [`6d7e021cf`](https://github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive
* update runners to ubuntu 24.04 ([#11802](https://github.com/containerd/containerd/pull/11802))
  * [`c362e18cc`](https://github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant
  * [`1d99bec21`](https://github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error
  * [`dafa3c48d`](https://github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24
  * [`b03301d85`](https://github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners
  * [`13fbc5f97`](https://github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04
* go.mod: golang.org/x/* latest ([#12096](https://github.com/containerd/containerd/pull/12096))
  * [`da5d1a371`](https://github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/* latest
* Remove additional fuzzers from instrumentation repo ([#12099](https://github.com/containerd/containerd/pull/12099))
  * [`5fef123ba`](https://github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI
* backport windows runner and golang toolchain updates ([#11972](https://github.com/containerd/containerd/pull/11972))
  * [`a35978f5a`](https://github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang [1.23.10, 1.24.4] in build and release
  * [`df035aa3e`](https://github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang [1.23.9, 1.24.3] in build and release
  * [`2a6d9fc71`](https://github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version
  * [`15d4d6eba`](https://github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8
  * [`1613a3b1a`](https://github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025
* test: added runc v1 tests using vagrant ([#11896](https://github.com/containerd/containerd/pull/11896))
  * [`60e73122c`](https://github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant
* Revert "disable portmap test in ubuntu-22 to make CI happy" ([#11803](https://github.com/containerd/containerd/pull/11803))
  * [`10e1b515e`](https://github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS"
  * [`7a680e884`](https://github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP_TEST variable error
  * [`e5f8cc995`](https://github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy"
* Update runc binary to v1.3.0 ([#11800](https://github.com/containerd/containerd/pull/11800))
  * [`b001469c7`](https://github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0
* Refresh OAuth tokens when they expire during registry operations ([#11721](https://github.com/containerd/containerd/pull/11721))
  * [`a6421da84`](https://github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire.
* [CI] Fix vagrant ([#11739](https://github.com/containerd/containerd/pull/11739))
  * [`effc49e8b`](https://github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup
* Fix CI ([#11722](https://github.com/containerd/containerd/pull/11722))
  * [`d3e7dd716`](https://github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms
  * [`7cf9ebe94`](https://github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS
  * [`42657a4ed`](https://github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy
  * [`b300fd37b`](https://github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest
  * [`6f4ffad27`](https://github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist
  * [`cef298331`](https://github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24
  * [`2dd9be16e`](https://github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04
* Set default differ for the default unpack config of transfer service ([#11689](https://github.com/containerd/containerd/pull/11689))
  * [`e40e59e4e`](https://github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service
* silence govulncheck false positives ([#11679](https://github.com/containerd/containerd/pull/11679))
  * [`ff097d5a4`](https://github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives
* vendor: github.com/go-jose/go-jose/v3 v3.0.4 ([#11619](https://github.com/containerd/containerd/pull/11619))
  * [`52dd4dc51`](https://github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4
* Remove invalid error log when stopping container after containerd restart ([#11620](https://github.com/containerd/containerd/pull/11620))
  * [`24f41d2d5`](https://github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy
* Update runc binary to v1.2.6 ([#11584](https://github.com/containerd/containerd/pull/11584))
  * [`1e1e78ad7`](https://github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6
* Use RWMutex in NSMap and reduce lock area ([#11556](https://github.com/containerd/containerd/pull/11556))
  * [`9a8d1d44a`](https://github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area
</p>
</details>

### Dependency Changes

* **github.com/go-jose/go-jose/v3**  v3.0.3 -> v3.0.4
* **golang.org/x/crypto**            v0.31.0 -> v0.40.0
* **golang.org/x/mod**               v0.17.0 -> v0.26.0
* **golang.org/x/net**               v0.33.0 -> v0.42.0
* **golang.org/x/oauth2**            v0.11.0 -> v0.30.0
* **golang.org/x/sync**              v0.10.0 -> v0.16.0
* **golang.org/x/sys**               v0.28.0 -> v0.34.0
* **golang.org/x/term**              v0.27.0 -> v0.33.0
* **golang.org/x/text**              v0.21.0 -> v0.27.0
* **golang.org/x/time**              90d013bbcef8 -> v0.12.0

Previous release can be found at [v1.7.27](https://github.com/containerd/containerd/releases/tag/v1.7.27)

Unverified

v1.6.39

b4506601 · Merge pull request #12045 from austinvazquez/release-v1.6.39 · Jul 22, 2025

containerd 1.6.39

Welcome to the v1.6.39 release of containerd!

The thirty-ninth patch release for containerd 1.6 contains various fixes
and updates.

### Highlights

#### Runtime

* Fix close container io not closed when runtime create failed ([#12052](https://github.com/containerd/containerd/pull/12052))
* Update runc binary to v1.3.0 ([#11799](https://github.com/containerd/containerd/pull/11799))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Austin Vazquez
* Phil Estes
* Derek McGowan
* Kirtana Ashok
* Akhil Mohan
* Maksym Pavlenko
* Mike Brown
* madraceee
* ningmingxiao
* zounengren

### Changes
<details><summary>33 commits</summary>
<p>

* Prepare release notes for v1.6.39 ([#12045](https://github.com/containerd/containerd/pull/12045))
  * [`22134cbfe`](https://github.com/containerd/containerd/commit/22134cbfea295649f9c43212c1fb14444cfe93ed) Prepare release notes for v1.6.39
* ci: bump Go 1.23.11, 1.24.5 ([#12118](https://github.com/containerd/containerd/pull/12118))
  * [`067a639f6`](https://github.com/containerd/containerd/commit/067a639f6076d3a655533edf470aa0534930eb0d) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12122](https://github.com/containerd/containerd/pull/12122))
  * [`9cc952fb0`](https://github.com/containerd/containerd/commit/9cc952fb0b8e092b40c6187209dc9624377cb6cd) Fix intermittent test failures on Windows CIs
  * [`555a34af0`](https://github.com/containerd/containerd/commit/555a34af0511f64eafcc1141b5a0a0e996f2751e) Remove WS2025 from CIs due to regression
* ci: use fedora 39 archive ([#12125](https://github.com/containerd/containerd/pull/12125))
  * [`b58df07d6`](https://github.com/containerd/containerd/commit/b58df07d680e1872bd598b48c4b304c81d6697e4) ci: use fedora 39 archive
* go.mod: github.com/containerd/btrfs v1.0.1 ([#12105](https://github.com/containerd/containerd/pull/12105))
  * [`fa4b325e0`](https://github.com/containerd/containerd/commit/fa4b325e079be2b2b859f8dc8d6d1bab4ea14d29) go.mod: github.com/containerd/btrfs v1.0.1
* go.mod:  golang.org/x/* latest,  github.com/go-jose/go-jose/v3 v3.0.4 ([#12095](https://github.com/containerd/containerd/pull/12095))
  * [`2c9f5778f`](https://github.com/containerd/containerd/commit/2c9f5778f04dc51ffa26f9dc9fae2bdd8b9699c8) Fix lint failures
  * [`b2576bb82`](https://github.com/containerd/containerd/commit/b2576bb82454a36b0f3f65e906d1365f44003d61) go.mod: github.com/go-jose/go-jose/v3 v3.0.4
  * [`262e98e90`](https://github.com/containerd/containerd/commit/262e98e90504eca34a2420003d3eaaffd353cd46) go.mod: golang.org/x/* latest
* Fix close container io not closed when runtime create failed ([#12052](https://github.com/containerd/containerd/pull/12052))
  * [`22f669a7c`](https://github.com/containerd/containerd/commit/22f669a7c0bc30beaa7337a02646ec882d3f2174) bugfix:close container io when runtime create failed
* backport windows runner and golang toolchain updates ([#12005](https://github.com/containerd/containerd/pull/12005))
  * [`c165cc68b`](https://github.com/containerd/containerd/commit/c165cc68beec6ab59f037da8cfb37fe768e98848) ci: bump Go 1.24.4 in CI
  * [`ffacabc05`](https://github.com/containerd/containerd/commit/ffacabc054b3fc21eea11482aff2f56f732c0526) ci: bump golang [1.23.9, 1.24.3] in build and release
  * [`3ec9965e8`](https://github.com/containerd/containerd/commit/3ec9965e8e5669cdd10813d4f5dc71df46547fbf) use go1.23.8 as the default go version
  * [`e62a059a2`](https://github.com/containerd/containerd/commit/e62a059a2a0b2b63c60bac0130d4053eb1b4207a) update to go 1.24.2, 1.23.8
  * [`d430f3277`](https://github.com/containerd/containerd/commit/d430f3277ea945385d408e6b1ffde9ab7e8ac9f5) Enable CIs to run on WS2022 and WS2025
* Update runc binary to v1.3.0 ([#11799](https://github.com/containerd/containerd/pull/11799))
  * [`d00ccf523`](https://github.com/containerd/containerd/commit/d00ccf523dfee664e2ec158a19f88d731fdff237) Update runc binary to v1.3.0
* test: added runc v1 support in vagrant ([#11913](https://github.com/containerd/containerd/pull/11913))
  * [`9e49725bf`](https://github.com/containerd/containerd/commit/9e49725bf455606d0843360268acb549b0da7967) test: added runc v1 support in vagrant
* : Fix CI ([#11804](https://github.com/containerd/containerd/pull/11804))
  * [`57250c719`](https://github.com/containerd/containerd/commit/57250c7197b60b6a06d65f2c1a9b07b0b8605a83) Skip criu on Arms
  * [`9d350bbbd`](https://github.com/containerd/containerd/commit/9d350bbbdabb45ea248cd5266322965874290ed2) Address cgroup mountpoint does not exist
  * [`78cbefc95`](https://github.com/containerd/containerd/commit/78cbefc954ec04caa26e7e09b8d8de12960988a0) ci: update GitHub Actions release runner to ubuntu-24.04
* Update runc binary to v1.2.6 ([#11585](https://github.com/containerd/containerd/pull/11585))
  * [`2325157ed`](https://github.com/containerd/containerd/commit/2325157ed07ac38f8fe260063c1cd52d73a36a01) Update runc binary to v1.2.6
</p>
</details>

### Changes from containerd/btrfs
<details><summary>12 commits</summary>
<p>

* Fix `error: implicit declaration of function ‘memcpy’` ([containerd/btrfs#44](https://github.com/containerd/btrfs/pull/44))
  * [`3fb5c91`](https://github.com/containerd/btrfs/commit/3fb5c91f016ebdfc72a0c64e81889defdb1dd51d) CI: update (Go 1.23, etc.)
  * [`cab79ec`](https://github.com/containerd/btrfs/commit/cab79ec9ea7e1b910e9aef01afbf87efb57ee674) CI: enable jobs for release/1.0
  * [`12b3998`](https://github.com/containerd/btrfs/commit/12b3998bdd04e4c8b36d69faf5e65d8157be94c8) Fix `error: implicit declaration of function ‘memcpy’`
* Update GitHub actions CI workflow ([containerd/btrfs#38](https://github.com/containerd/btrfs/pull/38))
  * [`5d1f727`](https://github.com/containerd/btrfs/commit/5d1f7270e597460ff18660b50a5fbc96d81dd6d6) Update GitHub actions CI workflow
* Upgrade Go compiler from Go 1.16 to Go 1.19 ([containerd/btrfs#39](https://github.com/containerd/btrfs/pull/39))
  * [`d16e22b`](https://github.com/containerd/btrfs/commit/d16e22bc2cf48d71f14ee79d1c3a6d8c944dd759) Upgrade Go compiler from Go 1.16 to Go 1.19
* replace pkg/errors ([containerd/btrfs#35](https://github.com/containerd/btrfs/pull/35))
  * [`9933796`](https://github.com/containerd/btrfs/commit/9933796ae83cea9d4d9b239c76440c1ff14c4e7b) replace pkg/errors
* Branch rename for GH Actions ([containerd/btrfs#33](https://github.com/containerd/btrfs/pull/33))
  * [`1aff978`](https://github.com/containerd/btrfs/commit/1aff97820a2be844266702bb611b1767d4cfcc00) Branch rename for GH Actions
</p>
</details>

### Dependency Changes

* **cloud.google.com/go/compute/metadata**  v0.2.3 -> v0.3.0
* **github.com/containerd/btrfs**           v1.0.0 -> v1.0.1
* **github.com/go-jose/go-jose/v3**         v3.0.3 -> v3.0.4
* **golang.org/x/crypto**                   v0.21.0 -> v0.40.0
* **golang.org/x/net**                      v0.23.0 -> v0.42.0
* **golang.org/x/oauth2**                   v0.11.0 -> v0.30.0
* **golang.org/x/sync**                     v0.3.0 -> v0.16.0
* **golang.org/x/sys**                      v0.18.0 -> v0.34.0
* **golang.org/x/term**                     v0.18.0 -> v0.33.0
* **golang.org/x/text**                     v0.14.0 -> v0.27.0
* **golang.org/x/time**                     1f47c861a9ac -> v0.12.0

Previous release can be found at [v1.6.38](https://github.com/containerd/containerd/releases/tag/v1.6.38)

Unverified