Tags

Tags give the ability to mark specific points in history as being important

v2.1.4

75cb2b71 · Merge pull request #12159 from dmcgowan/prepare-v2.1.4 · Jul 30, 2025

containerd 2.1.4

Welcome to the v2.1.4 release of containerd!

The fourth patch release for containerd 2.1 contains various fixes and updates.

### Highlights

#### Container Runtime Interface (CRI)

* Fix containerd panic when sandbox extension is missing ([#12076](https://github.com/containerd/containerd/pull/12076))
* Update status response to return stable order for runtime handlers ([#12054](https://github.com/containerd/containerd/pull/12054))

#### Go client

* Fix lazy gRPC connection mode waiting for connect on client creation ([#12079](https://github.com/containerd/containerd/pull/12079))

#### Image Distribution

* Fix resolve deadlock issue in docker fetcher open ([#12127](https://github.com/containerd/containerd/pull/12127))

#### Image Storage

* Update erofs snapshotter to make immutable optional ([#12091](https://github.com/containerd/containerd/pull/12091))
* Fix erofs filesystem UUID for tar-converted layers ([#12058](https://github.com/containerd/containerd/pull/12058))

#### Runtime

* Fix close container io not closed when runtime create failed ([#12009](https://github.com/containerd/containerd/pull/12009))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Eric Mountain
* Maksym Pavlenko
* Gao Xiang
* Kirtana Ashok
* ningmingxiao
* Akihiro Suda
* Austin Vazquez
* Paweł Gronowski
* Sebastiaan van Stijn
* Wei Fu
* jinda.ljd

### Changes
<details><summary>26 commits</summary>
<p>

* Prepare release notes for v2.1.4 ([#12159](https://github.com/containerd/containerd/pull/12159))
  * [`112e41363`](https://github.com/containerd/containerd/commit/112e41363bc25216c46fe4f3070f7f8b6d982cf2) Add release notes for v2.1.4
* Fix resolve deadlock issue in docker fetcher open ([#12127](https://github.com/containerd/containerd/pull/12127))
  * [`add2dcf86`](https://github.com/containerd/containerd/commit/add2dcf8688019158fc1c015dddffe54c6610e24) Ensure fetcher always closes body and properly calls release
  * [`34a1cb1dd`](https://github.com/containerd/containerd/commit/34a1cb1dd1962520f6821b7273debf06a740ed6d) fix(dockerFetcher): resolve deadlock issue in dockerFetcher open
* ci: bump Go 1.23.11, 1.24.5 ([#12115](https://github.com/containerd/containerd/pull/12115))
  * [`82c4d6875`](https://github.com/containerd/containerd/commit/82c4d68755b6bb6749b8b328ec70fe0b7b776e1c) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12119](https://github.com/containerd/containerd/pull/12119))
  * [`6cc2a8d77`](https://github.com/containerd/containerd/commit/6cc2a8d779e29045f279cef041bec3d0569e75db) Fix intermittent test failures on Windows CIs
  * [`6adc69312`](https://github.com/containerd/containerd/commit/6adc69312f8f929f5e285d8fd3806c269853e850) Remove WS2025 from CIs due to regression
* Update erofs snapshotter to make immutable optional ([#12091](https://github.com/containerd/containerd/pull/12091))
  * [`8d194c19f`](https://github.com/containerd/containerd/commit/8d194c19febc6fd51c91ea5e43c720225cf553a0) erofs-snapshotter: make IMMUTABLE_FL optional
* Fix lazy gRPC connection mode waiting for connect on client creation ([#12079](https://github.com/containerd/containerd/pull/12079))
  * [`2df7175d7`](https://github.com/containerd/containerd/commit/2df7175d71d1e71c3b27f9c0879db4050b183fce) client/New: Don't unlazy the gRPC connection implicitly
* backport: update go-md2man binary to v2.0.7 ([#12074](https://github.com/containerd/containerd/pull/12074))
  * [`4902adb92`](https://github.com/containerd/containerd/commit/4902adb92fa3fb6c7764128eda5dc7ba2b596511) update go-md2man binary to v2.0.7
* Fix containerd panic when sandbox extension is missing ([#12076](https://github.com/containerd/containerd/pull/12076))
  * [`02298e1a0`](https://github.com/containerd/containerd/commit/02298e1a03b92d36dba899c8aba82fc3c50422cd) cri:fix containerd panic when can't find sandbox extension
* Fix erofs filesystem UUID for tar-converted layers ([#12058](https://github.com/containerd/containerd/pull/12058))
  * [`583133e71`](https://github.com/containerd/containerd/commit/583133e7103145fcc338b695b2e6456c69fc52ee) erofs-differ: fix filesystem UUID for tar-converted layers
* Update status response to return stable order for runtime handlers ([#12054](https://github.com/containerd/containerd/pull/12054))
  * [`57db13d50`](https://github.com/containerd/containerd/commit/57db13d50de6d0c8a4587bc166d0a4ebee1dad02) Amend runtime handler test for stable order
  * [`d822c9048`](https://github.com/containerd/containerd/commit/d822c90480c0403d57cead351e8e53c063d07c1a) CRI: Stable sort for RuntimeHandlers
  * [`a2fd70639`](https://github.com/containerd/containerd/commit/a2fd70639e6a2aa82429ed2f4ce4967c15a03c3c) Test showing RuntimeHandlers in Status() are unordered
* Fix close container io not closed when runtime create failed ([#12009](https://github.com/containerd/containerd/pull/12009))
  * [`b74268f86`](https://github.com/containerd/containerd/commit/b74268f8674647234f6a08c005f84b38ba1adf63) bugfix:close container io when runtime create failed
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.1.3](https://github.com/containerd/containerd/releases/tag/v2.1.3)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.0.6

991cc336 · Merge pull request #12145 from austinvazquez/release-v2.0.6 · Jul 30, 2025

containerd 2.0.6

Welcome to the v2.0.6 release of containerd!

The sixth patch release for containerd 2.0 includes various bug fixes and updates.

### Highlights

* Update containerd config dump to reflect plugin config migrations ([#11772](https://github.com/containerd/containerd/pull/11772))

#### Container Runtime Interface (CRI)

* Fix containerd panic when sandbox extension is missing ([#12077](https://github.com/containerd/containerd/pull/12077))
* Fix the panic caused by the failure of RunPodSandbox ([#12047](https://github.com/containerd/containerd/pull/12047))
* Add extension to sandbox metadata store on create sandbox ([#11808](https://github.com/containerd/containerd/pull/11808))
* Fix issue where Prometheus metric names changed for CRI ([#11750](https://github.com/containerd/containerd/pull/11750))
* Fix issue preventing some v2 shims from shutting down properly ([#11741](https://github.com/containerd/containerd/pull/11741))

#### Go client

* Fix lazy gRPC connection mode waiting for connect on client creation ([#12080](https://github.com/containerd/containerd/pull/12080))

#### Image Distribution

* Fix cross-repo mount fallback after authorization failure ([#11832](https://github.com/containerd/containerd/pull/11832))

#### Runtime

* Fix container io to close after runtime create failure ([#12051](https://github.com/containerd/containerd/pull/12051))
* Fix incompatibility with some pre-v3 shims ([#11973](https://github.com/containerd/containerd/pull/11973))
* Update runc binary to v1.3.0 ([#11801](https://github.com/containerd/containerd/pull/11801))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Austin Vazquez
* Wei Fu
* Akihiro Suda
* Maksym Pavlenko
* Samuel Karp
* Yang Yang
* Akhil Mohan
* ningmingxiao
* Alberto Garcia Hierro
* Chris Henzie
* HirazawaUi
* Jin Dong
* Kirtana Ashok
* Paweł Gronowski
* Vinayak Goyal

### Changes
<details><summary>49 commits</summary>
<p>

* Prepare release notes for v2.0.6 ([#12145](https://github.com/containerd/containerd/pull/12145))
  * [`d94b0fee6`](https://github.com/containerd/containerd/commit/d94b0fee617968ed919816d7c68d4583578dd697) Prepare release notes for v2.0.6
* ci: bump Go 1.23.11, 1.24.5 ([#12116](https://github.com/containerd/containerd/pull/12116))
  * [`f901e3c81`](https://github.com/containerd/containerd/commit/f901e3c819c9a0f4d7c89258b754557029fa4d93) ci: bump Go 1.23.11, 1.24.5
* go.mod: golang.org/x/* latest ([#12097](https://github.com/containerd/containerd/pull/12097))
  * [`7e4ac4761`](https://github.com/containerd/containerd/commit/7e4ac47612160a2038163a99048942e951fadd29) go.mod: golang.org/x/* latest
* Fix lazy gRPC connection mode waiting for connect on client creation ([#12080](https://github.com/containerd/containerd/pull/12080))
  * [`bed6d1401`](https://github.com/containerd/containerd/commit/bed6d1401087abe707a05da15eaae9626d43fc2a) client/New: Don't unlazy the gRPC connection implicitly
* Fix containerd panic when sandbox extension is missing ([#12077](https://github.com/containerd/containerd/pull/12077))
  * [`8094fa21a`](https://github.com/containerd/containerd/commit/8094fa21a62d67ee70369e1bb3e2973134de18a2) cri:fix containerd panic when can't find sandbox extension
* Fix container io to close after runtime create failure ([#12051](https://github.com/containerd/containerd/pull/12051))
  * [`552f717be`](https://github.com/containerd/containerd/commit/552f717be4dc2ec67c99afa0a2d305bf8a2b55f8) bugfix:close container io when runtime create failed
* Fix the panic caused by the failure of RunPodSandbox ([#12047](https://github.com/containerd/containerd/pull/12047))
  * [`c4394d05a`](https://github.com/containerd/containerd/commit/c4394d05a152b3382b9ecd0bc21c6be915b41216) Fix the panic caused by the failure of RunPodSandbox
* ci: bump golang [1.23.10, 1.24.4] in build and release ([#11969](https://github.com/containerd/containerd/pull/11969))
  * [`54f923a30`](https://github.com/containerd/containerd/commit/54f923a301e0b17712d0580eff032c43cf9edc98) ci: bump golang [1.23.10, 1.24.4] in build and release
  * [`2de777dfe`](https://github.com/containerd/containerd/commit/2de777dfe1372d025688f34110d05c2d7c4649ac) ci: bump golang [1.23.9, 1.24.3] in build and release
* Enable CIs to run on WS2022 and WS2025 ([#11970](https://github.com/containerd/containerd/pull/11970))
  * [`9724cd5ea`](https://github.com/containerd/containerd/commit/9724cd5eaccf15cfa292273dd2eaf2970433400b) Enable CIs to run on WS2022 and WS2025
* Fix incompatibility with some pre-v3 shims ([#11973](https://github.com/containerd/containerd/pull/11973))
  * [`7fc3151fc`](https://github.com/containerd/containerd/commit/7fc3151fca7e0f7548aa7cf2aa76010e8f70b6a8) *: properly shutdown non-groupable shims to prevent resource leaks
  * [`4396336a1`](https://github.com/containerd/containerd/commit/4396336a11c306064ef2bc3358a157fda538400e) core/runtime: should invoke shim binary
  * [`10bcc6929`](https://github.com/containerd/containerd/commit/10bcc6929552f75f8bcbc90447b977ec10edc671) Revert "not set sandbox id when use podsandbox type"
  * [`f38eb62b6`](https://github.com/containerd/containerd/commit/f38eb62b63b5b5a209399a0d9301e4960ef17a12) integration: add testcase to recover ungroupable shim
  * [`2358561d5`](https://github.com/containerd/containerd/commit/2358561d5258624c56f21969fcbfe8c57f189fe3) Update release upgrade tests to test 1.7 and 2.0
  * [`8931b1464`](https://github.com/containerd/containerd/commit/8931b14647cf4c0ca750fd12ebb44d074ea04f73) Fix upgrade test runtime config
* Fetch image with default platform only in TestExportAndImportMultiLayer ([#11944](https://github.com/containerd/containerd/pull/11944))
  * [`fc9235910`](https://github.com/containerd/containerd/commit/fc9235910d4dca7cd6189bb54f522d396c80db51) Fetch image with default platform only in TestExportAndImportMultiLayer
* Add extension to sandbox metadata store on create sandbox ([#11808](https://github.com/containerd/containerd/pull/11808))
  * [`f8679737e`](https://github.com/containerd/containerd/commit/f8679737eb84ac2808599376089f7f28be22a897) store extension when create sandbox in store
* Fix cross-repo mount fallback after authorization failure ([#11832](https://github.com/containerd/containerd/pull/11832))
  * [`cbfa66223`](https://github.com/containerd/containerd/commit/cbfa662234d8ebe78e35a8b6da46dfe5a50ff5c7) fix(docker pusher): if authorizing a cross-repo mount fails, fall back
* .github: do not mark 2.0 releases as latest ([#11820](https://github.com/containerd/containerd/pull/11820))
  * [`7bf4d0a40`](https://github.com/containerd/containerd/commit/7bf4d0a401b8160f2a5ba5c2fe57ef8df60aaa6e) .github: do not mark 2.0 releases as latest
* Update runc binary to v1.3.0 ([#11801](https://github.com/containerd/containerd/pull/11801))
  * [`fa5a08244`](https://github.com/containerd/containerd/commit/fa5a082442f308c5f6664ce178325fdebfe13200) Update runc binary to v1.3.0
* Revert "disable portmap test in ubuntu-22 to make CI happy" ([#11784](https://github.com/containerd/containerd/pull/11784))
  * [`7cf3c604e`](https://github.com/containerd/containerd/commit/7cf3c604eb0bf0b8776f60b7e841476be727c32b) fix unbound SKIP_TEST variable error
  * [`827be7c9d`](https://github.com/containerd/containerd/commit/827be7c9dd805fad6f3e94ca0070045935c38051) Revert "disable portmap test in ubuntu-22 to make CI happy"
* Update containerd config dump to reflect plugin config migrations ([#11772](https://github.com/containerd/containerd/pull/11772))
  * [`626a57dd7`](https://github.com/containerd/containerd/commit/626a57dd72c64ea22fc67f55b0cc8d42e94ba055) fix: update containerd config dump to reflect plugin config migrations.
* core/transfer/local: should not mark completed if it's not found ([#11768](https://github.com/containerd/containerd/pull/11768))
  * [`983dd336f`](https://github.com/containerd/containerd/commit/983dd336f840de2ab7e64ed334adfc40b4f1458e) core/transfer/local: should not mark complete if it's not found
* Fix issue where Prometheus metric names changed for CRI ([#11750](https://github.com/containerd/containerd/pull/11750))
  * [`d2a30ea0c`](https://github.com/containerd/containerd/commit/d2a30ea0caab6bda8dc1dca5823d9d462c3d1b96) Revert criserver metrics subsystem back to cri
* Fix issue preventing some v2 shims from shutting down properly ([#11741](https://github.com/containerd/containerd/pull/11741))
  * [`e9804ee0e`](https://github.com/containerd/containerd/commit/e9804ee0e9d85788648b589c17e67a024a93151e) not set sandbox id when use podsandbox type
* [CI] Fix vagrant ([#11740](https://github.com/containerd/containerd/pull/11740))
  * [`9ddeff7f7`](https://github.com/containerd/containerd/commit/9ddeff7f7df90a7b1a732e2b48a5fcdef199def1) Fix vagrant setup
</p>
</details>

### Dependency Changes

* **golang.org/x/crypto**  v0.36.0 -> v0.40.0
* **golang.org/x/exp**     aacd6d4b4611 -> 6ae5c78190dc
* **golang.org/x/mod**     v0.21.0 -> v0.26.0
* **golang.org/x/net**     v0.37.0 -> v0.42.0
* **golang.org/x/oauth2**  v0.28.0 -> v0.30.0
* **golang.org/x/sync**    v0.12.0 -> v0.16.0
* **golang.org/x/sys**     v0.31.0 -> v0.34.0
* **golang.org/x/term**    v0.30.0 -> v0.33.0
* **golang.org/x/text**    v0.23.0 -> v0.27.0
* **golang.org/x/time**    v0.3.0 -> v0.12.0

Previous release can be found at [v2.0.5](https://github.com/containerd/containerd/releases/tag/v2.0.5)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.28

b98a3aac · Merge pull request #12134 from austinvazquez/release-v1.7.28 · Jul 25, 2025

containerd 1.7.28

Welcome to the v1.7.28 release of containerd!

The twenty-eighth patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

#### Image Distribution

* Refresh OAuth tokens when they expire during registry operations ([#11721](https://github.com/containerd/containerd/pull/11721))
* Set default differ for the default unpack config of transfer service ([#11689](https://github.com/containerd/containerd/pull/11689))

#### Runtime

* Update runc binary to v1.3.0 ([#11800](https://github.com/containerd/containerd/pull/11800))
* Remove invalid error log when stopping container after containerd restart ([#11620](https://github.com/containerd/containerd/pull/11620))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akhil Mohan
* Akihiro Suda
* Austin Vazquez
* Maksym Pavlenko
* Phil Estes
* Derek McGowan
* Kirtana Ashok
* Henry Wang
* Iain Macdonald
* Jin Dong
* Swagat Bora
* Wei Fu
* Yang Yang
* madraceee

### Changes
<details><summary>57 commits</summary>
<p>

* Prepare release notes for v1.7.28 ([#12134](https://github.com/containerd/containerd/pull/12134))
  * [`b01b809f8`](https://github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28
* ci: bump Go 1.23.11, 1.24.5 ([#12117](https://github.com/containerd/containerd/pull/12117))
  * [`ce2373176`](https://github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12121](https://github.com/containerd/containerd/pull/12121))
  * [`3c06bcc4d`](https://github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs
  * [`c6c0c6854`](https://github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression
* ci: use fedora 39 archive ([#12123](https://github.com/containerd/containerd/pull/12123))
  * [`6d7e021cf`](https://github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive
* update runners to ubuntu 24.04 ([#11802](https://github.com/containerd/containerd/pull/11802))
  * [`c362e18cc`](https://github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant
  * [`1d99bec21`](https://github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error
  * [`dafa3c48d`](https://github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24
  * [`b03301d85`](https://github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners
  * [`13fbc5f97`](https://github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04
* go.mod: golang.org/x/* latest ([#12096](https://github.com/containerd/containerd/pull/12096))
  * [`da5d1a371`](https://github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/* latest
* Remove additional fuzzers from instrumentation repo ([#12099](https://github.com/containerd/containerd/pull/12099))
  * [`5fef123ba`](https://github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI
* backport windows runner and golang toolchain updates ([#11972](https://github.com/containerd/containerd/pull/11972))
  * [`a35978f5a`](https://github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang [1.23.10, 1.24.4] in build and release
  * [`df035aa3e`](https://github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang [1.23.9, 1.24.3] in build and release
  * [`2a6d9fc71`](https://github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version
  * [`15d4d6eba`](https://github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8
  * [`1613a3b1a`](https://github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025
* test: added runc v1 tests using vagrant ([#11896](https://github.com/containerd/containerd/pull/11896))
  * [`60e73122c`](https://github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant
* Revert "disable portmap test in ubuntu-22 to make CI happy" ([#11803](https://github.com/containerd/containerd/pull/11803))
  * [`10e1b515e`](https://github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS"
  * [`7a680e884`](https://github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP_TEST variable error
  * [`e5f8cc995`](https://github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy"
* Update runc binary to v1.3.0 ([#11800](https://github.com/containerd/containerd/pull/11800))
  * [`b001469c7`](https://github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0
* Refresh OAuth tokens when they expire during registry operations ([#11721](https://github.com/containerd/containerd/pull/11721))
  * [`a6421da84`](https://github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire.
* [CI] Fix vagrant ([#11739](https://github.com/containerd/containerd/pull/11739))
  * [`effc49e8b`](https://github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup
* Fix CI ([#11722](https://github.com/containerd/containerd/pull/11722))
  * [`d3e7dd716`](https://github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms
  * [`7cf9ebe94`](https://github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS
  * [`42657a4ed`](https://github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy
  * [`b300fd37b`](https://github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest
  * [`6f4ffad27`](https://github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist
  * [`cef298331`](https://github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24
  * [`2dd9be16e`](https://github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04
* Set default differ for the default unpack config of transfer service ([#11689](https://github.com/containerd/containerd/pull/11689))
  * [`e40e59e4e`](https://github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service
* silence govulncheck false positives ([#11679](https://github.com/containerd/containerd/pull/11679))
  * [`ff097d5a4`](https://github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives
* vendor: github.com/go-jose/go-jose/v3 v3.0.4 ([#11619](https://github.com/containerd/containerd/pull/11619))
  * [`52dd4dc51`](https://github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4
* Remove invalid error log when stopping container after containerd restart ([#11620](https://github.com/containerd/containerd/pull/11620))
  * [`24f41d2d5`](https://github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy
* Update runc binary to v1.2.6 ([#11584](https://github.com/containerd/containerd/pull/11584))
  * [`1e1e78ad7`](https://github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6
* Use RWMutex in NSMap and reduce lock area ([#11556](https://github.com/containerd/containerd/pull/11556))
  * [`9a8d1d44a`](https://github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area
</p>
</details>

### Dependency Changes

* **github.com/go-jose/go-jose/v3**  v3.0.3 -> v3.0.4
* **golang.org/x/crypto**            v0.31.0 -> v0.40.0
* **golang.org/x/mod**               v0.17.0 -> v0.26.0
* **golang.org/x/net**               v0.33.0 -> v0.42.0
* **golang.org/x/oauth2**            v0.11.0 -> v0.30.0
* **golang.org/x/sync**              v0.10.0 -> v0.16.0
* **golang.org/x/sys**               v0.28.0 -> v0.34.0
* **golang.org/x/term**              v0.27.0 -> v0.33.0
* **golang.org/x/text**              v0.21.0 -> v0.27.0
* **golang.org/x/time**              90d013bbcef8 -> v0.12.0

Previous release can be found at [v1.7.27](https://github.com/containerd/containerd/releases/tag/v1.7.27)

Unverified

v1.6.39

b4506601 · Merge pull request #12045 from austinvazquez/release-v1.6.39 · Jul 22, 2025

containerd 1.6.39

Welcome to the v1.6.39 release of containerd!

The thirty-ninth patch release for containerd 1.6 contains various fixes
and updates.

### Highlights

#### Runtime

* Fix close container io not closed when runtime create failed ([#12052](https://github.com/containerd/containerd/pull/12052))
* Update runc binary to v1.3.0 ([#11799](https://github.com/containerd/containerd/pull/11799))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Austin Vazquez
* Phil Estes
* Derek McGowan
* Kirtana Ashok
* Akhil Mohan
* Maksym Pavlenko
* Mike Brown
* madraceee
* ningmingxiao
* zounengren

### Changes
<details><summary>33 commits</summary>
<p>

* Prepare release notes for v1.6.39 ([#12045](https://github.com/containerd/containerd/pull/12045))
  * [`22134cbfe`](https://github.com/containerd/containerd/commit/22134cbfea295649f9c43212c1fb14444cfe93ed) Prepare release notes for v1.6.39
* ci: bump Go 1.23.11, 1.24.5 ([#12118](https://github.com/containerd/containerd/pull/12118))
  * [`067a639f6`](https://github.com/containerd/containerd/commit/067a639f6076d3a655533edf470aa0534930eb0d) ci: bump Go 1.23.11, 1.24.5
* Backport windows test fixes ([#12122](https://github.com/containerd/containerd/pull/12122))
  * [`9cc952fb0`](https://github.com/containerd/containerd/commit/9cc952fb0b8e092b40c6187209dc9624377cb6cd) Fix intermittent test failures on Windows CIs
  * [`555a34af0`](https://github.com/containerd/containerd/commit/555a34af0511f64eafcc1141b5a0a0e996f2751e) Remove WS2025 from CIs due to regression
* ci: use fedora 39 archive ([#12125](https://github.com/containerd/containerd/pull/12125))
  * [`b58df07d6`](https://github.com/containerd/containerd/commit/b58df07d680e1872bd598b48c4b304c81d6697e4) ci: use fedora 39 archive
* go.mod: github.com/containerd/btrfs v1.0.1 ([#12105](https://github.com/containerd/containerd/pull/12105))
  * [`fa4b325e0`](https://github.com/containerd/containerd/commit/fa4b325e079be2b2b859f8dc8d6d1bab4ea14d29) go.mod: github.com/containerd/btrfs v1.0.1
* go.mod:  golang.org/x/* latest,  github.com/go-jose/go-jose/v3 v3.0.4 ([#12095](https://github.com/containerd/containerd/pull/12095))
  * [`2c9f5778f`](https://github.com/containerd/containerd/commit/2c9f5778f04dc51ffa26f9dc9fae2bdd8b9699c8) Fix lint failures
  * [`b2576bb82`](https://github.com/containerd/containerd/commit/b2576bb82454a36b0f3f65e906d1365f44003d61) go.mod: github.com/go-jose/go-jose/v3 v3.0.4
  * [`262e98e90`](https://github.com/containerd/containerd/commit/262e98e90504eca34a2420003d3eaaffd353cd46) go.mod: golang.org/x/* latest
* Fix close container io not closed when runtime create failed ([#12052](https://github.com/containerd/containerd/pull/12052))
  * [`22f669a7c`](https://github.com/containerd/containerd/commit/22f669a7c0bc30beaa7337a02646ec882d3f2174) bugfix:close container io when runtime create failed
* backport windows runner and golang toolchain updates ([#12005](https://github.com/containerd/containerd/pull/12005))
  * [`c165cc68b`](https://github.com/containerd/containerd/commit/c165cc68beec6ab59f037da8cfb37fe768e98848) ci: bump Go 1.24.4 in CI
  * [`ffacabc05`](https://github.com/containerd/containerd/commit/ffacabc054b3fc21eea11482aff2f56f732c0526) ci: bump golang [1.23.9, 1.24.3] in build and release
  * [`3ec9965e8`](https://github.com/containerd/containerd/commit/3ec9965e8e5669cdd10813d4f5dc71df46547fbf) use go1.23.8 as the default go version
  * [`e62a059a2`](https://github.com/containerd/containerd/commit/e62a059a2a0b2b63c60bac0130d4053eb1b4207a) update to go 1.24.2, 1.23.8
  * [`d430f3277`](https://github.com/containerd/containerd/commit/d430f3277ea945385d408e6b1ffde9ab7e8ac9f5) Enable CIs to run on WS2022 and WS2025
* Update runc binary to v1.3.0 ([#11799](https://github.com/containerd/containerd/pull/11799))
  * [`d00ccf523`](https://github.com/containerd/containerd/commit/d00ccf523dfee664e2ec158a19f88d731fdff237) Update runc binary to v1.3.0
* test: added runc v1 support in vagrant ([#11913](https://github.com/containerd/containerd/pull/11913))
  * [`9e49725bf`](https://github.com/containerd/containerd/commit/9e49725bf455606d0843360268acb549b0da7967) test: added runc v1 support in vagrant
* : Fix CI ([#11804](https://github.com/containerd/containerd/pull/11804))
  * [`57250c719`](https://github.com/containerd/containerd/commit/57250c7197b60b6a06d65f2c1a9b07b0b8605a83) Skip criu on Arms
  * [`9d350bbbd`](https://github.com/containerd/containerd/commit/9d350bbbdabb45ea248cd5266322965874290ed2) Address cgroup mountpoint does not exist
  * [`78cbefc95`](https://github.com/containerd/containerd/commit/78cbefc954ec04caa26e7e09b8d8de12960988a0) ci: update GitHub Actions release runner to ubuntu-24.04
* Update runc binary to v1.2.6 ([#11585](https://github.com/containerd/containerd/pull/11585))
  * [`2325157ed`](https://github.com/containerd/containerd/commit/2325157ed07ac38f8fe260063c1cd52d73a36a01) Update runc binary to v1.2.6
</p>
</details>

### Changes from containerd/btrfs
<details><summary>12 commits</summary>
<p>

* Fix `error: implicit declaration of function ‘memcpy’` ([containerd/btrfs#44](https://github.com/containerd/btrfs/pull/44))
  * [`3fb5c91`](https://github.com/containerd/btrfs/commit/3fb5c91f016ebdfc72a0c64e81889defdb1dd51d) CI: update (Go 1.23, etc.)
  * [`cab79ec`](https://github.com/containerd/btrfs/commit/cab79ec9ea7e1b910e9aef01afbf87efb57ee674) CI: enable jobs for release/1.0
  * [`12b3998`](https://github.com/containerd/btrfs/commit/12b3998bdd04e4c8b36d69faf5e65d8157be94c8) Fix `error: implicit declaration of function ‘memcpy’`
* Update GitHub actions CI workflow ([containerd/btrfs#38](https://github.com/containerd/btrfs/pull/38))
  * [`5d1f727`](https://github.com/containerd/btrfs/commit/5d1f7270e597460ff18660b50a5fbc96d81dd6d6) Update GitHub actions CI workflow
* Upgrade Go compiler from Go 1.16 to Go 1.19 ([containerd/btrfs#39](https://github.com/containerd/btrfs/pull/39))
  * [`d16e22b`](https://github.com/containerd/btrfs/commit/d16e22bc2cf48d71f14ee79d1c3a6d8c944dd759) Upgrade Go compiler from Go 1.16 to Go 1.19
* replace pkg/errors ([containerd/btrfs#35](https://github.com/containerd/btrfs/pull/35))
  * [`9933796`](https://github.com/containerd/btrfs/commit/9933796ae83cea9d4d9b239c76440c1ff14c4e7b) replace pkg/errors
* Branch rename for GH Actions ([containerd/btrfs#33](https://github.com/containerd/btrfs/pull/33))
  * [`1aff978`](https://github.com/containerd/btrfs/commit/1aff97820a2be844266702bb611b1767d4cfcc00) Branch rename for GH Actions
</p>
</details>

### Dependency Changes

* **cloud.google.com/go/compute/metadata**  v0.2.3 -> v0.3.0
* **github.com/containerd/btrfs**           v1.0.0 -> v1.0.1
* **github.com/go-jose/go-jose/v3**         v3.0.3 -> v3.0.4
* **golang.org/x/crypto**                   v0.21.0 -> v0.40.0
* **golang.org/x/net**                      v0.23.0 -> v0.42.0
* **golang.org/x/oauth2**                   v0.11.0 -> v0.30.0
* **golang.org/x/sync**                     v0.3.0 -> v0.16.0
* **golang.org/x/sys**                      v0.18.0 -> v0.34.0
* **golang.org/x/term**                     v0.18.0 -> v0.33.0
* **golang.org/x/text**                     v0.14.0 -> v0.27.0
* **golang.org/x/time**                     1f47c861a9ac -> v0.12.0

Previous release can be found at [v1.6.38](https://github.com/containerd/containerd/releases/tag/v1.6.38)

Unverified

v2.1.3

c787fb98 · Merge pull request #12002 from dmcgowan/prepare-v2.1.3 · Jun 20, 2025

containerd 2.1.3

Welcome to the v2.1.3 release of containerd!

The third patch release for containerd 2.1 contains various fixes and updates
to address pull issues with some registries.

### Highlights

#### Image Distribution

* Fix multipart fetch issue when the server does not return content length ([#12003](https://github.com/containerd/containerd/pull/12003))
* Update transfer service supported platforms logic ([#11999](https://github.com/containerd/containerd/pull/11999))
* Fix import for local transfer service ([#12000](https://github.com/containerd/containerd/pull/12000))
* Fix registry errors with transfer service ([#11979](https://github.com/containerd/containerd/pull/11979))
* Fix fetch always adding range to requests ([#12001](https://github.com/containerd/containerd/pull/12001))
* Update fetcher errors to include full registry error ([#11997](https://github.com/containerd/containerd/pull/11997))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Adrien Delorme

### Changes
<details><summary>15 commits</summary>
<p>

* Prepare release notes for v2.1.3 ([#12002](https://github.com/containerd/containerd/pull/12002))
  * [`627729341`](https://github.com/containerd/containerd/commit/62772934139be6d2b648a16b412d847dc0aef09c) Prepare release notes for v2.1.3
* Fix multipart fetch issue when the server does not return content length ([#12003](https://github.com/containerd/containerd/pull/12003))
  * [`7636bd5eb`](https://github.com/containerd/containerd/commit/7636bd5eb2525babefd2983d38f6e1133843eb94) fix when multipart fetching and the server does not return content length
* Update transfer service supported platforms logic ([#11999](https://github.com/containerd/containerd/pull/11999))
  * [`3c5ede878`](https://github.com/containerd/containerd/commit/3c5ede878a7cb2d7a04a40e8ed1086718402fdf3) Update transfer supported platforms logic
* Fix import for local transfer service ([#12000](https://github.com/containerd/containerd/pull/12000))
  * [`fb752bc8e`](https://github.com/containerd/containerd/commit/fb752bc8ed456ff40ceb516dcb72830678cae1ab) fix import for local transfer service
* Fix registry errors with transfer service ([#11979](https://github.com/containerd/containerd/pull/11979))
  * [`f6d926314`](https://github.com/containerd/containerd/commit/f6d92631401562eba488a986a22002025d2860c9) Register remote errors for clients to access registry errors
  * [`7c1813345`](https://github.com/containerd/containerd/commit/7c18133453a495df7a334fde31423c56d42265c2) Decode grpc errors in the transfer client proxy
* Fix fetch always adding range to requests ([#12001](https://github.com/containerd/containerd/pull/12001))
  * [`babacebad`](https://github.com/containerd/containerd/commit/babacebadc0738e6b016e2f366cdf4bdf893a1a5) Fix fetch always adding range to requests
* Update fetcher errors to include full registry error ([#11997](https://github.com/containerd/containerd/pull/11997))
  * [`f30be44ad`](https://github.com/containerd/containerd/commit/f30be44ad31166bb4f4644255c5db59b9f47bb22) Update fetcher errors to include full registry error
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.1.2](https://github.com/containerd/containerd/releases/tag/v2.1.2)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.2

64ed2720 · Merge pull request #11962 from kiashok/tag-2.1.2 · Jun 12, 2025

containerd 2.1.2

Welcome to the v2.1.2 release of containerd!

The second patch release for containerd 2.1 contains various fixes and updates.

### Highlights

* Fix check of wrapped errors in erofs snapshotter ([#11935](https://github.com/containerd/containerd/pull/11935))

#### Go client

* Improve mount error message ([#11884](https://github.com/containerd/containerd/pull/11884))

#### Image Distribution

* Fix transfer differ selection ([#11936](https://github.com/containerd/containerd/pull/11936))
* Enable DuplicationSuppressor in transfer service ([#11932](https://github.com/containerd/containerd/pull/11932))

#### Runtime

* Properly shutdown non-groupable shims to prevent resource leaks ([#11971](https://github.com/containerd/containerd/pull/11971))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Kirtana Ashok
* Austin Vazquez
* Maksym Pavlenko
* ningmingxiao
* Gao Xiang
* Henry Wang
* Jin Dong
* Phil Estes
* Wei Fu

### Changes
<details><summary>28 commits</summary>
<p>

* Prepare release notes for v2.1.2 ([#11962](https://github.com/containerd/containerd/pull/11962))
  * [`63b9eae62`](https://github.com/containerd/containerd/commit/63b9eae62e4a927269d3c7d1d0a50eb9095c1ee1) Prepare release notes for v2.1.2
* Properly shutdown non-groupable shims to prevent resource leaks ([#11971](https://github.com/containerd/containerd/pull/11971))
  * [`cff1feb28`](https://github.com/containerd/containerd/commit/cff1feb28c79f1f8f792f6284335f08f065bae1f) *: properly shutdown non-groupable shims to prevent resource leaks
* ci: bump golang [1.23.10,1.24.4] in build and release ([#11968](https://github.com/containerd/containerd/pull/11968))
  * [`2ce169aae`](https://github.com/containerd/containerd/commit/2ce169aae05d76f820ad977e8ea195938ced98a1) ci: bump golang [1.23.10,1.24.4] in build and release
* Backport Enable CIs to run on WS2022 and WS2025 ([#11955](https://github.com/containerd/containerd/pull/11955))
  * [`70bcb9b55`](https://github.com/containerd/containerd/commit/70bcb9b55edf9d832a4f8162a12830bcaf646695) Enable CIs to run on WS2022 and WS2025
* cri:use debug level when receive exec process exited events ([#11848](https://github.com/containerd/containerd/pull/11848))
  * [`40575a15f`](https://github.com/containerd/containerd/commit/40575a15f212903a838381fc893560a86ba8b485) cri:use debug level when receive exec process exited events
* build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2 ([#11952](https://github.com/containerd/containerd/pull/11952))
  * [`c71f77170`](https://github.com/containerd/containerd/commit/c71f77170ef2640197884644acfe5ba28b3cf6ab) build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2
* Fix transfer differ selection ([#11936](https://github.com/containerd/containerd/pull/11936))
  * [`4bcea74de`](https://github.com/containerd/containerd/commit/4bcea74decd64dcbf616f56b47cf8f5b4a2a586f) Update differ selection in transfer service to prefer default
  * [`0c3cd8a99`](https://github.com/containerd/containerd/commit/0c3cd8a99529849ee2e3f9661ebfa937f3f9be66) Add debug log when transfer returns not implemented
  * [`820e56765`](https://github.com/containerd/containerd/commit/820e56765083b50d0e8f4baf06f4804700f33a92) Add more error details when unpack fails to extract
* Fetch image with default platform only in TestExportAndImportMultiLayer ([#11943](https://github.com/containerd/containerd/pull/11943))
  * [`9b6c1949a`](https://github.com/containerd/containerd/commit/9b6c1949af50ee264d1d3a8b1aafd05149c4b8fe) Fetch image with default platform only in TestExportAndImportMultiLayer
* Fix check of wrapped errors in erofs snapshotter ([#11935](https://github.com/containerd/containerd/pull/11935))
  * [`480126f50`](https://github.com/containerd/containerd/commit/480126f5079e501228553038a584ce8542807d89) erofs-snapshotter: fix to work with wrapped errors
* Enable DuplicationSuppressor in transfer service ([#11932](https://github.com/containerd/containerd/pull/11932))
  * [`d82921ff5`](https://github.com/containerd/containerd/commit/d82921ff59cc91c1d75d35cc1cb3a5e709da9fdd) Enable DuplicationSuppressor in transfer service
* ci: bump golang [1.23.9, 1.24.3] in build and release ([#11889](https://github.com/containerd/containerd/pull/11889))
  * [`0bb25c3d6`](https://github.com/containerd/containerd/commit/0bb25c3d6cbb6eaf8d091b9f728776efdffe4859) ci: bump golang [1.23.9, 1.24.3] in build and release
* Improve mount error message ([#11884](https://github.com/containerd/containerd/pull/11884))
  * [`ac8e84efc`](https://github.com/containerd/containerd/commit/ac8e84efc384a728fbc498cf58f8c689263c857a) client:improve mount error message
* Add symlink breakout test for overriden path ([#11887](https://github.com/containerd/containerd/pull/11887))
  * [`dd2ce49d0`](https://github.com/containerd/containerd/commit/dd2ce49d0f23b0a190b86583c90a5a3eea4cdd4f) Add symlink breakout test for overriden path
</p>
</details>

### Dependency Changes

* **google.golang.org/grpc**  v1.72.0 -> v1.72.2

Previous release can be found at [v2.1.1](https://github.com/containerd/containerd/releases/tag/v2.1.1)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.1

cb107664 · Merge commit from fork · May 21, 2025

containerd 2.1.1

Welcome to the v2.1.1 release of containerd!

The first patch release for containerd 2.1 fixes a critical vulnernability (CVE-2025-47290)
which was first introduced in 2.1.0. See the [Github Advisory](https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95)
for more details. This release also contains a few smaller updates and bux fixes.

### Highlights

#### Image Storage

* Fix erofs media type handling ([#11855](https://github.com/containerd/containerd/pull/11855))

#### Runtime

* Reduce shim cleanup log level and add more context ([#11831](https://github.com/containerd/containerd/pull/11831))

#### Deprecations

* Update removal version for deprecated registry config fields ([#11835](https://github.com/containerd/containerd/pull/11835))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Samuel Karp
* Derek McGowan
* Gao Xiang
* Akhil Mohan
* Chris Henzie
* Phil Estes
* Sebastiaan van Stijn
* ningmingxiao

### Changes
<details><summary>17 commits</summary>
<p>

  * [`cb1076646`](https://github.com/containerd/containerd/commit/cb1076646aa3740577fafbf3d914198b7fe8e3f7) Merge commit from fork
  * [`216667ba0`](https://github.com/containerd/containerd/commit/216667ba0ada456a2647e52dd2181e9dbd857d93) Prepare release notes for 2.1.1
  * [`ac00b8e61`](https://github.com/containerd/containerd/commit/ac00b8e6108c6925ef4ab39e9b87e956a2efdabf) Revert "perf(applyNaive): avoid walking the tree for each file in the same directory"
* build(deps): bump github.com/Microsoft/hcsshim ([#11847](https://github.com/containerd/containerd/pull/11847))
  * [`444ca17cd`](https://github.com/containerd/containerd/commit/444ca17cd9baa2f68572bcf28af4eea7b12c2f1d) update runhcs version to v0.13.0
  * [`0684f1c44`](https://github.com/containerd/containerd/commit/0684f1c44d021e7ef1ba26fc73b8922633d10403) build(deps): bump github.com/Microsoft/hcsshim
* Fix erofs media type handling ([#11855](https://github.com/containerd/containerd/pull/11855))
  * [`e1817a401`](https://github.com/containerd/containerd/commit/e1817a401f94698cdf8fdc01d8d0e2b4f1f463e7) docs/snapshotters/erofs.md: a tip for improved performance
  * [`2168cb92c`](https://github.com/containerd/containerd/commit/2168cb92c9cf89aaad06be9ae49fce49ed4972d8) erofs-differ: fix EROFS native image support
* Reduce shim cleanup log level and add more context ([#11831](https://github.com/containerd/containerd/pull/11831))
  * [`7fcbc3c46`](https://github.com/containerd/containerd/commit/7fcbc3c46a2e0fdf55082216b8eca3f8f09eb4e0) core/runtime/v2: cleanup shim-cleanup logs
* Update removal version for deprecated registry config fields ([#11835](https://github.com/containerd/containerd/pull/11835))
  * [`37d6c4236`](https://github.com/containerd/containerd/commit/37d6c42368a3e139fb516064ff4eb9637f197c7a) Update removal version for deprecated registry config fields
* ctr:make sure containerd socket exist before create client ([#11827](https://github.com/containerd/containerd/pull/11827))
  * [`e7be076d4`](https://github.com/containerd/containerd/commit/e7be076d48eba3ffa11a4be1133b92987227e776) ctr:make sure containerd socket exist before create client
* .github: mark 2.1 releases as latest ([#11821](https://github.com/containerd/containerd/pull/11821))
  * [`c90524d5f`](https://github.com/containerd/containerd/commit/c90524d5f4c8cec87ce3639263a42e6fa4555ef5) .github: mark 2.1 releases as latest
</p>
</details>

### Dependency Changes

* **github.com/Microsoft/hcsshim**  v0.13.0-rc.3 -> v0.13.0

Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.0

061792f0 · Merge pull request #11819 from dmcgowan/prepare-v2.1.0 · May 08, 2025

containerd 2.1.0

Welcome to the v2.1.0 release of containerd!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

### Highlights

* Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))

#### Container Runtime Interface (CRI)

* Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
* Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))

#### Image Distribution

* Retry last registry host on 50x responses ([#11484](https://github.com/containerd/containerd/pull/11484))
* Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
* Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))

#### Node Resource Interface (NRI)

* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))

#### Runtime

* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))

#### Breaking

* Update FreeBSD defaults and re-organize platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))

#### Deprecations

* Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
* Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
* Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Phil Estes
* Akihiro Suda
* Maksym Pavlenko
* Jin Dong
* Wei Fu
* Sebastiaan van Stijn
* Samuel Karp
* Mike Brown
* Adrien Delorme
* Austin Vazquez
* Akhil Mohan
* Kazuyoshi Kato
* Henry Wang
* Gao Xiang
* ningmingxiao
* Krisztian Litkey
* Yang Yang
* Archit Kulkarni
* Chris Henzie
* Iceber Gu
* Alexey Lunev
* Antonio Ojea
* Davanum Srinivas
* Marat Radchenko
* Michael Zappa
* Paweł Gronowski
* Rodrigo Campos
* Alberto Garcia Hierro
* Amit Barve
* Andrey Smirnov
* Divya
* Etienne Champetier
* Kirtana Ashok
* Philip Laine
* QiPing Wan
* fengwei0328
* zounengren
* Adrian Reber
* Alfred Wingate
* Amal Thundiyil
* Athos Ribeiro
* Brian Goff
* Cesar Talledo
* ChengyuZhu6
* Chongyi Zheng
* Craig Ingram
* Danny Canter
* David Son
* Fupan Li
* HirazawaUi
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kaita Nakamura
* Kohei Tokunaga
* Lei Liu
* Marco Visin
* Mike Baynton
* Qiyuan Liang
* Sameer
* Shiming Zhang
* Swagat Bora
* Teresaliu
* Tony Fang
* Tõnis Tiigi
* Vered Rosen
* Vinayak Goyal
* bo.jiang
* chriskery
* luchenhan
* mahmut
* zhaixiaojuan

### Dependency Changes

* **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
* **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
* **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
* **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0
* **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
* **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
* **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
* **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
* **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
* **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
* **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.7.1
* **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
* **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
* **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
* **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
* **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
* **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
* **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
* **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
* **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
* **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
* **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
* **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
* **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
* **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
* **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
* **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
* **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
* **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
* **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
* **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
* **github.com/vishvananda/netlink**                                               v1.3.0 -> 0e7078ed04c8
* **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
* **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
* **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
* **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
* **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
* **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
* **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
* **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
* **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
* **golang.org/x/sync**                                                            v0.8.0 -> v0.14.0
* **golang.org/x/sys**                                                             v0.26.0 -> v0.33.0
* **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
* **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
* **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
* **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
* **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
* **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
* **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
* **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
* **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
* **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
* **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
* **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
* **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
* **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
* **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
* **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
* **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
* **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0

Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

api/v1.9.0

9033738f · Merge pull request #11812 from dmcgowan/prepare-api-v1.9.0 · May 08, 2025

containerd api/v1.9.0

Welcome to the api/v1.9.0 release of containerd!

The 10th release for the containerd 1.x API aligns with the containerd 2.1 release.

### Highlights

* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))

#### Image Distribution

* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Maksym Pavlenko
* Akihiro Suda
* Davanum Srinivas
* Phil Estes
* Adrian Reber
* Jin Dong
* Philip Laine

### Changes
<details><summary>18 commits</summary>
<p>

* Prepare release notes for api/v1.9.0 ([#11812](https://github.com/containerd/containerd/pull/11812))
  * [`145175bf4`](https://github.com/containerd/containerd/commit/145175bf4fb1a21be4c686115f0d83ba19e9fe92) Prepare release notes for api/v1.9.0
* Add release notes for api v1.9.0-rc.0 ([#11751](https://github.com/containerd/containerd/pull/11751))
  * [`c0ce618a1`](https://github.com/containerd/containerd/commit/c0ce618a10541b5e1d2979c2d70e971b23c8a16b) Add release notes for api v1.9.0-rc.0
* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
  * [`17b6e1ef8`](https://github.com/containerd/containerd/commit/17b6e1ef85098c532bae0e9544f288ebe530b3fe) Allow streaming to client
  * [`40eb2fdbb`](https://github.com/containerd/containerd/commit/40eb2fdbbb66aa6ef51422e6f62d8f3fb48ab35e) Fix protos
  * [`1d436803d`](https://github.com/containerd/containerd/commit/1d436803dc532c8fd40735c92fd1041dc2cc2868) Add http debug fields to OCI registry protos
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
  * [`752914b5b`](https://github.com/containerd/containerd/commit/752914b5bfaa4e28d1231901c37bf8d3b47ca73c) Add content create event to api
* bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
  * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
  * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
* build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
  * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
* Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
  * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
</p>
</details>

### Dependency Changes

* **github.com/opencontainers/image-spec**  v1.1.0 -> v1.1.1
* **golang.org/x/net**                      v0.23.0 -> v0.37.0
* **golang.org/x/sys**                      v0.18.0 -> v0.31.0
* **golang.org/x/text**                     v0.14.0 -> v0.23.0
* **gopkg.in/yaml.v3**                      v3.0.1 **_new_**

Previous release can be found at [api/v1.8.0](https://github.com/containerd/containerd/releases/tag/api/v1.8.0)

Unverified

v2.1.0-rc.1

5a3bbca1 · Merge pull request #11724 from swagatbora90/cri-image-transfer-doc-update · May 06, 2025

containerd 2.1.0-rc.1

Welcome to the v2.1.0-rc.1 release of containerd!
*This is a pre-release of containerd*

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

### Highlights

* Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))

#### Container Runtime Interface (CRI)

* Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
* Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))

#### Image Distribution

* Retry last registry host on 50x responses ([#11484](https://github.com/containerd/containerd/pull/11484))
* Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
* Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))

#### Node Resource Interface (NRI)

* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))

#### Runtime

* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))

#### Breaking

* Update FreeBSD defaults and re-organize platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))

#### Deprecations

* Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
* Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
* Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Phil Estes
* Derek McGowan
* Akihiro Suda
* Maksym Pavlenko
* Jin Dong
* Wei Fu
* Sebastiaan van Stijn
* Samuel Karp
* Mike Brown
* Adrien Delorme
* Akhil Mohan
* Austin Vazquez
* Kazuyoshi Kato
* Henry Wang
* Gao Xiang
* ningmingxiao
* Krisztian Litkey
* Yang Yang
* Archit Kulkarni
* Chris Henzie
* Iceber Gu
* Alexey Lunev
* Antonio Ojea
* Davanum Srinivas
* Marat Radchenko
* Michael Zappa
* Paweł Gronowski
* Rodrigo Campos
* Alberto Garcia Hierro
* Amit Barve
* Andrey Smirnov
* Divya
* Etienne Champetier
* Kirtana Ashok
* Philip Laine
* QiPing Wan
* fengwei0328
* zounengren
* Adrian Reber
* Alfred Wingate
* Amal Thundiyil
* Athos Ribeiro
* Austin Vazquez
* Brian Goff
* Cesar Talledo
* ChengyuZhu6
* Chongyi Zheng
* Craig Ingram
* Danny Canter
* David Son
* Fupan Li
* HirazawaUi
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kaita Nakamura
* Kohei Tokunaga
* Lei Liu
* Marco Visin
* Mike Baynton
* Qiyuan Liang
* Sameer
* Shiming Zhang
* Swagat Bora
* Teresaliu
* Tony Fang
* Tõnis Tiigi
* Vered Rosen
* Vinayak Goyal
* bo.jiang
* chriskery
* luchenhan
* mahmut
* zhaixiaojuan

### Dependency Changes

* **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
* **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
* **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
* **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0-rc.0
* **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
* **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
* **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
* **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
* **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
* **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
* **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.7.1
* **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
* **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
* **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
* **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
* **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
* **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
* **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
* **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
* **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
* **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
* **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
* **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
* **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
* **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
* **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
* **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
* **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
* **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
* **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
* **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
* **github.com/vishvananda/netlink**                                               v1.3.0 -> 0e7078ed04c8
* **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
* **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
* **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
* **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
* **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
* **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
* **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
* **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
* **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
* **golang.org/x/sync**                                                            v0.8.0 -> v0.14.0
* **golang.org/x/sys**                                                             v0.26.0 -> v0.33.0
* **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
* **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
* **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
* **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
* **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
* **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
* **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
* **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
* **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
* **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
* **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
* **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
* **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
* **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
* **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
* **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
* **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
* **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0

Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.0-rc.0

e29f23e4 · Merge pull request #11752 from dmcgowan/prepare-2.1.0-rc · Apr 26, 2025

containerd 2.1.0-rc.0

Welcome to the v2.1.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

### Highlights

* Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))

#### Container Runtime Interface (CRI)

* Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
* Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))

#### Image Distribution

* Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
* Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))

#### Node Resource Interface (NRI)

* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))

#### Runtime

* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))

#### Deprecations

* Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
* Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
* Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Phil Estes
* Derek McGowan
* Akihiro Suda
* Maksym Pavlenko
* Jin Dong
* Wei Fu
* Sebastiaan van Stijn
* Samuel Karp
* Austin Vazquez
* Mike Brown
* Kazuyoshi Kato
* Akhil Mohan
* Henry Wang
* Adrien Delorme
* Gao Xiang
* ningmingxiao
* Krisztian Litkey
* Archit Kulkarni
* Chris Henzie
* Iceber Gu
* Yang Yang
* Alexey Lunev
* Antonio Ojea
* Davanum Srinivas
* Marat Radchenko
* Michael Zappa
* Paweł Gronowski
* Alberto Garcia Hierro
* Amit Barve
* Andrey Smirnov
* Divya
* Etienne Champetier
* Kirtana Ashok
* Philip Laine
* QiPing Wan
* fengwei0328
* zounengren
* Adrian Reber
* Alfred Wingate
* Amal Thundiyil
* Athos Ribeiro
* Brian Goff
* Cesar Talledo
* ChengyuZhu6
* Chongyi Zheng
* Craig Ingram
* David Son
* Fupan Li
* HirazawaUi
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kaita Nakamura
* Kohei Tokunaga
* Lei Liu
* Marco Visin
* Mike Baynton
* Qiyuan Liang
* Sameer
* Shiming Zhang
* Teresaliu
* Tony Fang
* Tõnis Tiigi
* Vered Rosen
* bo.jiang
* chriskery
* luchenhan
* mahmut
* zhaixiaojuan

### Dependency Changes

* **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
* **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
* **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
* **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0-rc.0
* **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
* **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
* **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
* **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
* **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
* **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
* **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.6.2
* **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
* **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
* **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
* **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
* **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
* **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
* **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
* **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
* **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
* **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
* **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
* **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
* **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
* **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
* **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
* **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
* **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
* **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
* **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
* **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
* **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
* **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
* **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
* **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
* **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
* **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
* **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
* **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
* **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
* **golang.org/x/sync**                                                            v0.8.0 -> v0.13.0
* **golang.org/x/sys**                                                             v0.26.0 -> v0.32.0
* **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
* **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
* **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
* **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
* **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
* **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
* **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
* **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
* **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
* **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
* **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
* **k8s.io/component-base**                                                        v0.31.2 -> v0.32.3
* **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
* **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
* **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
* **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
* **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
* **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
* **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0

Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

api/v1.9.0-rc.0

11524ef1 · Merge pull request #11751 from dmcgowan/prepare-api-1.9.0-rc · Apr 25, 2025

containerd api/v1.9.0-rc.0

Welcome to the api/v1.9.0-rc.0 release of containerd!
*This is a pre-release of containerd*

The 10th release for the containerd 1.x API aligns with the containerd 2.1 release.

### Highlights

* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Maksym Pavlenko
* Akihiro Suda
* Davanum Srinivas
* Phil Estes
* Adrian Reber
* Jin Dong
* Philip Laine

### Changes
<details><summary>16 commits</summary>
<p>

* Add release notes for api v1.9.0-rc.0 ([#11751](https://github.com/containerd/containerd/pull/11751))
  * [`c0ce618a1`](https://github.com/containerd/containerd/commit/c0ce618a10541b5e1d2979c2d70e971b23c8a16b) Add release notes for api v1.9.0-rc.0
* Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
  * [`17b6e1ef8`](https://github.com/containerd/containerd/commit/17b6e1ef85098c532bae0e9544f288ebe530b3fe) Allow streaming to client
  * [`40eb2fdbb`](https://github.com/containerd/containerd/commit/40eb2fdbbb66aa6ef51422e6f62d8f3fb48ab35e) Fix protos
  * [`1d436803d`](https://github.com/containerd/containerd/commit/1d436803dc532c8fd40735c92fd1041dc2cc2868) Add http debug fields to OCI registry protos
* Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
  * [`752914b5b`](https://github.com/containerd/containerd/commit/752914b5bfaa4e28d1231901c37bf8d3b47ca73c) Add content create event to api
* bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
  * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
  * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
* build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
  * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
* Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
  * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
</p>
</details>

### Dependency Changes

* **github.com/opencontainers/image-spec**  v1.1.0 -> v1.1.1
* **golang.org/x/net**                      v0.23.0 -> v0.37.0
* **golang.org/x/sys**                      v0.18.0 -> v0.31.0
* **golang.org/x/text**                     v0.14.0 -> v0.23.0
* **gopkg.in/yaml.v3**                      v3.0.1 **_new_**

Previous release can be found at [api/v1.8.0](https://github.com/containerd/containerd/releases/tag/api/v1.8.0)

Unverified

v2.0.5

fb4c30d4 · Merge pull request #11717 from dmcgowan/backport-go-1.23.8 · Apr 17, 2025

containerd 2.0.5

Welcome to the v2.0.5 release of containerd!

The fifth patch release for containerd 2.0 includes various bug fixes and updates.

### Highlights

#### Build and Release Toolchain

* Update go to 1.23.8 ([#11717](https://github.com/containerd/containerd/pull/11717))

#### Container Runtime Interface (CRI)

* Update ImageService to delete images synchronously ([#11599](https://github.com/containerd/containerd/pull/11599))

#### Image Distribution

* Prevent panic on zero length push ([#11698](https://github.com/containerd/containerd/pull/11698))
* Set default differ for the default unpack config of transfer service ([#11688](https://github.com/containerd/containerd/pull/11688))

#### Runtime

* Remove invalid error log when stopping container after containerd restart ([#11621](https://github.com/containerd/containerd/pull/11621))
* Update taskOptions based on runtimeOptions when creating a task ([#11618](https://github.com/containerd/containerd/pull/11618))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Akhil Mohan
* Derek McGowan
* Phil Estes
* Wei Fu
* Iceber Gu
* Austin Vazquez
* Maksym Pavlenko
* Cesar Talledo
* Henry Wang
* Jin Dong
* Krisztian Litkey
* Yang Yang

### Changes
<details><summary>33 commits</summary>
<p>

* Update go to 1.23.8 ([#11717](https://github.com/containerd/containerd/pull/11717))
  * [`5bcf0a95e`](https://github.com/containerd/containerd/commit/5bcf0a95e39fcfa2be3a867be2606fedebd0b681) use go1.23.8 as the default go version
  * [`4838f33f7`](https://github.com/containerd/containerd/commit/4838f33f7e012a61465a1b41895e942d3e6d8abc) update to go 1.24.2, 1.23.8
* Prepare release notes for v2.0.5 ([#11713](https://github.com/containerd/containerd/pull/11713))
  * [`a8082cd60`](https://github.com/containerd/containerd/commit/a8082cd60df5843b19710e832c653d4cfa6cfd88) Prepare release notes for v2.0.5
* Disable criu test on arm64 ([#11710](https://github.com/containerd/containerd/pull/11710))
  * [`58b715ad8`](https://github.com/containerd/containerd/commit/58b715ad8dd372472f91dec84aec581d35b417c0) Disable arm64 criu testing in GH Actions
  * [`b4a53e826`](https://github.com/containerd/containerd/commit/b4a53e8264dd6cc93573630c0e59902eaa822886) disable portmap test in ubuntu-22 to make CI happy
  * [`4bcf472de`](https://github.com/containerd/containerd/commit/4bcf472de6ccf12b9f17ea095d8257fd7d7c1d18) add option to skip tests in critest
* Prevent panic on zero length push ([#11698](https://github.com/containerd/containerd/pull/11698))
  * [`8a638b71a`](https://github.com/containerd/containerd/commit/8a638b71aef45e16b7dcf86bd5267229d715a2e9) Prevent panic in Docker pusher.
* Set default differ for the default unpack config of transfer service ([#11688](https://github.com/containerd/containerd/pull/11688))
  * [`84d9658c3`](https://github.com/containerd/containerd/commit/84d9658c36c73ba4ae87471dd760ef3539b26c2b) Set default differ for the default unpack config of transfer service
* ci: update GitHub Actions release runner to ubuntu-24.04 ([#11703](https://github.com/containerd/containerd/pull/11703))
  * [`b184a97d3`](https://github.com/containerd/containerd/commit/b184a97d304a6397758810695ca3fb245a66993f) ci: update GitHub Actions release runner to ubuntu-24.04
* Remove invalid error log when stopping container after containerd restart ([#11621](https://github.com/containerd/containerd/pull/11621))
  * [`e04543db0`](https://github.com/containerd/containerd/commit/e04543db09ce872a06bbd3aa751bbd6c3a7531c5) use shimCtx for fifo copy
* Update taskOptions based on runtimeOptions when creating a task ([#11618](https://github.com/containerd/containerd/pull/11618))
  * [`9f46e7a44`](https://github.com/containerd/containerd/commit/9f46e7a449a06934bfb4a9b4b9718c1f625b1693) integration/client: add tests for TaskOptions is not empty
  * [`8a16a6a04`](https://github.com/containerd/containerd/commit/8a16a6a04ad081deac2f4907adda2326e62e5182) prefer task options for PluginInfo request
  * [`a183b2d23`](https://github.com/containerd/containerd/commit/a183b2d232fd3c0ca7cf4903b2392cce639ca7c5) update taskOptions based on runtimeOptions when creating a task
* Update ImageService to delete images synchronously ([#11599](https://github.com/containerd/containerd/pull/11599))
  * [`091143135`](https://github.com/containerd/containerd/commit/091143135ba903808c76fbdd10316975dcf4b0f1) *: CRIImageService should delete image synchronously
* Update runc binary to v1.2.6 ([#11583](https://github.com/containerd/containerd/pull/11583))
  * [`c2372c072`](https://github.com/containerd/containerd/commit/c2372c072cb41e9c4217c345c22189cb139820c6) Update runc binary to v1.2.6
* go.{mod,sum}: bump CDI deps to stable v1.0.0. ([#11566](https://github.com/containerd/containerd/pull/11566))
  * [`e8506511b`](https://github.com/containerd/containerd/commit/e8506511b28fb5343d037e0e56b6a36f7d4a70da) go.{mod,sum}: bump CDI deps to stable v1.0.0.
* silence govulncheck false positives ([#11571](https://github.com/containerd/containerd/pull/11571))
  * [`4cfb89430`](https://github.com/containerd/containerd/commit/4cfb89430cefd30fb2855721176e1b03a227d3b0) go.mod: github.com/go-jose/go-jose/v4
  * [`2b9e6a29d`](https://github.com/containerd/containerd/commit/2b9e6a29d7ba23fea935bfc7fa6613978d0ca45a) go.mod: golang.org/x/oauth2 v0.28.0
  * [`6df1ea0d9`](https://github.com/containerd/containerd/commit/6df1ea0d9e1743d7d2b5ffe049a68b4d279f2dbd) go.mod: golang.org/x/net v0.37.0
* Fix CI lint error (cherry-picked #11555) ([#11567](https://github.com/containerd/containerd/pull/11567))
  * [`16f20abdf`](https://github.com/containerd/containerd/commit/16f20abdffa6041382660f1374f25eb9fdfd2fc7) Fix CI lint error
</p>
</details>

### Dependency Changes

* **github.com/go-jose/go-jose/v4**                     v4.0.4 -> v4.0.5
* **golang.org/x/crypto**                               v0.31.0 -> v0.36.0
* **golang.org/x/net**                                  v0.33.0 -> v0.37.0
* **golang.org/x/oauth2**                               v0.23.0 -> v0.28.0
* **golang.org/x/sync**                                 v0.10.0 -> v0.12.0
* **golang.org/x/sys**                                  v0.28.0 -> v0.31.0
* **golang.org/x/term**                                 v0.27.0 -> v0.30.0
* **golang.org/x/text**                                 v0.21.0 -> v0.23.0
* **tags.cncf.io/container-device-interface**           v0.8.1 -> v1.0.0
* **tags.cncf.io/container-device-interface/specs-go**  v0.8.0 -> v1.0.0

Previous release can be found at [v2.0.4](https://github.com/containerd/containerd/releases/tag/v2.0.4)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.0-beta.1

afc840ba · Merge pull request #11685 from AkihiroSuda/release-ubuntu-22.04 · Apr 16, 2025

containerd 2.1.0-beta.1

Welcome to the v2.1.0-beta.1 release of containerd!
*This is a pre-release of containerd*

The 2.1 beta series is here, see the [2.1 milestone](https://github.com/containerd/containerd/milestone/48) to track
ongoing efforts. Please try out the beta and report any issues!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

### Highlights

* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))

#### Container Runtime Interface (CRI)

* Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))

#### Image Distribution

* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))

#### Node Resource Interface (NRI)

* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))

#### Runtime

* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Phil Estes
* Derek McGowan
* Jin Dong
* Maksym Pavlenko
* Wei Fu
* Sebastiaan van Stijn
* Samuel Karp
* Austin Vazquez
* Mike Brown
* Kazuyoshi Kato
* Henry Wang
* Akhil Mohan
* Gao Xiang
* ningmingxiao
* Archit Kulkarni
* Krisztian Litkey
* Alexey Lunev
* Antonio Ojea
* Chris Henzie
* Davanum Srinivas
* Iceber Gu
* Marat Radchenko
* Michael Zappa
* Paweł Gronowski
* Adrien Delorme
* Amit Barve
* Andrey Smirnov
* Divya
* Etienne Champetier
* Kirtana Ashok
* QiPing Wan
* Yang Yang
* fengwei0328
* zounengren
* Adrian Reber
* Alfred Wingate
* Amal Thundiyil
* Athos Ribeiro
* Brian Goff
* Cesar Talledo
* ChengyuZhu6
* Chongyi Zheng
* Craig Ingram
* David Son
* Fupan Li
* HirazawaUi
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kaita Nakamura
* Lei Liu
* Mike Baynton
* Philip Laine
* Qiyuan Liang
* Sameer
* Shiming Zhang
* Teresaliu
* Tõnis Tiigi
* Vered Rosen
* bo.jiang
* chriskery
* luchenhan
* mahmut

### Changes
<details><summary>520 commits</summary>
<p>

* release: use Ubuntu 22.04 (glibc 2.35) ([#11685](https://github.com/containerd/containerd/pull/11685))
  * [`81acabd95`](https://github.com/containerd/containerd/commit/81acabd95618cd8d054bc1c127c4dc9f4b7ced2f) release: use Ubuntu 22.04 (glibc 2.35)
* Prevent panic in Docker pusher. ([#11670](https://github.com/containerd/containerd/pull/11670))
  * [`3251e2cc8`](https://github.com/containerd/containerd/commit/3251e2cc8d17466ef86f1a541a660626ef5fda86) Prevent panic in Docker pusher.
* build(deps): bump the golang-x group with 2 updates ([#11659](https://github.com/containerd/containerd/pull/11659))
  * [`be602ea5c`](https://github.com/containerd/containerd/commit/be602ea5c72c1d4a61be92f3c7bb1ff9654fc7aa) build(deps): bump the golang-x group with 2 updates
* build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 ([#11658](https://github.com/containerd/containerd/pull/11658))
  * [`3a5f04fdd`](https://github.com/containerd/containerd/commit/3a5f04fdd0b38b99dd2729bfa77328513bb86b0e) build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4
* wrong explicitTLS value when dialTimeout is set ([#11546](https://github.com/containerd/containerd/pull/11546))
  * [`53eec6c78`](https://github.com/containerd/containerd/commit/53eec6c783c2ece74c9334e0e3a12e602b212f21) move host tlsconfig update to a separate function
  * [`f702bf9fe`](https://github.com/containerd/containerd/commit/f702bf9fe51fd83992694151847e4c96a55ddb2c) [hosts] wrong explicitTLS value when dialTimeout is set
* build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 ([#11665](https://github.com/containerd/containerd/pull/11665))
  * [`eae1a6adc`](https://github.com/containerd/containerd/commit/eae1a6adc8f2f1e3f3607eb11d8fcb3f4dd84f10) build(deps): bump github/codeql-action from 3.28.13 to 3.28.15
* avoid import to testing pkg outside of tests ([#11666](https://github.com/containerd/containerd/pull/11666))
  * [`f87b2c1cd`](https://github.com/containerd/containerd/commit/f87b2c1cd87b15fc477ae91386efe6840a97be6d) avoid import to testing pkg outside of tests
* build(deps): bump github.com/containernetworking/cni from 1.2.3 to 1.3.0 ([#11660](https://github.com/containerd/containerd/pull/11660))
  * [`2d3ff252d`](https://github.com/containerd/containerd/commit/2d3ff252dc96ab865fc0328fe7fec8f8f4213c88) build(deps): bump github.com/containernetworking/cni from 1.2.3 to 1.3.0
* fix call fmt.Errorf with wrong error ([#11649](https://github.com/containerd/containerd/pull/11649))
  * [`be9ca11a1`](https://github.com/containerd/containerd/commit/be9ca11a14e424d34d25ccbc88a9eac7067671c0) fix call fmt.Errorf with wrong error
* Set default differ for the default unpack config of transfer service ([#11641](https://github.com/containerd/containerd/pull/11641))
  * [`a083b669c`](https://github.com/containerd/containerd/commit/a083b669c9412eef55ee103fe2bb1dec7c6178bc) Set default differ for the default unpack config of transfer service
* build(deps): bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 ([#11631](https://github.com/containerd/containerd/pull/11631))
  * [`33dae72b9`](https://github.com/containerd/containerd/commit/33dae72b9a805b3ee51d288d7726aeaf1f4acab2) build(deps): bump lycheeverse/lychee-action from 2.3.0 to 2.4.0
* pkg/sys: improve GetLocalListener/CreateUnixSocket error message ([#11608](https://github.com/containerd/containerd/pull/11608))
  * [`1dbb7f2ae`](https://github.com/containerd/containerd/commit/1dbb7f2ae3be1b7925dfbbc064b1b6afefcbe182) pkg/sys: improve GetLocalListener/CreateUnixSocket error message
* cri: fix lost container exit events if they arrive before info is cached ([#11579](https://github.com/containerd/containerd/pull/11579))
  * [`ead5c1ee6`](https://github.com/containerd/containerd/commit/ead5c1ee6573c698b3776581f744a8e752e75770) cri:fix lost container exit events if they arrive before info is cached
* Fix the panic caused by the failure of RunPodSandbox ([#11588](https://github.com/containerd/containerd/pull/11588))
  * [`a3a66d1f2`](https://github.com/containerd/containerd/commit/a3a66d1f2b33758bf65cd8d88936f4a5f2e142fe) Fix the panic caused by the failure of RunPodSandbox
* fix: call checkCopyShimLogError(shimCtx) to avoid expected error log flood ([#11475](https://github.com/containerd/containerd/pull/11475))
  * [`4357a7600`](https://github.com/containerd/containerd/commit/4357a7600ecbe50d55dde3de4bb842cb939cf83b) use shimCtx for fifo copy
* update taskOptions based on runtimeOptions when creating a task  ([#11569](https://github.com/containerd/containerd/pull/11569))
  * [`450038a28`](https://github.com/containerd/containerd/commit/450038a28bff6c83ec7af1f7a417ad5498a4701c) integration/client: add tests for TaskOptions is not empty
  * [`7e5c5038a`](https://github.com/containerd/containerd/commit/7e5c5038ad7b8d9a2670939255c2382dc123b44b) prefer task options for PluginInfo request
  * [`ec3567d6b`](https://github.com/containerd/containerd/commit/ec3567d6b369cde39739b41db8763a19d6f35c39) update taskOptions based on runtimeOptions when creating a task
* correct kep template - remove render type ([#11615](https://github.com/containerd/containerd/pull/11615))
  * [`07a23b6f4`](https://github.com/containerd/containerd/commit/07a23b6f4bd30530a8c3c5ea965fe72695eb649b) use type textarea
* *: image volume feature's follow-up  ([#11605](https://github.com/containerd/containerd/pull/11605))
  * [`fe4703cde`](https://github.com/containerd/containerd/commit/fe4703cde553c184c8846358baa9799cfc4eb34d) integration: check image volume snapshot after deleting pod
  * [`d141d6c3d`](https://github.com/containerd/containerd/commit/d141d6c3dd650a7cdf2aecf5922850a9006d0087) integration: run image volumes for linux platform only
  * [`de833ebbb`](https://github.com/containerd/containerd/commit/de833ebbbe22c5239e66d923f797853144838a45) cri: enhance error handling for image volume
  * [`be0ab6e93`](https://github.com/containerd/containerd/commit/be0ab6e93612a3563e52a42176c70e341348e464) cri: add volatile option to image volume mount if applicable
* downgrade cni version in CI test ([#11616](https://github.com/containerd/containerd/pull/11616))
  * [`cffb6d425`](https://github.com/containerd/containerd/commit/cffb6d42506199be781423fd663fb69b12d5853a) downgrade cni version in CI test
* Create cri_kep.yaml for the new issue template for the new KEP process  ([#11610](https://github.com/containerd/containerd/pull/11610))
  * [`3ef9084d0`](https://github.com/containerd/containerd/commit/3ef9084d099235d6852c4259f540f45014616c7b) Create cri_kep.yaml
* build(deps): bump github.com/containernetworking/plugins from 1.5.1 to 1.6.2 ([#11226](https://github.com/containerd/containerd/pull/11226))
  * [`aff7e4797`](https://github.com/containerd/containerd/commit/aff7e47977172fcad5f872cb42df0b13368a71b2) build(deps): bump github.com/containernetworking/plugins
* build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1 ([#11595](https://github.com/containerd/containerd/pull/11595))
  * [`3689dec42`](https://github.com/containerd/containerd/commit/3689dec42ccd1f4a054cf4c6be6aaef615e9a9d4) build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1
* build(deps): bump actions/cache from 4.2.2 to 4.2.3 ([#11592](https://github.com/containerd/containerd/pull/11592))
  * [`ce690b0a9`](https://github.com/containerd/containerd/commit/ce690b0a9d003636b699db4daab9c2090ee81687) build(deps): bump actions/cache from 4.2.2 to 4.2.3
* build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 ([#11593](https://github.com/containerd/containerd/pull/11593))
  * [`5b194505e`](https://github.com/containerd/containerd/commit/5b194505e836fd6b00cb3b59b7bdc3f17563ca42) build(deps): bump github/codeql-action from 3.28.11 to 3.28.13
* build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 ([#11594](https://github.com/containerd/containerd/pull/11594))
  * [`cb6a82a92`](https://github.com/containerd/containerd/commit/cb6a82a9213623fcf2d6cd7af990741083eb509b) build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
* build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6 ([#11598](https://github.com/containerd/containerd/pull/11598))
  * [`d080d441d`](https://github.com/containerd/containerd/commit/d080d441d228f39b0db91664bba6410744f8dfc3) build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
* build(deps): bump github.com/opencontainers/selinux from 1.11.1 to 1.12.0 ([#11596](https://github.com/containerd/containerd/pull/11596))
  * [`7e7c3b0a8`](https://github.com/containerd/containerd/commit/7e7c3b0a84a33c80a8c3b72398dcb559acd1cee8) build(deps): bump github.com/opencontainers/selinux
* *: CRIImageService should delete image synchronously ([#11581](https://github.com/containerd/containerd/pull/11581))
  * [`e7b4165ab`](https://github.com/containerd/containerd/commit/e7b4165ab28767c1c7c498a329461f4a023295ac) *: CRIImageService should delete image synchronously
* Update max container log line size json field ([#11452](https://github.com/containerd/containerd/pull/11452))
  * [`7f9ca1dcb`](https://github.com/containerd/containerd/commit/7f9ca1dcb46ab124af1e7510dc54ff6c07c94305) update max container log line size json field
* Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
  * [`42effa3b9`](https://github.com/containerd/containerd/commit/42effa3b911c5bbfa0c0b2516bb1556e5dc205ae) Mark `NetworkPluginBinDir` as DEPRECATED
  * [`71f593d4a`](https://github.com/containerd/containerd/commit/71f593d4a23aa82316ff7f4f6c5f6c229fdeddce) Support multiple CNI plugin bin dirs
* go.mod: tags.cncf.io/container-device-interface v1.0.1 ([#11582](https://github.com/containerd/containerd/pull/11582))
  * [`10fae41ad`](https://github.com/containerd/containerd/commit/10fae41ad8245a187596d5d5d600b63b515bd674) go.mod: tags.cncf.io/container-device-interface v1.0.1
* cri: introduce io.containerd.timeout.cri.defercleanup setting ([#11380](https://github.com/containerd/containerd/pull/11380))
  * [`7c522819d`](https://github.com/containerd/containerd/commit/7c522819d290d725b224a503deeca554e908cda2) support to set defer cleanup timeout to decrease ctx timeout
* Update runc binary to v1.2.6 ([#11560](https://github.com/containerd/containerd/pull/11560))
  * [`3e96f1a51`](https://github.com/containerd/containerd/commit/3e96f1a51c4dc5bfa08ae2b333c9c9462bbd4c78) Update runc binary to v1.2.6
* build(deps): bump docker/login-action from 3.3.0 to 3.4.0 ([#11552](https://github.com/containerd/containerd/pull/11552))
  * [`234a4411f`](https://github.com/containerd/containerd/commit/234a4411f2a1145b91609274e56f5fb3f660aacc) build(deps): bump docker/login-action from 3.3.0 to 3.4.0
* bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
  * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
* build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0 to 2.0.1 ([#11570](https://github.com/containerd/containerd/pull/11570))
  * [`14e94bcbf`](https://github.com/containerd/containerd/commit/14e94bcbf32eb4d35181e7b648c42f05a9497242) build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0 to 2.0.1
* build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.2 ([#11554](https://github.com/containerd/containerd/pull/11554))
  * [`80e3fc4ce`](https://github.com/containerd/containerd/commit/80e3fc4cecfd5a86f4739bc0060df885aa80a312) build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.2
* build(deps): bump tags.cncf.io/container-device-interface from 0.8.1 to 1.0.0 ([#11522](https://github.com/containerd/containerd/pull/11522))
  * [`6670d4153`](https://github.com/containerd/containerd/commit/6670d415346e6793617d5894e97608f05ef34c72) build(deps): bump tags.cncf.io/container-device-interface
* build(deps): bump the k8s group with 5 updates ([#11553](https://github.com/containerd/containerd/pull/11553))
  * [`ec5d686b1`](https://github.com/containerd/containerd/commit/ec5d686b1027f21afa6c56271cb2a7df7d754c6c) build(deps): bump the k8s group with 5 updates
* Fix CI lint error ([#11555](https://github.com/containerd/containerd/pull/11555))
  * [`c8effff1a`](https://github.com/containerd/containerd/commit/c8effff1a823bed757194584a80a043c3a69da1a) Fix CI lint error
  * [`b430e5ac3`](https://github.com/containerd/containerd/commit/b430e5ac3accf636cf52b0128b27bb828574cbcf) Merge commit from fork
  * [`de1341c20`](https://github.com/containerd/containerd/commit/de1341c201ffb0effebbf51d00376181968c8779) validate uid/gid
* Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 ([#11544](https://github.com/containerd/containerd/pull/11544))
  * [`8028a1d08`](https://github.com/containerd/containerd/commit/8028a1d086620f7ebf9d8b5446e3abb06bdecdc3) Bump github.com/go-jose/go-jose/v4 from v4.0.4 to v4.0.5
  * [`ce055b530`](https://github.com/containerd/containerd/commit/ce055b530556532a2f0d92bdcd39bc89739cdbd8) Bump golang.org/x/text from 0.22.0 to 0.23.0
  * [`e0aaed012`](https://github.com/containerd/containerd/commit/e0aaed0120ba2aa7e9245390a94a2fc550ee5c34) Bump golang.org/x/term from 0.29.0 to 0.30.0
* fix: repeat args from sub-func call ([#11512](https://github.com/containerd/containerd/pull/11512))
  * [`b947e0566`](https://github.com/containerd/containerd/commit/b947e056634177e2e21ea7317b5496956213e004) fix: repeat args from sub-func call
* build(deps): bump github.com/prometheus/client_golang from 1.20.5 to 1.21.1 ([#11525](https://github.com/containerd/containerd/pull/11525))
  * [`75252f975`](https://github.com/containerd/containerd/commit/75252f9759c3bd3dfaf6fb2f5af12771ff1a1810) build(deps): bump github.com/prometheus/client_golang
* integration: update TestUpgrade for 2.1 ([#11519](https://github.com/containerd/containerd/pull/11519))
  * [`06daffb4d`](https://github.com/containerd/containerd/commit/06daffb4d1b65288d4e3c94b172efeddd8d61851) integration: update TestUpgrade for 2.1
* config:fix config migrate lost timeout config ([#11532](https://github.com/containerd/containerd/pull/11532))
  * [`531adbf06`](https://github.com/containerd/containerd/commit/531adbf065160bf91315ef17cd5e70f9895d86b5) config:fix config migrate lost timeout config
* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
  * [`c4982bffc`](https://github.com/containerd/containerd/commit/c4982bffc6dd887a58a189f8a6be99b1b1542953) Add dial timeout field to hosts toml configuration
* Prepare release notes for v2.1.0-beta.0 ([#11510](https://github.com/containerd/containerd/pull/11510))
  * [`12762891d`](https://github.com/containerd/containerd/commit/12762891d6c4e0e91384c01650c102d911f9a915) Remove test for issue 10467
  * [`93cc1e6eb`](https://github.com/containerd/containerd/commit/93cc1e6eb96c099e50f6cc0c7f68feeacf09dc48) Fix upgrade test runtime config
  * [`833d6bc8e`](https://github.com/containerd/containerd/commit/833d6bc8e932a6e2e24b4b3bd4ead920fe8e6035) Update release status for 2.1 to beta
  * [`71cfe00ee`](https://github.com/containerd/containerd/commit/71cfe00eec7b22a392458f4d87261dbd6e828af5) Prepare release notes for v2.1.0-beta.n
  * [`be8fe50f4`](https://github.com/containerd/containerd/commit/be8fe50f49a0fb2752b52d560ab1039dbfd83af4) Update the upgrade test to handle 2.1
* build(deps): bump the otel group with 8 updates ([#11521](https://github.com/containerd/containerd/pull/11521))
  * [`94dd70f4f`](https://github.com/containerd/containerd/commit/94dd70f4f0c659526f3b75dc278530dd8d429628) build(deps): bump the otel group with 8 updates
* client: Respect `client.WithTimeout` option ([#11508](https://github.com/containerd/containerd/pull/11508))
  * [`ee574e76e`](https://github.com/containerd/containerd/commit/ee574e76e7f6bbe239298163eab6ccd8b94d73b3) client: Respect `client.WithTimeout` option
* build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 ([#11523](https://github.com/containerd/containerd/pull/11523))
  * [`700b98415`](https://github.com/containerd/containerd/commit/700b98415ef82825d18f53612e2e00eb16197d37) build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
* build(deps): bump the golang-x group with 3 updates ([#11520](https://github.com/containerd/containerd/pull/11520))
  * [`85c04ab0e`](https://github.com/containerd/containerd/commit/85c04ab0ec8d50c042e4665254342730b0d67175) build(deps): bump the golang-x group with 3 updates
* add k8s 1.32 to support table and as tested containerd supported branches at the time of release ([#11534](https://github.com/containerd/containerd/pull/11534))
  * [`5bbd3ed1b`](https://github.com/containerd/containerd/commit/5bbd3ed1b1993c30188cd5b1acb959bb44469127) add k8s 1.32 and as tested containerd supported branches at the time of release
* build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 ([#11524](https://github.com/containerd/containerd/pull/11524))
  * [`c37e48b07`](https://github.com/containerd/containerd/commit/c37e48b07c51f6877a268f69a9d7d85c54e7d97f) build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
  * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
* build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 ([#11526](https://github.com/containerd/containerd/pull/11526))
  * [`d7de182dd`](https://github.com/containerd/containerd/commit/d7de182ddf46b61b894d363c76b92f5fbc24cccb) build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3
* build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 ([#11527](https://github.com/containerd/containerd/pull/11527))
  * [`9f885ea4f`](https://github.com/containerd/containerd/commit/9f885ea4f549febd5de9fde536006f9484e12df5) build(deps): bump github/codeql-action from 3.28.10 to 3.28.11
* build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2 ([#11528](https://github.com/containerd/containerd/pull/11528))
  * [`88faaac97`](https://github.com/containerd/containerd/commit/88faaac973dee7326e765a601bcdc6cf42843518) build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2
* add name in package version ([#11518](https://github.com/containerd/containerd/pull/11518))
  * [`405a952c6`](https://github.com/containerd/containerd/commit/405a952c653b2ec912cbfdef2c89b43151a072bd) add name in package version
* update to go1.23.7 / go1.24.1 ([#11513](https://github.com/containerd/containerd/pull/11513))
  * [`4f090fe77`](https://github.com/containerd/containerd/commit/4f090fe772b33191fa5e47a6b826ee56f45463f2) update to go1.23.7 / go1.24.1
* Don't produce unnecessary logs when encountering attestations ([#11327](https://github.com/containerd/containerd/pull/11327))
  * [`3cdfc1003`](https://github.com/containerd/containerd/commit/3cdfc1003dbde389d1d3bd012202be534bf6a4cf) core/remotes: Handle attestations in MakeRefKey
  * [`e751b6bb1`](https://github.com/containerd/containerd/commit/e751b6bb1db7936ee111322ff199d9f708c27428) core/images: Ignore attestations when traversing children
* perf(applyNaive): avoid walking the tree for each file in the same directory ([#11337](https://github.com/containerd/containerd/pull/11337))
  * [`d8063c30d`](https://github.com/containerd/containerd/commit/d8063c30dd05ca71e7b2d8d78360af6835dd5e46) perf(applyNaive): avoid walking the tree for each file in the same directory
* Update runtime-spec to v1.2.1 ([#11460](https://github.com/containerd/containerd/pull/11460))
  * [`f8f205382`](https://github.com/containerd/containerd/commit/f8f205382adcad407b7e95e76b18e787e0688b35) Update runtime-spec to v1.2.1
* docs: include note about unprivileged sysctls ([#11502](https://github.com/containerd/containerd/pull/11502))
  * [`edd1cc50d`](https://github.com/containerd/containerd/commit/edd1cc50d5f3c474fe6f09927afbe9be4c7c10da) docs: include note about unprivileged sysctls
* ci: update GitHub Actions release runner to ubuntu-24.04 ([#11479](https://github.com/containerd/containerd/pull/11479))
  * [`705518e58`](https://github.com/containerd/containerd/commit/705518e58b98e868cba35c116d9e46e88f9928bf) ci: update GitHub Actions release runner to ubuntu-24.04
* e2e: use the shim bundled with containerd artifact ([#11489](https://github.com/containerd/containerd/pull/11489))
  * [`393ad5b11`](https://github.com/containerd/containerd/commit/393ad5b11ea3aae3d86f60400f40cf63849eda40) e2e: use the shim bundled with containerd artifact
* build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 ([#11450](https://github.com/containerd/containerd/pull/11450))
  * [`e84e5a215`](https://github.com/containerd/containerd/commit/e84e5a215cab4d189e05e989e94ae26cb84553cf) build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0
  * [`00cb73503`](https://github.com/containerd/containerd/commit/00cb7350392b13cb8c21c5f422304bde7317a760) Swap to go.etcd.io/bbolt/errors for bbolt errors
* CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0 ([#11482](https://github.com/containerd/containerd/pull/11482))
  * [`af5ff5a1f`](https://github.com/containerd/containerd/commit/af5ff5a1f18c7fb899d5a12434616db62a4a3bee) CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0
* device mapper:fix sometimes blkdiscard doesn't have --version flags ([#11330](https://github.com/containerd/containerd/pull/11330))
  * [`44baada6a`](https://github.com/containerd/containerd/commit/44baada6aa88a4eb1c1adddceb353b14396cc442) device mapper:fix sometimes blkdiscard doesn't have --version flags
* docs: add CRI Plugin Config runtime_path ([#11402](https://github.com/containerd/containerd/pull/11402))
  * [`a1e7457bc`](https://github.com/containerd/containerd/commit/a1e7457bc486036559d01fe4a88327417efcf6c1) docs: add CRI Plugin Config runtime_path
* Consolidate security profile logic into a common pkg ([#11080](https://github.com/containerd/containerd/pull/11080))
  * [`71958731e`](https://github.com/containerd/containerd/commit/71958731e82a9068e783db9d578586841fd52404) move security profile to cri/sputil pkg
* erofs-snapshotter: two bug-fixes ([#11476](https://github.com/containerd/containerd/pull/11476))
  * [`3a5de731c`](https://github.com/containerd/containerd/commit/3a5de731c587342ccc8691acd5d4ae2154b9511c) erofs-snapshotter: clear IMMUTABLE_FL only for committed snapshots
  * [`971915797`](https://github.com/containerd/containerd/commit/971915797acd86cb4ea7efc7641cb17bec90c896) erofs-snapshotter: force the use of loop devices for single-layer images
* CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0 ([#11481](https://github.com/containerd/containerd/pull/11481))
  * [`10f2b7fde`](https://github.com/containerd/containerd/commit/10f2b7fded7fb91966a9af77d0dae06d872d2c5d) CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
* build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11474](https://github.com/containerd/containerd/pull/11474))
  * [`69c0d7f60`](https://github.com/containerd/containerd/commit/69c0d7f60f74210d6e41515e9064bb96362683c7) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
* build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 ([#11464](https://github.com/containerd/containerd/pull/11464))
  * [`72ac5cad4`](https://github.com/containerd/containerd/commit/72ac5cad446bdb315c83a2f720f55ecdffba3780) build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
* build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 ([#11467](https://github.com/containerd/containerd/pull/11467))
  * [`001dfeb19`](https://github.com/containerd/containerd/commit/001dfeb19f791348d3fc89c7d93ad23c971c7b93) build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0
* build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 ([#11468](https://github.com/containerd/containerd/pull/11468))
  * [`86734729f`](https://github.com/containerd/containerd/commit/86734729fb1274b11fd2a3c97bf61bcc486017e6) build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
* build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 ([#11469](https://github.com/containerd/containerd/pull/11469))
  * [`9b0b67951`](https://github.com/containerd/containerd/commit/9b0b679519dc25f20c1084ca719e6225286f3534) build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0
* build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 ([#11470](https://github.com/containerd/containerd/pull/11470))
  * [`20fa1ca46`](https://github.com/containerd/containerd/commit/20fa1ca46ddb35799fa67c6743ea8652b3bd54f2) build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2
* build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
  * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
* build(deps): bump actions/cache from 4.2.1 to 4.2.2 ([#11471](https://github.com/containerd/containerd/pull/11471))
  * [`0eea93d68`](https://github.com/containerd/containerd/commit/0eea93d6873c2b7b26a4c7bae0bfbd29c9039f3c) build(deps): bump actions/cache from 4.2.1 to 4.2.2
* Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
  * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
* Remove After=local-fs.target from containerd.service ([#11116](https://github.com/containerd/containerd/pull/11116))
  * [`e0459262b`](https://github.com/containerd/containerd/commit/e0459262ba8b52e936b3b2e555e7faeab846b600) Remove After=local-fs.target from containerd.service
* erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL ([#11431](https://github.com/containerd/containerd/pull/11431))
  * [`b477cf8e9`](https://github.com/containerd/containerd/commit/b477cf8e97b6facd183bba964631a36ef7a3d32b) erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL
* Log "container event discarded" as Info ([#11115](https://github.com/containerd/containerd/pull/11115))
  * [`6c7b1afe5`](https://github.com/containerd/containerd/commit/6c7b1afe5127c0f8827a8995c1756ab71289ec98) Log "container event discarded" as Info
* Fix privileged container sysfs can't be rw because pod is ro by default ([#11271](https://github.com/containerd/containerd/pull/11271))
  * [`1fc497218`](https://github.com/containerd/containerd/commit/1fc497218ac5f83fa65b9043bc3bc2bc0dee219c) Fix privileged container sysfs can't be rw because pod is ro by default
* cri,nri: fix initial sync race of registering NRI plugins. ([#11384](https://github.com/containerd/containerd/pull/11384))
  * [`6a01ad3e1`](https://github.com/containerd/containerd/commit/6a01ad3e16c57c631febb92090bbca5c331e2f7d) cri,nri: block NRI plugin sync. during event processing.
* proxy: break up writes from the remote writer to avoid grpc limits ([#11441](https://github.com/containerd/containerd/pull/11441))
  * [`f25f36c33`](https://github.com/containerd/containerd/commit/f25f36c334144d87233e06b0de90522ebd97e144) proxy: break up writes from the remote writer to avoid grpc limits
* build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 ([#11423](https://github.com/containerd/containerd/pull/11423))
  * [`0500dacf6`](https://github.com/containerd/containerd/commit/0500dacf609df804e3cb025f024f39e5e32cb1e4) build(deps): bump github/codeql-action from 3.28.9 to 3.28.10
* go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11449](https://github.com/containerd/containerd/pull/11449))
  * [`22d568fb5`](https://github.com/containerd/containerd/commit/22d568fb5a8381fd20ea4e385f8aff9899e0e710) Update CDI dependency to v0.8.1.
* build(deps): bump the k8s group across 1 directory with 6 updates ([#11398](https://github.com/containerd/containerd/pull/11398))
  * [`d2b5653c1`](https://github.com/containerd/containerd/commit/d2b5653c11b6dc9023609cc9ca35b334e53768c0) build(deps): bump the k8s group across 1 directory with 6 updates
* Prefer runtime options for PluginInfo request ([#11442](https://github.com/containerd/containerd/pull/11442))
  * [`51f063f07`](https://github.com/containerd/containerd/commit/51f063f0716871070f6a8995902ee6a679ee9c45) Prefer runtime options for PluginInfo request
* pkg: prevent oom watcher from depending on shim pkg ([#11433](https://github.com/containerd/containerd/pull/11433))
  * [`268880bf5`](https://github.com/containerd/containerd/commit/268880bf53b39f8de4e6d7d668a8bb5e7ee3519a) [improve] prevent oom watcher depend on shim pkg.
* Ignore defunct verifier procs in test ([#11435](https://github.com/containerd/containerd/pull/11435))
  * [`76858ac8e`](https://github.com/containerd/containerd/commit/76858ac8e3129644fb4cf5ae9f86448655989cf4) Ignore defunct verifier procs in test
* CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11427](https://github.com/containerd/containerd/pull/11427))
  * [`4e7484d3f`](https://github.com/containerd/containerd/commit/4e7484d3f40a8ec07126eb16fae614aedafe630a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
* build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 ([#11424](https://github.com/containerd/containerd/pull/11424))
  * [`125525d6c`](https://github.com/containerd/containerd/commit/125525d6cd4aa85ac91f694e94b5bf8c9b647b6d) build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
* build(deps): bump actions/cache from 4.2.0 to 4.2.1 ([#11426](https://github.com/containerd/containerd/pull/11426))
  * [`86cde823a`](https://github.com/containerd/containerd/commit/86cde823a8361c3a3d3ff756da5523e89f1bb93b) build(deps): bump actions/cache from 4.2.0 to 4.2.1
* build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 ([#11425](https://github.com/containerd/containerd/pull/11425))
  * [`49257264f`](https://github.com/containerd/containerd/commit/49257264fec6c950d18bd6960b35e5ae12eafa02) build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
* erofs-snapshotter: add fsverity support ([#11352](https://github.com/containerd/containerd/pull/11352))
  * [`f3b6078f9`](https://github.com/containerd/containerd/commit/f3b6078f90bf61c87bab34c7f6c10eeb8258a465) erofs-snapshotter: add fsverity support
* Support for importing layers in the block CIM format. ([#11179](https://github.com/containerd/containerd/pull/11179))
  * [`a1c540085`](https://github.com/containerd/containerd/commit/a1c540085f86dcc8613e6db11b73bed4a3a02883) Support for importing layers in the block CIM format.
* perf(zstd): deactivate the low mem decoder ([#11335](https://github.com/containerd/containerd/pull/11335))
  * [`c51f5d26f`](https://github.com/containerd/containerd/commit/c51f5d26f1167d612d061cb20ae0cbb1ab00a0da) perf(zstd): deactivate the low mem decoder
* build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 ([#11370](https://github.com/containerd/containerd/pull/11370))
  * [`6a08d70e6`](https://github.com/containerd/containerd/commit/6a08d70e681b81049a2cabfd44216803662d6c8e) build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
* move the device after the options when using mkfs.ext4 ([#11362](https://github.com/containerd/containerd/pull/11362))
  * [`b98378638`](https://github.com/containerd/containerd/commit/b9837863815e2ffe5ea28e52afe24a2e1829863f) move the device after the options when using mkfs.ext4
* build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 ([#11313](https://github.com/containerd/containerd/pull/11313))
  * [`f23981281`](https://github.com/containerd/containerd/commit/f23981281e60fd5ad37d61e43a777ff64fbfb874) build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
* build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 ([#11397](https://github.com/containerd/containerd/pull/11397))
  * [`b8a759f1f`](https://github.com/containerd/containerd/commit/b8a759f1fd59eca20534e223fa8db2011ebbb519) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
* build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5 ([#11373](https://github.com/containerd/containerd/pull/11373))
  * [`326fbf074`](https://github.com/containerd/containerd/commit/326fbf07470ee61022e84f1387cf799aa86493b0) build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5
* Clarify port handling in `hosts.toml` ([#11393](https://github.com/containerd/containerd/pull/11393))
  * [`a502b7931`](https://github.com/containerd/containerd/commit/a502b7931babb81749c5236b38a09e5ae73fe88e) Clarify port handling in hosts toml
* Move `linters-settings.exclude-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11399](https://github.com/containerd/containerd/pull/11399))
  * [`480e1039f`](https://github.com/containerd/containerd/commit/480e1039fe23512e6c1ea4bd8db1be93ac125993) move exclude-dirs to issues.exclude-dirs
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
  * [`1ec10d9ae`](https://github.com/containerd/containerd/commit/1ec10d9ae7535ddd7b18e3c21b6cd8ff12a2f90d) Add OCI/Image Volume Source support
* build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 ([#11374](https://github.com/containerd/containerd/pull/11374))
  * [`17acb356f`](https://github.com/containerd/containerd/commit/17acb356f826ccf6dd6b0160dcce5e3aedf41f21) build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
* Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11323](https://github.com/containerd/containerd/pull/11323))
  * [`83b65e52f`](https://github.com/containerd/containerd/commit/83b65e52fddf9411009e396dda283a782921222f) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
* Update runc binary to v1.2.5 ([#11388](https://github.com/containerd/containerd/pull/11388))
  * [`938775864`](https://github.com/containerd/containerd/commit/938775864aba692f69d4bb143e1d6197b69b421b) Update runc binary to v1.2.5
* build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 ([#11369](https://github.com/containerd/containerd/pull/11369))
  * [`2f971ee2d`](https://github.com/containerd/containerd/commit/2f971ee2d474c403837500846e0deaa8ba399992) build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
* Remove noinline in seccomp/apparmor SpecOpts ([#11264](https://github.com/containerd/containerd/pull/11264))
  * [`222308416`](https://github.com/containerd/containerd/commit/222308416cd7d0204c4adf64ffdf438951e5aa64) Remove noinline in apparmor SpecOpts
  * [`2a4164ac8`](https://github.com/containerd/containerd/commit/2a4164ac868955ac9cb406cb4dc434d2eb3f9a16) Remove noinline in seccomp SpecOpts
* build(deps): bump the golang-x group with 3 updates ([#11371](https://github.com/containerd/containerd/pull/11371))
  * [`84e07f6b5`](https://github.com/containerd/containerd/commit/84e07f6b54400bf61d1242c42f3437384aec2a65) build(deps): bump the golang-x group with 3 updates
* update to go 1.24.0 / go1.23.6 ([#11377](https://github.com/containerd/containerd/pull/11377))
  * [`df99aa321`](https://github.com/containerd/containerd/commit/df99aa321a274c50de87332a067537cea746fd5c) update to go 1.24.0 / go1.23.6
  * [`41eaa41c4`](https://github.com/containerd/containerd/commit/41eaa41c43787755427aa430149a9c857c643be3) update golangci-lint to v1.64.2
* build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 ([#11368](https://github.com/containerd/containerd/pull/11368))
  * [`2b8a7f253`](https://github.com/containerd/containerd/commit/2b8a7f253dee9bd8a4dc650eb27fbd803a64c97a) build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0
* build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 ([#11367](https://github.com/containerd/containerd/pull/11367))
  * [`bdb8cb5a8`](https://github.com/containerd/containerd/commit/bdb8cb5a80915fc605dcdfa3e0b0f2eb2b293b1c) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
  * [`2f15d6586`](https://github.com/containerd/containerd/commit/2f15d6586b261d0f0bc68b847660dc2b691169db) Add tests for EROFS snapshotter
  * [`fd4caef78`](https://github.com/containerd/containerd/commit/fd4caef7866306f9e654f54ba0209c7f4a554ad9) Add EROFS snapshotter documentation
  * [`2486d542a`](https://github.com/containerd/containerd/commit/2486d542a5a96d71e3c8bb36517479e0a81f0131) Introduce EROFS Snapshotter
  * [`c73c8e5d5`](https://github.com/containerd/containerd/commit/c73c8e5d526aba6acf0eb75976bfc5a1037d64ac) Introduce EROFS differ
* Update RELEASES.md for new release schedule and LTS policy ([#11294](https://github.com/containerd/containerd/pull/11294))
  * [`6d1f6e75d`](https://github.com/containerd/containerd/commit/6d1f6e75d65283dc6440556cfaf694c20059d77d) Update upgrade section
  * [`5f238fa82`](https://github.com/containerd/containerd/commit/5f238fa827a97e729592c1ed896a1192ba53ab09) Update to time based releases
  * [`886d971f8`](https://github.com/containerd/containerd/commit/886d971f855da042f1c83fc87b2074c858062f3b) Update LTS definition and support horizon
* nri: make OCI spec available on StopPodSandbox ([#11331](https://github.com/containerd/containerd/pull/11331))
  * [`2eb0aa6b9`](https://github.com/containerd/containerd/commit/2eb0aa6b988a508400d6567602e7f3af838ca3c4) nri: make OCI spec available on StopPodSandbox
* build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8 ([#11332](https://github.com/containerd/containerd/pull/11332))
  * [`565b50dbb`](https://github.com/containerd/containerd/commit/565b50dbb92f231ea1f416dead040d8e96f0963a) build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8
* build(deps): bump google-github-actions/upload-cloud-storage from 2.2.1 to 2.2.2 ([#11334](https://github.com/containerd/containerd/pull/11334))
  * [`b65f3875b`](https://github.com/containerd/containerd/commit/b65f3875ba3365a780ac9d9ace295c56ac230ee4) build(deps): bump google-github-actions/upload-cloud-storage
* build(deps): bump github/codeql-action from 3.28.6 to 3.28.8 ([#11333](https://github.com/containerd/containerd/pull/11333))
  * [`841ab361c`](https://github.com/containerd/containerd/commit/841ab361c1e52200319c08dc8b09f11e07d78f17) build(deps): bump github/codeql-action from 3.28.6 to 3.28.8
* Fix state/root bug in shim sandbox controller ([#11321](https://github.com/containerd/containerd/pull/11321))
  * [`168c49e4d`](https://github.com/containerd/containerd/commit/168c49e4dcf1fcfebcf5d751f5aa20747b2a2032) Fix state/root bug in shim sandbox controller
* build(deps): bump github/codeql-action from 3.28.1 to 3.28.6 ([#11315](https://github.com/containerd/containerd/pull/11315))
  * [`48d09104d`](https://github.com/containerd/containerd/commit/48d09104dcc4244672c590e9b6ab3ab71d8c9ce4) build(deps): bump github/codeql-action from 3.28.1 to 3.28.6
* build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 ([#11317](https://github.com/containerd/containerd/pull/11317))
  * [`0c986c332`](https://github.com/containerd/containerd/commit/0c986c332f072ce2273c06d2707976b321830423) build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0
* build(deps): bump actions/stale from 9.0.0 to 9.1.0 ([#11316](https://github.com/containerd/containerd/pull/11316))
  * [`575239789`](https://github.com/containerd/containerd/commit/5752397896d44d5807837c8a71e2c0f1769ba66a) build(deps): bump actions/stale from 9.0.0 to 9.1.0
* build(deps): bump the otel group across 1 directory with 8 updates ([#11286](https://github.com/containerd/containerd/pull/11286))
  * [`69e82f9cd`](https://github.com/containerd/containerd/commit/69e82f9cd3e29428bd480b1c349268a0723af51d) build(deps): bump the otel group across 1 directory with 8 updates
* build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 ([#11283](https://github.com/containerd/containerd/pull/11283))
  * [`19c546c97`](https://github.com/containerd/containerd/commit/19c546c9760b11c266a314bf25177b96d7a21f24) build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
* Update cimfs snapshotter & differ for new hcsshim interface ([#10033](https://github.com/containerd/containerd/pull/10033))
  * [`b81ace872`](https://github.com/containerd/containerd/commit/b81ace8724e154a0899679a05a98b7174804abed) Update cimfs snapshotter & differ for new hcsshim interface
* update to go1.23.5 / go1.22.11 ([#11277](https://github.com/containerd/containerd/pull/11277))
  * [`157faf65c`](https://github.com/containerd/containerd/commit/157faf65c55c5de56f636fe3466f59b43241abb3) update to go1.23.5 / go1.22.11
* build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 ([#11287](https://github.com/containerd/containerd/pull/11287))
  * [`f572a6db9`](https://github.com/containerd/containerd/commit/f572a6db9037e4a36225a4146a4344aaf34d692c) build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0
* client: add WithExtraDialOpts option ([#11276](https://github.com/containerd/containerd/pull/11276))
  * [`a6dc9905c`](https://github.com/containerd/containerd/commit/a6dc9905cbb1833c459362ba72928bd348967158) client: add WithExtraDialOpts option
* build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 ([#11282](https://github.com/containerd/containerd/pull/11282))
  * [`460e5a2e2`](https://github.com/containerd/containerd/commit/460e5a2e2bec851ba357dc1b738e3023841d0f2b) build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3
* build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 ([#11288](https://github.com/containerd/containerd/pull/11288))
  * [`36d3888cf`](https://github.com/containerd/containerd/commit/36d3888cf7eb7c9f533167cf93748ece98eb79cf) build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0
* build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 ([#11289](https://github.com/containerd/containerd/pull/11289))
  * [`4b77d4e41`](https://github.com/containerd/containerd/commit/4b77d4e41ef99e6526f3e20dae36bc301f648477) build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1
* build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 ([#11290](https://github.com/containerd/containerd/pull/11290))
  * [`22e77720b`](https://github.com/containerd/containerd/commit/22e77720b3e6aecbb299ad70c68e2ade6dfd0108) build(deps): bump github/codeql-action from 3.27.9 to 3.28.1
* build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 ([#11291](https://github.com/containerd/containerd/pull/11291))
  * [`53d6f3482`](https://github.com/containerd/containerd/commit/53d6f34822dda24bf7c8674305c93eadb4bad50b) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
  * [`ff0d99e02`](https://github.com/containerd/containerd/commit/ff0d99e02873ac04b4f73054d92d22683a501b7d) Add multiple uid/gid mapping test cases to integration tests
  * [`ec231cdcf`](https://github.com/containerd/containerd/commit/ec231cdcf27b4bfad8fd51dbe4a3a328158aeb86) Update ctr to support remapper labels with multiple uid/gid mapping entries
  * [`8bbfb6528`](https://github.com/containerd/containerd/commit/8bbfb65289f3a32fd5358bf7419f8b860a08fbed) Update snapshotter opts to support multiple uid/gid mapping entries
  * [`8a030d653`](https://github.com/containerd/containerd/commit/8a030d6537e42194cca894ebf89556af09dfade8) Update overlay snapshotter to support multiple uid/gid mappings
  * [`168ec21db`](https://github.com/containerd/containerd/commit/168ec21dbd6254088a47257d1a44812155d6d54c) Update idmapped mount to support multiple uid/gid mappings
  * [`a11405975`](https://github.com/containerd/containerd/commit/a114059759ec1d70ce04acfce028da54428689a9) Add RootPair() and serialization routines to userns idmap
* log: avoid using unsupported field by logrus ([#11148](https://github.com/containerd/containerd/pull/11148))
  * [`04f9e30db`](https://github.com/containerd/containerd/commit/04f9e30db313908c1209b7f7d526d5d3eb8467ed) log: avoid using unsupported field by logrus
* Move all fuzz tests to go native fuzz [part2] ([#11251](https://github.com/containerd/containerd/pull/11251))
  * [`b49df6af1`](https://github.com/containerd/containerd/commit/b49df6af11dbf7e4fc715e972c8e816edcb02309) move FuzzCRIServer to go native fuzz
  * [`6019bcdfb`](https://github.com/containerd/containerd/commit/6019bcdfbbed387b366e4e368c30475f5c31f054) move FuzzContainerdImport to go native fuzz
* Make ovl idmap mounts read-only ([#10955](https://github.com/containerd/containerd/pull/10955))
  * [`1e3d10dc2`](https://github.com/containerd/containerd/commit/1e3d10dc29616f7e81b3fef3314d7a44d593c48c) Make ovl idmap mounts read-only
* runtime/v2: add note about orphan process for runc-shim ([#10002](https://github.com/containerd/containerd/pull/10002))
  * [`58bd48ecf`](https://github.com/containerd/containerd/commit/58bd48ecff5418efbeacf27134d8adb3e58ab17d) add some doc for shim reap orphan process
* Fix panics in CI fuzz integration tests ([#11249](https://github.com/containerd/containerd/pull/11249))
  * [`b7a117b46`](https://github.com/containerd/containerd/commit/b7a117b4648c981275e7e7ac944bfabec45fc56a) Fix fuzz integration tests
* Move CDI device spec out of the OCI package ([#11262](https://github.com/containerd/containerd/pull/11262))
  * [`bdc847f1e`](https://github.com/containerd/containerd/commit/bdc847f1eb535a6728b6db3f2619d2a5ed0edbb9) Remove deprecated WithCDIDevices in oci spec opts
  * [`e20f7f4a2`](https://github.com/containerd/containerd/commit/e20f7f4a2425c005d85855abfd4556d7b4ccbf87) Move CDI device spec out of the OCI package
* docs: fix some function names in comment ([#11261](https://github.com/containerd/containerd/pull/11261))
  * [`740c5d428`](https://github.com/containerd/containerd/commit/740c5d4284de1704ffab91bf03967346ae7d29a9) docs: fix some function names in comment
* Use a order-only-prerequisite for mandir creation ([#11132](https://github.com/containerd/containerd/pull/11132))
  * [`ffbe1b573`](https://github.com/containerd/containerd/commit/ffbe1b5738951aed8945bf58c23e634433e77eb1) Use a order-only-prerequisite for mandir creation
* Update platforms to latest rc ([#11257](https://github.com/containerd/containerd/pull/11257))
  * [`6148dbdd7`](https://github.com/containerd/containerd/commit/6148dbdd778942f7b1f5361d3e18859ada70f4d6) Update platforms to latest rc
* Remove confusing warning in cri runtime config migration ([#10980](https://github.com/containerd/containerd/pull/10980))
  * [`fb44e37ff`](https://github.com/containerd/containerd/commit/fb44e37ff27325edda8e8ad178e1c057139cd4f2) Remove confusing warning in cri runtime config migration
* Unify default transport in docker resolver ([#11167](https://github.com/containerd/containerd/pull/11167))
  * [`47c4dba40`](https://github.com/containerd/containerd/commit/47c4dba40935f8c887a7d43f6fbfca5fafadeb7f) Unify default transport in docker resolver
* Clarify Go client API guidance ([#11093](https://github.com/containerd/containerd/pull/11093))
  * [`9fc711a8a`](https://github.com/containerd/containerd/commit/9fc711a8a0f5ca61007c855d087c5a806d2273cc) Clarify Go client API guidance
* build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-x group ([#11225](https://github.com/containerd/containerd/pull/11225))
  * [`ef7fa43c9`](https://github.com/containerd/containerd/commit/ef7fa43c9a8ee086eada91630dcfe3ec8cc276b0) build(deps): bump golang.org/x/sys in the golang-x group
* Fix runtime platform loading in cri image plugin init ([#11165](https://github.com/containerd/containerd/pull/11165))
  * [`ef0e70922`](https://github.com/containerd/containerd/commit/ef0e7092287ac4816e9a9fdfd6925e6f75657f41) Fix runtime platform loading in cri image plugin init
* ci: fix the issue of config_file unset ([#11240](https://github.com/containerd/containerd/pull/11240))
  * [`e1aeb37cd`](https://github.com/containerd/containerd/commit/e1aeb37cdf10ed2ed4b2dd4be02d68a556acc106) ci: fix the issue of config_file unset
* Fix go-cni race condition ([#11244](https://github.com/containerd/containerd/pull/11244))
  * [`09bf281ec`](https://github.com/containerd/containerd/commit/09bf281ec415a6029177c60688e261dab55e3944) fix go-cni race condition
* make sure console master tty is closed on task exit ([#11161](https://github.com/containerd/containerd/pull/11161))
  * [`652e4d0b1`](https://github.com/containerd/containerd/commit/652e4d0b10490c4c2cfc94791ea80b5a16ff38ea) Add integ test to check tty leak
  * [`aedb079bf`](https://github.com/containerd/containerd/commit/aedb079bf18f1f913b705d9b791beebcf1962cdd) fix master tty leak due to leaking init container object
* Move fuzz tests to go native fuzz [part1] ([#11189](https://github.com/containerd/containerd/pull/11189))
  * [`e70977180`](https://github.com/containerd/containerd/commit/e70977180ae55ad0bd28e2438b15170d83100d48) change metadata fuzz operations as const and slice instead of map
  * [`a4e3218e8`](https://github.com/containerd/containerd/commit/a4e3218e8f4a817ca0d7f44f622b97e0c83189b7) change tmp dir creation in fuzz to t.TempDir
  * [`a8c643cc5`](https://github.com/containerd/containerd/commit/a8c643cc51b4793189ac6291a62fcc1c3990af50) change copyright from ADA Logics to containerd
  * [`a55083007`](https://github.com/containerd/containerd/commit/a5508300782032adf7011d17a02268a425e3b14c) Remove github.com/AdamKorcz/go-118-fuzz-build in go.mod
  * [`2de103029`](https://github.com/containerd/containerd/commit/2de1030299c1626b2c235c0ed21040bce91f57d3) Move fuzz tests to go native fuzz [part1]
* Bump up otelttrpc to 0.1.0 ([#11241](https://github.com/containerd/containerd/pull/11241))
  * [`15d3bf9b2`](https://github.com/containerd/containerd/commit/15d3bf9b248d423c457e871fe001eeb129a3fa82) Bump up otelttrpc to 0.1.0
* Add snapshotter exports to unpack platform ([#11227](https://github.com/containerd/containerd/pull/11227))
  * [`63f604728`](https://github.com/containerd/containerd/commit/63f6047282525748e13ed91892b50583771c6427) Add snapshotter exports to unpack platform
* ctr: `ctr images import --all-platforms`: fix unpack ([#11229](https://github.com/containerd/containerd/pull/11229))
  * [`79a42eedc`](https://github.com/containerd/containerd/commit/79a42eedc724cd248a995cbf1174d3800d948d52) ctr: `ctr images import --all-platforms`: fix unpack
* Deflake TestFailFastWhenConnectShim by making TestContainerCgroupWritable not parallel ([#11235](https://github.com/containerd/containerd/pull/11235))
  * [`e65283321`](https://github.com/containerd/containerd/commit/e6528332195d23bf98ba58124b4cd647223e6969) make TestContainerCgroupWritable not parallel
* update runc binary to v1.2.4 ([#11230](https://github.com/containerd/containerd/pull/11230))
  * [`54ed595e1`](https://github.com/containerd/containerd/commit/54ed595e1db892e09083e01f6520bc847bf99ee9) update runc binary to v1.2.4
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
  * [`1363849b0`](https://github.com/containerd/containerd/commit/1363849b034a1daf58a4d677e758124d7ea7087e) Add integration test
  * [`dda702042`](https://github.com/containerd/containerd/commit/dda7020429a06a1d5549ced9391cc2f85f94adef) Enable Writable cgroups for unprivileged containers
* Avoid duplicated chain ID calculation in unpack ([#11219](https://github.com/containerd/containerd/pull/11219))
  * [`d156d3df9`](https://github.com/containerd/containerd/commit/d156d3df9620844491a4e6c94945693d5c7df043) Benchamrk chainID calculation in unpack
  * [`95f45541e`](https://github.com/containerd/containerd/commit/95f45541e47253610ed83b064dab2124a11027e8) Avoid duplicated chain ID calculation in unpack
* downgrade go-difflib and go-spew to tagged releases ([#11220](https://github.com/containerd/containerd/pull/11220))
  * [`00a11e91d`](https://github.com/containerd/containerd/commit/00a11e91d38b5a1e3540382eaedfda878b1314b1) downgrade go-difflib and go-spew to tagged releases
* Bump seccomp version to be the same as one in runc repo ([#11200](https://github.com/containerd/containerd/pull/11200))
  * [`4f2f12be6`](https://github.com/containerd/containerd/commit/4f2f12be6d91868a3b39d441ac598f876b47a6c0) Bump seccomp version to be the same as one in runc repo
* Remove loop variable copies ([#11194](https://github.com/containerd/containerd/pull/11194))
  * [`bee64b2b9`](https://github.com/containerd/containerd/commit/bee64b2b93ba0494ecff94b72748427d5abe20a5) Remove loop variable copies
* build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1 ([#11192](https://github.com/containerd/containerd/pull/11192))
  * [`4a4a027f7`](https://github.com/containerd/containerd/commit/4a4a027f7984c415d94054f6f6e14a6369a7dcd7) build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
* bump up ttrpc to use its MD.Clone ([#11204](https://github.com/containerd/containerd/pull/11204))
  * [`ee6338188`](https://github.com/containerd/containerd/commit/ee63381887da22ecc1be8ef2a3e441a72a013e93) bump up ttrpc to use its MD.Clone
* build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 ([#11193](https://github.com/containerd/containerd/pull/11193))
  * [`9bb31b706`](https://github.com/containerd/containerd/commit/9bb31b706c898a9475638206d2c5813fd9e8d77f) build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
* build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0 ([#11181](https://github.com/containerd/containerd/pull/11181))
  * [`7f3599f09`](https://github.com/containerd/containerd/commit/7f3599f09396bf69496e1cf189b999acc0db13a5) build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0
* build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5 ([#11191](https://github.com/containerd/containerd/pull/11191))
  * [`f98d5fdb6`](https://github.com/containerd/containerd/commit/f98d5fdb6f684410bea0881159ea0df354cae41b) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5
* Update golangci to 1.60.3 ([#11185](https://github.com/containerd/containerd/pull/11185))
  * [`26a156f4f`](https://github.com/containerd/containerd/commit/26a156f4fd285ecddcdead54105022348075ad62) Update golangci to 1.60.3
* build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 ([#11170](https://github.com/containerd/containerd/pull/11170))
  * [`a172d2c11`](https://github.com/containerd/containerd/commit/a172d2c116daeb101700d9d6c3a3622623c7446d) build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0
* Update golangci-lint version in dev tools script ([#11180](https://github.com/containerd/containerd/pull/11180))
  * [`fa531f808`](https://github.com/containerd/containerd/commit/fa531f808b72c6667844ec56cbd9e6e5f23e974d) Update golangci-lint version in dev tools script
* build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 ([#11177](https://github.com/containerd/containerd/pull/11177))
  * [`2f37b9da3`](https://github.com/containerd/containerd/commit/2f37b9da392387fac21d375874473a017bcefb8b) build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
* build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#11176](https://github.com/containerd/containerd/pull/11176))
  * [`4e4537a87`](https://github.com/containerd/containerd/commit/4e4537a87a8ee66debb947df455cae6e68e0dd5d) build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
* build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 ([#11171](https://github.com/containerd/containerd/pull/11171))
  * [`d29751424`](https://github.com/containerd/containerd/commit/d297514248daffa3124e529a5ada4f57a15dbb12) build(deps): bump github/codeql-action from 3.27.6 to 3.27.9
* build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 ([#11172](https://github.com/containerd/containerd/pull/11172))
  * [`31e129856`](https://github.com/containerd/containerd/commit/31e12985601773ce5417926db6eda9c9d63dc445) build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0
* build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0-rc.1 to 2.0.0 ([#11174](https://github.com/containerd/containerd/pull/11174))
  * [`f6e956c22`](https://github.com/containerd/containerd/commit/f6e956c2240a3d4dba6c9e6589993d051ff82849) build(deps): bump github.com/containerd/imgcrypt/v2
* build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 ([#11126](https://github.com/containerd/containerd/pull/11126))
  * [`aeb414021`](https://github.com/containerd/containerd/commit/aeb414021b07a625cc58d555aabb18bd5cf51f3d) build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1
* test: prevent segfault in imageverifier test ([#10851](https://github.com/containerd/containerd/pull/10851))
  * [`1617fd72e`](https://github.com/containerd/containerd/commit/1617fd72e10634923f75bb27ca00a23cf2f19ecb) test: prevent segfault in imageverifier test
* Report an error when cni confDir removed ([#10646](https://github.com/containerd/containerd/pull/10646))
  * [`0c2805a6e`](https://github.com/containerd/containerd/commit/0c2805a6e452dba5e42b3723b6ba069b811f7c9a) Report an error when cni confDir removed
* build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 ([#11122](https://github.com/containerd/containerd/pull/11122))
  * [`afee762fb`](https://github.com/containerd/containerd/commit/afee762fbfac0141b50040a1ea8197b02eafa3c1) build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
* vendor: update golang.org/x/ dependencies ([#11145](https://github.com/containerd/containerd/pull/11145))
  * [`23e014140`](https://github.com/containerd/containerd/commit/23e01414069df958db56ca24fd7806979a9f2f2a) vendor: golang.org/x/crypto v0.31.0
  * [`9b3d999bd`](https://github.com/containerd/containerd/commit/9b3d999bd9affbfe7df5bd7ef8e5df9446eda56f) vendor: golang.org/x/term v0.27.0
  * [`1032fad27`](https://github.com/containerd/containerd/commit/1032fad2721a01ec321881c44963958dcb9b2ed8) vendor: golang.org/x/text v0.21.0
  * [`6764e62cf`](https://github.com/containerd/containerd/commit/6764e62cf7518dd6bc7050ed2d33a52a107fd1cd) vendor: golang.org/x/sync v0.10.0
  * [`160676647`](https://github.com/containerd/containerd/commit/1606766479f3e37318c5f4144d6d3d989cba51aa) vendor: golang.org/x/sys v0.28.0
* build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11124](https://github.com/containerd/containerd/pull/11124))
  * [`927012243`](https://github.com/containerd/containerd/commit/9270122437f5a0105c74b49089fddc1a2c2648af) build(deps): bump actions/cache from 4.1.2 to 4.2.0
* internal/cri: should not apply IoOwner options if it's not user namespace ([#11104](https://github.com/containerd/containerd/pull/11104))
  * [`2c4c04032`](https://github.com/containerd/containerd/commit/2c4c040328e161ef04913d8470a7dd61caf9f1be) internal/cri: should not apply IoOwner options
* update runc binary to v1.2.3 ([#11141](https://github.com/containerd/containerd/pull/11141))
  * [`981414521`](https://github.com/containerd/containerd/commit/981414521baf578a313c7b7af034ade6cb92b10d) update runc binary to v1.2.3
* cmd/ctr: allow user to syncfs during unpacking image locally ([#11118](https://github.com/containerd/containerd/pull/11118))
  * [`11b78255d`](https://github.com/containerd/containerd/commit/11b78255de6544fc91d5f523bdfec2bef2a711ca) cmd: add syncfs option to ctr command
* Update go-cni for CNI STATUS ([#11135](https://github.com/containerd/containerd/pull/11135))
  * [`1f220b23e`](https://github.com/containerd/containerd/commit/1f220b23e298b61f5ece5a994ef2a37a843732b0) feat: update go-cni version for CNI STATUS
* Complete cri grpc plugin config migration ([#11061](https://github.com/containerd/containerd/pull/11061))
  * [`ed39dfa5d`](https://github.com/containerd/containerd/commit/ed39dfa5d64d872c8a0b7b88b4973395028b2b1e) Add integration test for custom configuration
  * [`8540fed77`](https://github.com/containerd/containerd/commit/8540fed77493a5a205524b47b810726a0de288eb) complete cri grpc config migration
* ctr pull should unpack for default platform when transfer service is used ([#11086](https://github.com/containerd/containerd/pull/11086))
  * [`4c11d753c`](https://github.com/containerd/containerd/commit/4c11d753ca9964bf70f087560c85614741ca35a5) ctr pull unpack for default platform using transfer service
* update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ ([#11130](https://github.com/containerd/containerd/pull/11130))
  * [`d76f92f24`](https://github.com/containerd/containerd/commit/d76f92f2402049869e5fd94087aeed1a9fddc729) update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
* build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 ([#11123](https://github.com/containerd/containerd/pull/11123))
  * [`73864c520`](https://github.com/containerd/containerd/commit/73864c52037da5cf870a9c11359ab197cdf08fe4) build(deps): bump github/codeql-action from 3.27.5 to 3.27.6
* CI: update Fedora to 41 ([#10930](https://github.com/containerd/containerd/pull/10930))
  * [`6fdc35243`](https://github.com/containerd/containerd/commit/6fdc352439dfdf88ac7a62c95f5fb1fa07ae3be3) CI: update Fedora to 41
* Fix loop variable capture issue ([#11042](https://github.com/containerd/containerd/pull/11042))
  * [`485020ca8`](https://github.com/containerd/containerd/commit/485020ca8999d2aa6c2165419cca0f104e9e9d5c) fix: loop variable capture issue
* Add containerd community call to readme. ([#11046](https://github.com/containerd/containerd/pull/11046))
  * [`59a2c3523`](https://github.com/containerd/containerd/commit/59a2c3523cddd05a5f4b14c7860f43ed66b6003d) Add containerd community call to readme.
* update to go1.23.4 / go1.22.10 ([#11102](https://github.com/containerd/containerd/pull/11102))
  * [`81780a5dd`](https://github.com/containerd/containerd/commit/81780a5dd37106f4bc01fa776b9d069197bed54b) update to go1.23.4 / go1.22.10
* Fix panic due to nil dereference cgroups v2 ([#11069](https://github.com/containerd/containerd/pull/11069))
  * [`0903f203f`](https://github.com/containerd/containerd/commit/0903f203fb8a9b696ff2522f068313f5de2fad80) fix panic due to nil dereference cgroups v2
* The task_dir successfully cleans when the file is absent. ([#11043](https://github.com/containerd/containerd/pull/11043))
  * [`4a664772e`](https://github.com/containerd/containerd/commit/4a664772efc48e031efc6b3ebd422df0e08ddbec) The task_dir successfully cleans when the file is absent.
* docs: fix snapshots api import ([#11073](https://github.com/containerd/containerd/pull/11073))
  * [`b78c5c6ed`](https://github.com/containerd/containerd/commit/b78c5c6ed2ad0f0d0a23306a36f0a71a84582f5d) docs: fix snapshots api import
* build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 ([#11060](https://github.com/containerd/containerd/pull/11060))
  * [`ea9397793`](https://github.com/containerd/containerd/commit/ea9397793f336327551d9024ea89bc9178d00401) build(deps): bump github/codeql-action from 3.27.4 to 3.27.5
* build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4 ([#11059](https://github.com/containerd/containerd/pull/11059))
  * [`6c16f3490`](https://github.com/containerd/containerd/commit/6c16f3490934aa396b785bd19c0945279a9e728f) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4
* build(deps): bump the k8s group with 5 updates ([#11057](https://github.com/containerd/containerd/pull/11057))
  * [`662d64080`](https://github.com/containerd/containerd/commit/662d6408018eb74bba4d0700aeac6ea137c23571) build(deps): bump the k8s group with 5 updates
* Update differ to handle zstd media types ([#11062](https://github.com/containerd/containerd/pull/11062))
  * [`17f7858b4`](https://github.com/containerd/containerd/commit/17f7858b4e2e31b447410f66d0100b816c1fe6b3) Update differ to handle zstd media types
* build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 ([#11058](https://github.com/containerd/containerd/pull/11058))
  * [`5c905fb6c`](https://github.com/containerd/containerd/commit/5c905fb6c3c93d2180b878f36af41f516531937f) build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
* Unsorted platform conditionals cleanup ([#11065](https://github.com/containerd/containerd/pull/11065))
  * [`e9d560f1e`](https://github.com/containerd/containerd/commit/e9d560f1e8ccd277e19888c95dd4378579d34842) Unsorted platform conditionals cleanup
* Publish attestation as release artifact ([#11049](https://github.com/containerd/containerd/pull/11049))
  * [`3961dc9c8`](https://github.com/containerd/containerd/commit/3961dc9c8cb0e31925e45a2273bbdc06412be262) Publish attestation as release artifact
* Move rockylinux 9.4 to almalinux/9 in CI ([#11050](https://github.com/containerd/containerd/pull/11050))
  * [`288001f68`](https://github.com/containerd/containerd/commit/288001f68c5fd34cfbdc7284f14375a3762b8ff4) move rocky 9.4 to almalinux/9 in CI
* Clarify release for deprecated registry field removals ([#11045](https://github.com/containerd/containerd/pull/11045))
  * [`e24864e48`](https://github.com/containerd/containerd/commit/e24864e48e30e1009a88637d410d6c4df39c3098) Clarify release for deprecated registry field removals
* make ListContainerStats handle container that is removed before its sandbox ([#10724](https://github.com/containerd/containerd/pull/10724))
  * [`c130d93c1`](https://github.com/containerd/containerd/commit/c130d93c11ec128d38d7560262d2e20b03263151) make ListContainerStats handle container that is removed before its sandbox
* Add tests for CNI v2 loopback options ([#10915](https://github.com/containerd/containerd/pull/10915))
  * [`34284c507`](https://github.com/containerd/containerd/commit/34284c50752ea636a2474c7254802d54600199ab) Add tests for CNI v2 loopback options
* *: should align pipe's owner with init process ([#10906](https://github.com/containerd/containerd/pull/10906))
  * [`a21b178f1`](https://github.com/containerd/containerd/commit/a21b178f12b223d48245fac4ad12a0c7b50bf20f) *: should align pipe's owner with init process
* fix: set the credentials even if not provided ([#10917](https://github.com/containerd/containerd/pull/10917))
  * [`11b1353c1`](https://github.com/containerd/containerd/commit/11b1353c12b9f3a1542ffe44a00a988e330f8c56) fix: set the credentials even if not provided
* build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11024](https://github.com/containerd/containerd/pull/11024))
  * [`dd2d89167`](https://github.com/containerd/containerd/commit/dd2d891672305ab756b4b93970ac1342c952ffc8) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
* Reorganize per-platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
  * [`f6e30e962`](https://github.com/containerd/containerd/commit/f6e30e9622b79c1e3ef64e22329bbabe6d1789e7) [defaults] Reorganize per-platform defaults
* build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5 ([#11025](https://github.com/containerd/containerd/pull/11025))
  * [`be2c4504e`](https://github.com/containerd/containerd/commit/be2c4504eefcab5ea3a23caf0630ddeef3a98200) build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
* Move content events to metadata ([#11013](https://github.com/containerd/containerd/pull/11013))
  * [`9e3ab2332`](https://github.com/containerd/containerd/commit/9e3ab2332b8bc4ba3222133d5b174d5f9be26698) Move content events to metadata
* build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 ([#11026](https://github.com/containerd/containerd/pull/11026))
  * [`f5b2c3a07`](https://github.com/containerd/containerd/commit/f5b2c3a07cd59c28419106d547c169d8d49f0e6f) build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
* Use platform-specific default address ([#11016](https://github.com/containerd/containerd/pull/11016))
  * [`9c7a403a2`](https://github.com/containerd/containerd/commit/9c7a403a22d09050eb37f5e578ec613d38d92231) [containerd-stress] Use platform-specific default address
* Update install-imgcrypt to allow change install repo ([#11019](https://github.com/containerd/containerd/pull/11019))
  * [`f8819df7c`](https://github.com/containerd/containerd/commit/f8819df7c4ee690315d45b57a4fddfcb970fcdd3) Update install-imgcrypt to allow change install repo
* update runc binary to 1.2.2 ([#11022](https://github.com/containerd/containerd/pull/11022))
  * [`9a7bc5423`](https://github.com/containerd/containerd/commit/9a7bc5423ef5f477705802e45c0b06869764caca) update runc binary to 1.2.2
* Fix runtimeoptions location in v2 migration script ([#11012](https://github.com/containerd/containerd/pull/11012))
  * [`2447936fc`](https://github.com/containerd/containerd/commit/2447936fca8dcd92ddb8b3af5ec9038b8117d041) Fix runtimeoptions location in v2 migration
* Revert "Disable vagrant strict dependency checking" ([#11004](https://github.com/containerd/containerd/pull/11004))
  * [`1b01f396d`](https://github.com/containerd/containerd/commit/1b01f396de92dcf3cb47816047e61abe5cb81e69) Revert "Disable vagrant strict dependency checking"
* docs: update schema 1 deprecation information ([#11002](https://github.com/containerd/containerd/pull/11002))
  * [`6c1b699bf`](https://github.com/containerd/containerd/commit/6c1b699bf978b858ef32aeca62beddba9e88da08) docs: update schema 1 deprecation information
* fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems ([#10981](https://github.com/containerd/containerd/pull/10981))
  * [`91e4e0967`](https://github.com/containerd/containerd/commit/91e4e096758b4eccb28cbf5955e7a42dcdb29c15) fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
* build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 ([#10989](https://github.com/containerd/containerd/pull/10989))
  * [`73ae1c66f`](https://github.com/containerd/containerd/commit/73ae1c66ff27695a326a77cb59b49c6dee3e6b2b) build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
* build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 ([#10988](https://github.com/containerd/containerd/pull/10988))
  * [`4bd33276c`](https://github.com/containerd/containerd/commit/4bd33276c3402f41b5b4618a118772e5a2fb7f41) build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
* build(deps): bump the golang-x group with 3 updates ([#10990](https://github.com/containerd/containerd/pull/10990))
  * [`cebca6f87`](https://github.com/containerd/containerd/commit/cebca6f874fdec53070fae3f45806849180d6235) build(deps): bump the golang-x group with 3 updates
* build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 ([#10992](https://github.com/containerd/containerd/pull/10992))
  * [`01c489141`](https://github.com/containerd/containerd/commit/01c489141c37e27b71370ab26ab28347b17f4284) build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
* build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4 ([#10987](https://github.com/containerd/containerd/pull/10987))
  * [`d32ed4a56`](https://github.com/containerd/containerd/commit/d32ed4a560f240b9a05c8a25cec54456da5d99b9) build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
* build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 ([#10986](https://github.com/containerd/containerd/pull/10986))
  * [`d810c5759`](https://github.com/containerd/containerd/commit/d810c5759fd5f864d7794a6ff4ef13887110ebe9) build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0
* fsverity_test.go: fix nil pointer derefence, fix test fail, fix minor/major device numbers resolving ([#10972](https://github.com/containerd/containerd/pull/10972))
  * [`f9537ae12`](https://github.com/containerd/containerd/commit/f9537ae126fc2be685cc32d5c98b4189a72e02e9) fsverity_test.go: fix major/minor device number resolving
  * [`8a8e50e6d`](https://github.com/containerd/containerd/commit/8a8e50e6d7baf99ebe02e6ca04d9d842addcd36c) fsverity_test.go: fix nil pointer dereference, fix test fail
* update to go1.23.3 / go1.22.9 ([#10970](https://github.com/containerd/containerd/pull/10970))
  * [`bcc3cc968`](https://github.com/containerd/containerd/commit/bcc3cc968abd5e13084afa1e8dba6afc0d41a2fa) update to go1.23.3 / go1.22.9
* Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz ([#10964](https://github.com/containerd/containerd/pull/10964))
  * [`784116b7d`](https://github.com/containerd/containerd/commit/784116b7d5e67804f26f3c3e060243b0c737ea7c) Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
  * [`bc056a5c6`](https://github.com/containerd/containerd/commit/bc056a5c60a8add5fb98c59d9e88f9b89025f658) nri: report pod ips to the nri plugins
  * [`a256f326c`](https://github.com/containerd/containerd/commit/a256f326cabd29b4a78334ac981409f005ea9c3f) bump nri version to get PodIPs
* build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 ([#10948](https://github.com/containerd/containerd/pull/10948))
  * [`a17001b42`](https://github.com/containerd/containerd/commit/a17001b42694baa746a22217f6ca7857a096b681) build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0
</p>
</details>

### Changes from containerd/continuity
<details><summary>17 commits</summary>
<p>

* fs: fix Ctime returning Mtime ([containerd/continuity#261](https://github.com/containerd/continuity/pull/261))
  * [`f4f4fb5`](https://github.com/containerd/continuity/commit/f4f4fb5bbdd8321481b8aeedec5cc4412d5001b5) fs: fix Ctime returning Mtime
* fs: implement Atime, Ctime, Mtime for bsd and darwin ([containerd/continuity#262](https://github.com/containerd/continuity/pull/262))
  * [`dbe44eb`](https://github.com/containerd/continuity/commit/dbe44ebd46e9e2497b4b37e0c387f03f7e048f6b) fs: implement Atime, Ctime, Mtime for bsd and darwin
* Makefile: make "lint" target also lint cmd/continuity module and fix linting issues ([containerd/continuity#255](https://github.com/containerd/continuity/pull/255))
  * [`4c00ab7`](https://github.com/containerd/continuity/commit/4c00ab7567238214d4dd9b9797435774836e3381) Makefile: make "lint" target also lint cmd/continuity module
  * [`cadd3a2`](https://github.com/containerd/continuity/commit/cadd3a2d76962f90047608655e607861862e329e) cmd/continuity/continuityfs: SA1019: fuse.ENOENT is deprecated
  * [`38fcdae`](https://github.com/containerd/continuity/commit/38fcdae95788e9c47bdacd674f06164bab91de1b) cmd/continuity: fix SA1019: entry.User/entry.Group is deprecated
* assorted linting fixes and minor cleanups ([containerd/continuity#259](https://github.com/containerd/continuity/pull/259))
  * [`38f66a6`](https://github.com/containerd/continuity/commit/38f66a6d37247c12e5aac5b5ceac4ccb16a1c76e) TestWalkFS: fix unhandled error
  * [`94c0490`](https://github.com/containerd/continuity/commit/94c04905cf9ed5b65bbe2eac4f3f858769cb9f5a) rename variables that shadowed package-level type
  * [`2200bb4`](https://github.com/containerd/continuity/commit/2200bb480f47137ea31eada2d9b0dcfc2474222b) don't use "ctx" for continuity.Context arguments
  * [`583d7ed`](https://github.com/containerd/continuity/commit/583d7ed1582f6b45643c7e11d2b93f6a68b7c623) commands/mount_unsupported: drop nil-assignment (revive)
  * [`5158c3f`](https://github.com/containerd/continuity/commit/5158c3f19836c8dd55dfc1ef84cb8656fca29f9f) golangci-lint: sort linters
  * [`a8c7143`](https://github.com/containerd/continuity/commit/a8c714358ce4cf76db246f88b9495a2b903b2c38) golangci-lint: don't use deprecated name for "govet" linter
* cmd/continuity: switch to google.golang.org/protobuf/proto ([containerd/continuity#260](https://github.com/containerd/continuity/pull/260))
  * [`fd64705`](https://github.com/containerd/continuity/commit/fd6470559ebe380f21b1af08a8869bee7e3435c2) cmd/continuity: switch to google.golang.org/protobuf/proto
</p>
</details>

### Changes from containerd/go-cni
<details><summary>9 commits</summary>
<p>

* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
  * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquision
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
  * [`208eca9`](https://github.com/containerd/go-cni/commit/208eca91c33bb793f471831a0abaf6cebe9676a4) support CNI status verb
* Bump github actions dependencies to match containerd CI repo and fix lint ([containerd/go-cni#122](https://github.com/containerd/go-cni/pull/122))
  * [`386f475`](https://github.com/containerd/go-cni/commit/386f4757e63914b2589b8abe6098bfa23f83fa8b) Fix ci.yml indent
  * [`a9b0675`](https://github.com/containerd/go-cni/commit/a9b0675fc9b8b5ce52d84f91a4fc049501853862) Another doc commit to trigger lint?
  * [`14af454`](https://github.com/containerd/go-cni/commit/14af4542b76fa694f2e1853b35554f23c6829f5d) Bump github actions dependency versions
  * [`9e0d096`](https://github.com/containerd/go-cni/commit/9e0d096d58145757809ddce8b8650efc07e19916) Trivial doc commit to trigger lint
</p>
</details>

### Changes from containerd/otelttrpc
<details><summary>6 commits</summary>
<p>

* Add dependabot and upgrade golang and dependency versions ([containerd/otelttrpc#3](https://github.com/containerd/otelttrpc/pull/3))
  * [`2d46141`](https://github.com/containerd/otelttrpc/commit/2d46141c9f9842bc8e2563ae884b963e34ea175f) upgrade golang, deps, CI versions
  * [`64922e7`](https://github.com/containerd/otelttrpc/commit/64922e78c69b7bdecf065f039a5ead4d64e567e0) Add dependabot CI
* Fix concurrent map panic on metadata ([containerd/otelttrpc#2](https://github.com/containerd/otelttrpc/pull/2))
  * [`2ba3be1`](https://github.com/containerd/otelttrpc/commit/2ba3be1e39398b8d2544f5ea962edc1e2f906d32) Fix concurrent map panic on inject metadata
  * [`f50a922`](https://github.com/containerd/otelttrpc/commit/f50a9220fc748442b274390c45773191367262ec) UT for concurrent inject/extract metadata
</p>
</details>

### Changes from containerd/platforms
<details><summary>6 commits</summary>
<p>

* Move windows matcher logic so all platforms can use ([containerd/platforms#22](https://github.com/containerd/platforms/pull/22))
  * [`7c58292`](https://github.com/containerd/platforms/commit/7c5829273cd83c987784fd7ef5487485e0d2fee0) Move windows matcher logic so all platforms can use
* replace testify with stdlib in tests ([containerd/platforms#21](https://github.com/containerd/platforms/pull/21))
  * [`86a86b7`](https://github.com/containerd/platforms/commit/86a86b73a6e01f92aecad823e0f516f6198f3e2c) replace testify with stdlib in tests
* Replace arm64 minor variant logic with lookup table ([containerd/platforms#18](https://github.com/containerd/platforms/pull/18))
  * [`364665a`](https://github.com/containerd/platforms/commit/364665a87c183d5b5eb45fc0e9b86e99013a621a) Replace arm64 minor variant logic with lookup table
</p>
</details>

### Changes from containerd/ttrpc
<details><summary>5 commits</summary>
<p>

* Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
  * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
  * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
  * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
</p>
</details>

### Dependency Changes

* **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
* **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
* **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
* **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
* **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
* **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
* **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
* **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
* **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
* **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.6.2
* **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
* **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
* **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.8.0
* **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
* **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
* **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
* **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
* **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
* **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
* **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
* **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
* **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
* **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
* **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.21.1
* **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
* **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
* **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
* **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
* **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
* **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
* **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
* **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
* **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
* **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
* **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
* **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
* **golang.org/x/net**                                                             v0.30.0 -> v0.37.0
* **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
* **golang.org/x/sync**                                                            v0.8.0 -> v0.13.0
* **golang.org/x/sys**                                                             v0.26.0 -> v0.32.0
* **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
* **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
* **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
* **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
* **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
* **google.golang.org/grpc**                                                       v1.67.1 -> v1.71.0
* **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
* **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
* **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
* **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
* **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
* **k8s.io/component-base**                                                        v0.31.2 -> v0.32.3
* **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
* **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
* **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
* **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
* **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
* **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
* **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0

Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.1.0-beta.0

b430e5ac · Merge commit from fork · Mar 18, 2025

containerd 2.1.0-beta.0

Welcome to the v2.1.0-beta.0 release of containerd!
*This is a pre-release of containerd*

The 2.1 beta series is here, see the [2.1 milestone](https://github.com/containerd/containerd/milestone/48) to track
ongoing efforts. Please try out the beta and report any issues!

The first minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the first time-based released for containerd.
Most the feature set and core functionality has long been stable and harderened in production
environments, so now we transition to a balance of timely delivery of new functionality
with the same high confidence in stability and performance.

### Highlights

* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))

#### Container Runtime Interface (CRI)

* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))

#### Image Distribution

* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))

#### Node Resource Interface (NRI)

* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))

#### Runtime

* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Akihiro Suda
* Derek McGowan
* Phil Estes
* Maksym Pavlenko
* Jin Dong
* Sebastiaan van Stijn
* Wei Fu
* Samuel Karp
* Austin Vazquez
* Kazuyoshi Kato
* Henry Wang
* Mike Brown
* Akhil Mohan
* Gao Xiang
* Archit Kulkarni
* Krisztian Litkey
* ningmingxiao
* Alexey Lunev
* Antonio Ojea
* Chris Henzie
* Davanum Srinivas
* Marat Radchenko
* Michael Zappa
* Paweł Gronowski
* Adrien Delorme
* Amit Barve
* Andrey Smirnov
* Divya
* Etienne Champetier
* Kirtana Ashok
* fengwei0328
* zounengren
* Adrian Reber
* Alfred Wingate
* Amal Thundiyil
* Athos Ribeiro
* Brian Goff
* ChengyuZhu6
* Chongyi Zheng
* Craig Ingram
* David Son
* Fupan Li
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kaita Nakamura
* Lei Liu
* Mike Baynton
* Philip Laine
* Qiyuan Liang
* Sameer
* Shiming Zhang
* Vered Rosen
* alingse
* bo.jiang
* chriskery
* luchenhan
* mahmut

### Changes
<details><summary>433 commits</summary>
<p>

  * [`b430e5ac3`](https://github.com/containerd/containerd/commit/b430e5ac3accf636cf52b0128b27bb828574cbcf) Merge commit from fork
  * [`de1341c20`](https://github.com/containerd/containerd/commit/de1341c201ffb0effebbf51d00376181968c8779) validate uid/gid
* Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 ([#11544](https://github.com/containerd/containerd/pull/11544))
  * [`8028a1d08`](https://github.com/containerd/containerd/commit/8028a1d086620f7ebf9d8b5446e3abb06bdecdc3) Bump github.com/go-jose/go-jose/v4 from v4.0.4 to v4.0.5
  * [`ce055b530`](https://github.com/containerd/containerd/commit/ce055b530556532a2f0d92bdcd39bc89739cdbd8) Bump golang.org/x/text from 0.22.0 to 0.23.0
  * [`e0aaed012`](https://github.com/containerd/containerd/commit/e0aaed0120ba2aa7e9245390a94a2fc550ee5c34) Bump golang.org/x/term from 0.29.0 to 0.30.0
* fix: repeat args from sub-func call ([#11512](https://github.com/containerd/containerd/pull/11512))
  * [`b947e0566`](https://github.com/containerd/containerd/commit/b947e056634177e2e21ea7317b5496956213e004) fix: repeat args from sub-func call
* build(deps): bump github.com/prometheus/client_golang from 1.20.5 to 1.21.1 ([#11525](https://github.com/containerd/containerd/pull/11525))
  * [`75252f975`](https://github.com/containerd/containerd/commit/75252f9759c3bd3dfaf6fb2f5af12771ff1a1810) build(deps): bump github.com/prometheus/client_golang
* integration: update TestUpgrade for 2.1 ([#11519](https://github.com/containerd/containerd/pull/11519))
  * [`06daffb4d`](https://github.com/containerd/containerd/commit/06daffb4d1b65288d4e3c94b172efeddd8d61851) integration: update TestUpgrade for 2.1
* config:fix config migrate lost timeout config ([#11532](https://github.com/containerd/containerd/pull/11532))
  * [`531adbf06`](https://github.com/containerd/containerd/commit/531adbf065160bf91315ef17cd5e70f9895d86b5) config:fix config migrate lost timeout config
* Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
  * [`c4982bffc`](https://github.com/containerd/containerd/commit/c4982bffc6dd887a58a189f8a6be99b1b1542953) Add dial timeout field to hosts toml configuration
* Prepare release notes for v2.1.0-beta.0 ([#11510](https://github.com/containerd/containerd/pull/11510))
  * [`12762891d`](https://github.com/containerd/containerd/commit/12762891d6c4e0e91384c01650c102d911f9a915) Remove test for issue 10467
  * [`93cc1e6eb`](https://github.com/containerd/containerd/commit/93cc1e6eb96c099e50f6cc0c7f68feeacf09dc48) Fix upgrade test runtime config
  * [`833d6bc8e`](https://github.com/containerd/containerd/commit/833d6bc8e932a6e2e24b4b3bd4ead920fe8e6035) Update release status for 2.1 to beta
  * [`71cfe00ee`](https://github.com/containerd/containerd/commit/71cfe00eec7b22a392458f4d87261dbd6e828af5) Prepare release notes for v2.1.0-beta.n
  * [`be8fe50f4`](https://github.com/containerd/containerd/commit/be8fe50f49a0fb2752b52d560ab1039dbfd83af4) Update the upgrade test to handle 2.1
* build(deps): bump the otel group with 8 updates ([#11521](https://github.com/containerd/containerd/pull/11521))
  * [`94dd70f4f`](https://github.com/containerd/containerd/commit/94dd70f4f0c659526f3b75dc278530dd8d429628) build(deps): bump the otel group with 8 updates
* client: Respect `client.WithTimeout` option ([#11508](https://github.com/containerd/containerd/pull/11508))
  * [`ee574e76e`](https://github.com/containerd/containerd/commit/ee574e76e7f6bbe239298163eab6ccd8b94d73b3) client: Respect `client.WithTimeout` option
* build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 ([#11523](https://github.com/containerd/containerd/pull/11523))
  * [`700b98415`](https://github.com/containerd/containerd/commit/700b98415ef82825d18f53612e2e00eb16197d37) build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
* build(deps): bump the golang-x group with 3 updates ([#11520](https://github.com/containerd/containerd/pull/11520))
  * [`85c04ab0e`](https://github.com/containerd/containerd/commit/85c04ab0ec8d50c042e4665254342730b0d67175) build(deps): bump the golang-x group with 3 updates
* add k8s 1.32 to support table and as tested containerd supported branches at the time of release ([#11534](https://github.com/containerd/containerd/pull/11534))
  * [`5bbd3ed1b`](https://github.com/containerd/containerd/commit/5bbd3ed1b1993c30188cd5b1acb959bb44469127) add k8s 1.32 and as tested containerd supported branches at the time of release
* build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 ([#11524](https://github.com/containerd/containerd/pull/11524))
  * [`c37e48b07`](https://github.com/containerd/containerd/commit/c37e48b07c51f6877a268f69a9d7d85c54e7d97f) build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
* Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
  * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
* build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 ([#11526](https://github.com/containerd/containerd/pull/11526))
  * [`d7de182dd`](https://github.com/containerd/containerd/commit/d7de182ddf46b61b894d363c76b92f5fbc24cccb) build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3
* build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 ([#11527](https://github.com/containerd/containerd/pull/11527))
  * [`9f885ea4f`](https://github.com/containerd/containerd/commit/9f885ea4f549febd5de9fde536006f9484e12df5) build(deps): bump github/codeql-action from 3.28.10 to 3.28.11
* build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2 ([#11528](https://github.com/containerd/containerd/pull/11528))
  * [`88faaac97`](https://github.com/containerd/containerd/commit/88faaac973dee7326e765a601bcdc6cf42843518) build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2
* add name in package version ([#11518](https://github.com/containerd/containerd/pull/11518))
  * [`405a952c6`](https://github.com/containerd/containerd/commit/405a952c653b2ec912cbfdef2c89b43151a072bd) add name in package version
* update to go1.23.7 / go1.24.1 ([#11513](https://github.com/containerd/containerd/pull/11513))
  * [`4f090fe77`](https://github.com/containerd/containerd/commit/4f090fe772b33191fa5e47a6b826ee56f45463f2) update to go1.23.7 / go1.24.1
* Don't produce unnecessary logs when encountering attestations ([#11327](https://github.com/containerd/containerd/pull/11327))
  * [`3cdfc1003`](https://github.com/containerd/containerd/commit/3cdfc1003dbde389d1d3bd012202be534bf6a4cf) core/remotes: Handle attestations in MakeRefKey
  * [`e751b6bb1`](https://github.com/containerd/containerd/commit/e751b6bb1db7936ee111322ff199d9f708c27428) core/images: Ignore attestations when traversing children
* perf(applyNaive): avoid walking the tree for each file in the same directory ([#11337](https://github.com/containerd/containerd/pull/11337))
  * [`d8063c30d`](https://github.com/containerd/containerd/commit/d8063c30dd05ca71e7b2d8d78360af6835dd5e46) perf(applyNaive): avoid walking the tree for each file in the same directory
* Update runtime-spec to v1.2.1 ([#11460](https://github.com/containerd/containerd/pull/11460))
  * [`f8f205382`](https://github.com/containerd/containerd/commit/f8f205382adcad407b7e95e76b18e787e0688b35) Update runtime-spec to v1.2.1
* docs: include note about unprivileged sysctls ([#11502](https://github.com/containerd/containerd/pull/11502))
  * [`edd1cc50d`](https://github.com/containerd/containerd/commit/edd1cc50d5f3c474fe6f09927afbe9be4c7c10da) docs: include note about unprivileged sysctls
* ci: update GitHub Actions release runner to ubuntu-24.04 ([#11479](https://github.com/containerd/containerd/pull/11479))
  * [`705518e58`](https://github.com/containerd/containerd/commit/705518e58b98e868cba35c116d9e46e88f9928bf) ci: update GitHub Actions release runner to ubuntu-24.04
* e2e: use the shim bundled with containerd artifact ([#11489](https://github.com/containerd/containerd/pull/11489))
  * [`393ad5b11`](https://github.com/containerd/containerd/commit/393ad5b11ea3aae3d86f60400f40cf63849eda40) e2e: use the shim bundled with containerd artifact
* build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 ([#11450](https://github.com/containerd/containerd/pull/11450))
  * [`e84e5a215`](https://github.com/containerd/containerd/commit/e84e5a215cab4d189e05e989e94ae26cb84553cf) build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0
  * [`00cb73503`](https://github.com/containerd/containerd/commit/00cb7350392b13cb8c21c5f422304bde7317a760) Swap to go.etcd.io/bbolt/errors for bbolt errors
* CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0 ([#11482](https://github.com/containerd/containerd/pull/11482))
  * [`af5ff5a1f`](https://github.com/containerd/containerd/commit/af5ff5a1f18c7fb899d5a12434616db62a4a3bee) CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0
* device mapper:fix sometimes blkdiscard doesn't have --version flags ([#11330](https://github.com/containerd/containerd/pull/11330))
  * [`44baada6a`](https://github.com/containerd/containerd/commit/44baada6aa88a4eb1c1adddceb353b14396cc442) device mapper:fix sometimes blkdiscard doesn't have --version flags
* docs: add CRI Plugin Config runtime_path ([#11402](https://github.com/containerd/containerd/pull/11402))
  * [`a1e7457bc`](https://github.com/containerd/containerd/commit/a1e7457bc486036559d01fe4a88327417efcf6c1) docs: add CRI Plugin Config runtime_path
* Consolidate security profile logic into a common pkg ([#11080](https://github.com/containerd/containerd/pull/11080))
  * [`71958731e`](https://github.com/containerd/containerd/commit/71958731e82a9068e783db9d578586841fd52404) move security profile to cri/sputil pkg
* erofs-snapshotter: two bug-fixes ([#11476](https://github.com/containerd/containerd/pull/11476))
  * [`3a5de731c`](https://github.com/containerd/containerd/commit/3a5de731c587342ccc8691acd5d4ae2154b9511c) erofs-snapshotter: clear IMMUTABLE_FL only for committed snapshots
  * [`971915797`](https://github.com/containerd/containerd/commit/971915797acd86cb4ea7efc7641cb17bec90c896) erofs-snapshotter: force the use of loop devices for single-layer images
* CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0 ([#11481](https://github.com/containerd/containerd/pull/11481))
  * [`10f2b7fde`](https://github.com/containerd/containerd/commit/10f2b7fded7fb91966a9af77d0dae06d872d2c5d) CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
* build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11474](https://github.com/containerd/containerd/pull/11474))
  * [`69c0d7f60`](https://github.com/containerd/containerd/commit/69c0d7f60f74210d6e41515e9064bb96362683c7) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
* build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 ([#11464](https://github.com/containerd/containerd/pull/11464))
  * [`72ac5cad4`](https://github.com/containerd/containerd/commit/72ac5cad446bdb315c83a2f720f55ecdffba3780) build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
* build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 ([#11467](https://github.com/containerd/containerd/pull/11467))
  * [`001dfeb19`](https://github.com/containerd/containerd/commit/001dfeb19f791348d3fc89c7d93ad23c971c7b93) build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0
* build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 ([#11468](https://github.com/containerd/containerd/pull/11468))
  * [`86734729f`](https://github.com/containerd/containerd/commit/86734729fb1274b11fd2a3c97bf61bcc486017e6) build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
* build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 ([#11469](https://github.com/containerd/containerd/pull/11469))
  * [`9b0b67951`](https://github.com/containerd/containerd/commit/9b0b679519dc25f20c1084ca719e6225286f3534) build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0
* build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 ([#11470](https://github.com/containerd/containerd/pull/11470))
  * [`20fa1ca46`](https://github.com/containerd/containerd/commit/20fa1ca46ddb35799fa67c6743ea8652b3bd54f2) build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2
* build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
  * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
* build(deps): bump actions/cache from 4.2.1 to 4.2.2 ([#11471](https://github.com/containerd/containerd/pull/11471))
  * [`0eea93d68`](https://github.com/containerd/containerd/commit/0eea93d6873c2b7b26a4c7bae0bfbd29c9039f3c) build(deps): bump actions/cache from 4.2.1 to 4.2.2
* Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
  * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
* Remove After=local-fs.target from containerd.service ([#11116](https://github.com/containerd/containerd/pull/11116))
  * [`e0459262b`](https://github.com/containerd/containerd/commit/e0459262ba8b52e936b3b2e555e7faeab846b600) Remove After=local-fs.target from containerd.service
* erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL ([#11431](https://github.com/containerd/containerd/pull/11431))
  * [`b477cf8e9`](https://github.com/containerd/containerd/commit/b477cf8e97b6facd183bba964631a36ef7a3d32b) erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL
* Log "container event discarded" as Info ([#11115](https://github.com/containerd/containerd/pull/11115))
  * [`6c7b1afe5`](https://github.com/containerd/containerd/commit/6c7b1afe5127c0f8827a8995c1756ab71289ec98) Log "container event discarded" as Info
* Fix privileged container sysfs can't be rw because pod is ro by default ([#11271](https://github.com/containerd/containerd/pull/11271))
  * [`1fc497218`](https://github.com/containerd/containerd/commit/1fc497218ac5f83fa65b9043bc3bc2bc0dee219c) Fix privileged container sysfs can't be rw because pod is ro by default
* cri,nri: fix initial sync race of registering NRI plugins. ([#11384](https://github.com/containerd/containerd/pull/11384))
  * [`6a01ad3e1`](https://github.com/containerd/containerd/commit/6a01ad3e16c57c631febb92090bbca5c331e2f7d) cri,nri: block NRI plugin sync. during event processing.
* proxy: break up writes from the remote writer to avoid grpc limits ([#11441](https://github.com/containerd/containerd/pull/11441))
  * [`f25f36c33`](https://github.com/containerd/containerd/commit/f25f36c334144d87233e06b0de90522ebd97e144) proxy: break up writes from the remote writer to avoid grpc limits
* build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 ([#11423](https://github.com/containerd/containerd/pull/11423))
  * [`0500dacf6`](https://github.com/containerd/containerd/commit/0500dacf609df804e3cb025f024f39e5e32cb1e4) build(deps): bump github/codeql-action from 3.28.9 to 3.28.10
* go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11449](https://github.com/containerd/containerd/pull/11449))
  * [`22d568fb5`](https://github.com/containerd/containerd/commit/22d568fb5a8381fd20ea4e385f8aff9899e0e710) Update CDI dependency to v0.8.1.
* build(deps): bump the k8s group across 1 directory with 6 updates ([#11398](https://github.com/containerd/containerd/pull/11398))
  * [`d2b5653c1`](https://github.com/containerd/containerd/commit/d2b5653c11b6dc9023609cc9ca35b334e53768c0) build(deps): bump the k8s group across 1 directory with 6 updates
* Prefer runtime options for PluginInfo request ([#11442](https://github.com/containerd/containerd/pull/11442))
  * [`51f063f07`](https://github.com/containerd/containerd/commit/51f063f0716871070f6a8995902ee6a679ee9c45) Prefer runtime options for PluginInfo request
* pkg: prevent oom watcher from depending on shim pkg ([#11433](https://github.com/containerd/containerd/pull/11433))
  * [`268880bf5`](https://github.com/containerd/containerd/commit/268880bf53b39f8de4e6d7d668a8bb5e7ee3519a) [improve] prevent oom watcher depend on shim pkg.
* Ignore defunct verifier procs in test ([#11435](https://github.com/containerd/containerd/pull/11435))
  * [`76858ac8e`](https://github.com/containerd/containerd/commit/76858ac8e3129644fb4cf5ae9f86448655989cf4) Ignore defunct verifier procs in test
* CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11427](https://github.com/containerd/containerd/pull/11427))
  * [`4e7484d3f`](https://github.com/containerd/containerd/commit/4e7484d3f40a8ec07126eb16fae614aedafe630a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
* build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 ([#11424](https://github.com/containerd/containerd/pull/11424))
  * [`125525d6c`](https://github.com/containerd/containerd/commit/125525d6cd4aa85ac91f694e94b5bf8c9b647b6d) build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
* build(deps): bump actions/cache from 4.2.0 to 4.2.1 ([#11426](https://github.com/containerd/containerd/pull/11426))
  * [`86cde823a`](https://github.com/containerd/containerd/commit/86cde823a8361c3a3d3ff756da5523e89f1bb93b) build(deps): bump actions/cache from 4.2.0 to 4.2.1
* build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 ([#11425](https://github.com/containerd/containerd/pull/11425))
  * [`49257264f`](https://github.com/containerd/containerd/commit/49257264fec6c950d18bd6960b35e5ae12eafa02) build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
* erofs-snapshotter: add fsverity support ([#11352](https://github.com/containerd/containerd/pull/11352))
  * [`f3b6078f9`](https://github.com/containerd/containerd/commit/f3b6078f90bf61c87bab34c7f6c10eeb8258a465) erofs-snapshotter: add fsverity support
* Support for importing layers in the block CIM format. ([#11179](https://github.com/containerd/containerd/pull/11179))
  * [`a1c540085`](https://github.com/containerd/containerd/commit/a1c540085f86dcc8613e6db11b73bed4a3a02883) Support for importing layers in the block CIM format.
* perf(zstd): deactivate the low mem decoder ([#11335](https://github.com/containerd/containerd/pull/11335))
  * [`c51f5d26f`](https://github.com/containerd/containerd/commit/c51f5d26f1167d612d061cb20ae0cbb1ab00a0da) perf(zstd): deactivate the low mem decoder
* build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 ([#11370](https://github.com/containerd/containerd/pull/11370))
  * [`6a08d70e6`](https://github.com/containerd/containerd/commit/6a08d70e681b81049a2cabfd44216803662d6c8e) build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
* move the device after the options when using mkfs.ext4 ([#11362](https://github.com/containerd/containerd/pull/11362))
  * [`b98378638`](https://github.com/containerd/containerd/commit/b9837863815e2ffe5ea28e52afe24a2e1829863f) move the device after the options when using mkfs.ext4
* build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 ([#11313](https://github.com/containerd/containerd/pull/11313))
  * [`f23981281`](https://github.com/containerd/containerd/commit/f23981281e60fd5ad37d61e43a777ff64fbfb874) build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
* build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 ([#11397](https://github.com/containerd/containerd/pull/11397))
  * [`b8a759f1f`](https://github.com/containerd/containerd/commit/b8a759f1fd59eca20534e223fa8db2011ebbb519) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
* build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5 ([#11373](https://github.com/containerd/containerd/pull/11373))
  * [`326fbf074`](https://github.com/containerd/containerd/commit/326fbf07470ee61022e84f1387cf799aa86493b0) build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5
* Clarify port handling in `hosts.toml` ([#11393](https://github.com/containerd/containerd/pull/11393))
  * [`a502b7931`](https://github.com/containerd/containerd/commit/a502b7931babb81749c5236b38a09e5ae73fe88e) Clarify port handling in hosts toml
* Move `linters-settings.exclude-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11399](https://github.com/containerd/containerd/pull/11399))
  * [`480e1039f`](https://github.com/containerd/containerd/commit/480e1039fe23512e6c1ea4bd8db1be93ac125993) move exclude-dirs to issues.exclude-dirs
* Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
  * [`1ec10d9ae`](https://github.com/containerd/containerd/commit/1ec10d9ae7535ddd7b18e3c21b6cd8ff12a2f90d) Add OCI/Image Volume Source support
* build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 ([#11374](https://github.com/containerd/containerd/pull/11374))
  * [`17acb356f`](https://github.com/containerd/containerd/commit/17acb356f826ccf6dd6b0160dcce5e3aedf41f21) build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
* Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11323](https://github.com/containerd/containerd/pull/11323))
  * [`83b65e52f`](https://github.com/containerd/containerd/commit/83b65e52fddf9411009e396dda283a782921222f) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
* Update runc binary to v1.2.5 ([#11388](https://github.com/containerd/containerd/pull/11388))
  * [`938775864`](https://github.com/containerd/containerd/commit/938775864aba692f69d4bb143e1d6197b69b421b) Update runc binary to v1.2.5
* build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 ([#11369](https://github.com/containerd/containerd/pull/11369))
  * [`2f971ee2d`](https://github.com/containerd/containerd/commit/2f971ee2d474c403837500846e0deaa8ba399992) build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
* Remove noinline in seccomp/apparmor SpecOpts ([#11264](https://github.com/containerd/containerd/pull/11264))
  * [`222308416`](https://github.com/containerd/containerd/commit/222308416cd7d0204c4adf64ffdf438951e5aa64) Remove noinline in apparmor SpecOpts
  * [`2a4164ac8`](https://github.com/containerd/containerd/commit/2a4164ac868955ac9cb406cb4dc434d2eb3f9a16) Remove noinline in seccomp SpecOpts
* build(deps): bump the golang-x group with 3 updates ([#11371](https://github.com/containerd/containerd/pull/11371))
  * [`84e07f6b5`](https://github.com/containerd/containerd/commit/84e07f6b54400bf61d1242c42f3437384aec2a65) build(deps): bump the golang-x group with 3 updates
* update to go 1.24.0 / go1.23.6 ([#11377](https://github.com/containerd/containerd/pull/11377))
  * [`df99aa321`](https://github.com/containerd/containerd/commit/df99aa321a274c50de87332a067537cea746fd5c) update to go 1.24.0 / go1.23.6
  * [`41eaa41c4`](https://github.com/containerd/containerd/commit/41eaa41c43787755427aa430149a9c857c643be3) update golangci-lint to v1.64.2
* build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 ([#11368](https://github.com/containerd/containerd/pull/11368))
  * [`2b8a7f253`](https://github.com/containerd/containerd/commit/2b8a7f253dee9bd8a4dc650eb27fbd803a64c97a) build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0
* build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 ([#11367](https://github.com/containerd/containerd/pull/11367))
  * [`bdb8cb5a8`](https://github.com/containerd/containerd/commit/bdb8cb5a80915fc605dcdfa3e0b0f2eb2b293b1c) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
* Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
  * [`2f15d6586`](https://github.com/containerd/containerd/commit/2f15d6586b261d0f0bc68b847660dc2b691169db) Add tests for EROFS snapshotter
  * [`fd4caef78`](https://github.com/containerd/containerd/commit/fd4caef7866306f9e654f54ba0209c7f4a554ad9) Add EROFS snapshotter documentation
  * [`2486d542a`](https://github.com/containerd/containerd/commit/2486d542a5a96d71e3c8bb36517479e0a81f0131) Introduce EROFS Snapshotter
  * [`c73c8e5d5`](https://github.com/containerd/containerd/commit/c73c8e5d526aba6acf0eb75976bfc5a1037d64ac) Introduce EROFS differ
* Update RELEASES.md for new release schedule and LTS policy ([#11294](https://github.com/containerd/containerd/pull/11294))
  * [`6d1f6e75d`](https://github.com/containerd/containerd/commit/6d1f6e75d65283dc6440556cfaf694c20059d77d) Update upgrade section
  * [`5f238fa82`](https://github.com/containerd/containerd/commit/5f238fa827a97e729592c1ed896a1192ba53ab09) Update to time based releases
  * [`886d971f8`](https://github.com/containerd/containerd/commit/886d971f855da042f1c83fc87b2074c858062f3b) Update LTS definition and support horizon
* nri: make OCI spec available on StopPodSandbox ([#11331](https://github.com/containerd/containerd/pull/11331))
  * [`2eb0aa6b9`](https://github.com/containerd/containerd/commit/2eb0aa6b988a508400d6567602e7f3af838ca3c4) nri: make OCI spec available on StopPodSandbox
* build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8 ([#11332](https://github.com/containerd/containerd/pull/11332))
  * [`565b50dbb`](https://github.com/containerd/containerd/commit/565b50dbb92f231ea1f416dead040d8e96f0963a) build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8
* build(deps): bump google-github-actions/upload-cloud-storage from 2.2.1 to 2.2.2 ([#11334](https://github.com/containerd/containerd/pull/11334))
  * [`b65f3875b`](https://github.com/containerd/containerd/commit/b65f3875ba3365a780ac9d9ace295c56ac230ee4) build(deps): bump google-github-actions/upload-cloud-storage
* build(deps): bump github/codeql-action from 3.28.6 to 3.28.8 ([#11333](https://github.com/containerd/containerd/pull/11333))
  * [`841ab361c`](https://github.com/containerd/containerd/commit/841ab361c1e52200319c08dc8b09f11e07d78f17) build(deps): bump github/codeql-action from 3.28.6 to 3.28.8
* Fix state/root bug in shim sandbox controller ([#11321](https://github.com/containerd/containerd/pull/11321))
  * [`168c49e4d`](https://github.com/containerd/containerd/commit/168c49e4dcf1fcfebcf5d751f5aa20747b2a2032) Fix state/root bug in shim sandbox controller
* build(deps): bump github/codeql-action from 3.28.1 to 3.28.6 ([#11315](https://github.com/containerd/containerd/pull/11315))
  * [`48d09104d`](https://github.com/containerd/containerd/commit/48d09104dcc4244672c590e9b6ab3ab71d8c9ce4) build(deps): bump github/codeql-action from 3.28.1 to 3.28.6
* build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 ([#11317](https://github.com/containerd/containerd/pull/11317))
  * [`0c986c332`](https://github.com/containerd/containerd/commit/0c986c332f072ce2273c06d2707976b321830423) build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0
* build(deps): bump actions/stale from 9.0.0 to 9.1.0 ([#11316](https://github.com/containerd/containerd/pull/11316))
  * [`575239789`](https://github.com/containerd/containerd/commit/5752397896d44d5807837c8a71e2c0f1769ba66a) build(deps): bump actions/stale from 9.0.0 to 9.1.0
* build(deps): bump the otel group across 1 directory with 8 updates ([#11286](https://github.com/containerd/containerd/pull/11286))
  * [`69e82f9cd`](https://github.com/containerd/containerd/commit/69e82f9cd3e29428bd480b1c349268a0723af51d) build(deps): bump the otel group across 1 directory with 8 updates
* build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 ([#11283](https://github.com/containerd/containerd/pull/11283))
  * [`19c546c97`](https://github.com/containerd/containerd/commit/19c546c9760b11c266a314bf25177b96d7a21f24) build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
* Update cimfs snapshotter & differ for new hcsshim interface ([#10033](https://github.com/containerd/containerd/pull/10033))
  * [`b81ace872`](https://github.com/containerd/containerd/commit/b81ace8724e154a0899679a05a98b7174804abed) Update cimfs snapshotter & differ for new hcsshim interface
* update to go1.23.5 / go1.22.11 ([#11277](https://github.com/containerd/containerd/pull/11277))
  * [`157faf65c`](https://github.com/containerd/containerd/commit/157faf65c55c5de56f636fe3466f59b43241abb3) update to go1.23.5 / go1.22.11
* build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 ([#11287](https://github.com/containerd/containerd/pull/11287))
  * [`f572a6db9`](https://github.com/containerd/containerd/commit/f572a6db9037e4a36225a4146a4344aaf34d692c) build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0
* client: add WithExtraDialOpts option ([#11276](https://github.com/containerd/containerd/pull/11276))
  * [`a6dc9905c`](https://github.com/containerd/containerd/commit/a6dc9905cbb1833c459362ba72928bd348967158) client: add WithExtraDialOpts option
* build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 ([#11282](https://github.com/containerd/containerd/pull/11282))
  * [`460e5a2e2`](https://github.com/containerd/containerd/commit/460e5a2e2bec851ba357dc1b738e3023841d0f2b) build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3
* build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 ([#11288](https://github.com/containerd/containerd/pull/11288))
  * [`36d3888cf`](https://github.com/containerd/containerd/commit/36d3888cf7eb7c9f533167cf93748ece98eb79cf) build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0
* build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 ([#11289](https://github.com/containerd/containerd/pull/11289))
  * [`4b77d4e41`](https://github.com/containerd/containerd/commit/4b77d4e41ef99e6526f3e20dae36bc301f648477) build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1
* build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 ([#11290](https://github.com/containerd/containerd/pull/11290))
  * [`22e77720b`](https://github.com/containerd/containerd/commit/22e77720b3e6aecbb299ad70c68e2ade6dfd0108) build(deps): bump github/codeql-action from 3.27.9 to 3.28.1
* build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 ([#11291](https://github.com/containerd/containerd/pull/11291))
  * [`53d6f3482`](https://github.com/containerd/containerd/commit/53d6f34822dda24bf7c8674305c93eadb4bad50b) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
* Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
  * [`ff0d99e02`](https://github.com/containerd/containerd/commit/ff0d99e02873ac04b4f73054d92d22683a501b7d) Add multiple uid/gid mapping test cases to integration tests
  * [`ec231cdcf`](https://github.com/containerd/containerd/commit/ec231cdcf27b4bfad8fd51dbe4a3a328158aeb86) Update ctr to support remapper labels with multiple uid/gid mapping entries
  * [`8bbfb6528`](https://github.com/containerd/containerd/commit/8bbfb65289f3a32fd5358bf7419f8b860a08fbed) Update snapshotter opts to support multiple uid/gid mapping entries
  * [`8a030d653`](https://github.com/containerd/containerd/commit/8a030d6537e42194cca894ebf89556af09dfade8) Update overlay snapshotter to support multiple uid/gid mappings
  * [`168ec21db`](https://github.com/containerd/containerd/commit/168ec21dbd6254088a47257d1a44812155d6d54c) Update idmapped mount to support multiple uid/gid mappings
  * [`a11405975`](https://github.com/containerd/containerd/commit/a114059759ec1d70ce04acfce028da54428689a9) Add RootPair() and serialization routines to userns idmap
* log: avoid using unsupported field by logrus ([#11148](https://github.com/containerd/containerd/pull/11148))
  * [`04f9e30db`](https://github.com/containerd/containerd/commit/04f9e30db313908c1209b7f7d526d5d3eb8467ed) log: avoid using unsupported field by logrus
* Move all fuzz tests to go native fuzz [part2] ([#11251](https://github.com/containerd/containerd/pull/11251))
  * [`b49df6af1`](https://github.com/containerd/containerd/commit/b49df6af11dbf7e4fc715e972c8e816edcb02309) move FuzzCRIServer to go native fuzz
  * [`6019bcdfb`](https://github.com/containerd/containerd/commit/6019bcdfbbed387b366e4e368c30475f5c31f054) move FuzzContainerdImport to go native fuzz
* Make ovl idmap mounts read-only ([#10955](https://github.com/containerd/containerd/pull/10955))
  * [`1e3d10dc2`](https://github.com/containerd/containerd/commit/1e3d10dc29616f7e81b3fef3314d7a44d593c48c) Make ovl idmap mounts read-only
* runtime/v2: add note about orphan process for runc-shim ([#10002](https://github.com/containerd/containerd/pull/10002))
  * [`58bd48ecf`](https://github.com/containerd/containerd/commit/58bd48ecff5418efbeacf27134d8adb3e58ab17d) add some doc for shim reap orphan process
* Fix panics in CI fuzz integration tests ([#11249](https://github.com/containerd/containerd/pull/11249))
  * [`b7a117b46`](https://github.com/containerd/containerd/commit/b7a117b4648c981275e7e7ac944bfabec45fc56a) Fix fuzz integration tests
* Move CDI device spec out of the OCI package ([#11262](https://github.com/containerd/containerd/pull/11262))
  * [`bdc847f1e`](https://github.com/containerd/containerd/commit/bdc847f1eb535a6728b6db3f2619d2a5ed0edbb9) Remove deprecated WithCDIDevices in oci spec opts
  * [`e20f7f4a2`](https://github.com/containerd/containerd/commit/e20f7f4a2425c005d85855abfd4556d7b4ccbf87) Move CDI device spec out of the OCI package
* docs: fix some function names in comment ([#11261](https://github.com/containerd/containerd/pull/11261))
  * [`740c5d428`](https://github.com/containerd/containerd/commit/740c5d4284de1704ffab91bf03967346ae7d29a9) docs: fix some function names in comment
* Use a order-only-prerequisite for mandir creation ([#11132](https://github.com/containerd/containerd/pull/11132))
  * [`ffbe1b573`](https://github.com/containerd/containerd/commit/ffbe1b5738951aed8945bf58c23e634433e77eb1) Use a order-only-prerequisite for mandir creation
* Update platforms to latest rc ([#11257](https://github.com/containerd/containerd/pull/11257))
  * [`6148dbdd7`](https://github.com/containerd/containerd/commit/6148dbdd778942f7b1f5361d3e18859ada70f4d6) Update platforms to latest rc
* Remove confusing warning in cri runtime config migration ([#10980](https://github.com/containerd/containerd/pull/10980))
  * [`fb44e37ff`](https://github.com/containerd/containerd/commit/fb44e37ff27325edda8e8ad178e1c057139cd4f2) Remove confusing warning in cri runtime config migration
* Unify default transport in docker resolver ([#11167](https://github.com/containerd/containerd/pull/11167))
  * [`47c4dba40`](https://github.com/containerd/containerd/commit/47c4dba40935f8c887a7d43f6fbfca5fafadeb7f) Unify default transport in docker resolver
* Clarify Go client API guidance ([#11093](https://github.com/containerd/containerd/pull/11093))
  * [`9fc711a8a`](https://github.com/containerd/containerd/commit/9fc711a8a0f5ca61007c855d087c5a806d2273cc) Clarify Go client API guidance
* build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-x group ([#11225](https://github.com/containerd/containerd/pull/11225))
  * [`ef7fa43c9`](https://github.com/containerd/containerd/commit/ef7fa43c9a8ee086eada91630dcfe3ec8cc276b0) build(deps): bump golang.org/x/sys in the golang-x group
* Fix runtime platform loading in cri image plugin init ([#11165](https://github.com/containerd/containerd/pull/11165))
  * [`ef0e70922`](https://github.com/containerd/containerd/commit/ef0e7092287ac4816e9a9fdfd6925e6f75657f41) Fix runtime platform loading in cri image plugin init
* ci: fix the issue of config_file unset ([#11240](https://github.com/containerd/containerd/pull/11240))
  * [`e1aeb37cd`](https://github.com/containerd/containerd/commit/e1aeb37cdf10ed2ed4b2dd4be02d68a556acc106) ci: fix the issue of config_file unset
* Fix go-cni race condition ([#11244](https://github.com/containerd/containerd/pull/11244))
  * [`09bf281ec`](https://github.com/containerd/containerd/commit/09bf281ec415a6029177c60688e261dab55e3944) fix go-cni race condition
* make sure console master tty is closed on task exit ([#11161](https://github.com/containerd/containerd/pull/11161))
  * [`652e4d0b1`](https://github.com/containerd/containerd/commit/652e4d0b10490c4c2cfc94791ea80b5a16ff38ea) Add integ test to check tty leak
  * [`aedb079bf`](https://github.com/containerd/containerd/commit/aedb079bf18f1f913b705d9b791beebcf1962cdd) fix master tty leak due to leaking init container object
* Move fuzz tests to go native fuzz [part1] ([#11189](https://github.com/containerd/containerd/pull/11189))
  * [`e70977180`](https://github.com/containerd/containerd/commit/e70977180ae55ad0bd28e2438b15170d83100d48) change metadata fuzz operations as const and slice instead of map
  * [`a4e3218e8`](https://github.com/containerd/containerd/commit/a4e3218e8f4a817ca0d7f44f622b97e0c83189b7) change tmp dir creation in fuzz to t.TempDir
  * [`a8c643cc5`](https://github.com/containerd/containerd/commit/a8c643cc51b4793189ac6291a62fcc1c3990af50) change copyright from ADA Logics to containerd
  * [`a55083007`](https://github.com/containerd/containerd/commit/a5508300782032adf7011d17a02268a425e3b14c) Remove github.com/AdamKorcz/go-118-fuzz-build in go.mod
  * [`2de103029`](https://github.com/containerd/containerd/commit/2de1030299c1626b2c235c0ed21040bce91f57d3) Move fuzz tests to go native fuzz [part1]
* Bump up otelttrpc to 0.1.0 ([#11241](https://github.com/containerd/containerd/pull/11241))
  * [`15d3bf9b2`](https://github.com/containerd/containerd/commit/15d3bf9b248d423c457e871fe001eeb129a3fa82) Bump up otelttrpc to 0.1.0
* Add snapshotter exports to unpack platform ([#11227](https://github.com/containerd/containerd/pull/11227))
  * [`63f604728`](https://github.com/containerd/containerd/commit/63f6047282525748e13ed91892b50583771c6427) Add snapshotter exports to unpack platform
* ctr: `ctr images import --all-platforms`: fix unpack ([#11229](https://github.com/containerd/containerd/pull/11229))
  * [`79a42eedc`](https://github.com/containerd/containerd/commit/79a42eedc724cd248a995cbf1174d3800d948d52) ctr: `ctr images import --all-platforms`: fix unpack
* Deflake TestFailFastWhenConnectShim by making TestContainerCgroupWritable not parallel ([#11235](https://github.com/containerd/containerd/pull/11235))
  * [`e65283321`](https://github.com/containerd/containerd/commit/e6528332195d23bf98ba58124b4cd647223e6969) make TestContainerCgroupWritable not parallel
* update runc binary to v1.2.4 ([#11230](https://github.com/containerd/containerd/pull/11230))
  * [`54ed595e1`](https://github.com/containerd/containerd/commit/54ed595e1db892e09083e01f6520bc847bf99ee9) update runc binary to v1.2.4
* Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
  * [`1363849b0`](https://github.com/containerd/containerd/commit/1363849b034a1daf58a4d677e758124d7ea7087e) Add integration test
  * [`dda702042`](https://github.com/containerd/containerd/commit/dda7020429a06a1d5549ced9391cc2f85f94adef) Enable Writable cgroups for unprivileged containers
* Avoid duplicated chain ID calculation in unpack ([#11219](https://github.com/containerd/containerd/pull/11219))
  * [`d156d3df9`](https://github.com/containerd/containerd/commit/d156d3df9620844491a4e6c94945693d5c7df043) Benchamrk chainID calculation in unpack
  * [`95f45541e`](https://github.com/containerd/containerd/commit/95f45541e47253610ed83b064dab2124a11027e8) Avoid duplicated chain ID calculation in unpack
* downgrade go-difflib and go-spew to tagged releases ([#11220](https://github.com/containerd/containerd/pull/11220))
  * [`00a11e91d`](https://github.com/containerd/containerd/commit/00a11e91d38b5a1e3540382eaedfda878b1314b1) downgrade go-difflib and go-spew to tagged releases
* Bump seccomp version to be the same as one in runc repo ([#11200](https://github.com/containerd/containerd/pull/11200))
  * [`4f2f12be6`](https://github.com/containerd/containerd/commit/4f2f12be6d91868a3b39d441ac598f876b47a6c0) Bump seccomp version to be the same as one in runc repo
* Remove loop variable copies ([#11194](https://github.com/containerd/containerd/pull/11194))
  * [`bee64b2b9`](https://github.com/containerd/containerd/commit/bee64b2b93ba0494ecff94b72748427d5abe20a5) Remove loop variable copies
* build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1 ([#11192](https://github.com/containerd/containerd/pull/11192))
  * [`4a4a027f7`](https://github.com/containerd/containerd/commit/4a4a027f7984c415d94054f6f6e14a6369a7dcd7) build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
* bump up ttrpc to use its MD.Clone ([#11204](https://github.com/containerd/containerd/pull/11204))
  * [`ee6338188`](https://github.com/containerd/containerd/commit/ee63381887da22ecc1be8ef2a3e441a72a013e93) bump up ttrpc to use its MD.Clone
* build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 ([#11193](https://github.com/containerd/containerd/pull/11193))
  * [`9bb31b706`](https://github.com/containerd/containerd/commit/9bb31b706c898a9475638206d2c5813fd9e8d77f) build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
* build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0 ([#11181](https://github.com/containerd/containerd/pull/11181))
  * [`7f3599f09`](https://github.com/containerd/containerd/commit/7f3599f09396bf69496e1cf189b999acc0db13a5) build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0
* build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5 ([#11191](https://github.com/containerd/containerd/pull/11191))
  * [`f98d5fdb6`](https://github.com/containerd/containerd/commit/f98d5fdb6f684410bea0881159ea0df354cae41b) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5
* Update golangci to 1.60.3 ([#11185](https://github.com/containerd/containerd/pull/11185))
  * [`26a156f4f`](https://github.com/containerd/containerd/commit/26a156f4fd285ecddcdead54105022348075ad62) Update golangci to 1.60.3
* build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 ([#11170](https://github.com/containerd/containerd/pull/11170))
  * [`a172d2c11`](https://github.com/containerd/containerd/commit/a172d2c116daeb101700d9d6c3a3622623c7446d) build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0
* Update golangci-lint version in dev tools script ([#11180](https://github.com/containerd/containerd/pull/11180))
  * [`fa531f808`](https://github.com/containerd/containerd/commit/fa531f808b72c6667844ec56cbd9e6e5f23e974d) Update golangci-lint version in dev tools script
* build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 ([#11177](https://github.com/containerd/containerd/pull/11177))
  * [`2f37b9da3`](https://github.com/containerd/containerd/commit/2f37b9da392387fac21d375874473a017bcefb8b) build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
* build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#11176](https://github.com/containerd/containerd/pull/11176))
  * [`4e4537a87`](https://github.com/containerd/containerd/commit/4e4537a87a8ee66debb947df455cae6e68e0dd5d) build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
* build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 ([#11171](https://github.com/containerd/containerd/pull/11171))
  * [`d29751424`](https://github.com/containerd/containerd/commit/d297514248daffa3124e529a5ada4f57a15dbb12) build(deps): bump github/codeql-action from 3.27.6 to 3.27.9
* build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 ([#11172](https://github.com/containerd/containerd/pull/11172))
  * [`31e129856`](https://github.com/containerd/containerd/commit/31e12985601773ce5417926db6eda9c9d63dc445) build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0
* build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0-rc.1 to 2.0.0 ([#11174](https://github.com/containerd/containerd/pull/11174))
  * [`f6e956c22`](https://github.com/containerd/containerd/commit/f6e956c2240a3d4dba6c9e6589993d051ff82849) build(deps): bump github.com/containerd/imgcrypt/v2
* build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 ([#11126](https://github.com/containerd/containerd/pull/11126))
  * [`aeb414021`](https://github.com/containerd/containerd/commit/aeb414021b07a625cc58d555aabb18bd5cf51f3d) build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1
* test: prevent segfault in imageverifier test ([#10851](https://github.com/containerd/containerd/pull/10851))
  * [`1617fd72e`](https://github.com/containerd/containerd/commit/1617fd72e10634923f75bb27ca00a23cf2f19ecb) test: prevent segfault in imageverifier test
* Report an error when cni confDir removed ([#10646](https://github.com/containerd/containerd/pull/10646))
  * [`0c2805a6e`](https://github.com/containerd/containerd/commit/0c2805a6e452dba5e42b3723b6ba069b811f7c9a) Report an error when cni confDir removed
* build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 ([#11122](https://github.com/containerd/containerd/pull/11122))
  * [`afee762fb`](https://github.com/containerd/containerd/commit/afee762fbfac0141b50040a1ea8197b02eafa3c1) build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
* vendor: update golang.org/x/ dependencies ([#11145](https://github.com/containerd/containerd/pull/11145))
  * [`23e014140`](https://github.com/containerd/containerd/commit/23e01414069df958db56ca24fd7806979a9f2f2a) vendor: golang.org/x/crypto v0.31.0
  * [`9b3d999bd`](https://github.com/containerd/containerd/commit/9b3d999bd9affbfe7df5bd7ef8e5df9446eda56f) vendor: golang.org/x/term v0.27.0
  * [`1032fad27`](https://github.com/containerd/containerd/commit/1032fad2721a01ec321881c44963958dcb9b2ed8) vendor: golang.org/x/text v0.21.0
  * [`6764e62cf`](https://github.com/containerd/containerd/commit/6764e62cf7518dd6bc7050ed2d33a52a107fd1cd) vendor: golang.org/x/sync v0.10.0
  * [`160676647`](https://github.com/containerd/containerd/commit/1606766479f3e37318c5f4144d6d3d989cba51aa) vendor: golang.org/x/sys v0.28.0
* build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11124](https://github.com/containerd/containerd/pull/11124))
  * [`927012243`](https://github.com/containerd/containerd/commit/9270122437f5a0105c74b49089fddc1a2c2648af) build(deps): bump actions/cache from 4.1.2 to 4.2.0
* internal/cri: should not apply IoOwner options if it's not user namespace ([#11104](https://github.com/containerd/containerd/pull/11104))
  * [`2c4c04032`](https://github.com/containerd/containerd/commit/2c4c040328e161ef04913d8470a7dd61caf9f1be) internal/cri: should not apply IoOwner options
* update runc binary to v1.2.3 ([#11141](https://github.com/containerd/containerd/pull/11141))
  * [`981414521`](https://github.com/containerd/containerd/commit/981414521baf578a313c7b7af034ade6cb92b10d) update runc binary to v1.2.3
* cmd/ctr: allow user to syncfs during unpacking image locally ([#11118](https://github.com/containerd/containerd/pull/11118))
  * [`11b78255d`](https://github.com/containerd/containerd/commit/11b78255de6544fc91d5f523bdfec2bef2a711ca) cmd: add syncfs option to ctr command
* Update go-cni for CNI STATUS ([#11135](https://github.com/containerd/containerd/pull/11135))
  * [`1f220b23e`](https://github.com/containerd/containerd/commit/1f220b23e298b61f5ece5a994ef2a37a843732b0) feat: update go-cni version for CNI STATUS
* Complete cri grpc plugin config migration ([#11061](https://github.com/containerd/containerd/pull/11061))
  * [`ed39dfa5d`](https://github.com/containerd/containerd/commit/ed39dfa5d64d872c8a0b7b88b4973395028b2b1e) Add integration test for custom configuration
  * [`8540fed77`](https://github.com/containerd/containerd/commit/8540fed77493a5a205524b47b810726a0de288eb) complete cri grpc config migration
* ctr pull should unpack for default platform when transfer service is used ([#11086](https://github.com/containerd/containerd/pull/11086))
  * [`4c11d753c`](https://github.com/containerd/containerd/commit/4c11d753ca9964bf70f087560c85614741ca35a5) ctr pull unpack for default platform using transfer service
* update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ ([#11130](https://github.com/containerd/containerd/pull/11130))
  * [`d76f92f24`](https://github.com/containerd/containerd/commit/d76f92f2402049869e5fd94087aeed1a9fddc729) update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
* build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 ([#11123](https://github.com/containerd/containerd/pull/11123))
  * [`73864c520`](https://github.com/containerd/containerd/commit/73864c52037da5cf870a9c11359ab197cdf08fe4) build(deps): bump github/codeql-action from 3.27.5 to 3.27.6
* CI: update Fedora to 41 ([#10930](https://github.com/containerd/containerd/pull/10930))
  * [`6fdc35243`](https://github.com/containerd/containerd/commit/6fdc352439dfdf88ac7a62c95f5fb1fa07ae3be3) CI: update Fedora to 41
* Fix loop variable capture issue ([#11042](https://github.com/containerd/containerd/pull/11042))
  * [`485020ca8`](https://github.com/containerd/containerd/commit/485020ca8999d2aa6c2165419cca0f104e9e9d5c) fix: loop variable capture issue
* Add containerd community call to readme. ([#11046](https://github.com/containerd/containerd/pull/11046))
  * [`59a2c3523`](https://github.com/containerd/containerd/commit/59a2c3523cddd05a5f4b14c7860f43ed66b6003d) Add containerd community call to readme.
* update to go1.23.4 / go1.22.10 ([#11102](https://github.com/containerd/containerd/pull/11102))
  * [`81780a5dd`](https://github.com/containerd/containerd/commit/81780a5dd37106f4bc01fa776b9d069197bed54b) update to go1.23.4 / go1.22.10
* Fix panic due to nil dereference cgroups v2 ([#11069](https://github.com/containerd/containerd/pull/11069))
  * [`0903f203f`](https://github.com/containerd/containerd/commit/0903f203fb8a9b696ff2522f068313f5de2fad80) fix panic due to nil dereference cgroups v2
* The task_dir successfully cleans when the file is absent. ([#11043](https://github.com/containerd/containerd/pull/11043))
  * [`4a664772e`](https://github.com/containerd/containerd/commit/4a664772efc48e031efc6b3ebd422df0e08ddbec) The task_dir successfully cleans when the file is absent.
* docs: fix snapshots api import ([#11073](https://github.com/containerd/containerd/pull/11073))
  * [`b78c5c6ed`](https://github.com/containerd/containerd/commit/b78c5c6ed2ad0f0d0a23306a36f0a71a84582f5d) docs: fix snapshots api import
* build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 ([#11060](https://github.com/containerd/containerd/pull/11060))
  * [`ea9397793`](https://github.com/containerd/containerd/commit/ea9397793f336327551d9024ea89bc9178d00401) build(deps): bump github/codeql-action from 3.27.4 to 3.27.5
* build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4 ([#11059](https://github.com/containerd/containerd/pull/11059))
  * [`6c16f3490`](https://github.com/containerd/containerd/commit/6c16f3490934aa396b785bd19c0945279a9e728f) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4
* build(deps): bump the k8s group with 5 updates ([#11057](https://github.com/containerd/containerd/pull/11057))
  * [`662d64080`](https://github.com/containerd/containerd/commit/662d6408018eb74bba4d0700aeac6ea137c23571) build(deps): bump the k8s group with 5 updates
* Update differ to handle zstd media types ([#11062](https://github.com/containerd/containerd/pull/11062))
  * [`17f7858b4`](https://github.com/containerd/containerd/commit/17f7858b4e2e31b447410f66d0100b816c1fe6b3) Update differ to handle zstd media types
* build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 ([#11058](https://github.com/containerd/containerd/pull/11058))
  * [`5c905fb6c`](https://github.com/containerd/containerd/commit/5c905fb6c3c93d2180b878f36af41f516531937f) build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
* Unsorted platform conditionals cleanup ([#11065](https://github.com/containerd/containerd/pull/11065))
  * [`e9d560f1e`](https://github.com/containerd/containerd/commit/e9d560f1e8ccd277e19888c95dd4378579d34842) Unsorted platform conditionals cleanup
* Publish attestation as release artifact ([#11049](https://github.com/containerd/containerd/pull/11049))
  * [`3961dc9c8`](https://github.com/containerd/containerd/commit/3961dc9c8cb0e31925e45a2273bbdc06412be262) Publish attestation as release artifact
* Move rockylinux 9.4 to almalinux/9 in CI ([#11050](https://github.com/containerd/containerd/pull/11050))
  * [`288001f68`](https://github.com/containerd/containerd/commit/288001f68c5fd34cfbdc7284f14375a3762b8ff4) move rocky 9.4 to almalinux/9 in CI
* Clarify release for deprecated registry field removals ([#11045](https://github.com/containerd/containerd/pull/11045))
  * [`e24864e48`](https://github.com/containerd/containerd/commit/e24864e48e30e1009a88637d410d6c4df39c3098) Clarify release for deprecated registry field removals
* make ListContainerStats handle container that is removed before its sandbox ([#10724](https://github.com/containerd/containerd/pull/10724))
  * [`c130d93c1`](https://github.com/containerd/containerd/commit/c130d93c11ec128d38d7560262d2e20b03263151) make ListContainerStats handle container that is removed before its sandbox
* Add tests for CNI v2 loopback options ([#10915](https://github.com/containerd/containerd/pull/10915))
  * [`34284c507`](https://github.com/containerd/containerd/commit/34284c50752ea636a2474c7254802d54600199ab) Add tests for CNI v2 loopback options
* *: should align pipe's owner with init process ([#10906](https://github.com/containerd/containerd/pull/10906))
  * [`a21b178f1`](https://github.com/containerd/containerd/commit/a21b178f12b223d48245fac4ad12a0c7b50bf20f) *: should align pipe's owner with init process
* fix: set the credentials even if not provided ([#10917](https://github.com/containerd/containerd/pull/10917))
  * [`11b1353c1`](https://github.com/containerd/containerd/commit/11b1353c12b9f3a1542ffe44a00a988e330f8c56) fix: set the credentials even if not provided
* build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11024](https://github.com/containerd/containerd/pull/11024))
  * [`dd2d89167`](https://github.com/containerd/containerd/commit/dd2d891672305ab756b4b93970ac1342c952ffc8) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
* Reorganize per-platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
  * [`f6e30e962`](https://github.com/containerd/containerd/commit/f6e30e9622b79c1e3ef64e22329bbabe6d1789e7) [defaults] Reorganize per-platform defaults
* build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5 ([#11025](https://github.com/containerd/containerd/pull/11025))
  * [`be2c4504e`](https://github.com/containerd/containerd/commit/be2c4504eefcab5ea3a23caf0630ddeef3a98200) build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
* Move content events to metadata ([#11013](https://github.com/containerd/containerd/pull/11013))
  * [`9e3ab2332`](https://github.com/containerd/containerd/commit/9e3ab2332b8bc4ba3222133d5b174d5f9be26698) Move content events to metadata
* build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 ([#11026](https://github.com/containerd/containerd/pull/11026))
  * [`f5b2c3a07`](https://github.com/containerd/containerd/commit/f5b2c3a07cd59c28419106d547c169d8d49f0e6f) build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
* Use platform-specific default address ([#11016](https://github.com/containerd/containerd/pull/11016))
  * [`9c7a403a2`](https://github.com/containerd/containerd/commit/9c7a403a22d09050eb37f5e578ec613d38d92231) [containerd-stress] Use platform-specific default address
* Update install-imgcrypt to allow change install repo ([#11019](https://github.com/containerd/containerd/pull/11019))
  * [`f8819df7c`](https://github.com/containerd/containerd/commit/f8819df7c4ee690315d45b57a4fddfcb970fcdd3) Update install-imgcrypt to allow change install repo
* update runc binary to 1.2.2 ([#11022](https://github.com/containerd/containerd/pull/11022))
  * [`9a7bc5423`](https://github.com/containerd/containerd/commit/9a7bc5423ef5f477705802e45c0b06869764caca) update runc binary to 1.2.2
* Fix runtimeoptions location in v2 migration script ([#11012](https://github.com/containerd/containerd/pull/11012))
  * [`2447936fc`](https://github.com/containerd/containerd/commit/2447936fca8dcd92ddb8b3af5ec9038b8117d041) Fix runtimeoptions location in v2 migration
* Revert "Disable vagrant strict dependency checking" ([#11004](https://github.com/containerd/containerd/pull/11004))
  * [`1b01f396d`](https://github.com/containerd/containerd/commit/1b01f396de92dcf3cb47816047e61abe5cb81e69) Revert "Disable vagrant strict dependency checking"
* docs: update schema 1 deprecation information ([#11002](https://github.com/containerd/containerd/pull/11002))
  * [`6c1b699bf`](https://github.com/containerd/containerd/commit/6c1b699bf978b858ef32aeca62beddba9e88da08) docs: update schema 1 deprecation information
* fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems ([#10981](https://github.com/containerd/containerd/pull/10981))
  * [`91e4e0967`](https://github.com/containerd/containerd/commit/91e4e096758b4eccb28cbf5955e7a42dcdb29c15) fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
* build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 ([#10989](https://github.com/containerd/containerd/pull/10989))
  * [`73ae1c66f`](https://github.com/containerd/containerd/commit/73ae1c66ff27695a326a77cb59b49c6dee3e6b2b) build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
* build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 ([#10988](https://github.com/containerd/containerd/pull/10988))
  * [`4bd33276c`](https://github.com/containerd/containerd/commit/4bd33276c3402f41b5b4618a118772e5a2fb7f41) build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
* build(deps): bump the golang-x group with 3 updates ([#10990](https://github.com/containerd/containerd/pull/10990))
  * [`cebca6f87`](https://github.com/containerd/containerd/commit/cebca6f874fdec53070fae3f45806849180d6235) build(deps): bump the golang-x group with 3 updates
* build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 ([#10992](https://github.com/containerd/containerd/pull/10992))
  * [`01c489141`](https://github.com/containerd/containerd/commit/01c489141c37e27b71370ab26ab28347b17f4284) build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
* build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4 ([#10987](https://github.com/containerd/containerd/pull/10987))
  * [`d32ed4a56`](https://github.com/containerd/containerd/commit/d32ed4a560f240b9a05c8a25cec54456da5d99b9) build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
* build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 ([#10986](https://github.com/containerd/containerd/pull/10986))
  * [`d810c5759`](https://github.com/containerd/containerd/commit/d810c5759fd5f864d7794a6ff4ef13887110ebe9) build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0
* fsverity_test.go: fix nil pointer derefence, fix test fail, fix minor/major device numbers resolving ([#10972](https://github.com/containerd/containerd/pull/10972))
  * [`f9537ae12`](https://github.com/containerd/containerd/commit/f9537ae126fc2be685cc32d5c98b4189a72e02e9) fsverity_test.go: fix major/minor device number resolving
  * [`8a8e50e6d`](https://github.com/containerd/containerd/commit/8a8e50e6d7baf99ebe02e6ca04d9d842addcd36c) fsverity_test.go: fix nil pointer dereference, fix test fail
* update to go1.23.3 / go1.22.9 ([#10970](https://github.com/containerd/containerd/pull/10970))
  * [`bcc3cc968`](https://github.com/containerd/containerd/commit/bcc3cc968abd5e13084afa1e8dba6afc0d41a2fa) update to go1.23.3 / go1.22.9
* Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz ([#10964](https://github.com/containerd/containerd/pull/10964))
  * [`784116b7d`](https://github.com/containerd/containerd/commit/784116b7d5e67804f26f3c3e060243b0c737ea7c) Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
* Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
  * [`bc056a5c6`](https://github.com/containerd/containerd/commit/bc056a5c60a8add5fb98c59d9e88f9b89025f658) nri: report pod ips to the nri plugins
  * [`a256f326c`](https://github.com/containerd/containerd/commit/a256f326cabd29b4a78334ac981409f005ea9c3f) bump nri version to get PodIPs
* build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 ([#10948](https://github.com/containerd/containerd/pull/10948))
  * [`a17001b42`](https://github.com/containerd/containerd/commit/a17001b42694baa746a22217f6ca7857a096b681) build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0
</p>
</details>

### Changes from containerd/continuity
<details><summary>17 commits</summary>
<p>

* fs: fix Ctime returning Mtime ([containerd/continuity#261](https://github.com/containerd/continuity/pull/261))
  * [`f4f4fb5`](https://github.com/containerd/continuity/commit/f4f4fb5bbdd8321481b8aeedec5cc4412d5001b5) fs: fix Ctime returning Mtime
* fs: implement Atime, Ctime, Mtime for bsd and darwin ([containerd/continuity#262](https://github.com/containerd/continuity/pull/262))
  * [`dbe44eb`](https://github.com/containerd/continuity/commit/dbe44ebd46e9e2497b4b37e0c387f03f7e048f6b) fs: implement Atime, Ctime, Mtime for bsd and darwin
* Makefile: make "lint" target also lint cmd/continuity module and fix linting issues ([containerd/continuity#255](https://github.com/containerd/continuity/pull/255))
  * [`4c00ab7`](https://github.com/containerd/continuity/commit/4c00ab7567238214d4dd9b9797435774836e3381) Makefile: make "lint" target also lint cmd/continuity module
  * [`cadd3a2`](https://github.com/containerd/continuity/commit/cadd3a2d76962f90047608655e607861862e329e) cmd/continuity/continuityfs: SA1019: fuse.ENOENT is deprecated
  * [`38fcdae`](https://github.com/containerd/continuity/commit/38fcdae95788e9c47bdacd674f06164bab91de1b) cmd/continuity: fix SA1019: entry.User/entry.Group is deprecated
* assorted linting fixes and minor cleanups ([containerd/continuity#259](https://github.com/containerd/continuity/pull/259))
  * [`38f66a6`](https://github.com/containerd/continuity/commit/38f66a6d37247c12e5aac5b5ceac4ccb16a1c76e) TestWalkFS: fix unhandled error
  * [`94c0490`](https://github.com/containerd/continuity/commit/94c04905cf9ed5b65bbe2eac4f3f858769cb9f5a) rename variables that shadowed package-level type
  * [`2200bb4`](https://github.com/containerd/continuity/commit/2200bb480f47137ea31eada2d9b0dcfc2474222b) don't use "ctx" for continuity.Context arguments
  * [`583d7ed`](https://github.com/containerd/continuity/commit/583d7ed1582f6b45643c7e11d2b93f6a68b7c623) commands/mount_unsupported: drop nil-assignment (revive)
  * [`5158c3f`](https://github.com/containerd/continuity/commit/5158c3f19836c8dd55dfc1ef84cb8656fca29f9f) golangci-lint: sort linters
  * [`a8c7143`](https://github.com/containerd/continuity/commit/a8c714358ce4cf76db246f88b9495a2b903b2c38) golangci-lint: don't use deprecated name for "govet" linter
* cmd/continuity: switch to google.golang.org/protobuf/proto ([containerd/continuity#260](https://github.com/containerd/continuity/pull/260))
  * [`fd64705`](https://github.com/containerd/continuity/commit/fd6470559ebe380f21b1af08a8869bee7e3435c2) cmd/continuity: switch to google.golang.org/protobuf/proto
</p>
</details>

### Changes from containerd/go-cni
<details><summary>9 commits</summary>
<p>

* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
  * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquision
* Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
  * [`208eca9`](https://github.com/containerd/go-cni/commit/208eca91c33bb793f471831a0abaf6cebe9676a4) support CNI status verb
* Bump github actions dependencies to match containerd CI repo and fix lint ([containerd/go-cni#122](https://github.com/containerd/go-cni/pull/122))
  * [`386f475`](https://github.com/containerd/go-cni/commit/386f4757e63914b2589b8abe6098bfa23f83fa8b) Fix ci.yml indent
  * [`a9b0675`](https://github.com/containerd/go-cni/commit/a9b0675fc9b8b5ce52d84f91a4fc049501853862) Another doc commit to trigger lint?
  * [`14af454`](https://github.com/containerd/go-cni/commit/14af4542b76fa694f2e1853b35554f23c6829f5d) Bump github actions dependency versions
  * [`9e0d096`](https://github.com/containerd/go-cni/commit/9e0d096d58145757809ddce8b8650efc07e19916) Trivial doc commit to trigger lint
</p>
</details>

### Changes from containerd/otelttrpc
<details><summary>6 commits</summary>
<p>

* Add dependabot and upgrade golang and dependency versions ([containerd/otelttrpc#3](https://github.com/containerd/otelttrpc/pull/3))
  * [`2d46141`](https://github.com/containerd/otelttrpc/commit/2d46141c9f9842bc8e2563ae884b963e34ea175f) upgrade golang, deps, CI versions
  * [`64922e7`](https://github.com/containerd/otelttrpc/commit/64922e78c69b7bdecf065f039a5ead4d64e567e0) Add dependabot CI
* Fix concurrent map panic on metadata ([containerd/otelttrpc#2](https://github.com/containerd/otelttrpc/pull/2))
  * [`2ba3be1`](https://github.com/containerd/otelttrpc/commit/2ba3be1e39398b8d2544f5ea962edc1e2f906d32) Fix concurrent map panic on inject metadata
  * [`f50a922`](https://github.com/containerd/otelttrpc/commit/f50a9220fc748442b274390c45773191367262ec) UT for concurrent inject/extract metadata
</p>
</details>

### Changes from containerd/platforms
<details><summary>6 commits</summary>
<p>

* Move windows matcher logic so all platforms can use ([containerd/platforms#22](https://github.com/containerd/platforms/pull/22))
  * [`7c58292`](https://github.com/containerd/platforms/commit/7c5829273cd83c987784fd7ef5487485e0d2fee0) Move windows matcher logic so all platforms can use
* replace testify with stdlib in tests ([containerd/platforms#21](https://github.com/containerd/platforms/pull/21))
  * [`86a86b7`](https://github.com/containerd/platforms/commit/86a86b73a6e01f92aecad823e0f516f6198f3e2c) replace testify with stdlib in tests
* Replace arm64 minor variant logic with lookup table ([containerd/platforms#18](https://github.com/containerd/platforms/pull/18))
  * [`364665a`](https://github.com/containerd/platforms/commit/364665a87c183d5b5eb45fc0e9b86e99013a621a) Replace arm64 minor variant logic with lookup table
</p>
</details>

### Changes from containerd/ttrpc
<details><summary>5 commits</summary>
<p>

* Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
  * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
  * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
  * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
</p>
</details>

### Dependency Changes

* **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
* **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
* **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
* **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
* **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.0
* **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
* **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
* **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
* **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
* **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
* **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
* **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.8.0
* **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
* **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
* **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
* **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
* **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
* **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
* **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
* **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
* **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
* **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.21.1
* **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
* **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
* **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
* **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
* **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
* **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
* **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
* **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
* **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
* **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
* **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
* **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
* **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
* **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
* **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
* **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
* **golang.org/x/net**                                                             v0.30.0 -> v0.35.0
* **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
* **golang.org/x/sync**                                                            v0.8.0 -> v0.12.0
* **golang.org/x/sys**                                                             v0.26.0 -> v0.31.0
* **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
* **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
* **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
* **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
* **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
* **google.golang.org/grpc**                                                       v1.67.1 -> v1.71.0
* **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.5
* **k8s.io/api**                                                                   v0.31.2 -> v0.32.2
* **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.2
* **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.2
* **k8s.io/client-go**                                                             v0.31.2 -> v0.32.2
* **k8s.io/component-base**                                                        v0.31.2 -> v0.32.2
* **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.2
* **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.2
* **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
* **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
* **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
* **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v0.8.1

Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v2.0.4

1a43cb6a · Merge commit from fork · Mar 18, 2025

containerd 2.0.4

Welcome to the v2.0.4 release of containerd!

The fourth patch release for containerd 2.0 includes various bug fixes and updates.

### Highlights

* Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))
* Respect `client.WithTimeout` option on connect ([#11536](https://github.com/containerd/containerd/pull/11536))
* Update image type checks to avoid unnecessary logs for attestations ([#11537](https://github.com/containerd/containerd/pull/11537))

#### Node Resource Interface (NRI)

* Fix incorrect runtime name being passed to NRI ([#11529](https://github.com/containerd/containerd/pull/11529))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Paweł Gronowski
* Akhil Mohan
* Phil Estes
* Samuel Karp
* Craig Ingram
* ningmingxiao

### Changes
<details><summary>19 commits</summary>
<p>

  * [`1a43cb6a1`](https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) Merge commit from fork
  * [`07a0b5419`](https://github.com/containerd/containerd/commit/07a0b5419c408e70ed90179ea3e5825d986f80af) (cherry picked from commit de1341c201ffb0effebbf51d00376181968c8779)
* Prepare release notes for v2.0.4 ([#11541](https://github.com/containerd/containerd/pull/11541))
  * [`06a886a8e`](https://github.com/containerd/containerd/commit/06a886a8e49a02bc15895c093e0519db27415548) Prepare release notes for v2.0.4
* Respect `client.WithTimeout` option on connect ([#11536](https://github.com/containerd/containerd/pull/11536))
  * [`6b5efba83`](https://github.com/containerd/containerd/commit/6b5efba83b2aa68b522ebfe73d3fed8e18a59429) client: Respect `client.WithTimeout` option
* Update image type checks to avoid unnecessary logs for attestations ([#11537](https://github.com/containerd/containerd/pull/11537))
  * [`916d48722`](https://github.com/containerd/containerd/commit/916d4872262eed04fb6626183c2306320d14e965) core/remotes: Handle attestations in MakeRefKey
  * [`df4d905a6`](https://github.com/containerd/containerd/commit/df4d905a6f0d9e74a0aff2514030c343d56ba86d) core/images: Ignore attestations when traversing children
* Fix incorrect runtime name being passed to NRI ([#11529](https://github.com/containerd/containerd/pull/11529))
  * [`4f037050c`](https://github.com/containerd/containerd/commit/4f037050ce83224d79e8b65e270222abb9ce6ab0) add name in package version
* update build to go1.23.7, test go1.24.1 ([#11514](https://github.com/containerd/containerd/pull/11514))
  * [`e5ad0d0a0`](https://github.com/containerd/containerd/commit/e5ad0d0a0e212bc8cd5b8b7169f6b10873e2e6fe) update build to go1.23.7, test go1.24.1
* docs: include note about unprivileged sysctls ([#11506](https://github.com/containerd/containerd/pull/11506))
  * [`a39f1146b`](https://github.com/containerd/containerd/commit/a39f1146b065a0ef054933f912ede0476586fa83) docs: include note about unprivileged sysctls
* e2e: use the shim bundled with containerd artifact ([#11503](https://github.com/containerd/containerd/pull/11503))
  * [`81b3384a0`](https://github.com/containerd/containerd/commit/81b3384a0d6c0f58d36884bbd24bf9f7a965b008) e2e: use the shim bundled with containerd artifact
* build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11497](https://github.com/containerd/containerd/pull/11497))
  * [`7215a7d2c`](https://github.com/containerd/containerd/commit/7215a7d2caa73cd8ca2de50435fa3a5f1df36d75) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v2.0.3](https://github.com/containerd/containerd/releases/tag/v2.0.3)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.27

05044ec0 · Merge commit from fork · Mar 18, 2025

containerd 1.7.27

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

* Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))
* Update image type checks to avoid unnecessary logs for attestations ([#11538](https://github.com/containerd/containerd/pull/11538))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Jin Dong
* Akhil Mohan
* Derek McGowan
* Maksym Pavlenko
* Paweł Gronowski
* Phil Estes
* Akihiro Suda
* Craig Ingram
* Krisztian Litkey
* Samuel Karp

### Changes
<details><summary>20 commits</summary>
<p>

  * [`05044ec0a`](https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork
  * [`11504c3fc`](https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid
* Prepare release notes for v1.7.27 ([#11540](https://github.com/containerd/containerd/pull/11540))
  * [`1be04be6c`](https://github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27
* Update image type checks to avoid unnecessary logs for attestations ([#11538](https://github.com/containerd/containerd/pull/11538))
  * [`82b5c43fe`](https://github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey
  * [`2c670e79b`](https://github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children
* update build to go1.23.7, test go1.24.1 ([#11515](https://github.com/containerd/containerd/pull/11515))
  * [`a39863c9f`](https://github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) update build to go1.23.7, test go1.24.1
* Remove hashicorp/go-multierror dependency and fix CI ([#11499](https://github.com/containerd/containerd/pull/11499))
  * [`49537b3a7`](https://github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact
  * [`fe490b76f`](https://github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0
  * [`13fc9d313`](https://github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1
  * [`585699c94`](https://github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap
  * [`4b9df59be`](https://github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror
* go.{mod,sum}: bump CDI deps to v0.8.1. ([#11422](https://github.com/containerd/containerd/pull/11422))
  * [`5ba28f8dc`](https://github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
* CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11437](https://github.com/containerd/containerd/pull/11437))
  * [`85f10bd92`](https://github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm
  * [`561ed520e`](https://github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb
</p>
</details>

### Dependency Changes

* **github.com/intel/goresctrl**                        v0.3.0 -> v0.5.0
* **github.com/prometheus/client_golang**               v1.14.0 -> v1.16.0
* **github.com/prometheus/common**                      v0.37.0 -> v0.42.0
* **github.com/prometheus/procfs**                      v0.8.0 -> v0.10.1
* **k8s.io/apimachinery**                               v0.26.2 -> v0.27.4
* **sigs.k8s.io/json**                                  f223a00ba0e2 -> bc3834ca7abd
* **tags.cncf.io/container-device-interface**           v0.7.2 -> v0.8.1
* **tags.cncf.io/container-device-interface/specs-go**  v0.7.0 -> v0.8.0

Previous release can be found at [v1.7.26](https://github.com/containerd/containerd/releases/tag/v1.7.26)

Unverified

v1.6.38

cf158e88 · Merge commit from fork · Mar 18, 2025

containerd 1.6.38

Welcome to the v1.6.38 release of containerd!

The thirty-eighth patch release for containerd 1.6 contains various fixes
and updates.

### Highlights

* Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))

#### Container Runtime Interface (CRI)

* Fix fatal map concurrency error in httpstream ([#11319](https://github.com/containerd/containerd/pull/11319))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Jin Dong
* Akhil Mohan
* Derek McGowan
* Phil Estes
* Akihiro Suda
* Craig Ingram
* Kohei Tokunaga
* Maksym Pavlenko
* Samuel Karp
* ningmingxiao

### Changes
<details><summary>19 commits</summary>
<p>

  * [`cf158e884`](https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Merge commit from fork
  * [`9639b9625`](https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f) validate uid/gid
* Prepare release notes for v1.6.38 ([#11539](https://github.com/containerd/containerd/pull/11539))
  * [`eee34bac2`](https://github.com/containerd/containerd/commit/eee34bac2c401b3e4381594e99f6220bf8258c9c) Prepare release notes for v1.6.38
* update build to go1.23.7, test go1.24.1 ([#11421](https://github.com/containerd/containerd/pull/11421))
  * [`b67a35baf`](https://github.com/containerd/containerd/commit/b67a35baf0a97c87033f1a6c9bdf97630fe4e9e8) move exclude-dirs to issues.exclude-dirs
  * [`2104a41ef`](https://github.com/containerd/containerd/commit/2104a41efece4a12a34e03f00d780e905b95b5a5) update golangci-lint to 1.60.1
  * [`820e81adc`](https://github.com/containerd/containerd/commit/820e81adccbf3819d282a6597db98bd4df49c12c) update build to go1.23.7, test go1.24.1
* Remove hashicorp/go-multierror dependency and fix CI ([#11500](https://github.com/containerd/containerd/pull/11500))
  * [`7cc3b3dce`](https://github.com/containerd/containerd/commit/7cc3b3dcec509f1ce2e5d52887520baa48201c54) e2e: use the shim bundled with containerd artifact
  * [`0733895f3`](https://github.com/containerd/containerd/commit/0733895f3de3df51fe4e14563ee94a98df1be8dd) Remove unnecessary joinError unwrap
  * [`054c4cc79`](https://github.com/containerd/containerd/commit/054c4cc79c929eecfb9724fd1c3e9f13a4cd5701) Remove hashicorp/go-multierror
  * [`ff21be0ee`](https://github.com/containerd/containerd/commit/ff21be0ee8b274c05a542a096c1042ef63857f09) Update go to 1.20 to use its multi error support
  * [`f63b5fd3f`](https://github.com/containerd/containerd/commit/f63b5fd3f9b4b809d94d4a3053c4d76a7753072c) update containerd/project-checks to 1.2.1
* Fix fatal map concurrency error in httpstream ([#11319](https://github.com/containerd/containerd/pull/11319))
  * [`abd1692cf`](https://github.com/containerd/containerd/commit/abd1692cf27bcff4590207bdd8a827b06657c446) fix fatal error: concurrent map iteration and map write
* CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11438](https://github.com/containerd/containerd/pull/11438))
  * [`f5ab73c0a`](https://github.com/containerd/containerd/commit/f5ab73c0a776ad2462198725b8d522e820dc690a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
  * [`2cc6b5b0a`](https://github.com/containerd/containerd/commit/2cc6b5b0af07563d2c6a0b183a32e342b7ce86d2) increase xfs base image size to 300Mb
</p>
</details>

### Dependency Changes

This release has no dependency changes

Previous release can be found at [v1.6.37](https://github.com/containerd/containerd/releases/tag/v1.6.37)

Unverified

v2.0.3

06b99ca8 · Merge pull request #11443 from dmcgowan/prepare-v2.0.3 · Feb 28, 2025

containerd 2.0.3

Welcome to the v2.0.3 release of containerd!

The third patch release for containerd 2.0 includes various bug fixes and updates.

### Highlights

* Update remote content to break up writes to avoid grpc message size limits ([#11457](https://github.com/containerd/containerd/pull/11457))
* Update runc binary to v1.2.5 ([#11394](https://github.com/containerd/containerd/pull/11394))

#### Container Runtime Interface (CRI)

* Fix privileged container sysfs can't be rw because pod is ro by default ([#11456](https://github.com/containerd/containerd/pull/11456))
* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))

#### Node Resource Interface (NRI)

* Fix initial sync race when registering NRI plugins ([#11329](https://github.com/containerd/containerd/pull/11329))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Derek McGowan
* Akihiro Suda
* Mike Brown
* Phil Estes
* Akhil Mohan
* Chifeng Cai
* Krisztian Litkey
* Wei Fu
* Andrey Smirnov
* Austin Vazquez
* Chris Henzie
* Jing Xu
* Jonathan A. Sternberg
* Jose Fernandez
* Kirtana Ashok
* Lei Liu
* Maksym Pavlenko
* Michael Zappa
* Samuel Karp
* fengwei0328
* zounengren

### Changes
<details><summary>42 commits</summary>
<p>

* Prepare release notes for v2.0.3 ([#11443](https://github.com/containerd/containerd/pull/11443))
  * [`b8dde9189`](https://github.com/containerd/containerd/commit/b8dde9189df2e62b1650fb699ea8e8f612cdfb66) Prepare release notes for v2.0.3
* Update remote content to break up writes to avoid grpc message size limits ([#11457](https://github.com/containerd/containerd/pull/11457))
  * [`eaa7ca80d`](https://github.com/containerd/containerd/commit/eaa7ca80dcc1ea3e3dffe1382d96d77377720c30) proxy: break up writes from the remote writer to avoid grpc limits
* Fix privileged container sysfs can't be rw because pod is ro by default ([#11456](https://github.com/containerd/containerd/pull/11456))
  * [`c7f64196f`](https://github.com/containerd/containerd/commit/c7f64196fcbc792fd9383eb9aa8d43be0f9fa748) Fix privileged container sysfs can't be rw because pod is ro by default
* go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11430](https://github.com/containerd/containerd/pull/11430))
  * [`92ae2951f`](https://github.com/containerd/containerd/commit/92ae2951ffd92e39a38aba2ab48b31a6cb49138e) Update CDI dependency to v0.8.1.
* Prefer runtime options for PluginInfo request ([#11446](https://github.com/containerd/containerd/pull/11446))
  * [`569af34cb`](https://github.com/containerd/containerd/commit/569af34cbb761f0507546457ffe376f4454c87ea) Prefer runtime options for PluginInfo request
* pkg: prevent oom watcher from depending on shim pkg ([#11439](https://github.com/containerd/containerd/pull/11439))
  * [`0ce93e16a`](https://github.com/containerd/containerd/commit/0ce93e16a9fd91c03a67150a6098d09f5258c300) prevent oom watcher depend on shim pkg.
* CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11436](https://github.com/containerd/containerd/pull/11436))
  * [`f3284aa68`](https://github.com/containerd/containerd/commit/f3284aa68f864f2303b42546b14f7af15eccd063) CI: arm64-8core-32gb -> ubuntu-24.04-arm
* Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11403](https://github.com/containerd/containerd/pull/11403))
  * [`b5313993c`](https://github.com/containerd/containerd/commit/b5313993c16f8ae9d4a053162a75bacced36e246) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
* move the device after the options when using mkfs.ext4 ([#11411](https://github.com/containerd/containerd/pull/11411))
  * [`f95a426b8`](https://github.com/containerd/containerd/commit/f95a426b83ec716feaab0a436d5e2280dc4e9d99) move the device after the options when using mkfs.ext4
* update build to go1.23.6, test go1.24.0 ([#11410](https://github.com/containerd/containerd/pull/11410))
  * [`4d19a6adf`](https://github.com/containerd/containerd/commit/4d19a6adfec9440d0806a1cc4633deaef3e5d53c) update build to go1.23.6, test go1.24.0
* build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11405](https://github.com/containerd/containerd/pull/11405))
  * [`c738c3aab`](https://github.com/containerd/containerd/commit/c738c3aabc350ae67c5200de4c504c5038834e91) build(deps): bump actions/cache from 4.1.2 to 4.2.0
* Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#11387](https://github.com/containerd/containerd/pull/11387))
  * [`fcf64305c`](https://github.com/containerd/containerd/commit/fcf64305cef019c8bf135d7373e2b658e02019b3) Update vendor files to fix build failure
  * [`d3437eb29`](https://github.com/containerd/containerd/commit/d3437eb2918f6e266e97c5ee08737926519dc40d) Upgrade x/net to 0.33.0
* Update install-imgcrypt to allow change install repo ([#11357](https://github.com/containerd/containerd/pull/11357))
  * [`0785bd8cc`](https://github.com/containerd/containerd/commit/0785bd8cc6405b346a81025c983365825910e77f) Update install-imgcrypt to allow change install repo
* Update runc binary to v1.2.5 ([#11394](https://github.com/containerd/containerd/pull/11394))
  * [`697c59c63`](https://github.com/containerd/containerd/commit/697c59c63568a8d722e958e68ef52bbb25160b63) Update runc binary to v1.2.5
* Update go-cni version to fix Race Condition issue ([#11269](https://github.com/containerd/containerd/pull/11269))
  * [`06891f899`](https://github.com/containerd/containerd/commit/06891f899d25de9dd1cb5e5443ec099e17a57e00) fix go-cni race condition
* Fix initial sync race when registering NRI plugins ([#11329](https://github.com/containerd/containerd/pull/11329))
  * [`79cdbf61b`](https://github.com/containerd/containerd/commit/79cdbf61b6f7e4be2feb1bb2d631bdb1b9c5cd7f) cri,nri: block NRI plugin sync. during event processing.
* Update github.com/containerd/imgcrypt to v2.0.0 ([#11325](https://github.com/containerd/containerd/pull/11325))
  * [`9d5cfce83`](https://github.com/containerd/containerd/commit/9d5cfce833cf7dc98319390ce002bd4f6a20d423) Update github.com/containerd/imgcrypt to v2.0.0
* Move CDI device spec out of the OCI package ([#11265](https://github.com/containerd/containerd/pull/11265))
  * [`f58939c33`](https://github.com/containerd/containerd/commit/f58939c33d5777c3c813927831bc260cd94baf57) Remove deprecated WithCDIDevices in oci spec opts
  * [`3d53430fe`](https://github.com/containerd/containerd/commit/3d53430fe14eb76849a6c997d60b21a9f95c19ed) Move CDI device spec out of the OCI package
* update to go1.23.5 / go1.22.11 ([#11297](https://github.com/containerd/containerd/pull/11297))
  * [`1f4e5688e`](https://github.com/containerd/containerd/commit/1f4e5688efd71cb9db26158ed697d27ba26dd6b3) update to go1.23.5 / go1.22.11
* build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11263](https://github.com/containerd/containerd/pull/11263))
  * [`3a6ab80d0`](https://github.com/containerd/containerd/commit/3a6ab80d0176e205bd9f6a958450f9dce4415091) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
</p>
</details>

### Changes from containerd/go-cni
<details><summary>2 commits</summary>
<p>

* Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
  * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquision
</p>
</details>

### Dependency Changes

* **github.com/containerd/go-cni**             v1.1.11 -> v1.1.12
* **github.com/containerd/imgcrypt/v2**        v2.0.0-rc.1 -> v2.0.0
* **github.com/containers/ocicrypt**           v1.2.0 -> v1.2.1
* **github.com/petermattis/goid**              4fcff4a6cae7 **_new_**
* **github.com/sasha-s/go-deadlock**           v0.3.5 **_new_**
* **github.com/smallstep/pkcs7**               v0.1.1 **_new_**
* **golang.org/x/crypto**                      v0.28.0 -> v0.31.0
* **golang.org/x/net**                         v0.30.0 -> v0.33.0
* **golang.org/x/oauth2**                      v0.22.0 -> v0.23.0
* **golang.org/x/sync**                        v0.8.0 -> v0.10.0
* **golang.org/x/sys**                         v0.26.0 -> v0.28.0
* **golang.org/x/term**                        v0.25.0 -> v0.27.0
* **golang.org/x/text**                        v0.19.0 -> v0.21.0
* **google.golang.org/grpc**                   v1.67.1 -> v1.68.1
* **google.golang.org/protobuf**               v1.35.1 -> v1.35.2
* **tags.cncf.io/container-device-interface**  v0.8.0 -> v0.8.1

Previous release can be found at [v2.0.2](https://github.com/containerd/containerd/releases/tag/v2.0.2)
### Which file should I download?
* `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
* `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.

See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.

Unverified

v1.7.26

753481ec · Merge pull request #11356 from austinvazquez/release-1.7.26 · Feb 26, 2025

containerd 1.7.26

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

### Highlights

* Add support for syncfs after unpack ([#11267](https://github.com/containerd/containerd/pull/11267))
* Update runc binary to v1.2.5 ([#11395](https://github.com/containerd/containerd/pull/11395))
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
* Reject oversized messages from the sender ([containerd/ttrpc#171](https://github.com/containerd/ttrpc/pull/171))

#### Container Runtime Interface (CRI)

* Fix fatal concurrency error in port forwarding ([#11306](https://github.com/containerd/containerd/pull/11306))

#### Node Resource Interface (NRI)

* Fix initial sync race when registering NRI plugins ([#11326](https://github.com/containerd/containerd/pull/11326))
* Add API support for reading Pod IPs ([containerd/nri#119](https://github.com/containerd/nri/pull/119))
* Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://github.com/containerd/nri/pull/111))
* Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://github.com/containerd/nri/pull/109))
* Fix mount removal in adjustments ([containerd/nri#107](https://github.com/containerd/nri/pull/107))
* Close plugin if initial synchronization fails ([containerd/nri#103](https://github.com/containerd/nri/pull/103))
* Add support for adjusting OOM score ([containerd/nri#94](https://github.com/containerd/nri/pull/94))
* Add API support for NRI-native CDI injection ([containerd/nri#98](https://github.com/containerd/nri/pull/98))
* Add support for pids cgroup ([containerd/nri#76](https://github.com/containerd/nri/pull/76))

#### Runtime

* Fix console TTY leak in runc shim ([#11250](https://github.com/containerd/containerd/pull/11250))

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

### Contributors

* Krisztian Litkey
* Mike Brown
* Samuel Karp
* Wei Fu
* Phil Estes
* Derek McGowan
* Iceber Gu
* Akhil Mohan
* Antonio Ojea
* Austin Vazquez
* Henry Wang
* Jin Dong
* Xiaojin Zhang
* ningmingxiao
* AbdelrahmanElawady
* Akihiro Suda
* Antti Kervinen
* Jing Xu
* Jitang Lei
* Justin Alvarez
* Lei Liu
* Maksym Pavlenko
* Yang Yang
* Yuhang Wei
* cormick
* jingtao.liang

### Changes
<details><summary>24 commits</summary>
<p>

* Prepare release notes for v1.7.26 ([#11356](https://github.com/containerd/containerd/pull/11356))
  * [`ceba197f5`](https://github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26
* Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#11434](https://github.com/containerd/containerd/pull/11434))
  * [`3486bc8dd`](https://github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0
* update build to go1.23.6, test go1.24.0 ([#11419](https://github.com/containerd/containerd/pull/11419))
  * [`9025d3075`](https://github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0
* Update install-imgcrypt to allow change install repo ([#11358](https://github.com/containerd/containerd/pull/11358))
  * [`83eaab482`](https://github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo
* Add support for syncfs after unpack ([#11267](https://github.com/containerd/containerd/pull/11267))
  * [`8bc21cba7`](https://github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin
* Update runc binary to v1.2.5 ([#11395](https://github.com/containerd/containerd/pull/11395))
  * [`27c472acf`](https://github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5
* Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11400](https://github.com/containerd/containerd/pull/11400))
  * [`8d8034b66`](https://github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs
* Fix initial sync race when registering NRI plugins ([#11326](https://github.com/containerd/containerd/pull/11326))
  * [`11af05177`](https://github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing.
  * [`d4036cd3d`](https://github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
* Fix console TTY leak in runc shim ([#11250](https://github.com/containerd/containerd/pull/11250))
  * [`c3e24e024`](https://github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak
  * [`4e45a463d`](https://github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object
* Fix fatal concurrency error in port forwarding ([#11306](https://github.com/containerd/containerd/pull/11306))
  * [`0fe9f0b52`](https://github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write
* update build to go1.22.11, test go1.23.5 ([#11298](https://github.com/containerd/containerd/pull/11298))
  * [`441b92636`](https://github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5
</p>
</details>

### Changes from containerd/nri
<details><summary>77 commits</summary>
<p>

* Add API support for reading Pod IPs ([containerd/nri#119](https://github.com/containerd/nri/pull/119))
  * [`eaf78a9`](https://github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs
*  generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://github.com/containerd/nri/pull/116))
  * [`07bfc18`](https://github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj
  * [`b5fc359`](https://github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment
* device-injector: remove unreachable code. ([containerd/nri#115](https://github.com/containerd/nri/pull/115))
  * [`235aa11`](https://github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files
* Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://github.com/containerd/nri/pull/111))
  * [`159f575`](https://github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message.
  * [`bf267e3`](https://github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages.
  * [`ed78ae9`](https://github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary.
  * [`6fd59d6`](https://github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages.
  * [`a7fcccc`](https://github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages.
  * [`5fe9b06`](https://github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size.
  * [`693d64e`](https://github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps.
* Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://github.com/containerd/nri/pull/109))
  * [`320e4e7`](https://github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts.
  * [`f86d982`](https://github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts.
  * [`cfcd2af`](https://github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target.
  * [`8cd9504`](https://github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite.
  * [`966ac92`](https://github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks.
* ci: verify that code generation works and results match ([containerd/nri#113](https://github.com/containerd/nri/pull/113))
  * [`f74ce31`](https://github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo
* deps: bump gingko to v2.19.1, golang to v1.21.x.  ([containerd/nri#110](https://github.com/containerd/nri/pull/110))
  * [`e4d5c36`](https://github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x.
  * [`6578149`](https://github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21.
  * [`442e812`](https://github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1.
* sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://github.com/containerd/nri/pull/43))
  * [`eada085`](https://github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully
  * [`b881bc4`](https://github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins
* Fix mount removal in adjustments ([containerd/nri#107](https://github.com/containerd/nri/pull/107))
  * [`3880f1d`](https://github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal.
  * [`0d3b376`](https://github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments.
* codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://github.com/containerd/nri/pull/105))
  * [`df84c47`](https://github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow.
  * [`a03dc93`](https://github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling.
* Close plugin if initial synchronization fails ([containerd/nri#103](https://github.com/containerd/nri/pull/103))
  * [`4aec208`](https://github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized.
  * [`4e60cd0`](https://github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails.
* Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://github.com/containerd/nri/pull/104))
  * [`1cc026f`](https://github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto
* Add support for adjusting OOM score ([containerd/nri#94](https://github.com/containerd/nri/pull/94))
  * [`efcb2da`](https://github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom_score_adj
* Add API support for NRI-native CDI injection ([containerd/nri#98](https://github.com/containerd/nri/pull/98))
  * [`8783973`](https://github.com/containerd/nri/commit/87839736588c90995cd7d8a19beb47076efd3319) device-injector: clarify precedence of annotations.
  * [`4eb7075`](https://github.com/containerd/nri/commit/4eb70757f7095a9928d6a34a9e8f28eaac066a42) pkg/adaptation: fix grammatical mistakes in comments.
  * [`4bd8da8`](https://github.com/containerd/nri/commit/4bd8da8cf7128f9ac88ebed28f2e3afd73d0fab1) device-injector: add support for CDI injection.
  * [`44773bd`](https://github.com/containerd/nri/commit/44773bdd8b2fc5ed0e193975f54cfdf7153f708c) runtime-tools/generate: add support CDI injection.
  * [`65282fe`](https://github.com/containerd/nri/commit/65282fe079414600930b9fa084a46fb0bd0e0c8b) adaptation: add CDI device injection unit test.
  * [`01f3b7a`](https://github.com/containerd/nri/commit/01f3b7a6681de5961920091f88e71335778ecc21) adaptation: add support for native CDI injection.
  * [`f1aa58f`](https://github.com/containerd/nri/commit/f1aa58f8157aacbdda3826316c77e4e96914235a) api: add support for native CDI device injection.
* types: Fix a typo ([containerd/nri#101](https://github.com/containerd/nri/pull/101))
  * [`8434439`](https://github.com/containerd/nri/commit/8434439b76e0b4c8dad1c5e2b1fadc4bbfea4b1a) types: Fix a typo
* Add support for pids cgroup ([containerd/nri#76](https://github.com/containerd/nri/pull/76))
  * [`1719502`](https://github.com/containerd/nri/commit/1719502ed2a62bb99e561f759278f3e6628ae191) support pids cgroup
* stub: support restart after stub stopped ([containerd/nri#91](https://github.com/containerd/nri/pull/91))
  * [`242661f`](https://github.com/containerd/nri/commit/242661fd7ab841358dc0cc53b8fe34dd7878b6c8) stub: support re-start after stub stopped
* stop closed plugins that will be removed ([containerd/nri#89](https://github.com/containerd/nri/pull/89))
  * [`ba398fa`](https://github.com/containerd/nri/commit/ba398fa866f5f8a2d51e92eedcde2ea6aacce2b1) stop closed plugins that will be removed
* plugins/device-injector: fix a small typo in README.md. ([containerd/nri#97](https://github.com/containerd/nri/pull/97))
  * [`f96a550`](https://github.com/containerd/nri/commit/f96a550770396c0e83763d2ff1a48c74facbbff7) device-injector: small grammar fix in README.md.
* plugins/template: fix a typo in a comment. ([containerd/nri#96](https://github.com/containerd/nri/pull/96))
  * [`5680921`](https://github.com/containerd/nri/commit/5680921a7acdd967fc72317b63380b278c3a447c) plugins/template: fix typo in a comment.
* go.{mod,sum}, .github: bump minimum golang version to 1.20. ([containerd/nri#88](https://github.com/containerd/nri/pull/88))
  * [`2c3608d`](https://github.com/containerd/nri/commit/2c3608db37a03ff3d7b02fc86d2a763976a830ea) .golangci.yml: silence dot-import errors for tests.
  * [`8f56974`](https://github.com/containerd/nri/commit/8f56974eb755a4a09d1013a82f30d9593fc50b9a) pkg/{adaptation,api,net,stub}: fix linter errors.
  * [`e863892`](https://github.com/containerd/nri/commit/e863892df021fc7ac5f5d9302132fb4a82c54394) .github: bump golangci-lint to v1.58.0.
  * [`674cb41`](https://github.com/containerd/nri/commit/674cb4149fc21a25e35e82b3b7baec2c9ac4404a) .github: bump setup-go to v5.
  * [`9106283`](https://github.com/containerd/nri/commit/9106283b2ebbad9f0c3374113a2b93c1cd0ab304) .github: test with golang 1.20.x, 1.21.x, 1.22.3 in CI.
  * [`a9778ad`](https://github.com/containerd/nri/commit/a9778ad8bf138b27289e2d12d84b81420f6709b2) plugins: bump golang version to 1.20.
  * [`8e86065`](https://github.com/containerd/nri/commit/8e860654df09f8aebac99b6738c2cbffefd8f8b8) go.{mod.sum}: bump golang version to 1.20.
* network device injector plugin ([containerd/nri#82](https://github.com/containerd/nri/pull/82))
  * [`ff774e6`](https://github.com/containerd/nri/commit/ff774e6e62a652d4473e2398110ff796aa1e420b) network device injector plugin
* Modify hook-injector plugin to monitor directories to match cri-o ([containerd/nri#84](https://github.com/containerd/nri/pull/84))
  * [`06841c2`](https://github.com/containerd/nri/commit/06841c28928f8f0c21ddb7511cb2b464f8c08139) Modify hook-injector plugin to monitor directories to match cri-o
* docs: fix broken link to sample plugins in README.md ([containerd/nri#81](https://github.com/containerd/nri/pull/81))
  * [`2791e93`](https://github.com/containerd/nri/commit/2791e932d71d3bff0bed040a17b5d4f9afc549be) docs: fix broken link to sample plugins in README.md
</p>
</details>

### Changes from containerd/ttrpc
<details><summary>11 commits</summary>
<p>

* Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
  * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
* Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
  * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
  * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
* Reject oversized messages from the sender ([containerd/ttrpc#171](https://github.com/containerd/ttrpc/pull/171))
  * [`b5cd6e4`](https://github.com/containerd/ttrpc/commit/b5cd6e4b32878158dc44b7854a7d14b454f75daf) channel: allow discovery of overflown message size.
  * [`d8c00df`](https://github.com/containerd/ttrpc/commit/d8c00dfec306c305efef44aa526f2acf8ebd165b) channel_test: update oversize message test.
  * [`de273bf`](https://github.com/containerd/ttrpc/commit/de273bf7511de4710934b92415a00d471a6118cb) channel: reject oversized messages on the sender side.
* server_test: fix error message in TestOversizeCall. ([containerd/ttrpc#170](https://github.com/containerd/ttrpc/pull/170))
  * [`84e1784`](https://github.com/containerd/ttrpc/commit/84e1784f340651f94891fbd091cbb3d5bfdf9e62) server_test: fix error message in TestOversizeCall.
</p>
</details>

### Dependency Changes

* **github.com/containerd/nri**    v0.6.1 -> v0.8.0
* **github.com/containerd/ttrpc**  v1.2.5 -> v1.2.7
* **github.com/go-logr/logr**      v1.3.0 -> v1.4.2
* **golang.org/x/net**             v0.25.0 -> v0.33.0

Previous release can be found at [v1.7.25](https://github.com/containerd/containerd/releases/tag/v1.7.25)

Unverified