containerd/containerd v2.2.1 Release Notes

Published at: 2025-12-18T17:37:28Z

Welcome to the v2.2.1 release of containerd!

The first patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

Redact all query parameters in CRI error logs (#12546)

Image Distribution

Fix image defaults on Darwin to usable configuration (#12544)
Fix possible panic from WithMediaTypeKeyPrefix (#12516)

Runtime

Update runc binary to v1.3.4 (#12593)
Fix parsing of hugetlb..events files (containerd/cgroups#379)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

Krisztian Litkey
Markus Lehtonen
Akihiro Suda
Mike Brown
Sebastiaan van Stijn
Derek McGowan
Heran Yang
Wei Fu
Phil Estes
Samuel Karp
Austin Vazquez
Sascha Grunert
Akhil Mohan
Andrey Noskov
Brian Goff
CrazyMax
Davanum Srinivas
Gaurav Ghildiyal
Neeraj Krishna Gopalakrishna
Paweł Gronowski
Tariq Ibrahim
TomerLev
Tõnis Tiigi
bo.jiang
ningmingxiao

Changes

53 commits

Prepare release notes for v2.2.1 (#12677)
- f6bae1f88 Prepare release notes for v2.2.1
cri,nri: bump NRI dependencies to v0.11.0 (#12701)
- c22cf5d49 cri,nri: pass any linux security profile to plugins.
- d7532de75 cri,nri: pass any linux RDT constraints to plugins.
- ef36e6181 cri,nri: pass any linux net devices to plugins.
- d56faf426 cri,nri: pass any linux scheduler attributes to plugins.
- e1824d261 cri,nri: pass any linux I/O priority to plugins.
- 01d5490ae go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.
pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const (#12697)
- 58d23ab63 pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const
cri/nri: short-circuit nil adjustment. (#12672)
- 05ccbb3a7 cri/nri: short-circuit nil adjustment.
go.{mod,sum}: bump CDI deps to v1.1.0. (#12664)
- c166a577d go.{mod,sum} bump CDI deps to v1.1.0.
go.mod: containerd/zfs v2.0.0; remove exclude rules (#12654)
- 73a08aa00 go.mod: remove exclude rules
- cee08c8af build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0
go.mod: github.com/containernetworking/plugins v1.9.0 (#12658)
- 8a5fc8641 go.mod: github.com/containernetworking/plugins v1.9.0
go.mod: golang.org/x/crypto v0.45.0 (#12638)
- 55c93d6fb go.mod: golang.org/x/crypto v0.45.0
ci :bump Go 1.24.11, 1.25.5 (#12625)
- aedd29bb4 ci: bump Go 1.24.11, 1.25.5
- 26628f139 ci: bump Go 1.24.10, 1.25.4
- 8bb0e9be6 ci(release): set GO_VERSION in Dockerfile
core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor (#12622)
- ed19c5420 core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor
ci: update CIFuzz actions to support Ubuntu 24.04 (#12632)
- 952237d9b ci: update CIFuzz actions to support Ubuntu 24.04
Update runc binary to v1.3.4 (#12593)
- fb5b818a9 runc: Update runc binary to v1.3.4
: update containerd/cgroups from v3.1.0 to v3.1.2 (#12598)
- 51582ed27 bump containerd/cgroups to v3.1.2
- 50d0e4fd4 build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1
core/mount: should not call removeLoop when set autoclear (#12587)
- 41a69eb0d core/mount: should not call removeLoop when set autoclear
build(deps): bump github.com/opencontainers/selinux (#12589)
- e3bf2b80b build(deps): bump github.com/opencontainers/selinux
.github: skip 5 critest cases for window-2022 (#12584)
- da8e846f9 .github: skip 5 critest cases in window CI pipeline
Fix image defaults on Darwin to usable configuration (#12544)
- d154e234b Update the ctr pull defaults when using the transfer service
- 09364216d Fix transfer unpack defaults on darwin
- 2055d3c62 Update default differs on darwin
- 9da97686d Use default writable size in erofs snapshotter for non-Linux hosts
- eeb0f889a Update default erofs block size on macOS during erofs diff
Redact all query parameters in CRI error logs (#12546)
- c707f771a fix: redact all query parameters in CRI error logs
Revert “Implement io.ReaderAt on docker fetch reader” (#12542)
- 678f944dd Revert “Implement io.ReaderAt on docker fetch reader”
Fix possible panic from WithMediaTypeKeyPrefix (#12516)
- 8b73c2de3 remotes: fix possible panic from WithMediaTypeKeyPrefix

Changes from containerd/cgroups

13 commits

ci: bump golangci-lint to v2.6.2 (containerd/cgroups#382)
- a302e56 ci: bump golangci-lint to v2.6.2
- 731cf7a ci: suppress errcheck
- 9bee663 utils: move Close() to defer block
- 9d7647c rdma: use strings.Cut in Go 1.18
- 109f063 memory_test: apply De Morgan’s law
- e6fcf3f memory_test: omit type from declaration
build(deps): bump actions/checkout from 5 to 6 (containerd/cgroups#381)
- 4e30098 build(deps): bump actions/checkout from 5 to 6
Fix parsing of hugetlb.
.events files (containerd/cgroups#379)
- 2ad7a12 hugetlb: correctly parse hugetlb..events files
go.mod: github.com/opencontainers/runtime-spec v1.3.0 (containerd/cgroups#376)
- 34ef430 go.mod: github.com/opencontainers/runtime-spec v1.3.0

Changes from containerd/nri

79 commits

adaptation: allow compiling out WASM support altogether. (containerd/nri#253)
- ab88fe6 adaptation: allow compiling out WASM support altogether.
Support direct editing of the intelRdt config (containerd/nri#215)
- 8c0c9f6 Implement removal of RDT
- dfbae8a plugins: add sample rdt plugin
- d05dd81 pkg/adaptation: support new RDT fields
- 725289b pkg/runtime-tools/generate: support new RDT fields
- a7832a2 api: add rdt
update wazero/wazero version to v1.10.1 (containerd/nri#252)
- 9eb9a0f update tetratelabs/wazero version to v1.10.1
support specifying a custom NRI socket path (containerd/nri#249)
- 2df6565 [plugins] support specifying a custom NRI socket path
pkg/api: add OptionalRepeatedString type (containerd/nri#212)
- 687c1a6 pkg/api: add OptionalRepeatedString type
api,adaptation,generate: allow setting kernel scheduling policy attributes. (containerd/nri#160)
- 6a371ac device-injector: add scheduling policy adjustment.
- e06369e api,adaptation,generate: allow setting scheduler attributes.
device-injector: always log injection summary. (containerd/nri#246)
- 14cc2e2 device-injector: always log injection summary.
api,adaptation,generate: allow adjusting linux net devices (containerd/nri#157)
- 5145c92 device-injector: add network device injection.
- 8a03823 api,adaptation,generate: allow adjusting linux net devices.
Add support for sysctl adjustment (containerd/nri#248)
- 914fbf3 default-validator: restrict sysctl adjustment
- a418956 api: apply sysctl adjustments
- 8705f9b api: add sysctl container adjustment
feat: Make logger a configurable struct member for stub (containerd/nri#239)
- 08a891a feat: Make logger a configurable struct member for stub
Drop dependency on opencontainers/runtime-tools (containerd/nri#247)
- 5e5c2be Drop dependency on opencontainers/runtime-tools
deps: bump runtime-spec to v1.3.0. (containerd/nri#243)
- 29c5811 (v0.1.0) examples: lock NRI, runtime spec deps.
- d812952 v010-adapter: lock NRI, runtime spec and tools deps.
- 7dd7c7f api,runtime-tools: adjust for runtime-spec v1.3.0.
- 5d5d4c4 go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.
adaptation: ensure sync’ed plugins are fully registered in tests. (containerd/nri#234)
- c840397 adaptation: ensure sync’ed plugins are fully registered in tests.
Fix wasm example (containerd/nri#237)
- 44b2861 Fix wasm example
Makefile: build proto files unconditionally (containerd/nri#229)
- d99f960 Fix dockerized proto build
- 9623748 Makefile: build proto files unconditionally
- 25d9391 build: ensure we use correct version of protoc and its deps.
adaptation: test with populated initial resources. (containerd/nri#231)
- b6b98b5 adaptation: test with populated initial resources.
Install protoc locally in the source tree (containerd/nri#232)
- 2394daa Install protoc locally in the source tree
plugins/logger: fix default event subscription mask. (containerd/nri#158)
- 33b1db1 logger: fix default event subscription mask.
extract memory and CPU resource helpers (containerd/nri#210)
- 7afb32a extract memory and CPU resource helpers
api: expose container user/group ID to plugins. (containerd/nri#230)
- 22aeb46 docs: update README with container uid/gid info.
- 71b0335 api,adaptation: add container uid/gid info.
contrib: add example for enabling per-container RDT monitoring (containerd/nri#228)
- 91fbf06 contrib: add example for enabling per-container RDT monitoring
ci: enable image signing (containerd/nri#224)
- fb54916 ci: enable image signing
golangci: disable QF1008 from staticcheck linter (containerd/nri#226)
- 0b3b577 golangci: disable QF1008 from staticcheck linter
ci: bump golangci-lint to v2.4 (containerd/nri#225)
- 9787127 Bump golangci-lint to v2.4
- 1a50ff5 Add nolint directives
- 00fa1a1 Add and fix comments for exported types
- ac21da7 pkg/api/seccomp: add comments for exported functions
- 3aff986 pkg/runtime-tools/generate: remove embedded field “Generator”
- c0c4bb6 pkg/api/validate: add comments for exported methods
- c0ba9da adaptation/builtin: add comment for exported symbols
.gitignore: revert hastily reviewed editor-specific addition. (containerd/nri#221)
- 02376f3 .gitignore: add comment about global gitignore.
- 9336a79 Revert “nit: Add .idea folder to gitignore”
nit: Add .idea folder to gitignore (containerd/nri#218)
- f578ea2 nit: Add .idea folder to gitignore
chore: clean and unify nolint directives (containerd/nri#217)
- 21741b9 chore: clean and unify nolint directives
Downgrade go to require 1.24.0 (containerd/nri#214)
- d26e910 Downgrade go to require 1.24.0
Add dockerized target for building proto files (containerd/nri#211)
- 13fcc07 Add dockerized target for building proto files

Changes from containerd/zfs

11 commits

go.mod: update to stable containerd v2.0 (containerd/zfs#89)
- f11f891 go.mod: update to stable containerd v2.0
ci: update actions, test against go1.23, fix linting, and update golangci-lint (containerd/zfs#88)
- 662ad3c gha: update golangci/golangci-lint-action@v9, golangci-lint v2.7
- b0b2584 remove nolint comments
- 7c4274b fix error capitalization
- 24ce1b9 fix inconsistent receiver name
- c8545c3 gha: update actions/checkout@v6
- d23ec04 gha: update actions/setup-go@v6
- bb45f6e gha: update containerd/project-checks@v1.2.2
- 65bc451 gha: test against go1.23

Dependency Changes

github.com/containerd/cgroups/v3 v3.1.0 -> v3.1.2
github.com/containerd/nri v0.10.0 -> v0.11.0
github.com/containerd/zfs/v2 v2.0.0-rc.0 -> v2.0.0
github.com/containernetworking/plugins v1.8.0 -> v1.9.0
github.com/cyphar/filepath-securejoin v0.5.1 new
github.com/opencontainers/runtime-spec v1.2.1 -> v1.3.0
github.com/opencontainers/runtime-tools 0ea5ed0382a2 -> edf4cb3d2116
github.com/opencontainers/selinux v1.12.0 -> v1.13.1
github.com/tetratelabs/wazero v1.9.0 -> v1.10.1
golang.org/x/crypto v0.41.0 -> v0.45.0
golang.org/x/net v0.43.0 -> v0.47.0
golang.org/x/sync v0.17.0 -> v0.18.0
golang.org/x/sys v0.37.0 -> v0.38.0
golang.org/x/term v0.34.0 -> v0.37.0
golang.org/x/text v0.28.0 -> v0.31.0
tags.cncf.io/container-device-interface v1.0.1 -> v1.1.0
tags.cncf.io/container-device-interface/specs-go v1.0.0 -> v1.1.0

Previous release can be found at v2.2.0

Which file should I download?

containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc and CNI plugins from their official sites too.

See also the Getting Started documentation.

Containerd V2.2.0 Release Note Containerd V2.2.4 Release Note