containerd/containerd v2.1.5 Release Notes

Published at: 2025-11-06T00:50:26Z

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

Security Updates

containerd
- GHSA-pwhc-rpq9-4c8w
- GHSA-m6hq-p25p-ffr2
runc

Highlights

Container Runtime Interface (CRI)

Disable event subscriber during task cleanup (#12410)
Add SystemdCgroup to default runtime options (#12253)
Fix userns with container image VOLUME mounts that need copy (#12242)

Image Distribution

Ensure errContentRangeIgnored error when range-get request is ignored (#12312)

Runtime

Update runc binary to v1.3.3 (#12478)

Deprecations

Postpone v2.2 deprecation items to v2.3 (#12431)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

Phil Estes
Akihiro Suda
Derek McGowan
Austin Vazquez
Rodrigo Campos
Maksym Pavlenko
Wei Fu
ningmingxiao
Akhil Mohan
Henry Wang
Andrew Halaney
Divya Rani
Jose Fernandez
Swagat Bora
wheat2018

Changes

58 commits

Prepare release notes for v2.1.5 (#12483)
- fc5bdfeac Prepare release notes for v2.1.5
- c578c26bf Update mailmap
- 46a4a03fb Merge commit from fork
- 232786c90 Fix directory permissions
- 239ab877d Merge commit from fork
- 0766796e8 fix goroutine leak of container Attach
Update runc binary to v1.3.3 (#12478)
- 3d713d3d0 runc: Update runc binary to v1.3.3
Update GHA runners to use latest images for basic binaries build (#12470)
- de4221cb7 Update GHA runners to use latest images for basic binaries build
ci: bump Go 1.24.9, 1.25.3 (#12467)
- 2045b1920 ci: bump Go 1.24.9, 1.25.3
Update GHA runners to use latest image for most jobs (#12468)
- 21ec7cc7d Update GHA runners to use latest image for most jobs
CI: update Fedora to 43 (#12449)
- 893b5f92e CI: update Fedora to 43
Postpone v2.2 deprecation items to v2.3 (#12431)
- 6374a8f9d Postpone v2.2 deprecation items to v2.3
CI: skip ubuntu-24.04-arm on private repos (#12427)
- 98e0e73de CI: skip ubuntu-24.04-arm on private repos
Disable event subscriber during task cleanup (#12410)
- a3770cf83 cri/server/podsandbox: disable event subscriber
Fix lost container logs from quickly closing io (#12377)
- 7d9f09ba0 bugfix:fix container logs lost because io close too quickly
ci: bump Go 1.24.8 (#12360)
- d1cab3cc5 ci: bump Go 1.24.8
Prevent goroutine hangs during ProgressTracker shutdown (#12336)
- 9b57a4d35 Prevent goroutine hangs during ProgressTracker shutdown
Ensure errContentRangeIgnored error when range-get request is ignored (#12312)
- ca3de4fe7 Ensure errContentRangeIgnored error when range-get request is ignored by registry
Remove additional fuzzers from instrumentation repo (#12313)
- dfffe3d9c Remove additional fuzzers from CI
update release builds to 1.24.7 and add 1.25.1 to CI (#12258)
- c54585ba7 update release builds to 1.24.7 and add 1.25.1 to CI
runc:Update runc binary to v1.3.1 (#12277)
- f0a48ce38 runc:Update runc binary to v1.3.1
Add SystemdCgroup to default runtime options (#12253)
- f13f8c431 add SystemdCgroup to default runtime options
install-runhcs-shim: fetch target commit instead of tags (#12256)
- 42bb71e1e install-runhcs-shim: fetch target commit instead of tags
Fix userns with container image VOLUME mounts that need copy (#12242)
- 10944e19f integration: Add test for directives with userns
- 41d74aee2 cri: Fix userns with Dockerfile VOLUME mounts that need copy
Fix overlayfs issues related to user namespace (#12222)
- f40bfc46b core/mount: Retry unmounting idmapped directories
- 1f51d2dea core/mount: Test cleanup of DoPrepareIDMappedOverlay()
- 8fbf8c503 core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
- b9d678e15 core/mount: Don’t call nil function on errors
- 583fe2d24 core/mount: Only idmap once per overlayfs, not per layer
Add documentation for cgroup_writable field (#12229)
- 4832b4d15 Add documentation for cgroup_writable field
fix: create bootstrap.json with 0644 permission (#12183)
- 3c174cf64 fix: create bootstrap.json with 0644 permission
ci: bump Go 1.23.12, 1.24.6 (#12186)
- 74b0505eb ci: bump Go 1.23.12, 1.24.6
sys: fix pidfd leak in UnshareAfterEnterUserns (#12179)
- 5ef6ea747 sys: fix pidfd leak in UnshareAfterEnterUserns

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.4

Which file should I download?

containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc and CNI plugins from their official sites too.

See also the Getting Started documentation.

Containerd V2.1.4 Release Note Containerd V2.2.0 Release Note