containerd 2.2.3

github-actions released this 14 Apr 17:38 · 853 commits to main since this release · v2.2.3 · 77c8424

Welcome to the v2.2.3 release of containerd!

The third patch release for containerd 2.2 contains various fixes
and updates including a security patch.

Security Updates

Highlights

Container Runtime Interface (CRI)

  • Preserve cgroup mount options for privileged containers (#13120)
  • Ensure UpdatePodSandbox returns Unimplemented instead of a generic error (#13023)

Go client

  • Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 (#13015)

Image Distribution

  • Enable mount manager in diff walking to fix layer extraction errors with some snapshotters (e.g., EROFS) (#13198)
  • Apply hardening to prevent TOCTOU race during tar extraction (#12971)

Runtime

  • Restore support for client-mounted roots in Windows containers using process isolation (#13195)
  • Update runc to v1.3.5 (#13061)
  • Apply absolute symlink resolution to /etc/group in OCI spec to fix lookups on NixOS-style systems (#13019)
  • Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 (#13015)

Snapshotters

  • Fix bug that caused whiteouts to be ignored when parallel unpack was used (#13125)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Samuel Karp
  • Sebastiaan van Stijn
  • Maksym Pavlenko
  • Chris Henzie
  • Derek McGowan
  • Paulo Oliveira
  • Henry Wang
  • Phil Estes
  • Wei Fu
  • Akihiro Suda
  • Gao Xiang
  • Ricardo Branco
  • Shachar Tal

Changes

40 commits

  • Prepare release notes for v2.2.3 (#13224)
  • update github.com/moby/spdystream v0.5.1 (#13217)
    • 31bd34a06 update github.com/moby/spdystream v0.5.1
  • vendor: github.com/klauspost/compress v1.18.5 (#13197)
    • 1336f6c45 vendor: github.com/klauspost/compress v1.18.5
  • diff/walking: enable mount manager (#13198)
    • 409f75be8 diff/walking: enable mount manager
  • update runhcs to v0.14.1 (#13195)
  • vendor: github.com/Microsoft/hcsshim v0.14.1 (#13196)
    • 8bd1b74e5 vendor: github.com/Microsoft/hcsshim v0.14.1
    • c6b0be8e1 vendor: github.com/Microsoft/hcsshim v0.14.0
  • update to Go 1.25.9, 1.26.2 (#13190)
  • Skip TestExportAndImportMultiLayer on s390x (#13154)
    • be554f478 Skip TestExportAndImportMultiLayer on s390x
  • Tweak mount info for overlayfs in case of parallel unpack (#13125)
    • 660de195b Tweak mount info for overlayfs in case of parallel unpack
    • bc9274a4b Add integration test for issue 13030
  • Preserve cgroup mount options for privileged containers (#13120)
    • c387890b5 Add integration test for privileged container cgroup mounts
    • 047a335a6 Forward RUNC_FLAVOR env var down to integration tests
    • 9b2d72ee0 Preserve host cgroup mount options for privileged containers
    • 5b66cd6a0 Move cgroup namespace placement higher in spec builder
  • update runc binary to v1.3.5 (#13061)
    • 584205c2f [release/2.2] update runc binary to v1.3.5
  • Fix vagrant on CI (#13066)
  • Fix TOCTOU race bug in tar extraction (#12971)
    • fbed68b8f Fix TOCTOU race bug in tar extraction
  • cri: UpdatePodSandbox should return Unimplemented (#13023)
    • a83510103 cri: UpdatePodSandbox should return Unimplemented
  • fix(oci): apply absolute symlink resolution to /etc/group (#13019)
    • ee4179e52 fix(oci): apply absolute symlink resolution to /etc/group
  • fix(oci): handle absolute symlinks in rootfs user lookup (#13015)
    • fd061b848 test(oci): use fstest and mock fs for better symlink coverage
    • 5d44d2c22 fix(oci): handle absolute symlinks in rootfs user lookup
  • update to go1.25.8, test go1.26.1 (#13011)
    • 00c776f07 update to go1.25.8, test go1.26.1

Dependency Changes

  • github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.14.1
  • github.com/klauspost/compress v1.18.1 -> v1.18.5
  • github.com/moby/spdystream v0.5.0 -> v0.5.1

Previous release can be found at v2.2.2

Which file should I download?

  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅ Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.