Welcome to the v1.7.24 release of containerd!

The twenty-fourth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Update runc binary to 1.2.2 (#11027)
• Fix "invalid metric type" error message for cgroup v1 (#10814)

Container Runtime Interface (CRI)

• Update the container exit log to info level (#11007)

Image Distribution

• Fix retry logic and concurrency issue with http fallback (#11032)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akhil Mohan
• Akihiro Suda
• Maksym Pavlenko
• Austin Vazquez
• Samuel Karp
• Benjamin Peterson
• Davanum Srinivas
• Iceber Gu
• Mike Brown
• Sebastiaan van Stijn
• Tõnis Tiigi
• ningmingxiao

Changes

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.23

Welcome to the v2.0.0 release of containerd!

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

See containerd 2.0 documentation for details on what is new and has changed in this release.

Highlights

• Allow sections of Plugins to be merged, and not overwritten as entire sections. (#9982)
• Add Update API for sandbox controller (#9903)
• Configure otel from env instead of config.toml (#8970)
• Enable NRI by default (#9744)
• Add PluginInfo to introspection API (#9442)
• Remove overlayfs volatile option on temp mounts (#9555)
• Expose usage of deprecated features (#9258)
• Use Intel ISA-L's igzip if available (#9200)
• Introduce top level config migration (#9223)
• Add image delete target (#8989)
• Remove LimitNOFILE from containerd.service (#8924)
• Add support for image expiration during garbage collection (#9022)
• Reduce the contention between ref lock and boltdb lock in content store (#8792)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Support arm64/v9 and minor variants (containerd/platforms#8)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#10543)
• Remove cri-containerd-*.tar.gz release bundles (#9096)

Container Runtime Interface (CRI)

• Use 'UserSpecifiedImage' from CRI to set the image-name annotation (#10747)
• Fine-grained SupplementalGroups control (#9737)
• Add support to set loopback to up (#10238)
• KEP-3857: Recursive Read-only (RRO) mounts (#9787)
• Add support for multiple subscribers to CRI container events (#9661)
• Enable CDI by default (#9621)
• Remove non-sandboxed CRI implementation (#9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#8287)
• Use sandboxed CRI by default (#8994)
• Implement RuntimeConfig CRI call (#8722)
• Add support for user namespaces (KEP-127) (#8803)
• Remove CRI v1alpha2 (#8276)

Go client

• Add api Go module and move all protos under api (#10151)
• Move packages based on contributing guide (#9365)
• Generalize plugin library (#9214)
• Use github.com/containerd/log (#9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#10284)
• Skip "unknown" in image platform listing (#10257)
• Update unpacker to fetch all provided content (#10202)
• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Disable the support for Schema 1 images (#9765)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Update import and export to allow references to missing content (#9554)
• Add option to perform syncfs after pull (#9401)
• Add image verifier transfer service plugin system based on a binary directory (#8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#10410)
• Add pprof to runc-shim (#10242)
• Provide runtime options in plugin info (#10251)
• Store bootstrap parameters in sandbox metadata (#9736)
• Update apparmor to allow confined runc to kill containers (#10123)
• Support vsock connection to task api (#9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Switch runc shim to task service v3 and fix restore (#9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)
• Remove the CriuPath field from runc's options (#8279)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Remove disable_cgroup from CRI config (#10594)
• Disable the support for Schema 1 images (#9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Move client to subpackage (#9316)
• Remove LimitNOFILE from containerd.service (#8924)
• Remove CRI v1alpha2 (#8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)

Deprecations

• Update warnings for deprecated CRI config fields (#10509)
• Add type alias for event Envelope (#10279)
• Postpone removal of deprecated CRI config properties (#9966)
• Deprecate go-plugin configuration option (#9238)
• CNI conf_template in CRI is no longer deprecated (#8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Krisztian Litkey
• Kazuyoshi Kato
• Austin Vazquez
• Rodrigo Campos
• Danny Canter
• Abel Feng
• Mike Brown
• Kirtana Ashok
• Akhil Mohan
• Iceber Gu
• Gabriel Adrian Samfira
• Jin Dong
• Kohei Tokunaga
• Bjorn Neergaard
• Brian Goff
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Davanum Srinivas
• Paul "TBBle" Hampson
• Henry Wang
• Enrico Weigelt
• Laura Brehm
• Marat Radchenko
• Paweł G...

Welcome to the api/v1.8.0 release of containerd!

The first dedicated release for the containerd API. This release continues the 1.x
line of API compatibility with the 9th minor release of the 1.x API.

Highlights

• Add Update API for sandbox controller (#9903)
• Add PluginInfo to introspection API (#9442)
• Expose usage of deprecated features (#9258)
• Add image delete target (#8989)

Go client

• Add api Go module and move all protos under api (#10151)

Image Distribution

• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Add option to perform syncfs after pull (#9401)

Runtime

• Store bootstrap parameters in sandbox metadata (#9736)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)

Deprecations

• Add type alias for event Envelope (#10279)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Maksym Pavlenko
• Wei Fu
• Abel Feng
• Akihiro Suda
• Phil Estes
• Danny Canter
• Samuel Karp
• Kohei Tokunaga
• Sebastiaan van Stijn
• Akhil Mohan
• Brian Goff
• Bryant Biggs
• Davanum Srinivas
• Iceber Gu
• Kirtana Ashok

Changes

Welcome to the v2.0.0-rc.6 release of containerd!
This is a pre-release of containerd

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

Highlights

• Allow sections of Plugins to be merged, and not overwritten as entire sections. (#9982)
• Add Update API for sandbox controller (#9903)
• Configure otel from env instead of config.toml (#8970)
• Enable NRI by default (#9744)
• Add PluginInfo to introspection API (#9442)
• Remove overlayfs volatile option on temp mounts (#9555)
• Expose usage of deprecated features (#9258)
• Use Intel ISA-L's igzip if available (#9200)
• Introduce top level config migration (#9223)
• Add image delete target (#8989)
• Remove LimitNOFILE from containerd.service (#8924)
• Add support for image expiration during garbage collection (#9022)
• Reduce the contention between ref lock and boltdb lock in content store (#8792)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#10543)
• Remove cri-containerd-*.tar.gz release bundles (#9096)

Container Runtime Interface (CRI)

• Use 'UserSpecifiedImage' from CRI to set the image-name annotation (#10747)
• Fine-grained SupplementalGroups control (#9737)
• Add support to set loopback to up (#10238)
• Add support for multiple subscribers to CRI container events (#9661)
• Enable CDI by default (#9621)
• Remove non-sandboxed CRI implementation (#9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#8287)
• Use sandboxed CRI by default (#8994)
• Implement RuntimeConfig CRI call (#8722)
• Add support for user namespaces (KEP-127) (#8803)
• Remove CRI v1alpha2 (#8276)

Go client

• Add api Go module and move all protos under api (#10151)
• Move packages based on contributing guide (#9365)
• Generalize plugin library (#9214)
• Use github.com/containerd/log (#9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#10284)
• Skip "unknown" in image platform listing (#10257)
• Update unpacker to fetch all provided content (#10202)
• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Disable the support for Schema 1 images (#9765)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Update import and export to allow references to missing content (#9554)
• Add option to perform syncfs after pull (#9401)
• Add image verifier transfer service plugin system based on a binary directory (#8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#10410)
• Add pprof to runc-shim (#10242)
• Provide runtime options in plugin info (#10251)
• Store bootstrap parameters in sandbox metadata (#9736)
• Update apparmor to allow confined runc to kill containers (#10123)
• Support vsock connection to task api (#9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Switch runc shim to task service v3 and fix restore (#9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)
• Remove the CriuPath field from runc's options (#8279)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Remove disable_cgroup from CRI config (#10594)
• Disable the support for Schema 1 images (#9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Move client to subpackage (#9316)
• Remove LimitNOFILE from containerd.service (#8924)
• Remove CRI v1alpha2 (#8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)

Deprecations

• Update warnings for deprecated CRI config fields (#10509)
• Add type alias for event Envelope (#10279)
• Postpone removal of deprecated CRI config properties (#9966)
• Deprecate go-plugin configuration option (#9238)
• CNI conf_template in CRI is no longer deprecated (#8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Stefan Berger
• Krisztian Litkey
• Kazuyoshi Kato
• Rodrigo Campos
• Austin Vazquez
• Danny Canter
• Abel Feng
• Mike Brown
• Akhil Mohan
• Kirtana Ashok
• Iceber Gu
• Gabriel Adrian Samfira
• Jin Dong
• Kohei Tokunaga
• Bjorn Neergaard
• Brian Goff
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Davanum Srinivas
• Paul "TBBle" Hampson
• Henry Wang
• Enrico Weigelt
• Laura Brehm
• Marat Radchenko
• Paweł Gronowski
• Shingo Omura
• Hsing-Yu (David) Chen
• Ilya Hanov
• Cardy.Tang
• Swagat Bora
• Aditi Sharma
• Amit Barve
• Bryant Biggs
• Evan Lezar
• James Jenkins
• Jordan Liggitt
• Kay Yan
• Markus Lehtonen
• Nashwan Azhari
• Shuaiyi Zhang
• Vinayak Goyal
• helen
• Alexandru Matei
• Anthony Nandaa
• Avi Deitcher
• Charity Kathure
• Cory Snider
• Ed Bartosh
• Etienne Champetier
• Kevin Parsons
• Michael Zappa
• Milas Bowman
• lengrongfu
• ningmingxiao
• yanggang
• zounengren
• Ad...

Welcome to the api/v1.8.0-rc.4 release of containerd!
This is a pre-release of containerd

The first dedicated release for the containerd API. This release continues the 1.x
line of API compatibility with the 9th minor release of the 1.x API.

Highlights

• Add Update API for sandbox controller (#9903)
• Add PluginInfo to introspection API (#9442)
• Expose usage of deprecated features (#9258)
• Add image delete target (#8989)

Go client

• Add api Go module and move all protos under api (#10151)

Image Distribution

• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Add option to perform syncfs after pull (#9401)

Runtime

• Store bootstrap parameters in sandbox metadata (#9736)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)

Deprecations

• Add type alias for event Envelope (#10279)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Maksym Pavlenko
• Wei Fu
• Abel Feng
• Akihiro Suda
• Phil Estes
• Danny Canter
• Samuel Karp
• Kohei Tokunaga
• Sebastiaan van Stijn
• Akhil Mohan
• Brian Goff
• Bryant Biggs
• Davanum Srinivas
• Iceber Gu
• Kirtana Ashok

Changes

Welcome to the v1.7.23 release of containerd!

The twenty-third patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Add errdefs aliases (#10792)
• Allow proxy plugins to have capabilities (#10731)
• Revert errdefs package migration (#10712)

Container Runtime Interface (CRI)

• Add check for CNI plugins before tearing down pod network (#10767)

Image Distribution

• Fix the race condition during GC of snapshots when client retries (#10763)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Austin Vazquez
• Phil Estes
• Akihiro Suda
• Samuel Karp
• Maksym Pavlenko
• Kern Walster
• Kir Kolyshkin
• Saket Jajoo
• Sameer
• Wei Fu
• Zou Nengren
• bo.jiang

Changes

Changes from containerd/errdefs

Dependen...

Welcome to the v2.0.0-rc.5 release of containerd!
This is a pre-release of containerd

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

Highlights

• Add Update API for sandbox controller (#9903)
• Configure otel from env instead of config.toml (#8970)
• Enable NRI by default (#9744)
• Add PluginInfo to introspection API (#9442)
• Remove overlayfs volatile option on temp mounts (#9555)
• Expose usage of deprecated features (#9258)
• Use Intel ISA-L's igzip if available (#9200)
• Introduce top level config migration (#9223)
• Add image delete target (#8989)
• Remove LimitNOFILE from containerd.service (#8924)
• Add support for image expiration during garbage collection (#9022)
• Reduce the contention between ref lock and boltdb lock in content store (#8792)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#10543)

Container Runtime Interface (CRI)

• Use 'UserSpecifiedImage' from CRI to set the image-name annotation (#10747)
• Add support to set loopback to up (#10238)
• Add support for multiple subscribers to CRI container events (#9661)
• Enable CDI by default (#9621)
• Remove non-sandboxed CRI implementation (#9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#8287)
• Use sandboxed CRI by default (#8994)
• Implement RuntimeConfig CRI call (#8722)
• Add support for user namespaces (KEP-127) (#8803)
• Remove CRI v1alpha2 (#8276)

Go client

• Add api Go module and move all protos under api (#10151)
• Move packages based on contributing guide (#9365)
• Generalize plugin library (#9214)
• Use github.com/containerd/log (#9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#10284)
• Skip "unknown" in image platform listing (#10257)
• Update unpacker to fetch all provided content (#10202)
• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Disable the support for Schema 1 images (#9765)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Update import and export to allow references to missing content (#9554)
• Add option to perform syncfs after pull (#9401)
• Add image verifier transfer service plugin system based on a binary directory (#8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#10410)
• Add pprof to runc-shim (#10242)
• Provide runtime options in plugin info (#10251)
• Store bootstrap parameters in sandbox metadata (#9736)
• Update apparmor to allow confined runc to kill containers (#10123)
• Support vsock connection to task api (#9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Switch runc shim to task service v3 and fix restore (#9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)
• Remove the CriuPath field from runc's options (#8279)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Remove disable_cgroup from CRI config (#10594)
• Disable the support for Schema 1 images (#9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Move client to subpackage (#9316)
• Remove LimitNOFILE from containerd.service (#8924)
• Remove CRI v1alpha2 (#8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)

Deprecations

• Update warnings for deprecated CRI config fields (#10509)
• Add type alias for event Envelope (#10279)
• Postpone removal of deprecated CRI config properties (#9966)
• Deprecate go-plugin configuration option (#9238)
• CNI conf_template in CRI is no longer deprecated (#8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Stefan Berger
• Kazuyoshi Kato
• Rodrigo Campos
• Danny Canter
• Abel Feng
• Akhil Mohan
• Kirtana Ashok
• Gabriel Adrian Samfira
• Austin Vazquez
• Iceber Gu
• Krisztian Litkey
• Kohei Tokunaga
• Mike Brown
• Jin Dong
• Bjorn Neergaard
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Davanum Srinivas
• Paul "TBBle" Hampson
• Henry Wang
• Brian Goff
• Enrico Weigelt
• Laura Brehm
• Marat Radchenko
• Paweł Gronowski
• Shingo Omura
• Hsing-Yu (David) Chen
• Ilya Hanov
• Cardy.Tang
• Swagat Bora
• Aditi Sharma
• Amit Barve
• Bryant Biggs
• Evan Lezar
• James Jenkins
• Jordan Liggitt
• Kay Yan
• Markus Lehtonen
• Nashwan Azhari
• Shuaiyi Zhang
• Vinayak Goyal
• helen
• Alexandru Matei
• Anthony Nandaa
• Avi Deitcher
• Charity Kathure
• Cory Snider
• Ed Bartosh
• Etienne Champetier
• Kevin Parsons
• Michael Zappa
• Milas Bowman
• ningmingxiao
• yanggang
• zounengren
• Aditya Ramani
• Adrian Reber
• Amir M. Ghazanfari
• Artem Khramov
• Brad Davidson
• Chen Yiyang
• Christian Muehlhaeuser
• Djordje Lukic
• Edgar Lee
• Eric Lin
• Ethan Lowman
• Jiang Liu
• June Rhodes
• Kern Walster
• Lucas Rattz
• Mahamed Ali
• Maksim An
• Michael Crosby
• Peteris Rudzusiks
• Sam Edwards
• Samruddhi Khandale
• Sascha Grunert
• Steve Griffith
• Tony Fang
• ...

Welcome to the v1.7.22 release of containerd!

The twenty-second patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Build and Release Toolchain

• Update to go1.22.7, go1.23.1 (#10679)

Container Runtime Interface (CRI)

• Cumulative stats can't decrease (#10670)

Runtime

• Fix bug where init exits were being dropped (#10675)
• Update runc binary to 1.1.14 (#10668)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• James Sturtevant
• Laura Brehm
• Maksym Pavlenko
• Akhil Mohan
• Akihiro Suda
• Cory Snider
• Derek McGowan
• Sebastiaan van Stijn

Changes

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.21

Welcome to the v1.6.36 release of containerd!

The thirty-sixth patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#10582)

Build and Release Toolchain

• Update to go1.22.7, go1.23.1 (#10680)

Container Runtime Interface (CRI)

• Cumulative stats can't decrease (#10671)
• Fix memory leak with kubectl exec >= 1.30.0 (#10574)

Runtime

• Fix bug where init exits were being dropped (#10676)
• Update runc binary to 1.1.14 (#10667)

Deprecations

• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#10582)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Davanum Srinivas
• Akhil Mohan
• Akihiro Suda
• Laura Brehm
• Sebastiaan van Stijn
• Chris Henzie
• Cory Snider
• Derek McGowan
• James Sturtevant
• Maksym Pavlenko
• Mike Brown
• Phil Estes
• Shengjing Zhu

Changes

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.35

Welcome to the v2.0.0-rc.4 release of containerd!
This is a pre-release of containerd

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

Highlights

• Add Update API for sandbox controller (#9903)
• Configure otel from env instead of config.toml (#8970)
• Enable NRI by default (#9744)
• Add PluginInfo to introspection API (#9442)
• Remove overlayfs volatile option on temp mounts (#9555)
• Expose usage of deprecated features (#9258)
• Use Intel ISA-L's igzip if available (#9200)
• Introduce top level config migration (#9223)
• Add image delete target (#8989)
• Remove LimitNOFILE from containerd.service (#8924)
• Add support for image expiration during garbage collection (#9022)
• Reduce the contention between ref lock and boltdb lock in content store (#8792)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#10543)

Container Runtime Interface (CRI)

• Add support to set loopback to up (#10238)
• Add support for multiple subscribers to CRI container events (#9661)
• Enable CDI by default (#9621)
• Remove non-sandboxed CRI implementation (#9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#8287)
• Use sandboxed CRI by default (#8994)
• Implement RuntimeConfig CRI call (#8722)
• Add support for user namespaces (KEP-127) (#8803)
• Remove CRI v1alpha2 (#8276)

Go client

• Add api Go module and move all protos under api (#10151)
• Move packages based on contributing guide (#9365)
• Generalize plugin library (#9214)
• Use github.com/containerd/log (#9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#10284)
• Skip "unknown" in image platform listing (#10257)
• Update unpacker to fetch all provided content (#10202)
• Enable Transfer service API to support plain HTTP (#10024)
• Enable Transfer service to use registry configuration directory (#9908)
• Disable the support for Schema 1 images (#9765)
• Update Transfer service to add OCI descriptors to Progress structure (#9630)
• Update import and export to allow references to missing content (#9554)
• Add option to perform syncfs after pull (#9401)
• Add image verifier transfer service plugin system based on a binary directory (#8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#10410)
• Add pprof to runc-shim (#10242)
• Provide runtime options in plugin info (#10251)
• Store bootstrap parameters in sandbox metadata (#9736)
• Update apparmor to allow confined runc to kill containers (#10123)
• Support vsock connection to task api (#9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Switch runc shim to task service v3 and fix restore (#9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#8268)
• Add annotations to CreateSandbox request (#8960)
• Add SandboxMetrics (#8680)
• Publish sandbox events (#8602)
• Remove the CriuPath field from runc's options (#8279)
• Remove support for config.toml version = 1 (#8275)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Disable the support for Schema 1 images (#9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#9320)
• Move client to subpackage (#9316)
• Remove LimitNOFILE from containerd.service (#8924)
• Remove CRI v1alpha2 (#8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#8262)
• Remove "containerd.io/restart.logpath" label (#8264)
• Remove aufs snapshotter (#8263)

Deprecations

• Update warnings for deprecated CRI config fields (#10509)
• Add type alias for event Envelope (#10279)
• Postpone removal of deprecated CRI config properties (#9966)
• Deprecate go-plugin configuration option (#9238)
• CNI conf_template in CRI is no longer deprecated (#8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Stefan Berger
• Kazuyoshi Kato
• Rodrigo Campos
• Danny Canter
• Abel Feng
• Akhil Mohan
• Kirtana Ashok
• Gabriel Adrian Samfira
• Austin Vazquez
• Iceber Gu
• Kohei Tokunaga
• Mike Brown
• Krisztian Litkey
• Jin Dong
• Bjorn Neergaard
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Paul "TBBle" Hampson
• Davanum Srinivas
• Enrico Weigelt
• Henry Wang
• Brian Goff
• Paweł Gronowski
• Shingo Omura
• Hsing-Yu (David) Chen
• Ilya Hanov
• Laura Brehm
• Marat Radchenko
• Cardy.Tang
• Swagat Bora
• Aditi Sharma
• Amit Barve
• Bryant Biggs
• Evan Lezar
• James Jenkins
• Jordan Liggitt
• Kay Yan
• Markus Lehtonen
• Nashwan Azhari
• Shuaiyi Zhang
• Vinayak Goyal
• helen
• Alexandru Matei
• Anthony Nandaa
• Avi Deitcher
• Charity Kathure
• Ed Bartosh
• Etienne Champetier
• Kevin Parsons
• Michael Zappa
• Milas Bowman
• ningmingxiao
• yanggang
• Aditya Ramani
• Adrian Reber
• Amir M. Ghazanfari
• Artem Khramov
• Brad Davidson
• Chen Yiyang
• Christian Muehlhaeuser
• Cory Snider
• Djordje Lukic
• Edgar Lee
• Eric Lin
• Ethan Lowman
• Jiang Liu
• June Rhodes
• Kern Walster
• Lucas Rattz
• Mahamed Ali
• Maksim An
• Michael Crosby
• Peteris Rudzusiks
• Sam Edwards
• Samruddhi Khandale
• Sascha Grunert
• Steve Griffith
• Tony Fang
• VERNOU Cédric
• Vishal Reddy Gurrala
• hang.jiang
• harshitasao
• jerryzhuang
• lengrongfu
• roman-kiselenko
• zhanluxianshen
• zounengren
• Aa...