Containerd V2.2.4 Release Note

Source: https://github.com/containerd/containerd/releases/tag/v2.2.4

containerd/containerd v2.2.4 Release Notes

Published at: 2026-05-20T23:44:15Z

Welcome to the v2.2.4 release of containerd!

The fourth patch release for containerd 2.2 contains various fixes and updates including security patches.

  • containerd

  • go-jose

  • Use mount manager during image volume processing to support snapshotters that require writable block volumes (e.g., EROFS) (#13242)

  • Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13448)

  • Apply hardening to block AF_ALG in default socket policy (#13408)

  • Fix bugs in sandbox service affecting sandbox creation configuration and event publishing (#13266)

  • Set AppArmor abi conditionally to support versions < 3.0 (#13275)

  • Disable overlay “rebase” capability when running in a user namespace to fix layer extraction failures (#13393)

  • Support both “volatile” and “fsync=volatile” mount options for volatile snapshotter (#13296)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

  • Wei Fu
  • Akihiro Suda
  • Chris Henzie
  • Paweł Gronowski
  • Samuel Karp
  • Brian Goff
  • Champ-Goblem
  • Chris Chang
  • LEI WANG
  • Phil Estes
  • William Myers

21 commits

  • oci: return explicit error for out-of-range USER values (#13448)
    • d20c6267b oci: return explicit error for out-of-range USER values
  • seccomp: Block AF_ALG in default socket policy (#13408)
    • db34dc4b4 seccomp: Block AF_ALG in default socket policy
    • 214b141ee seccomp: Document socket rule scope and socketcall limitation
  • update Go to 1.25.10, 1.26.3 (#13375)
  • overlay: disable “rebase” capability when running in UserNS (#13393)
    • 63874d262 overlay: disable “rebase” capability when running in UserNS
  • Support both styles of volatile mount option (#13296)
    • 2c7d48acf Support both styles of volatile mount option
  • Bump go-jose/go-jose to v4.1.4 to fix GHSA-78h2-9frx-2jm8 (#13292)
    • 80311db63 chore: update go-jose for CVE-2026-34986
  • sandbox: forward Create fields, fix event topics (#13266)
    • caa29a741 sandbox: forward Create fields, fix event topics
  • apparmor: Set abi conditionally (#13275)
  • Parameterize K8s version in node-e2e workflow (#13247)
    • f9c34f7b1 Parameterize K8s version in node-e2e workflow
  • cri: use mount manager when image has volumes (#13242)
    • 39dc2a475 cri: use mount manager when image has volumes

  • github.com/go-jose/go-jose/v4 v4.1.3 -> v4.1.4

Previous release can be found at v2.2.3

  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅ Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc and CNI plugins from their official sites too.

See also the Getting Started documentation.