Tags

Tags give the ability to mark specific points in history as being important.
This project is mirrored from https://*****:*****@github.com/containerd/containerd.
  • v2.1.3
    containerd 2.1.3
    
    Welcome to the v2.1.3 release of containerd!
    
    The third patch release for containerd 2.1 contains various fixes and updates
    to address pull issues with some registries.
    
    ### Highlights
    
    #### Image Distribution
    
    * Fix multipart fetch issue when the server does not return content length ([#12003](https://github.com/containerd/containerd/pull/12003))
    * Update transfer service supported platforms logic ([#11999](https://github.com/containerd/containerd/pull/11999))
    * Fix import for local transfer service ([#12000](https://github.com/containerd/containerd/pull/12000))
    * Fix registry errors with transfer service ([#11979](https://github.com/containerd/containerd/pull/11979))
    * Fix fetch always adding range to requests ([#12001](https://github.com/containerd/containerd/pull/12001))
    * Update fetcher errors to include full registry error ([#11997](https://github.com/containerd/containerd/pull/11997))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Phil Estes
    * Adrien Delorme
    
    ### Changes
    <details><summary>15 commits</summary>
    <p>
    
    * Prepare release notes for v2.1.3 ([#12002](https://github.com/containerd/containerd/pull/12002))
      * [`627729341`](https://github.com/containerd/containerd/commit/62772934139be6d2b648a16b412d847dc0aef09c) Prepare release notes for v2.1.3
    * Fix multipart fetch issue when the server does not return content length ([#12003](https://github.com/containerd/containerd/pull/12003))
      * [`7636bd5eb`](https://github.com/containerd/containerd/commit/7636bd5eb2525babefd2983d38f6e1133843eb94) fix when multipart fetching and the server does not return content length
    * Update transfer service supported platforms logic ([#11999](https://github.com/containerd/containerd/pull/11999))
      * [`3c5ede878`](https://github.com/containerd/containerd/commit/3c5ede878a7cb2d7a04a40e8ed1086718402fdf3) Update transfer supported platforms logic
    * Fix import for local transfer service ([#12000](https://github.com/containerd/containerd/pull/12000))
      * [`fb752bc8e`](https://github.com/containerd/containerd/commit/fb752bc8ed456ff40ceb516dcb72830678cae1ab) fix import for local transfer service
    * Fix registry errors with transfer service ([#11979](https://github.com/containerd/containerd/pull/11979))
      * [`f6d926314`](https://github.com/containerd/containerd/commit/f6d92631401562eba488a986a22002025d2860c9) Register remote errors for clients to access registry errors
      * [`7c1813345`](https://github.com/containerd/containerd/commit/7c18133453a495df7a334fde31423c56d42265c2) Decode grpc errors in the transfer client proxy
    * Fix fetch always adding range to requests ([#12001](https://github.com/containerd/containerd/pull/12001))
      * [`babacebad`](https://github.com/containerd/containerd/commit/babacebadc0738e6b016e2f366cdf4bdf893a1a5) Fix fetch always adding range to requests
    * Update fetcher errors to include full registry error ([#11997](https://github.com/containerd/containerd/pull/11997))
      * [`f30be44ad`](https://github.com/containerd/containerd/commit/f30be44ad31166bb4f4644255c5db59b9f47bb22) Update fetcher errors to include full registry error
    </p>
    </details>
    
    ### Dependency Changes
    
    This release has no dependency changes
    
    Previous release can be found at [v2.1.2](https://github.com/containerd/containerd/releases/tag/v2.1.2)

    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
  • v2.1.2
    containerd 2.1.2
    
    Welcome to the v2.1.2 release of containerd!
    
    The second patch release for containerd 2.1 contains various fixes and updates.
    
    ### Highlights
    
    * Fix check of wrapped errors in erofs snapshotter ([#11935](https://github.com/containerd/containerd/pull/11935))
    
    #### Go client
    
    * Improve mount error message ([#11884](https://github.com/containerd/containerd/pull/11884))
    
    #### Image Distribution
    
    * Fix transfer differ selection ([#11936](https://github.com/containerd/containerd/pull/11936))
    * Enable DuplicationSuppressor in transfer service ([#11932](https://github.com/containerd/containerd/pull/11932))
    
    #### Runtime
    
    * Properly shutdown non-groupable shims to prevent resource leaks ([#11971](https://github.com/containerd/containerd/pull/11971))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Akihiro Suda
    * Kirtana Ashok
    * Austin Vazquez
    * Maksym Pavlenko
    * ningmingxiao
    * Gao Xiang
    * Henry Wang
    * Jin Dong
    * Phil Estes
    * Wei Fu
    
    ### Changes
    <details><summary>28 commits</summary>
    <p>
    
    * Prepare release notes for v2.1.2 ([#11962](https://github.com/containerd/containerd/pull/11962))
      * [`63b9eae62`](https://github.com/containerd/containerd/commit/63b9eae62e4a927269d3c7d1d0a50eb9095c1ee1) Prepare release notes for v2.1.2
    * Properly shutdown non-groupable shims to prevent resource leaks ([#11971](https://github.com/containerd/containerd/pull/11971))
      * [`cff1feb28`](https://github.com/containerd/containerd/commit/cff1feb28c79f1f8f792f6284335f08f065bae1f) *: properly shutdown non-groupable shims to prevent resource leaks
    * ci: bump golang [1.23.10,1.24.4] in build and release ([#11968](https://github.com/containerd/containerd/pull/11968))
      * [`2ce169aae`](https://github.com/containerd/containerd/commit/2ce169aae05d76f820ad977e8ea195938ced98a1) ci: bump golang [1.23.10,1.24.4] in build and release
    * Backport Enable CIs to run on WS2022 and WS2025 ([#11955](https://github.com/containerd/containerd/pull/11955))
      * [`70bcb9b55`](https://github.com/containerd/containerd/commit/70bcb9b55edf9d832a4f8162a12830bcaf646695) Enable CIs to run on WS2022 and WS2025
    * cri:use debug level when receive exec process exited events ([#11848](https://github.com/containerd/containerd/pull/11848))
      * [`40575a15f`](https://github.com/containerd/containerd/commit/40575a15f212903a838381fc893560a86ba8b485) cri:use debug level when receive exec process exited events
    * build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2 ([#11952](https://github.com/containerd/containerd/pull/11952))
      * [`c71f77170`](https://github.com/containerd/containerd/commit/c71f77170ef2640197884644acfe5ba28b3cf6ab) build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.2
    * Fix transfer differ selection ([#11936](https://github.com/containerd/containerd/pull/11936))
      * [`4bcea74de`](https://github.com/containerd/containerd/commit/4bcea74decd64dcbf616f56b47cf8f5b4a2a586f) Update differ selection in transfer service to prefer default
      * [`0c3cd8a99`](https://github.com/containerd/containerd/commit/0c3cd8a99529849ee2e3f9661ebfa937f3f9be66) Add debug log when transfer returns not implemented
      * [`820e56765`](https://github.com/containerd/containerd/commit/820e56765083b50d0e8f4baf06f4804700f33a92) Add more error details when unpack fails to extract
    * Fetch image with default platform only in TestExportAndImportMultiLayer ([#11943](https://github.com/containerd/containerd/pull/11943))
      * [`9b6c1949a`](https://github.com/containerd/containerd/commit/9b6c1949af50ee264d1d3a8b1aafd05149c4b8fe) Fetch image with default platform only in TestExportAndImportMultiLayer
    * Fix check of wrapped errors in erofs snapshotter ([#11935](https://github.com/containerd/containerd/pull/11935))
      * [`480126f50`](https://github.com/containerd/containerd/commit/480126f5079e501228553038a584ce8542807d89) erofs-snapshotter: fix to work with wrapped errors
    * Enable DuplicationSuppressor in transfer service ([#11932](https://github.com/containerd/containerd/pull/11932))
      * [`d82921ff5`](https://github.com/containerd/containerd/commit/d82921ff59cc91c1d75d35cc1cb3a5e709da9fdd) Enable DuplicationSuppressor in transfer service
    * ci: bump golang [1.23.9, 1.24.3] in build and release ([#11889](https://github.com/containerd/containerd/pull/11889))
      * [`0bb25c3d6`](https://github.com/containerd/containerd/commit/0bb25c3d6cbb6eaf8d091b9f728776efdffe4859) ci: bump golang [1.23.9, 1.24.3] in build and release
    * Improve mount error message ([#11884](https://github.com/containerd/containerd/pull/11884))
      * [`ac8e84efc`](https://github.com/containerd/containerd/commit/ac8e84efc384a728fbc498cf58f8c689263c857a) client:improve mount error message
    * Add symlink breakout test for overriden path ([#11887](https://github.com/containerd/containerd/pull/11887))
      * [`dd2ce49d0`](https://github.com/containerd/containerd/commit/dd2ce49d0f23b0a190b86583c90a5a3eea4cdd4f) Add symlink breakout test for overriden path
    </p>
    </details>
    
    ### Dependency Changes
    
    * **google.golang.org/grpc**  v1.72.0 -> v1.72.2
    
    Previous release can be found at [v2.1.1](https://github.com/containerd/containerd/releases/tag/v2.1.1)
    
  • v2.1.1
    cb107664 · Merge commit from fork
    containerd 2.1.1
    
    Welcome to the v2.1.1 release of containerd!
    
    The first patch release for containerd 2.1 fixes a critical vulnerability (CVE-2025-47290)
    which was first introduced in 2.1.0. See the [GitHub Advisory](https://github.com/containerd/containerd/security/advisories/GHSA-cm76-qm8v-3j95)
    for more details. This release also contains a few smaller updates and bug fixes.
    
    ### Highlights
    
    #### Image Storage
    
    * Fix erofs media type handling ([#11855](https://github.com/containerd/containerd/pull/11855))
    
    #### Runtime
    
    * Reduce shim cleanup log level and add more context ([#11831](https://github.com/containerd/containerd/pull/11831))
    
    #### Deprecations
    
    * Update removal version for deprecated registry config fields ([#11835](https://github.com/containerd/containerd/pull/11835))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Akihiro Suda
    * Samuel Karp
    * Derek McGowan
    * Gao Xiang
    * Akhil Mohan
    * Chris Henzie
    * Phil Estes
    * Sebastiaan van Stijn
    * ningmingxiao
    
    ### Changes
    <details><summary>17 commits</summary>
    <p>
    
      * [`cb1076646`](https://github.com/containerd/containerd/commit/cb1076646aa3740577fafbf3d914198b7fe8e3f7) Merge commit from fork
      * [`216667ba0`](https://github.com/containerd/containerd/commit/216667ba0ada456a2647e52dd2181e9dbd857d93) Prepare release notes for 2.1.1
      * [`ac00b8e61`](https://github.com/containerd/containerd/commit/ac00b8e6108c6925ef4ab39e9b87e956a2efdabf) Revert "perf(applyNaive): avoid walking the tree for each file in the same directory"
    * build(deps): bump github.com/Microsoft/hcsshim ([#11847](https://github.com/containerd/containerd/pull/11847))
      * [`444ca17cd`](https://github.com/containerd/containerd/commit/444ca17cd9baa2f68572bcf28af4eea7b12c2f1d) update runhcs version to v0.13.0
      * [`0684f1c44`](https://github.com/containerd/containerd/commit/0684f1c44d021e7ef1ba26fc73b8922633d10403) build(deps): bump github.com/Microsoft/hcsshim
    * Fix erofs media type handling ([#11855](https://github.com/containerd/containerd/pull/11855))
      * [`e1817a401`](https://github.com/containerd/containerd/commit/e1817a401f94698cdf8fdc01d8d0e2b4f1f463e7) docs/snapshotters/erofs.md: a tip for improved performance
      * [`2168cb92c`](https://github.com/containerd/containerd/commit/2168cb92c9cf89aaad06be9ae49fce49ed4972d8) erofs-differ: fix EROFS native image support
    * Reduce shim cleanup log level and add more context ([#11831](https://github.com/containerd/containerd/pull/11831))
      * [`7fcbc3c46`](https://github.com/containerd/containerd/commit/7fcbc3c46a2e0fdf55082216b8eca3f8f09eb4e0) core/runtime/v2: cleanup shim-cleanup logs
    * Update removal version for deprecated registry config fields ([#11835](https://github.com/containerd/containerd/pull/11835))
      * [`37d6c4236`](https://github.com/containerd/containerd/commit/37d6c42368a3e139fb516064ff4eb9637f197c7a) Update removal version for deprecated registry config fields
    * ctr:make sure containerd socket exist before create client ([#11827](https://github.com/containerd/containerd/pull/11827))
      * [`e7be076d4`](https://github.com/containerd/containerd/commit/e7be076d48eba3ffa11a4be1133b92987227e776) ctr:make sure containerd socket exist before create client
    * .github: mark 2.1 releases as latest ([#11821](https://github.com/containerd/containerd/pull/11821))
      * [`c90524d5f`](https://github.com/containerd/containerd/commit/c90524d5f4c8cec87ce3639263a42e6fa4555ef5) .github: mark 2.1 releases as latest
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**  v0.13.0-rc.3 -> v0.13.0
    
    Previous release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)
    
  • v2.1.0
    containerd 2.1.0
    
    Welcome to the v2.1.0 release of containerd!
    
    The first minor release of containerd 2.x focuses on continued stability alongside
    new features and improvements. This is the first time-based release for containerd.
    Most of the feature set and core functionality has long been stable and hardened in production
    environments, so now we transition to a balance of timely delivery of new functionality
    with the same high confidence in stability and performance.
    
    ### Highlights
    
    * Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
    
    #### Container Runtime Interface (CRI)
    
    * Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
    * Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Retry last registry host on 50x responses ([#11484](https://github.com/containerd/containerd/pull/11484))
    * Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
    * Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
    
    #### Node Resource Interface (NRI)
    
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
    
    #### Runtime
    
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    
    #### Breaking
    
    * Update FreeBSD defaults and re-organize platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
    
    #### Deprecations
    
    * Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
    * Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
    * Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Phil Estes
    * Akihiro Suda
    * Maksym Pavlenko
    * Jin Dong
    * Wei Fu
    * Sebastiaan van Stijn
    * Samuel Karp
    * Mike Brown
    * Adrien Delorme
    * Austin Vazquez
    * Akhil Mohan
    * Kazuyoshi Kato
    * Henry Wang
    * Gao Xiang
    * ningmingxiao
    * Krisztian Litkey
    * Yang Yang
    * Archit Kulkarni
    * Chris Henzie
    * Iceber Gu
    * Alexey Lunev
    * Antonio Ojea
    * Davanum Srinivas
    * Marat Radchenko
    * Michael Zappa
    * Paweł Gronowski
    * Rodrigo Campos
    * Alberto Garcia Hierro
    * Amit Barve
    * Andrey Smirnov
    * Divya
    * Etienne Champetier
    * Kirtana Ashok
    * Philip Laine
    * QiPing Wan
    * fengwei0328
    * zounengren
    * Adrian Reber
    * Alfred Wingate
    * Amal Thundiyil
    * Athos Ribeiro
    * Brian Goff
    * Cesar Talledo
    * ChengyuZhu6
    * Chongyi Zheng
    * Craig Ingram
    * Danny Canter
    * David Son
    * Fupan Li
    * HirazawaUi
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kaita Nakamura
    * Kohei Tokunaga
    * Lei Liu
    * Marco Visin
    * Mike Baynton
    * Qiyuan Liang
    * Sameer
    * Shiming Zhang
    * Swagat Bora
    * Teresaliu
    * Tony Fang
    * Tõnis Tiigi
    * Vered Rosen
    * Vinayak Goyal
    * bo.jiang
    * chriskery
    * luchenhan
    * mahmut
    * zhaixiaojuan
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
    * **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
    * **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
    * **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0
    * **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
    * **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
    * **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
    * **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
    * **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
    * **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.7.1
    * **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
    * **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
    * **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
    * **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
    * **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
    * **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
    * **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
    * **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
    * **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
    * **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
    * **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
    * **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
    * **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
    * **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
    * **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
    * **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
    * **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
    * **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
    * **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
    * **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
    * **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
    * **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
    * **github.com/vishvananda/netlink**                                               v1.3.0 -> 0e7078ed04c8
    * **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
    * **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
    * **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
    * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
    * **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
    * **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
    * **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
    * **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
    * **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
    * **golang.org/x/sync**                                                            v0.8.0 -> v0.14.0
    * **golang.org/x/sys**                                                             v0.26.0 -> v0.33.0
    * **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
    * **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
    * **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
    * **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
    * **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
    * **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
    * **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
    * **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
    * **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
    * **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
    * **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
    * **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
    * **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
    * **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
    
  • api/v1.9.0
    containerd api/v1.9.0
    
    Welcome to the api/v1.9.0 release of containerd!
    
    The 10th release for the containerd 1.x API aligns with the containerd 2.1 release.
    
    ### Highlights
    
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
    
    #### Image Distribution
    
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Maksym Pavlenko
    * Akihiro Suda
    * Davanum Srinivas
    * Phil Estes
    * Adrian Reber
    * Jin Dong
    * Philip Laine
    
    ### Changes
    <details><summary>18 commits</summary>
    <p>
    
    * Prepare release notes for api/v1.9.0 ([#11812](https://github.com/containerd/containerd/pull/11812))
      * [`145175bf4`](https://github.com/containerd/containerd/commit/145175bf4fb1a21be4c686115f0d83ba19e9fe92) Prepare release notes for api/v1.9.0
    * Add release notes for api v1.9.0-rc.0 ([#11751](https://github.com/containerd/containerd/pull/11751))
      * [`c0ce618a1`](https://github.com/containerd/containerd/commit/c0ce618a10541b5e1d2979c2d70e971b23c8a16b) Add release notes for api v1.9.0-rc.0
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
      * [`17b6e1ef8`](https://github.com/containerd/containerd/commit/17b6e1ef85098c532bae0e9544f288ebe530b3fe) Allow streaming to client
      * [`40eb2fdbb`](https://github.com/containerd/containerd/commit/40eb2fdbbb66aa6ef51422e6f62d8f3fb48ab35e) Fix protos
      * [`1d436803d`](https://github.com/containerd/containerd/commit/1d436803dc532c8fd40735c92fd1041dc2cc2868) Add http debug fields to OCI registry protos
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
      * [`752914b5b`](https://github.com/containerd/containerd/commit/752914b5bfaa4e28d1231901c37bf8d3b47ca73c) Add content create event to api
    * bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
      * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
      * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
    * build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
      * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
    * Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
      * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/opencontainers/image-spec**  v1.1.0 -> v1.1.1
    * **golang.org/x/net**                      v0.23.0 -> v0.37.0
    * **golang.org/x/sys**                      v0.18.0 -> v0.31.0
    * **golang.org/x/text**                     v0.14.0 -> v0.23.0
    * **gopkg.in/yaml.v3**                      v3.0.1 **_new_**
    
    Previous release can be found at [api/v1.8.0](https://github.com/containerd/containerd/releases/tag/api/v1.8.0)
    
  • v2.1.0-rc.1
    containerd 2.1.0-rc.1
    
    Welcome to the v2.1.0-rc.1 release of containerd!
    *This is a pre-release of containerd*
    
    The first minor release of containerd 2.x focuses on continued stability alongside
    new features and improvements. This is the first time-based release for containerd.
    Most of the feature set and core functionality has long been stable and hardened in production
    environments, so now we transition to a balance of timely delivery of new functionality
    with the same high confidence in stability and performance.
    
    ### Highlights
    
    * Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
    
    #### Container Runtime Interface (CRI)
    
    * Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
    * Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Retry last registry host on 50x responses ([#11484](https://github.com/containerd/containerd/pull/11484))
    * Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
    * Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
    
    #### Node Resource Interface (NRI)
    
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
    
    #### Runtime
    
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    
    #### Breaking
    
    * Update FreeBSD defaults and re-organize platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
    
    #### Deprecations
    
    * Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
    * Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
    * Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Phil Estes
    * Derek McGowan
    * Akihiro Suda
    * Maksym Pavlenko
    * Jin Dong
    * Wei Fu
    * Sebastiaan van Stijn
    * Samuel Karp
    * Mike Brown
    * Adrien Delorme
    * Akhil Mohan
    * Austin Vazquez
    * Kazuyoshi Kato
    * Henry Wang
    * Gao Xiang
    * ningmingxiao
    * Krisztian Litkey
    * Yang Yang
    * Archit Kulkarni
    * Chris Henzie
    * Iceber Gu
    * Alexey Lunev
    * Antonio Ojea
    * Davanum Srinivas
    * Marat Radchenko
    * Michael Zappa
    * Paweł Gronowski
    * Rodrigo Campos
    * Alberto Garcia Hierro
    * Amit Barve
    * Andrey Smirnov
    * Divya
    * Etienne Champetier
    * Kirtana Ashok
    * Philip Laine
    * QiPing Wan
    * fengwei0328
    * zounengren
    * Adrian Reber
    * Alfred Wingate
    * Amal Thundiyil
    * Athos Ribeiro
    * Austin Vazquez
    * Brian Goff
    * Cesar Talledo
    * ChengyuZhu6
    * Chongyi Zheng
    * Craig Ingram
    * Danny Canter
    * David Son
    * Fupan Li
    * HirazawaUi
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kaita Nakamura
    * Kohei Tokunaga
    * Lei Liu
    * Marco Visin
    * Mike Baynton
    * Qiyuan Liang
    * Sameer
    * Shiming Zhang
    * Swagat Bora
    * Teresaliu
    * Tony Fang
    * Tõnis Tiigi
    * Vered Rosen
    * Vinayak Goyal
    * bo.jiang
    * chriskery
    * luchenhan
    * mahmut
    * zhaixiaojuan
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
    * **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
    * **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
    * **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0-rc.0
    * **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
    * **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
    * **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
    * **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
    * **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
    * **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.7.1
    * **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
    * **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
    * **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
    * **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
    * **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
    * **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
    * **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
    * **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
    * **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
    * **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
    * **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
    * **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
    * **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
    * **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
    * **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
    * **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
    * **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
    * **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
    * **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
    * **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
    * **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
    * **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
    * **github.com/vishvananda/netlink**                                               v1.3.0 -> 0e7078ed04c8
    * **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
    * **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
    * **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
    * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
    * **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
    * **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
    * **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
    * **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
    * **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
    * **golang.org/x/sync**                                                            v0.8.0 -> v0.14.0
    * **golang.org/x/sys**                                                             v0.26.0 -> v0.33.0
    * **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
    * **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
    * **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
    * **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
    * **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
    * **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
    * **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
    * **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
    * **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
    * **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
    * **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
    * **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
    * **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
    * **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
    
    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
    
  • v2.1.0-rc.0
    containerd 2.1.0-rc.0
    
    Welcome to the v2.1.0-rc.0 release of containerd!
    *This is a pre-release of containerd*
    
    The first minor release of containerd 2.x focuses on continued stability alongside
    new features and improvements. This is the first time-based release for containerd.
    Most of the feature set and core functionality has long been stable and hardened in production
    environments, so now we transition to a balance of timely delivery of new functionality
    with the same high confidence in stability and performance.
    
    ### Highlights
    
    * Add no_sync option to boost boltDB performance on ephemeral environments ([#10745](https://github.com/containerd/containerd/pull/10745))
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
    
    #### Container Runtime Interface (CRI)
    
    * Update CRI to use transfer service for image pull by default ([#8515](https://github.com/containerd/containerd/pull/8515))
    * Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Multipart layer fetch ([#10177](https://github.com/containerd/containerd/pull/10177))
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
    * Add support for unpacking custom media types  ([#11744](https://github.com/containerd/containerd/pull/11744))
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
    
    #### Node Resource Interface (NRI)
    
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
    
    #### Runtime
    
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    
    #### Deprecations
    
    * Postpone cri config deprecations to v2.2 ([#11684](https://github.com/containerd/containerd/pull/11684))
    * Remove deprecated dynamic library plugins ([#11683](https://github.com/containerd/containerd/pull/11683))
    * Remove the support for Schema 1 images ([#11681](https://github.com/containerd/containerd/pull/11681))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Phil Estes
    * Derek McGowan
    * Akihiro Suda
    * Maksym Pavlenko
    * Jin Dong
    * Wei Fu
    * Sebastiaan van Stijn
    * Samuel Karp
    * Austin Vazquez
    * Mike Brown
    * Kazuyoshi Kato
    * Akhil Mohan
    * Henry Wang
    * Adrien Delorme
    * Gao Xiang
    * ningmingxiao
    * Krisztian Litkey
    * Archit Kulkarni
    * Chris Henzie
    * Iceber Gu
    * Yang Yang
    * Alexey Lunev
    * Antonio Ojea
    * Davanum Srinivas
    * Marat Radchenko
    * Michael Zappa
    * Paweł Gronowski
    * Alberto Garcia Hierro
    * Amit Barve
    * Andrey Smirnov
    * Divya
    * Etienne Champetier
    * Kirtana Ashok
    * Philip Laine
    * QiPing Wan
    * fengwei0328
    * zounengren
    * Adrian Reber
    * Alfred Wingate
    * Amal Thundiyil
    * Athos Ribeiro
    * Brian Goff
    * Cesar Talledo
    * ChengyuZhu6
    * Chongyi Zheng
    * Craig Ingram
    * David Son
    * Fupan Li
    * HirazawaUi
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kaita Nakamura
    * Kohei Tokunaga
    * Lei Liu
    * Marco Visin
    * Mike Baynton
    * Qiyuan Liang
    * Sameer
    * Shiming Zhang
    * Teresaliu
    * Tony Fang
    * Tõnis Tiigi
    * Vered Rosen
    * bo.jiang
    * chriskery
    * luchenhan
    * mahmut
    * zhaixiaojuan
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
    * **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
    * **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
    * **github.com/containerd/containerd/api**                                         v1.8.0 -> v1.9.0-rc.0
    * **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
    * **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
    * **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
    * **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
    * **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
    * **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.6.2
    * **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
    * **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
    * **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.9.0
    * **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
    * **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
    * **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
    * **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
    * **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
    * **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
    * **github.com/moby/sys/user**                                                     v0.3.0 -> v0.4.0
    * **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
    * **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
    * **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
    * **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
    * **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
    * **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
    * **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.22.0
    * **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
    * **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
    * **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
    * **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
    * **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
    * **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
    * **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
    * **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
    * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
    * **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
    * **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
    * **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
    * **golang.org/x/net**                                                             v0.30.0 -> v0.38.0
    * **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
    * **golang.org/x/sync**                                                            v0.8.0 -> v0.13.0
    * **golang.org/x/sys**                                                             v0.26.0 -> v0.32.0
    * **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
    * **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
    * **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
    * **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
    * **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
    * **google.golang.org/grpc**                                                       v1.67.1 -> v1.72.0
    * **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
    * **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
    * **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
    * **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/component-base**                                                        v0.31.2 -> v0.32.3
    * **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
    * **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
    * **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
    * **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
    * **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
    
    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
    
  • api/v1.9.0-rc.0
    containerd api/v1.9.0-rc.0
    
    Welcome to the api/v1.9.0-rc.0 release of containerd!
    *This is a pre-release of containerd*
    
    The 10th release for the containerd 1.x API aligns with the containerd 2.1 release.
    
    ### Highlights
    
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Maksym Pavlenko
    * Akihiro Suda
    * Davanum Srinivas
    * Phil Estes
    * Adrian Reber
    * Jin Dong
    * Philip Laine
    
    ### Changes
    <details><summary>16 commits</summary>
    <p>
    
    * Add release notes for api v1.9.0-rc.0 ([#11751](https://github.com/containerd/containerd/pull/11751))
      * [`c0ce618a1`](https://github.com/containerd/containerd/commit/c0ce618a10541b5e1d2979c2d70e971b23c8a16b) Add release notes for api v1.9.0-rc.0
    * Enable HTTP debug and trace for transfer based puller ([#10762](https://github.com/containerd/containerd/pull/10762))
      * [`17b6e1ef8`](https://github.com/containerd/containerd/commit/17b6e1ef85098c532bae0e9544f288ebe530b3fe) Allow streaming to client
      * [`40eb2fdbb`](https://github.com/containerd/containerd/commit/40eb2fdbbb66aa6ef51422e6f62d8f3fb48ab35e) Fix protos
      * [`1d436803d`](https://github.com/containerd/containerd/commit/1d436803dc532c8fd40735c92fd1041dc2cc2868) Add http debug fields to OCI registry protos
    * Add content create event ([#11006](https://github.com/containerd/containerd/pull/11006))
      * [`752914b5b`](https://github.com/containerd/containerd/commit/752914b5bfaa4e28d1231901c37bf8d3b47ca73c) Add content create event to api
    * bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
      * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
      * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
    * build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
      * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
    * Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
      * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/opencontainers/image-spec**  v1.1.0 -> v1.1.1
    * **golang.org/x/net**                      v0.23.0 -> v0.37.0
    * **golang.org/x/sys**                      v0.18.0 -> v0.31.0
    * **golang.org/x/text**                     v0.14.0 -> v0.23.0
    * **gopkg.in/yaml.v3**                      v3.0.1 **_new_**
    
    Previous release can be found at [api/v1.8.0](https://github.com/containerd/containerd/releases/tag/api/v1.8.0)
    
  • v2.0.5
    containerd 2.0.5
    
    Welcome to the v2.0.5 release of containerd!
    
    The fifth patch release for containerd 2.0 includes various bug fixes and updates.
    
    ### Highlights
    
    #### Build and Release Toolchain
    
    * Update go to 1.23.8 ([#11717](https://github.com/containerd/containerd/pull/11717))
    
    #### Container Runtime Interface (CRI)
    
    * Update ImageService to delete images synchronously ([#11599](https://github.com/containerd/containerd/pull/11599))
    
    #### Image Distribution
    
    * Prevent panic on zero length push ([#11698](https://github.com/containerd/containerd/pull/11698))
    * Set default differ for the default unpack config of transfer service ([#11688](https://github.com/containerd/containerd/pull/11688))
    
    #### Runtime
    
    * Remove invalid error log when stopping container after containerd restart ([#11621](https://github.com/containerd/containerd/pull/11621))
    * Update taskOptions based on runtimeOptions when creating a task ([#11618](https://github.com/containerd/containerd/pull/11618))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Akihiro Suda
    * Akhil Mohan
    * Derek McGowan
    * Phil Estes
    * Wei Fu
    * Iceber Gu
    * Austin Vazquez
    * Maksym Pavlenko
    * Cesar Talledo
    * Henry Wang
    * Jin Dong
    * Krisztian Litkey
    * Yang Yang
    
    ### Changes
    <details><summary>33 commits</summary>
    <p>
    
    * Update go to 1.23.8 ([#11717](https://github.com/containerd/containerd/pull/11717))
      * [`5bcf0a95e`](https://github.com/containerd/containerd/commit/5bcf0a95e39fcfa2be3a867be2606fedebd0b681) use go1.23.8 as the default go version
      * [`4838f33f7`](https://github.com/containerd/containerd/commit/4838f33f7e012a61465a1b41895e942d3e6d8abc) update to go 1.24.2, 1.23.8
    * Prepare release notes for v2.0.5 ([#11713](https://github.com/containerd/containerd/pull/11713))
      * [`a8082cd60`](https://github.com/containerd/containerd/commit/a8082cd60df5843b19710e832c653d4cfa6cfd88) Prepare release notes for v2.0.5
    * Disable criu test on arm64 ([#11710](https://github.com/containerd/containerd/pull/11710))
      * [`58b715ad8`](https://github.com/containerd/containerd/commit/58b715ad8dd372472f91dec84aec581d35b417c0) Disable arm64 criu testing in GH Actions
      * [`b4a53e826`](https://github.com/containerd/containerd/commit/b4a53e8264dd6cc93573630c0e59902eaa822886) disable portmap test in ubuntu-22 to make CI happy
      * [`4bcf472de`](https://github.com/containerd/containerd/commit/4bcf472de6ccf12b9f17ea095d8257fd7d7c1d18) add option to skip tests in critest
    * Prevent panic on zero length push ([#11698](https://github.com/containerd/containerd/pull/11698))
      * [`8a638b71a`](https://github.com/containerd/containerd/commit/8a638b71aef45e16b7dcf86bd5267229d715a2e9) Prevent panic in Docker pusher.
    * Set default differ for the default unpack config of transfer service ([#11688](https://github.com/containerd/containerd/pull/11688))
      * [`84d9658c3`](https://github.com/containerd/containerd/commit/84d9658c36c73ba4ae87471dd760ef3539b26c2b) Set default differ for the default unpack config of transfer service
    * ci: update GitHub Actions release runner to ubuntu-24.04 ([#11703](https://github.com/containerd/containerd/pull/11703))
      * [`b184a97d3`](https://github.com/containerd/containerd/commit/b184a97d304a6397758810695ca3fb245a66993f) ci: update GitHub Actions release runner to ubuntu-24.04
    * Remove invalid error log when stopping container after containerd restart ([#11621](https://github.com/containerd/containerd/pull/11621))
      * [`e04543db0`](https://github.com/containerd/containerd/commit/e04543db09ce872a06bbd3aa751bbd6c3a7531c5) use shimCtx for fifo copy
    * Update taskOptions based on runtimeOptions when creating a task ([#11618](https://github.com/containerd/containerd/pull/11618))
      * [`9f46e7a44`](https://github.com/containerd/containerd/commit/9f46e7a449a06934bfb4a9b4b9718c1f625b1693) integration/client: add tests for TaskOptions is not empty
      * [`8a16a6a04`](https://github.com/containerd/containerd/commit/8a16a6a04ad081deac2f4907adda2326e62e5182) prefer task options for PluginInfo request
      * [`a183b2d23`](https://github.com/containerd/containerd/commit/a183b2d232fd3c0ca7cf4903b2392cce639ca7c5) update taskOptions based on runtimeOptions when creating a task
    * Update ImageService to delete images synchronously ([#11599](https://github.com/containerd/containerd/pull/11599))
      * [`091143135`](https://github.com/containerd/containerd/commit/091143135ba903808c76fbdd10316975dcf4b0f1) *: CRIImageService should delete image synchronously
    * Update runc binary to v1.2.6 ([#11583](https://github.com/containerd/containerd/pull/11583))
      * [`c2372c072`](https://github.com/containerd/containerd/commit/c2372c072cb41e9c4217c345c22189cb139820c6) Update runc binary to v1.2.6
    * go.{mod,sum}: bump CDI deps to stable v1.0.0. ([#11566](https://github.com/containerd/containerd/pull/11566))
      * [`e8506511b`](https://github.com/containerd/containerd/commit/e8506511b28fb5343d037e0e56b6a36f7d4a70da) go.{mod,sum}: bump CDI deps to stable v1.0.0.
    * silence govulncheck false positives ([#11571](https://github.com/containerd/containerd/pull/11571))
      * [`4cfb89430`](https://github.com/containerd/containerd/commit/4cfb89430cefd30fb2855721176e1b03a227d3b0) go.mod: github.com/go-jose/go-jose/v4
      * [`2b9e6a29d`](https://github.com/containerd/containerd/commit/2b9e6a29d7ba23fea935bfc7fa6613978d0ca45a) go.mod: golang.org/x/oauth2 v0.28.0
      * [`6df1ea0d9`](https://github.com/containerd/containerd/commit/6df1ea0d9e1743d7d2b5ffe049a68b4d279f2dbd) go.mod: golang.org/x/net v0.37.0
    * Fix CI lint error (cherry-picked #11555) ([#11567](https://github.com/containerd/containerd/pull/11567))
      * [`16f20abdf`](https://github.com/containerd/containerd/commit/16f20abdffa6041382660f1374f25eb9fdfd2fc7) Fix CI lint error
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/go-jose/go-jose/v4**                     v4.0.4 -> v4.0.5
    * **golang.org/x/crypto**                               v0.31.0 -> v0.36.0
    * **golang.org/x/net**                                  v0.33.0 -> v0.37.0
    * **golang.org/x/oauth2**                               v0.23.0 -> v0.28.0
    * **golang.org/x/sync**                                 v0.10.0 -> v0.12.0
    * **golang.org/x/sys**                                  v0.28.0 -> v0.31.0
    * **golang.org/x/term**                                 v0.27.0 -> v0.30.0
    * **golang.org/x/text**                                 v0.21.0 -> v0.23.0
    * **tags.cncf.io/container-device-interface**           v0.8.1 -> v1.0.0
    * **tags.cncf.io/container-device-interface/specs-go**  v0.8.0 -> v1.0.0
    
    Previous release can be found at [v2.0.4](https://github.com/containerd/containerd/releases/tag/v2.0.4)
    
    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
  • v2.1.0-beta.1
    containerd 2.1.0-beta.1
    
    Welcome to the v2.1.0-beta.1 release of containerd!
    *This is a pre-release of containerd*
    
    The 2.1 beta series is here, see the [2.1 milestone](https://github.com/containerd/containerd/milestone/48) to track
    ongoing efforts. Please try out the beta and report any issues!
    
    The first minor release of containerd 2.x focuses on continued stability alongside
    new features and improvements. This is the first time-based release for containerd.
    Most of the feature set and core functionality has long been stable and hardened in production
    environments, so now we transition to a balance of timely delivery of new functionality
    with the same high confidence in stability and performance.
    
    ### Highlights
    
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
    
    #### Container Runtime Interface (CRI)
    
    * Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
    
    #### Node Resource Interface (NRI)
    
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
    
    #### Runtime
    
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Akihiro Suda
    * Phil Estes
    * Derek McGowan
    * Jin Dong
    * Maksym Pavlenko
    * Wei Fu
    * Sebastiaan van Stijn
    * Samuel Karp
    * Austin Vazquez
    * Mike Brown
    * Kazuyoshi Kato
    * Henry Wang
    * Akhil Mohan
    * Gao Xiang
    * ningmingxiao
    * Archit Kulkarni
    * Krisztian Litkey
    * Alexey Lunev
    * Antonio Ojea
    * Chris Henzie
    * Davanum Srinivas
    * Iceber Gu
    * Marat Radchenko
    * Michael Zappa
    * Paweł Gronowski
    * Adrien Delorme
    * Amit Barve
    * Andrey Smirnov
    * Divya
    * Etienne Champetier
    * Kirtana Ashok
    * QiPing Wan
    * Yang Yang
    * fengwei0328
    * zounengren
    * Adrian Reber
    * Alfred Wingate
    * Amal Thundiyil
    * Athos Ribeiro
    * Brian Goff
    * Cesar Talledo
    * ChengyuZhu6
    * Chongyi Zheng
    * Craig Ingram
    * David Son
    * Fupan Li
    * HirazawaUi
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kaita Nakamura
    * Lei Liu
    * Mike Baynton
    * Philip Laine
    * Qiyuan Liang
    * Sameer
    * Shiming Zhang
    * Teresaliu
    * Tõnis Tiigi
    * Vered Rosen
    * bo.jiang
    * chriskery
    * luchenhan
    * mahmut
    
    ### Changes
    <details><summary>520 commits</summary>
    <p>
    
    * release: use Ubuntu 22.04 (glibc 2.35) ([#11685](https://github.com/containerd/containerd/pull/11685))
      * [`81acabd95`](https://github.com/containerd/containerd/commit/81acabd95618cd8d054bc1c127c4dc9f4b7ced2f) release: use Ubuntu 22.04 (glibc 2.35)
    * Prevent panic in Docker pusher. ([#11670](https://github.com/containerd/containerd/pull/11670))
      * [`3251e2cc8`](https://github.com/containerd/containerd/commit/3251e2cc8d17466ef86f1a541a660626ef5fda86) Prevent panic in Docker pusher.
    * build(deps): bump the golang-x group with 2 updates ([#11659](https://github.com/containerd/containerd/pull/11659))
      * [`be602ea5c`](https://github.com/containerd/containerd/commit/be602ea5c72c1d4a61be92f3c7bb1ff9654fc7aa) build(deps): bump the golang-x group with 2 updates
    * build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 ([#11658](https://github.com/containerd/containerd/pull/11658))
      * [`3a5f04fdd`](https://github.com/containerd/containerd/commit/3a5f04fdd0b38b99dd2729bfa77328513bb86b0e) build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4
    * wrong explicitTLS value when dialTimeout is set ([#11546](https://github.com/containerd/containerd/pull/11546))
      * [`53eec6c78`](https://github.com/containerd/containerd/commit/53eec6c783c2ece74c9334e0e3a12e602b212f21) move host tlsconfig update to a separate function
      * [`f702bf9fe`](https://github.com/containerd/containerd/commit/f702bf9fe51fd83992694151847e4c96a55ddb2c) [hosts] wrong explicitTLS value when dialTimeout is set
    * build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 ([#11665](https://github.com/containerd/containerd/pull/11665))
      * [`eae1a6adc`](https://github.com/containerd/containerd/commit/eae1a6adc8f2f1e3f3607eb11d8fcb3f4dd84f10) build(deps): bump github/codeql-action from 3.28.13 to 3.28.15
    * avoid import to testing pkg outside of tests ([#11666](https://github.com/containerd/containerd/pull/11666))
      * [`f87b2c1cd`](https://github.com/containerd/containerd/commit/f87b2c1cd87b15fc477ae91386efe6840a97be6d) avoid import to testing pkg outside of tests
    * build(deps): bump github.com/containernetworking/cni from 1.2.3 to 1.3.0 ([#11660](https://github.com/containerd/containerd/pull/11660))
      * [`2d3ff252d`](https://github.com/containerd/containerd/commit/2d3ff252dc96ab865fc0328fe7fec8f8f4213c88) build(deps): bump github.com/containernetworking/cni from 1.2.3 to 1.3.0
    * fix call fmt.Errorf with wrong error ([#11649](https://github.com/containerd/containerd/pull/11649))
      * [`be9ca11a1`](https://github.com/containerd/containerd/commit/be9ca11a14e424d34d25ccbc88a9eac7067671c0) fix call fmt.Errorf with wrong error
    * Set default differ for the default unpack config of transfer service ([#11641](https://github.com/containerd/containerd/pull/11641))
      * [`a083b669c`](https://github.com/containerd/containerd/commit/a083b669c9412eef55ee103fe2bb1dec7c6178bc) Set default differ for the default unpack config of transfer service
    * build(deps): bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 ([#11631](https://github.com/containerd/containerd/pull/11631))
      * [`33dae72b9`](https://github.com/containerd/containerd/commit/33dae72b9a805b3ee51d288d7726aeaf1f4acab2) build(deps): bump lycheeverse/lychee-action from 2.3.0 to 2.4.0
    * pkg/sys: improve GetLocalListener/CreateUnixSocket error message ([#11608](https://github.com/containerd/containerd/pull/11608))
      * [`1dbb7f2ae`](https://github.com/containerd/containerd/commit/1dbb7f2ae3be1b7925dfbbc064b1b6afefcbe182) pkg/sys: improve GetLocalListener/CreateUnixSocket error message
    * cri: fix lost container exit events if they arrive before info is cached ([#11579](https://github.com/containerd/containerd/pull/11579))
      * [`ead5c1ee6`](https://github.com/containerd/containerd/commit/ead5c1ee6573c698b3776581f744a8e752e75770) cri:fix lost container exit events if they arrive before info is cached
    * Fix the panic caused by the failure of RunPodSandbox ([#11588](https://github.com/containerd/containerd/pull/11588))
      * [`a3a66d1f2`](https://github.com/containerd/containerd/commit/a3a66d1f2b33758bf65cd8d88936f4a5f2e142fe) Fix the panic caused by the failure of RunPodSandbox
    * fix: call checkCopyShimLogError(shimCtx) to avoid expected error log flood ([#11475](https://github.com/containerd/containerd/pull/11475))
      * [`4357a7600`](https://github.com/containerd/containerd/commit/4357a7600ecbe50d55dde3de4bb842cb939cf83b) use shimCtx for fifo copy
    * update taskOptions based on runtimeOptions when creating a task  ([#11569](https://github.com/containerd/containerd/pull/11569))
      * [`450038a28`](https://github.com/containerd/containerd/commit/450038a28bff6c83ec7af1f7a417ad5498a4701c) integration/client: add tests for TaskOptions is not empty
      * [`7e5c5038a`](https://github.com/containerd/containerd/commit/7e5c5038ad7b8d9a2670939255c2382dc123b44b) prefer task options for PluginInfo request
      * [`ec3567d6b`](https://github.com/containerd/containerd/commit/ec3567d6b369cde39739b41db8763a19d6f35c39) update taskOptions based on runtimeOptions when creating a task
    * correct kep template - remove render type ([#11615](https://github.com/containerd/containerd/pull/11615))
      * [`07a23b6f4`](https://github.com/containerd/containerd/commit/07a23b6f4bd30530a8c3c5ea965fe72695eb649b) use type textarea
    * *: image volume feature's follow-up  ([#11605](https://github.com/containerd/containerd/pull/11605))
      * [`fe4703cde`](https://github.com/containerd/containerd/commit/fe4703cde553c184c8846358baa9799cfc4eb34d) integration: check image volume snapshot after deleting pod
      * [`d141d6c3d`](https://github.com/containerd/containerd/commit/d141d6c3dd650a7cdf2aecf5922850a9006d0087) integration: run image volumes for linux platform only
      * [`de833ebbb`](https://github.com/containerd/containerd/commit/de833ebbbe22c5239e66d923f797853144838a45) cri: enhance error handling for image volume
      * [`be0ab6e93`](https://github.com/containerd/containerd/commit/be0ab6e93612a3563e52a42176c70e341348e464) cri: add volatile option to image volume mount if applicable
    * downgrade cni version in CI test ([#11616](https://github.com/containerd/containerd/pull/11616))
      * [`cffb6d425`](https://github.com/containerd/containerd/commit/cffb6d42506199be781423fd663fb69b12d5853a) downgrade cni version in CI test
    * Create cri_kep.yaml for the new issue template for the new KEP process  ([#11610](https://github.com/containerd/containerd/pull/11610))
      * [`3ef9084d0`](https://github.com/containerd/containerd/commit/3ef9084d099235d6852c4259f540f45014616c7b) Create cri_kep.yaml
    * build(deps): bump github.com/containernetworking/plugins from 1.5.1 to 1.6.2 ([#11226](https://github.com/containerd/containerd/pull/11226))
      * [`aff7e4797`](https://github.com/containerd/containerd/commit/aff7e47977172fcad5f872cb42df0b13368a71b2) build(deps): bump github.com/containernetworking/plugins
    * build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1 ([#11595](https://github.com/containerd/containerd/pull/11595))
      * [`3689dec42`](https://github.com/containerd/containerd/commit/3689dec42ccd1f4a054cf4c6be6aaef615e9a9d4) build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1
    * build(deps): bump actions/cache from 4.2.2 to 4.2.3 ([#11592](https://github.com/containerd/containerd/pull/11592))
      * [`ce690b0a9`](https://github.com/containerd/containerd/commit/ce690b0a9d003636b699db4daab9c2090ee81687) build(deps): bump actions/cache from 4.2.2 to 4.2.3
    * build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 ([#11593](https://github.com/containerd/containerd/pull/11593))
      * [`5b194505e`](https://github.com/containerd/containerd/commit/5b194505e836fd6b00cb3b59b7bdc3f17563ca42) build(deps): bump github/codeql-action from 3.28.11 to 3.28.13
    * build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 ([#11594](https://github.com/containerd/containerd/pull/11594))
      * [`cb6a82a92`](https://github.com/containerd/containerd/commit/cb6a82a9213623fcf2d6cd7af990741083eb509b) build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
    * build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6 ([#11598](https://github.com/containerd/containerd/pull/11598))
      * [`d080d441d`](https://github.com/containerd/containerd/commit/d080d441d228f39b0db91664bba6410744f8dfc3) build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
    * build(deps): bump github.com/opencontainers/selinux from 1.11.1 to 1.12.0 ([#11596](https://github.com/containerd/containerd/pull/11596))
      * [`7e7c3b0a8`](https://github.com/containerd/containerd/commit/7e7c3b0a84a33c80a8c3b72398dcb559acd1cee8) build(deps): bump github.com/opencontainers/selinux
    * *: CRIImageService should delete image synchronously ([#11581](https://github.com/containerd/containerd/pull/11581))
      * [`e7b4165ab`](https://github.com/containerd/containerd/commit/e7b4165ab28767c1c7c498a329461f4a023295ac) *: CRIImageService should delete image synchronously
    * Update max container log line size json field ([#11452](https://github.com/containerd/containerd/pull/11452))
      * [`7f9ca1dcb`](https://github.com/containerd/containerd/commit/7f9ca1dcb46ab124af1e7510dc54ff6c07c94305) update max container log line size json field
    * Support multiple cni plugin bin dirs ([#11311](https://github.com/containerd/containerd/pull/11311))
      * [`42effa3b9`](https://github.com/containerd/containerd/commit/42effa3b911c5bbfa0c0b2516bb1556e5dc205ae) Mark `NetworkPluginBinDir` as DEPRECATED
      * [`71f593d4a`](https://github.com/containerd/containerd/commit/71f593d4a23aa82316ff7f4f6c5f6c229fdeddce) Support multiple CNI plugin bin dirs
    * go.mod: tags.cncf.io/container-device-interface v1.0.1 ([#11582](https://github.com/containerd/containerd/pull/11582))
      * [`10fae41ad`](https://github.com/containerd/containerd/commit/10fae41ad8245a187596d5d5d600b63b515bd674) go.mod: tags.cncf.io/container-device-interface v1.0.1
    * cri: introduce io.containerd.timeout.cri.defercleanup setting ([#11380](https://github.com/containerd/containerd/pull/11380))
      * [`7c522819d`](https://github.com/containerd/containerd/commit/7c522819d290d725b224a503deeca554e908cda2) support to set defer cleanup timeout to decrease ctx timeout
    * Update runc binary to v1.2.6 ([#11560](https://github.com/containerd/containerd/pull/11560))
      * [`3e96f1a51`](https://github.com/containerd/containerd/commit/3e96f1a51c4dc5bfa08ae2b333c9c9462bbd4c78) Update runc binary to v1.2.6
    * build(deps): bump docker/login-action from 3.3.0 to 3.4.0 ([#11552](https://github.com/containerd/containerd/pull/11552))
      * [`234a4411f`](https://github.com/containerd/containerd/commit/234a4411f2a1145b91609274e56f5fb3f660aacc) build(deps): bump docker/login-action from 3.3.0 to 3.4.0
    * bump golang.org/x/net from 0.33.0 to 0.37.0 ([#11574](https://github.com/containerd/containerd/pull/11574))
      * [`7fe5c4123`](https://github.com/containerd/containerd/commit/7fe5c41237b8da120ab45b30ea3f02d64b71a68b) go.mod: golang.org/x/net v0.37.0
    * build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0 to 2.0.1 ([#11570](https://github.com/containerd/containerd/pull/11570))
      * [`14e94bcbf`](https://github.com/containerd/containerd/commit/14e94bcbf32eb4d35181e7b648c42f05a9497242) build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0 to 2.0.1
    * build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.2 ([#11554](https://github.com/containerd/containerd/pull/11554))
      * [`80e3fc4ce`](https://github.com/containerd/containerd/commit/80e3fc4cecfd5a86f4739bc0060df885aa80a312) build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.2
    * build(deps): bump tags.cncf.io/container-device-interface from 0.8.1 to 1.0.0 ([#11522](https://github.com/containerd/containerd/pull/11522))
      * [`6670d4153`](https://github.com/containerd/containerd/commit/6670d415346e6793617d5894e97608f05ef34c72) build(deps): bump tags.cncf.io/container-device-interface
    * build(deps): bump the k8s group with 5 updates ([#11553](https://github.com/containerd/containerd/pull/11553))
      * [`ec5d686b1`](https://github.com/containerd/containerd/commit/ec5d686b1027f21afa6c56271cb2a7df7d754c6c) build(deps): bump the k8s group with 5 updates
    * Fix CI lint error ([#11555](https://github.com/containerd/containerd/pull/11555))
      * [`c8effff1a`](https://github.com/containerd/containerd/commit/c8effff1a823bed757194584a80a043c3a69da1a) Fix CI lint error
      * [`b430e5ac3`](https://github.com/containerd/containerd/commit/b430e5ac3accf636cf52b0128b27bb828574cbcf) Merge commit from fork
      * [`de1341c20`](https://github.com/containerd/containerd/commit/de1341c201ffb0effebbf51d00376181968c8779) validate uid/gid
    * Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 ([#11544](https://github.com/containerd/containerd/pull/11544))
      * [`8028a1d08`](https://github.com/containerd/containerd/commit/8028a1d086620f7ebf9d8b5446e3abb06bdecdc3) Bump github.com/go-jose/go-jose/v4 from v4.0.4 to v4.0.5
      * [`ce055b530`](https://github.com/containerd/containerd/commit/ce055b530556532a2f0d92bdcd39bc89739cdbd8) Bump golang.org/x/text from 0.22.0 to 0.23.0
      * [`e0aaed012`](https://github.com/containerd/containerd/commit/e0aaed0120ba2aa7e9245390a94a2fc550ee5c34) Bump golang.org/x/term from 0.29.0 to 0.30.0
    * fix: repeat args from sub-func call ([#11512](https://github.com/containerd/containerd/pull/11512))
      * [`b947e0566`](https://github.com/containerd/containerd/commit/b947e056634177e2e21ea7317b5496956213e004) fix: repeat args from sub-func call
    * build(deps): bump github.com/prometheus/client_golang from 1.20.5 to 1.21.1 ([#11525](https://github.com/containerd/containerd/pull/11525))
      * [`75252f975`](https://github.com/containerd/containerd/commit/75252f9759c3bd3dfaf6fb2f5af12771ff1a1810) build(deps): bump github.com/prometheus/client_golang
    * integration: update TestUpgrade for 2.1 ([#11519](https://github.com/containerd/containerd/pull/11519))
      * [`06daffb4d`](https://github.com/containerd/containerd/commit/06daffb4d1b65288d4e3c94b172efeddd8d61851) integration: update TestUpgrade for 2.1
    * config:fix config migrate lost timeout config ([#11532](https://github.com/containerd/containerd/pull/11532))
      * [`531adbf06`](https://github.com/containerd/containerd/commit/531adbf065160bf91315ef17cd5e70f9895d86b5) config:fix config migrate lost timeout config
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
      * [`c4982bffc`](https://github.com/containerd/containerd/commit/c4982bffc6dd887a58a189f8a6be99b1b1542953) Add dial timeout field to hosts toml configuration
    * Prepare release notes for v2.1.0-beta.0 ([#11510](https://github.com/containerd/containerd/pull/11510))
      * [`12762891d`](https://github.com/containerd/containerd/commit/12762891d6c4e0e91384c01650c102d911f9a915) Remove test for issue 10467
      * [`93cc1e6eb`](https://github.com/containerd/containerd/commit/93cc1e6eb96c099e50f6cc0c7f68feeacf09dc48) Fix upgrade test runtime config
      * [`833d6bc8e`](https://github.com/containerd/containerd/commit/833d6bc8e932a6e2e24b4b3bd4ead920fe8e6035) Update release status for 2.1 to beta
      * [`71cfe00ee`](https://github.com/containerd/containerd/commit/71cfe00eec7b22a392458f4d87261dbd6e828af5) Prepare release notes for v2.1.0-beta.n
      * [`be8fe50f4`](https://github.com/containerd/containerd/commit/be8fe50f49a0fb2752b52d560ab1039dbfd83af4) Update the upgrade test to handle 2.1
    * build(deps): bump the otel group with 8 updates ([#11521](https://github.com/containerd/containerd/pull/11521))
      * [`94dd70f4f`](https://github.com/containerd/containerd/commit/94dd70f4f0c659526f3b75dc278530dd8d429628) build(deps): bump the otel group with 8 updates
    * client: Respect `client.WithTimeout` option ([#11508](https://github.com/containerd/containerd/pull/11508))
      * [`ee574e76e`](https://github.com/containerd/containerd/commit/ee574e76e7f6bbe239298163eab6ccd8b94d73b3) client: Respect `client.WithTimeout` option
    * build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 ([#11523](https://github.com/containerd/containerd/pull/11523))
      * [`700b98415`](https://github.com/containerd/containerd/commit/700b98415ef82825d18f53612e2e00eb16197d37) build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
    * build(deps): bump the golang-x group with 3 updates ([#11520](https://github.com/containerd/containerd/pull/11520))
      * [`85c04ab0e`](https://github.com/containerd/containerd/commit/85c04ab0ec8d50c042e4665254342730b0d67175) build(deps): bump the golang-x group with 3 updates
    * add k8s 1.32 to support table and as tested containerd supported branches at the time of release ([#11534](https://github.com/containerd/containerd/pull/11534))
      * [`5bbd3ed1b`](https://github.com/containerd/containerd/commit/5bbd3ed1b1993c30188cd5b1acb959bb44469127) add k8s 1.32 and as tested containerd supported branches at the time of release
    * build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 ([#11524](https://github.com/containerd/containerd/pull/11524))
      * [`c37e48b07`](https://github.com/containerd/containerd/commit/c37e48b07c51f6877a268f69a9d7d85c54e7d97f) build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
      * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
    * build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 ([#11526](https://github.com/containerd/containerd/pull/11526))
      * [`d7de182dd`](https://github.com/containerd/containerd/commit/d7de182ddf46b61b894d363c76b92f5fbc24cccb) build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3
    * build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 ([#11527](https://github.com/containerd/containerd/pull/11527))
      * [`9f885ea4f`](https://github.com/containerd/containerd/commit/9f885ea4f549febd5de9fde536006f9484e12df5) build(deps): bump github/codeql-action from 3.28.10 to 3.28.11
    * build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2 ([#11528](https://github.com/containerd/containerd/pull/11528))
      * [`88faaac97`](https://github.com/containerd/containerd/commit/88faaac973dee7326e765a601bcdc6cf42843518) build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2
    * add name in package version ([#11518](https://github.com/containerd/containerd/pull/11518))
      * [`405a952c6`](https://github.com/containerd/containerd/commit/405a952c653b2ec912cbfdef2c89b43151a072bd) add name in package version
    * update to go1.23.7 / go1.24.1 ([#11513](https://github.com/containerd/containerd/pull/11513))
      * [`4f090fe77`](https://github.com/containerd/containerd/commit/4f090fe772b33191fa5e47a6b826ee56f45463f2) update to go1.23.7 / go1.24.1
    * Don't produce unnecessary logs when encountering attestations ([#11327](https://github.com/containerd/containerd/pull/11327))
      * [`3cdfc1003`](https://github.com/containerd/containerd/commit/3cdfc1003dbde389d1d3bd012202be534bf6a4cf) core/remotes: Handle attestations in MakeRefKey
      * [`e751b6bb1`](https://github.com/containerd/containerd/commit/e751b6bb1db7936ee111322ff199d9f708c27428) core/images: Ignore attestations when traversing children
    * perf(applyNaive): avoid walking the tree for each file in the same directory ([#11337](https://github.com/containerd/containerd/pull/11337))
      * [`d8063c30d`](https://github.com/containerd/containerd/commit/d8063c30dd05ca71e7b2d8d78360af6835dd5e46) perf(applyNaive): avoid walking the tree for each file in the same directory
    * Update runtime-spec to v1.2.1 ([#11460](https://github.com/containerd/containerd/pull/11460))
      * [`f8f205382`](https://github.com/containerd/containerd/commit/f8f205382adcad407b7e95e76b18e787e0688b35) Update runtime-spec to v1.2.1
    * docs: include note about unprivileged sysctls ([#11502](https://github.com/containerd/containerd/pull/11502))
      * [`edd1cc50d`](https://github.com/containerd/containerd/commit/edd1cc50d5f3c474fe6f09927afbe9be4c7c10da) docs: include note about unprivileged sysctls
    * ci: update GitHub Actions release runner to ubuntu-24.04 ([#11479](https://github.com/containerd/containerd/pull/11479))
      * [`705518e58`](https://github.com/containerd/containerd/commit/705518e58b98e868cba35c116d9e46e88f9928bf) ci: update GitHub Actions release runner to ubuntu-24.04
    * e2e: use the shim bundled with containerd artifact ([#11489](https://github.com/containerd/containerd/pull/11489))
      * [`393ad5b11`](https://github.com/containerd/containerd/commit/393ad5b11ea3aae3d86f60400f40cf63849eda40) e2e: use the shim bundled with containerd artifact
    * build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 ([#11450](https://github.com/containerd/containerd/pull/11450))
      * [`e84e5a215`](https://github.com/containerd/containerd/commit/e84e5a215cab4d189e05e989e94ae26cb84553cf) build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0
      * [`00cb73503`](https://github.com/containerd/containerd/commit/00cb7350392b13cb8c21c5f422304bde7317a760) Swap to go.etcd.io/bbolt/errors for bbolt errors
    * CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0 ([#11482](https://github.com/containerd/containerd/pull/11482))
      * [`af5ff5a1f`](https://github.com/containerd/containerd/commit/af5ff5a1f18c7fb899d5a12434616db62a4a3bee) CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0
    * device mapper:fix sometimes blkdiscard doesn't have --version flags ([#11330](https://github.com/containerd/containerd/pull/11330))
      * [`44baada6a`](https://github.com/containerd/containerd/commit/44baada6aa88a4eb1c1adddceb353b14396cc442) device mapper:fix sometimes blkdiscard doesn't have --version flags
    * docs: add CRI Plugin Config runtime_path ([#11402](https://github.com/containerd/containerd/pull/11402))
      * [`a1e7457bc`](https://github.com/containerd/containerd/commit/a1e7457bc486036559d01fe4a88327417efcf6c1) docs: add CRI Plugin Config runtime_path
    * Consolidate security profile logic into a common pkg ([#11080](https://github.com/containerd/containerd/pull/11080))
      * [`71958731e`](https://github.com/containerd/containerd/commit/71958731e82a9068e783db9d578586841fd52404) move security profile to cri/sputil pkg
    * erofs-snapshotter: two bug-fixes ([#11476](https://github.com/containerd/containerd/pull/11476))
      * [`3a5de731c`](https://github.com/containerd/containerd/commit/3a5de731c587342ccc8691acd5d4ae2154b9511c) erofs-snapshotter: clear IMMUTABLE_FL only for committed snapshots
      * [`971915797`](https://github.com/containerd/containerd/commit/971915797acd86cb4ea7efc7641cb17bec90c896) erofs-snapshotter: force the use of loop devices for single-layer images
    * CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0 ([#11481](https://github.com/containerd/containerd/pull/11481))
      * [`10f2b7fde`](https://github.com/containerd/containerd/commit/10f2b7fded7fb91966a9af77d0dae06d872d2c5d) CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
    * build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11474](https://github.com/containerd/containerd/pull/11474))
      * [`69c0d7f60`](https://github.com/containerd/containerd/commit/69c0d7f60f74210d6e41515e9064bb96362683c7) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
    * build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 ([#11464](https://github.com/containerd/containerd/pull/11464))
      * [`72ac5cad4`](https://github.com/containerd/containerd/commit/72ac5cad446bdb315c83a2f720f55ecdffba3780) build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
    * build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 ([#11467](https://github.com/containerd/containerd/pull/11467))
      * [`001dfeb19`](https://github.com/containerd/containerd/commit/001dfeb19f791348d3fc89c7d93ad23c971c7b93) build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0
    * build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 ([#11468](https://github.com/containerd/containerd/pull/11468))
      * [`86734729f`](https://github.com/containerd/containerd/commit/86734729fb1274b11fd2a3c97bf61bcc486017e6) build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
    * build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 ([#11469](https://github.com/containerd/containerd/pull/11469))
      * [`9b0b67951`](https://github.com/containerd/containerd/commit/9b0b679519dc25f20c1084ca719e6225286f3534) build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0
    * build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 ([#11470](https://github.com/containerd/containerd/pull/11470))
      * [`20fa1ca46`](https://github.com/containerd/containerd/commit/20fa1ca46ddb35799fa67c6743ea8652b3bd54f2) build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2
    * build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
      * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
    * build(deps): bump actions/cache from 4.2.1 to 4.2.2 ([#11471](https://github.com/containerd/containerd/pull/11471))
      * [`0eea93d68`](https://github.com/containerd/containerd/commit/0eea93d6873c2b7b26a4c7bae0bfbd29c9039f3c) build(deps): bump actions/cache from 4.2.1 to 4.2.2
    * Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
      * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
    * Remove After=local-fs.target from containerd.service ([#11116](https://github.com/containerd/containerd/pull/11116))
      * [`e0459262b`](https://github.com/containerd/containerd/commit/e0459262ba8b52e936b3b2e555e7faeab846b600) Remove After=local-fs.target from containerd.service
    * erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL ([#11431](https://github.com/containerd/containerd/pull/11431))
      * [`b477cf8e9`](https://github.com/containerd/containerd/commit/b477cf8e97b6facd183bba964631a36ef7a3d32b) erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL
    * Log "container event discarded" as Info ([#11115](https://github.com/containerd/containerd/pull/11115))
      * [`6c7b1afe5`](https://github.com/containerd/containerd/commit/6c7b1afe5127c0f8827a8995c1756ab71289ec98) Log "container event discarded" as Info
    * Fix privileged container sysfs can't be rw because pod is ro by default ([#11271](https://github.com/containerd/containerd/pull/11271))
      * [`1fc497218`](https://github.com/containerd/containerd/commit/1fc497218ac5f83fa65b9043bc3bc2bc0dee219c) Fix privileged container sysfs can't be rw because pod is ro by default
    * cri,nri: fix initial sync race of registering NRI plugins. ([#11384](https://github.com/containerd/containerd/pull/11384))
      * [`6a01ad3e1`](https://github.com/containerd/containerd/commit/6a01ad3e16c57c631febb92090bbca5c331e2f7d) cri,nri: block NRI plugin sync. during event processing.
    * proxy: break up writes from the remote writer to avoid grpc limits ([#11441](https://github.com/containerd/containerd/pull/11441))
      * [`f25f36c33`](https://github.com/containerd/containerd/commit/f25f36c334144d87233e06b0de90522ebd97e144) proxy: break up writes from the remote writer to avoid grpc limits
    * build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 ([#11423](https://github.com/containerd/containerd/pull/11423))
      * [`0500dacf6`](https://github.com/containerd/containerd/commit/0500dacf609df804e3cb025f024f39e5e32cb1e4) build(deps): bump github/codeql-action from 3.28.9 to 3.28.10
    * go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11449](https://github.com/containerd/containerd/pull/11449))
      * [`22d568fb5`](https://github.com/containerd/containerd/commit/22d568fb5a8381fd20ea4e385f8aff9899e0e710) Update CDI dependency to v0.8.1.
    * build(deps): bump the k8s group across 1 directory with 6 updates ([#11398](https://github.com/containerd/containerd/pull/11398))
      * [`d2b5653c1`](https://github.com/containerd/containerd/commit/d2b5653c11b6dc9023609cc9ca35b334e53768c0) build(deps): bump the k8s group across 1 directory with 6 updates
    * Prefer runtime options for PluginInfo request ([#11442](https://github.com/containerd/containerd/pull/11442))
      * [`51f063f07`](https://github.com/containerd/containerd/commit/51f063f0716871070f6a8995902ee6a679ee9c45) Prefer runtime options for PluginInfo request
    * pkg: prevent oom watcher from depending on shim pkg ([#11433](https://github.com/containerd/containerd/pull/11433))
      * [`268880bf5`](https://github.com/containerd/containerd/commit/268880bf53b39f8de4e6d7d668a8bb5e7ee3519a) [improve] prevent oom watcher depend on shim pkg.
    * Ignore defunct verifier procs in test ([#11435](https://github.com/containerd/containerd/pull/11435))
      * [`76858ac8e`](https://github.com/containerd/containerd/commit/76858ac8e3129644fb4cf5ae9f86448655989cf4) Ignore defunct verifier procs in test
    * CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11427](https://github.com/containerd/containerd/pull/11427))
      * [`4e7484d3f`](https://github.com/containerd/containerd/commit/4e7484d3f40a8ec07126eb16fae614aedafe630a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
    * build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 ([#11424](https://github.com/containerd/containerd/pull/11424))
      * [`125525d6c`](https://github.com/containerd/containerd/commit/125525d6cd4aa85ac91f694e94b5bf8c9b647b6d) build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
    * build(deps): bump actions/cache from 4.2.0 to 4.2.1 ([#11426](https://github.com/containerd/containerd/pull/11426))
      * [`86cde823a`](https://github.com/containerd/containerd/commit/86cde823a8361c3a3d3ff756da5523e89f1bb93b) build(deps): bump actions/cache from 4.2.0 to 4.2.1
    * build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 ([#11425](https://github.com/containerd/containerd/pull/11425))
      * [`49257264f`](https://github.com/containerd/containerd/commit/49257264fec6c950d18bd6960b35e5ae12eafa02) build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
    * erofs-snapshotter: add fsverity support ([#11352](https://github.com/containerd/containerd/pull/11352))
      * [`f3b6078f9`](https://github.com/containerd/containerd/commit/f3b6078f90bf61c87bab34c7f6c10eeb8258a465) erofs-snapshotter: add fsverity support
    * Support for importing layers in the block CIM format. ([#11179](https://github.com/containerd/containerd/pull/11179))
      * [`a1c540085`](https://github.com/containerd/containerd/commit/a1c540085f86dcc8613e6db11b73bed4a3a02883) Support for importing layers in the block CIM format.
    * perf(zstd): deactivate the low mem decoder ([#11335](https://github.com/containerd/containerd/pull/11335))
      * [`c51f5d26f`](https://github.com/containerd/containerd/commit/c51f5d26f1167d612d061cb20ae0cbb1ab00a0da) perf(zstd): deactivate the low mem decoder
    * build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 ([#11370](https://github.com/containerd/containerd/pull/11370))
      * [`6a08d70e6`](https://github.com/containerd/containerd/commit/6a08d70e681b81049a2cabfd44216803662d6c8e) build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
    * move the device after the options when using mkfs.ext4 ([#11362](https://github.com/containerd/containerd/pull/11362))
      * [`b98378638`](https://github.com/containerd/containerd/commit/b9837863815e2ffe5ea28e52afe24a2e1829863f) move the device after the options when using mkfs.ext4
    * build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 ([#11313](https://github.com/containerd/containerd/pull/11313))
      * [`f23981281`](https://github.com/containerd/containerd/commit/f23981281e60fd5ad37d61e43a777ff64fbfb874) build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
    * build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 ([#11397](https://github.com/containerd/containerd/pull/11397))
      * [`b8a759f1f`](https://github.com/containerd/containerd/commit/b8a759f1fd59eca20534e223fa8db2011ebbb519) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
    * build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5 ([#11373](https://github.com/containerd/containerd/pull/11373))
      * [`326fbf074`](https://github.com/containerd/containerd/commit/326fbf07470ee61022e84f1387cf799aa86493b0) build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5
    * Clarify port handling in `hosts.toml` ([#11393](https://github.com/containerd/containerd/pull/11393))
      * [`a502b7931`](https://github.com/containerd/containerd/commit/a502b7931babb81749c5236b38a09e5ae73fe88e) Clarify port handling in hosts toml
    * Move `linters-settings.exclude-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11399](https://github.com/containerd/containerd/pull/11399))
      * [`480e1039f`](https://github.com/containerd/containerd/commit/480e1039fe23512e6c1ea4bd8db1be93ac125993) move exclude-dirs to issues.exclude-dirs
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
      * [`1ec10d9ae`](https://github.com/containerd/containerd/commit/1ec10d9ae7535ddd7b18e3c21b6cd8ff12a2f90d) Add OCI/Image Volume Source support
    * build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 ([#11374](https://github.com/containerd/containerd/pull/11374))
      * [`17acb356f`](https://github.com/containerd/containerd/commit/17acb356f826ccf6dd6b0160dcce5e3aedf41f21) build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
    * Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11323](https://github.com/containerd/containerd/pull/11323))
      * [`83b65e52f`](https://github.com/containerd/containerd/commit/83b65e52fddf9411009e396dda283a782921222f) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
    * Update runc binary to v1.2.5 ([#11388](https://github.com/containerd/containerd/pull/11388))
      * [`938775864`](https://github.com/containerd/containerd/commit/938775864aba692f69d4bb143e1d6197b69b421b) Update runc binary to v1.2.5
    * build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 ([#11369](https://github.com/containerd/containerd/pull/11369))
      * [`2f971ee2d`](https://github.com/containerd/containerd/commit/2f971ee2d474c403837500846e0deaa8ba399992) build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
    * Remove noinline in seccomp/apparmor SpecOpts ([#11264](https://github.com/containerd/containerd/pull/11264))
      * [`222308416`](https://github.com/containerd/containerd/commit/222308416cd7d0204c4adf64ffdf438951e5aa64) Remove noinline in apparmor SpecOpts
      * [`2a4164ac8`](https://github.com/containerd/containerd/commit/2a4164ac868955ac9cb406cb4dc434d2eb3f9a16) Remove noinline in seccomp SpecOpts
    * build(deps): bump the golang-x group with 3 updates ([#11371](https://github.com/containerd/containerd/pull/11371))
      * [`84e07f6b5`](https://github.com/containerd/containerd/commit/84e07f6b54400bf61d1242c42f3437384aec2a65) build(deps): bump the golang-x group with 3 updates
    * update to go 1.24.0 / go1.23.6 ([#11377](https://github.com/containerd/containerd/pull/11377))
      * [`df99aa321`](https://github.com/containerd/containerd/commit/df99aa321a274c50de87332a067537cea746fd5c) update to go 1.24.0 / go1.23.6
      * [`41eaa41c4`](https://github.com/containerd/containerd/commit/41eaa41c43787755427aa430149a9c857c643be3) update golangci-lint to v1.64.2
    * build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 ([#11368](https://github.com/containerd/containerd/pull/11368))
      * [`2b8a7f253`](https://github.com/containerd/containerd/commit/2b8a7f253dee9bd8a4dc650eb27fbd803a64c97a) build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0
    * build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 ([#11367](https://github.com/containerd/containerd/pull/11367))
      * [`bdb8cb5a8`](https://github.com/containerd/containerd/commit/bdb8cb5a80915fc605dcdfa3e0b0f2eb2b293b1c) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
      * [`2f15d6586`](https://github.com/containerd/containerd/commit/2f15d6586b261d0f0bc68b847660dc2b691169db) Add tests for EROFS snapshotter
      * [`fd4caef78`](https://github.com/containerd/containerd/commit/fd4caef7866306f9e654f54ba0209c7f4a554ad9) Add EROFS snapshotter documentation
      * [`2486d542a`](https://github.com/containerd/containerd/commit/2486d542a5a96d71e3c8bb36517479e0a81f0131) Introduce EROFS Snapshotter
      * [`c73c8e5d5`](https://github.com/containerd/containerd/commit/c73c8e5d526aba6acf0eb75976bfc5a1037d64ac) Introduce EROFS differ
    * Update RELEASES.md for new release schedule and LTS policy ([#11294](https://github.com/containerd/containerd/pull/11294))
      * [`6d1f6e75d`](https://github.com/containerd/containerd/commit/6d1f6e75d65283dc6440556cfaf694c20059d77d) Update upgrade section
      * [`5f238fa82`](https://github.com/containerd/containerd/commit/5f238fa827a97e729592c1ed896a1192ba53ab09) Update to time based releases
      * [`886d971f8`](https://github.com/containerd/containerd/commit/886d971f855da042f1c83fc87b2074c858062f3b) Update LTS definition and support horizon
    * nri: make OCI spec available on StopPodSandbox ([#11331](https://github.com/containerd/containerd/pull/11331))
      * [`2eb0aa6b9`](https://github.com/containerd/containerd/commit/2eb0aa6b988a508400d6567602e7f3af838ca3c4) nri: make OCI spec available on StopPodSandbox
    * build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8 ([#11332](https://github.com/containerd/containerd/pull/11332))
      * [`565b50dbb`](https://github.com/containerd/containerd/commit/565b50dbb92f231ea1f416dead040d8e96f0963a) build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8
    * build(deps): bump google-github-actions/upload-cloud-storage from 2.2.1 to 2.2.2 ([#11334](https://github.com/containerd/containerd/pull/11334))
      * [`b65f3875b`](https://github.com/containerd/containerd/commit/b65f3875ba3365a780ac9d9ace295c56ac230ee4) build(deps): bump google-github-actions/upload-cloud-storage
    * build(deps): bump github/codeql-action from 3.28.6 to 3.28.8 ([#11333](https://github.com/containerd/containerd/pull/11333))
      * [`841ab361c`](https://github.com/containerd/containerd/commit/841ab361c1e52200319c08dc8b09f11e07d78f17) build(deps): bump github/codeql-action from 3.28.6 to 3.28.8
    * Fix state/root bug in shim sandbox controller ([#11321](https://github.com/containerd/containerd/pull/11321))
      * [`168c49e4d`](https://github.com/containerd/containerd/commit/168c49e4dcf1fcfebcf5d751f5aa20747b2a2032) Fix state/root bug in shim sandbox controller
    * build(deps): bump github/codeql-action from 3.28.1 to 3.28.6 ([#11315](https://github.com/containerd/containerd/pull/11315))
      * [`48d09104d`](https://github.com/containerd/containerd/commit/48d09104dcc4244672c590e9b6ab3ab71d8c9ce4) build(deps): bump github/codeql-action from 3.28.1 to 3.28.6
    * build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 ([#11317](https://github.com/containerd/containerd/pull/11317))
      * [`0c986c332`](https://github.com/containerd/containerd/commit/0c986c332f072ce2273c06d2707976b321830423) build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0
    * build(deps): bump actions/stale from 9.0.0 to 9.1.0 ([#11316](https://github.com/containerd/containerd/pull/11316))
      * [`575239789`](https://github.com/containerd/containerd/commit/5752397896d44d5807837c8a71e2c0f1769ba66a) build(deps): bump actions/stale from 9.0.0 to 9.1.0
    * build(deps): bump the otel group across 1 directory with 8 updates ([#11286](https://github.com/containerd/containerd/pull/11286))
      * [`69e82f9cd`](https://github.com/containerd/containerd/commit/69e82f9cd3e29428bd480b1c349268a0723af51d) build(deps): bump the otel group across 1 directory with 8 updates
    * build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 ([#11283](https://github.com/containerd/containerd/pull/11283))
      * [`19c546c97`](https://github.com/containerd/containerd/commit/19c546c9760b11c266a314bf25177b96d7a21f24) build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
    * Update cimfs snapshotter & differ for new hcsshim interface ([#10033](https://github.com/containerd/containerd/pull/10033))
      * [`b81ace872`](https://github.com/containerd/containerd/commit/b81ace8724e154a0899679a05a98b7174804abed) Update cimfs snapshotter & differ for new hcsshim interface
    * update to go1.23.5 / go1.22.11 ([#11277](https://github.com/containerd/containerd/pull/11277))
      * [`157faf65c`](https://github.com/containerd/containerd/commit/157faf65c55c5de56f636fe3466f59b43241abb3) update to go1.23.5 / go1.22.11
    * build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 ([#11287](https://github.com/containerd/containerd/pull/11287))
      * [`f572a6db9`](https://github.com/containerd/containerd/commit/f572a6db9037e4a36225a4146a4344aaf34d692c) build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0
    * client: add WithExtraDialOpts option ([#11276](https://github.com/containerd/containerd/pull/11276))
      * [`a6dc9905c`](https://github.com/containerd/containerd/commit/a6dc9905cbb1833c459362ba72928bd348967158) client: add WithExtraDialOpts option
    * build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 ([#11282](https://github.com/containerd/containerd/pull/11282))
      * [`460e5a2e2`](https://github.com/containerd/containerd/commit/460e5a2e2bec851ba357dc1b738e3023841d0f2b) build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3
    * build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 ([#11288](https://github.com/containerd/containerd/pull/11288))
      * [`36d3888cf`](https://github.com/containerd/containerd/commit/36d3888cf7eb7c9f533167cf93748ece98eb79cf) build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0
    * build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 ([#11289](https://github.com/containerd/containerd/pull/11289))
      * [`4b77d4e41`](https://github.com/containerd/containerd/commit/4b77d4e41ef99e6526f3e20dae36bc301f648477) build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1
    * build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 ([#11290](https://github.com/containerd/containerd/pull/11290))
      * [`22e77720b`](https://github.com/containerd/containerd/commit/22e77720b3e6aecbb299ad70c68e2ade6dfd0108) build(deps): bump github/codeql-action from 3.27.9 to 3.28.1
    * build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 ([#11291](https://github.com/containerd/containerd/pull/11291))
      * [`53d6f3482`](https://github.com/containerd/containerd/commit/53d6f34822dda24bf7c8674305c93eadb4bad50b) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
      * [`ff0d99e02`](https://github.com/containerd/containerd/commit/ff0d99e02873ac04b4f73054d92d22683a501b7d) Add multiple uid/gid mapping test cases to integration tests
      * [`ec231cdcf`](https://github.com/containerd/containerd/commit/ec231cdcf27b4bfad8fd51dbe4a3a328158aeb86) Update ctr to support remapper labels with multiple uid/gid mapping entries
      * [`8bbfb6528`](https://github.com/containerd/containerd/commit/8bbfb65289f3a32fd5358bf7419f8b860a08fbed) Update snapshotter opts to support multiple uid/gid mapping entries
      * [`8a030d653`](https://github.com/containerd/containerd/commit/8a030d6537e42194cca894ebf89556af09dfade8) Update overlay snapshotter to support multiple uid/gid mappings
      * [`168ec21db`](https://github.com/containerd/containerd/commit/168ec21dbd6254088a47257d1a44812155d6d54c) Update idmapped mount to support multiple uid/gid mappings
      * [`a11405975`](https://github.com/containerd/containerd/commit/a114059759ec1d70ce04acfce028da54428689a9) Add RootPair() and serialization routines to userns idmap
    * log: avoid using unsupported field by logrus ([#11148](https://github.com/containerd/containerd/pull/11148))
      * [`04f9e30db`](https://github.com/containerd/containerd/commit/04f9e30db313908c1209b7f7d526d5d3eb8467ed) log: avoid using unsupported field by logrus
    * Move all fuzz tests to go native fuzz [part2] ([#11251](https://github.com/containerd/containerd/pull/11251))
      * [`b49df6af1`](https://github.com/containerd/containerd/commit/b49df6af11dbf7e4fc715e972c8e816edcb02309) move FuzzCRIServer to go native fuzz
      * [`6019bcdfb`](https://github.com/containerd/containerd/commit/6019bcdfbbed387b366e4e368c30475f5c31f054) move FuzzContainerdImport to go native fuzz
    * Make ovl idmap mounts read-only ([#10955](https://github.com/containerd/containerd/pull/10955))
      * [`1e3d10dc2`](https://github.com/containerd/containerd/commit/1e3d10dc29616f7e81b3fef3314d7a44d593c48c) Make ovl idmap mounts read-only
    * runtime/v2: add note about orphan process for runc-shim ([#10002](https://github.com/containerd/containerd/pull/10002))
      * [`58bd48ecf`](https://github.com/containerd/containerd/commit/58bd48ecff5418efbeacf27134d8adb3e58ab17d) add some doc for shim reap orphan process
    * Fix panics in CI fuzz integration tests ([#11249](https://github.com/containerd/containerd/pull/11249))
      * [`b7a117b46`](https://github.com/containerd/containerd/commit/b7a117b4648c981275e7e7ac944bfabec45fc56a) Fix fuzz integration tests
    * Move CDI device spec out of the OCI package ([#11262](https://github.com/containerd/containerd/pull/11262))
      * [`bdc847f1e`](https://github.com/containerd/containerd/commit/bdc847f1eb535a6728b6db3f2619d2a5ed0edbb9) Remove deprecated WithCDIDevices in oci spec opts
      * [`e20f7f4a2`](https://github.com/containerd/containerd/commit/e20f7f4a2425c005d85855abfd4556d7b4ccbf87) Move CDI device spec out of the OCI package
    * docs: fix some function names in comment ([#11261](https://github.com/containerd/containerd/pull/11261))
      * [`740c5d428`](https://github.com/containerd/containerd/commit/740c5d4284de1704ffab91bf03967346ae7d29a9) docs: fix some function names in comment
    * Use an order-only-prerequisite for mandir creation ([#11132](https://github.com/containerd/containerd/pull/11132))
      * [`ffbe1b573`](https://github.com/containerd/containerd/commit/ffbe1b5738951aed8945bf58c23e634433e77eb1) Use an order-only-prerequisite for mandir creation
    * Update platforms to latest rc ([#11257](https://github.com/containerd/containerd/pull/11257))
      * [`6148dbdd7`](https://github.com/containerd/containerd/commit/6148dbdd778942f7b1f5361d3e18859ada70f4d6) Update platforms to latest rc
    * Remove confusing warning in cri runtime config migration ([#10980](https://github.com/containerd/containerd/pull/10980))
      * [`fb44e37ff`](https://github.com/containerd/containerd/commit/fb44e37ff27325edda8e8ad178e1c057139cd4f2) Remove confusing warning in cri runtime config migration
    * Unify default transport in docker resolver ([#11167](https://github.com/containerd/containerd/pull/11167))
      * [`47c4dba40`](https://github.com/containerd/containerd/commit/47c4dba40935f8c887a7d43f6fbfca5fafadeb7f) Unify default transport in docker resolver
    * Clarify Go client API guidance ([#11093](https://github.com/containerd/containerd/pull/11093))
      * [`9fc711a8a`](https://github.com/containerd/containerd/commit/9fc711a8a0f5ca61007c855d087c5a806d2273cc) Clarify Go client API guidance
    * build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-x group ([#11225](https://github.com/containerd/containerd/pull/11225))
      * [`ef7fa43c9`](https://github.com/containerd/containerd/commit/ef7fa43c9a8ee086eada91630dcfe3ec8cc276b0) build(deps): bump golang.org/x/sys in the golang-x group
    * Fix runtime platform loading in cri image plugin init ([#11165](https://github.com/containerd/containerd/pull/11165))
      * [`ef0e70922`](https://github.com/containerd/containerd/commit/ef0e7092287ac4816e9a9fdfd6925e6f75657f41) Fix runtime platform loading in cri image plugin init
    * ci: fix the issue of config_file unset ([#11240](https://github.com/containerd/containerd/pull/11240))
      * [`e1aeb37cd`](https://github.com/containerd/containerd/commit/e1aeb37cdf10ed2ed4b2dd4be02d68a556acc106) ci: fix the issue of config_file unset
    * Fix go-cni race condition ([#11244](https://github.com/containerd/containerd/pull/11244))
      * [`09bf281ec`](https://github.com/containerd/containerd/commit/09bf281ec415a6029177c60688e261dab55e3944) fix go-cni race condition
    * make sure console master tty is closed on task exit ([#11161](https://github.com/containerd/containerd/pull/11161))
      * [`652e4d0b1`](https://github.com/containerd/containerd/commit/652e4d0b10490c4c2cfc94791ea80b5a16ff38ea) Add integ test to check tty leak
      * [`aedb079bf`](https://github.com/containerd/containerd/commit/aedb079bf18f1f913b705d9b791beebcf1962cdd) fix master tty leak due to leaking init container object
    * Move fuzz tests to go native fuzz [part1] ([#11189](https://github.com/containerd/containerd/pull/11189))
      * [`e70977180`](https://github.com/containerd/containerd/commit/e70977180ae55ad0bd28e2438b15170d83100d48) change metadata fuzz operations as const and slice instead of map
      * [`a4e3218e8`](https://github.com/containerd/containerd/commit/a4e3218e8f4a817ca0d7f44f622b97e0c83189b7) change tmp dir creation in fuzz to t.TempDir
      * [`a8c643cc5`](https://github.com/containerd/containerd/commit/a8c643cc51b4793189ac6291a62fcc1c3990af50) change copyright from ADA Logics to containerd
      * [`a55083007`](https://github.com/containerd/containerd/commit/a5508300782032adf7011d17a02268a425e3b14c) Remove github.com/AdamKorcz/go-118-fuzz-build in go.mod
      * [`2de103029`](https://github.com/containerd/containerd/commit/2de1030299c1626b2c235c0ed21040bce91f57d3) Move fuzz tests to go native fuzz [part1]
    * Bump up otelttrpc to 0.1.0 ([#11241](https://github.com/containerd/containerd/pull/11241))
      * [`15d3bf9b2`](https://github.com/containerd/containerd/commit/15d3bf9b248d423c457e871fe001eeb129a3fa82) Bump up otelttrpc to 0.1.0
    * Add snapshotter exports to unpack platform ([#11227](https://github.com/containerd/containerd/pull/11227))
      * [`63f604728`](https://github.com/containerd/containerd/commit/63f6047282525748e13ed91892b50583771c6427) Add snapshotter exports to unpack platform
    * ctr: `ctr images import --all-platforms`: fix unpack ([#11229](https://github.com/containerd/containerd/pull/11229))
      * [`79a42eedc`](https://github.com/containerd/containerd/commit/79a42eedc724cd248a995cbf1174d3800d948d52) ctr: `ctr images import --all-platforms`: fix unpack
    * Deflake TestFailFastWhenConnectShim by making TestContainerCgroupWritable not parallel ([#11235](https://github.com/containerd/containerd/pull/11235))
      * [`e65283321`](https://github.com/containerd/containerd/commit/e6528332195d23bf98ba58124b4cd647223e6969) make TestContainerCgroupWritable not parallel
    * update runc binary to v1.2.4 ([#11230](https://github.com/containerd/containerd/pull/11230))
      * [`54ed595e1`](https://github.com/containerd/containerd/commit/54ed595e1db892e09083e01f6520bc847bf99ee9) update runc binary to v1.2.4
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
      * [`1363849b0`](https://github.com/containerd/containerd/commit/1363849b034a1daf58a4d677e758124d7ea7087e) Add integration test
      * [`dda702042`](https://github.com/containerd/containerd/commit/dda7020429a06a1d5549ced9391cc2f85f94adef) Enable Writable cgroups for unprivileged containers
    * Avoid duplicated chain ID calculation in unpack ([#11219](https://github.com/containerd/containerd/pull/11219))
      * [`d156d3df9`](https://github.com/containerd/containerd/commit/d156d3df9620844491a4e6c94945693d5c7df043) Benchmark chainID calculation in unpack
      * [`95f45541e`](https://github.com/containerd/containerd/commit/95f45541e47253610ed83b064dab2124a11027e8) Avoid duplicated chain ID calculation in unpack
    * downgrade go-difflib and go-spew to tagged releases ([#11220](https://github.com/containerd/containerd/pull/11220))
      * [`00a11e91d`](https://github.com/containerd/containerd/commit/00a11e91d38b5a1e3540382eaedfda878b1314b1) downgrade go-difflib and go-spew to tagged releases
    * Bump seccomp version to be the same as one in runc repo ([#11200](https://github.com/containerd/containerd/pull/11200))
      * [`4f2f12be6`](https://github.com/containerd/containerd/commit/4f2f12be6d91868a3b39d441ac598f876b47a6c0) Bump seccomp version to be the same as one in runc repo
    * Remove loop variable copies ([#11194](https://github.com/containerd/containerd/pull/11194))
      * [`bee64b2b9`](https://github.com/containerd/containerd/commit/bee64b2b93ba0494ecff94b72748427d5abe20a5) Remove loop variable copies
    * build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1 ([#11192](https://github.com/containerd/containerd/pull/11192))
      * [`4a4a027f7`](https://github.com/containerd/containerd/commit/4a4a027f7984c415d94054f6f6e14a6369a7dcd7) build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
    * bump up ttrpc to use its MD.Clone ([#11204](https://github.com/containerd/containerd/pull/11204))
      * [`ee6338188`](https://github.com/containerd/containerd/commit/ee63381887da22ecc1be8ef2a3e441a72a013e93) bump up ttrpc to use its MD.Clone
    * build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 ([#11193](https://github.com/containerd/containerd/pull/11193))
      * [`9bb31b706`](https://github.com/containerd/containerd/commit/9bb31b706c898a9475638206d2c5813fd9e8d77f) build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
    * build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0 ([#11181](https://github.com/containerd/containerd/pull/11181))
      * [`7f3599f09`](https://github.com/containerd/containerd/commit/7f3599f09396bf69496e1cf189b999acc0db13a5) build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0
    * build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5 ([#11191](https://github.com/containerd/containerd/pull/11191))
      * [`f98d5fdb6`](https://github.com/containerd/containerd/commit/f98d5fdb6f684410bea0881159ea0df354cae41b) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5
    * Update golangci to 1.60.3 ([#11185](https://github.com/containerd/containerd/pull/11185))
      * [`26a156f4f`](https://github.com/containerd/containerd/commit/26a156f4fd285ecddcdead54105022348075ad62) Update golangci to 1.60.3
    * build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 ([#11170](https://github.com/containerd/containerd/pull/11170))
      * [`a172d2c11`](https://github.com/containerd/containerd/commit/a172d2c116daeb101700d9d6c3a3622623c7446d) build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0
    * Update golangci-lint version in dev tools script ([#11180](https://github.com/containerd/containerd/pull/11180))
      * [`fa531f808`](https://github.com/containerd/containerd/commit/fa531f808b72c6667844ec56cbd9e6e5f23e974d) Update golangci-lint version in dev tools script
    * build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 ([#11177](https://github.com/containerd/containerd/pull/11177))
      * [`2f37b9da3`](https://github.com/containerd/containerd/commit/2f37b9da392387fac21d375874473a017bcefb8b) build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
    * build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#11176](https://github.com/containerd/containerd/pull/11176))
      * [`4e4537a87`](https://github.com/containerd/containerd/commit/4e4537a87a8ee66debb947df455cae6e68e0dd5d) build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
    * build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 ([#11171](https://github.com/containerd/containerd/pull/11171))
      * [`d29751424`](https://github.com/containerd/containerd/commit/d297514248daffa3124e529a5ada4f57a15dbb12) build(deps): bump github/codeql-action from 3.27.6 to 3.27.9
    * build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 ([#11172](https://github.com/containerd/containerd/pull/11172))
      * [`31e129856`](https://github.com/containerd/containerd/commit/31e12985601773ce5417926db6eda9c9d63dc445) build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0
    * build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0-rc.1 to 2.0.0 ([#11174](https://github.com/containerd/containerd/pull/11174))
      * [`f6e956c22`](https://github.com/containerd/containerd/commit/f6e956c2240a3d4dba6c9e6589993d051ff82849) build(deps): bump github.com/containerd/imgcrypt/v2
    * build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 ([#11126](https://github.com/containerd/containerd/pull/11126))
      * [`aeb414021`](https://github.com/containerd/containerd/commit/aeb414021b07a625cc58d555aabb18bd5cf51f3d) build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1
    * test: prevent segfault in imageverifier test ([#10851](https://github.com/containerd/containerd/pull/10851))
      * [`1617fd72e`](https://github.com/containerd/containerd/commit/1617fd72e10634923f75bb27ca00a23cf2f19ecb) test: prevent segfault in imageverifier test
    * Report an error when cni confDir removed ([#10646](https://github.com/containerd/containerd/pull/10646))
      * [`0c2805a6e`](https://github.com/containerd/containerd/commit/0c2805a6e452dba5e42b3723b6ba069b811f7c9a) Report an error when cni confDir removed
    * build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 ([#11122](https://github.com/containerd/containerd/pull/11122))
      * [`afee762fb`](https://github.com/containerd/containerd/commit/afee762fbfac0141b50040a1ea8197b02eafa3c1) build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
    * vendor: update golang.org/x/ dependencies ([#11145](https://github.com/containerd/containerd/pull/11145))
      * [`23e014140`](https://github.com/containerd/containerd/commit/23e01414069df958db56ca24fd7806979a9f2f2a) vendor: golang.org/x/crypto v0.31.0
      * [`9b3d999bd`](https://github.com/containerd/containerd/commit/9b3d999bd9affbfe7df5bd7ef8e5df9446eda56f) vendor: golang.org/x/term v0.27.0
      * [`1032fad27`](https://github.com/containerd/containerd/commit/1032fad2721a01ec321881c44963958dcb9b2ed8) vendor: golang.org/x/text v0.21.0
      * [`6764e62cf`](https://github.com/containerd/containerd/commit/6764e62cf7518dd6bc7050ed2d33a52a107fd1cd) vendor: golang.org/x/sync v0.10.0
      * [`160676647`](https://github.com/containerd/containerd/commit/1606766479f3e37318c5f4144d6d3d989cba51aa) vendor: golang.org/x/sys v0.28.0
    * build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11124](https://github.com/containerd/containerd/pull/11124))
      * [`927012243`](https://github.com/containerd/containerd/commit/9270122437f5a0105c74b49089fddc1a2c2648af) build(deps): bump actions/cache from 4.1.2 to 4.2.0
    * internal/cri: should not apply IoOwner options if it's not user namespace ([#11104](https://github.com/containerd/containerd/pull/11104))
      * [`2c4c04032`](https://github.com/containerd/containerd/commit/2c4c040328e161ef04913d8470a7dd61caf9f1be) internal/cri: should not apply IoOwner options
    * update runc binary to v1.2.3 ([#11141](https://github.com/containerd/containerd/pull/11141))
      * [`981414521`](https://github.com/containerd/containerd/commit/981414521baf578a313c7b7af034ade6cb92b10d) update runc binary to v1.2.3
    * cmd/ctr: allow user to syncfs during unpacking image locally ([#11118](https://github.com/containerd/containerd/pull/11118))
      * [`11b78255d`](https://github.com/containerd/containerd/commit/11b78255de6544fc91d5f523bdfec2bef2a711ca) cmd: add syncfs option to ctr command
    * Update go-cni for CNI STATUS ([#11135](https://github.com/containerd/containerd/pull/11135))
      * [`1f220b23e`](https://github.com/containerd/containerd/commit/1f220b23e298b61f5ece5a994ef2a37a843732b0) feat: update go-cni version for CNI STATUS
    * Complete cri grpc plugin config migration ([#11061](https://github.com/containerd/containerd/pull/11061))
      * [`ed39dfa5d`](https://github.com/containerd/containerd/commit/ed39dfa5d64d872c8a0b7b88b4973395028b2b1e) Add integration test for custom configuration
      * [`8540fed77`](https://github.com/containerd/containerd/commit/8540fed77493a5a205524b47b810726a0de288eb) complete cri grpc config migration
    * ctr pull should unpack for default platform when transfer service is used ([#11086](https://github.com/containerd/containerd/pull/11086))
      * [`4c11d753c`](https://github.com/containerd/containerd/commit/4c11d753ca9964bf70f087560c85614741ca35a5) ctr pull unpack for default platform using transfer service
    * update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ ([#11130](https://github.com/containerd/containerd/pull/11130))
      * [`d76f92f24`](https://github.com/containerd/containerd/commit/d76f92f2402049869e5fd94087aeed1a9fddc729) update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
    * build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 ([#11123](https://github.com/containerd/containerd/pull/11123))
      * [`73864c520`](https://github.com/containerd/containerd/commit/73864c52037da5cf870a9c11359ab197cdf08fe4) build(deps): bump github/codeql-action from 3.27.5 to 3.27.6
    * CI: update Fedora to 41 ([#10930](https://github.com/containerd/containerd/pull/10930))
      * [`6fdc35243`](https://github.com/containerd/containerd/commit/6fdc352439dfdf88ac7a62c95f5fb1fa07ae3be3) CI: update Fedora to 41
    * Fix loop variable capture issue ([#11042](https://github.com/containerd/containerd/pull/11042))
      * [`485020ca8`](https://github.com/containerd/containerd/commit/485020ca8999d2aa6c2165419cca0f104e9e9d5c) fix: loop variable capture issue
    * Add containerd community call to readme. ([#11046](https://github.com/containerd/containerd/pull/11046))
      * [`59a2c3523`](https://github.com/containerd/containerd/commit/59a2c3523cddd05a5f4b14c7860f43ed66b6003d) Add containerd community call to readme.
    * update to go1.23.4 / go1.22.10 ([#11102](https://github.com/containerd/containerd/pull/11102))
      * [`81780a5dd`](https://github.com/containerd/containerd/commit/81780a5dd37106f4bc01fa776b9d069197bed54b) update to go1.23.4 / go1.22.10
    * Fix panic due to nil dereference cgroups v2 ([#11069](https://github.com/containerd/containerd/pull/11069))
      * [`0903f203f`](https://github.com/containerd/containerd/commit/0903f203fb8a9b696ff2522f068313f5de2fad80) fix panic due to nil dereference cgroups v2
    * The task_dir successfully cleans when the file is absent. ([#11043](https://github.com/containerd/containerd/pull/11043))
      * [`4a664772e`](https://github.com/containerd/containerd/commit/4a664772efc48e031efc6b3ebd422df0e08ddbec) The task_dir successfully cleans when the file is absent.
    * docs: fix snapshots api import ([#11073](https://github.com/containerd/containerd/pull/11073))
      * [`b78c5c6ed`](https://github.com/containerd/containerd/commit/b78c5c6ed2ad0f0d0a23306a36f0a71a84582f5d) docs: fix snapshots api import
    * build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 ([#11060](https://github.com/containerd/containerd/pull/11060))
      * [`ea9397793`](https://github.com/containerd/containerd/commit/ea9397793f336327551d9024ea89bc9178d00401) build(deps): bump github/codeql-action from 3.27.4 to 3.27.5
    * build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4 ([#11059](https://github.com/containerd/containerd/pull/11059))
      * [`6c16f3490`](https://github.com/containerd/containerd/commit/6c16f3490934aa396b785bd19c0945279a9e728f) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4
    * build(deps): bump the k8s group with 5 updates ([#11057](https://github.com/containerd/containerd/pull/11057))
      * [`662d64080`](https://github.com/containerd/containerd/commit/662d6408018eb74bba4d0700aeac6ea137c23571) build(deps): bump the k8s group with 5 updates
    * Update differ to handle zstd media types ([#11062](https://github.com/containerd/containerd/pull/11062))
      * [`17f7858b4`](https://github.com/containerd/containerd/commit/17f7858b4e2e31b447410f66d0100b816c1fe6b3) Update differ to handle zstd media types
    * build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 ([#11058](https://github.com/containerd/containerd/pull/11058))
      * [`5c905fb6c`](https://github.com/containerd/containerd/commit/5c905fb6c3c93d2180b878f36af41f516531937f) build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
    * Unsorted platform conditionals cleanup ([#11065](https://github.com/containerd/containerd/pull/11065))
      * [`e9d560f1e`](https://github.com/containerd/containerd/commit/e9d560f1e8ccd277e19888c95dd4378579d34842) Unsorted platform conditionals cleanup
    * Publish attestation as release artifact ([#11049](https://github.com/containerd/containerd/pull/11049))
      * [`3961dc9c8`](https://github.com/containerd/containerd/commit/3961dc9c8cb0e31925e45a2273bbdc06412be262) Publish attestation as release artifact
    * Move rockylinux 9.4 to almalinux/9 in CI ([#11050](https://github.com/containerd/containerd/pull/11050))
      * [`288001f68`](https://github.com/containerd/containerd/commit/288001f68c5fd34cfbdc7284f14375a3762b8ff4) move rocky 9.4 to almalinux/9 in CI
    * Clarify release for deprecated registry field removals ([#11045](https://github.com/containerd/containerd/pull/11045))
      * [`e24864e48`](https://github.com/containerd/containerd/commit/e24864e48e30e1009a88637d410d6c4df39c3098) Clarify release for deprecated registry field removals
    * make ListContainerStats handle container that is removed before its sandbox ([#10724](https://github.com/containerd/containerd/pull/10724))
      * [`c130d93c1`](https://github.com/containerd/containerd/commit/c130d93c11ec128d38d7560262d2e20b03263151) make ListContainerStats handle container that is removed before its sandbox
    * Add tests for CNI v2 loopback options ([#10915](https://github.com/containerd/containerd/pull/10915))
      * [`34284c507`](https://github.com/containerd/containerd/commit/34284c50752ea636a2474c7254802d54600199ab) Add tests for CNI v2 loopback options
    * *: should align pipe's owner with init process ([#10906](https://github.com/containerd/containerd/pull/10906))
      * [`a21b178f1`](https://github.com/containerd/containerd/commit/a21b178f12b223d48245fac4ad12a0c7b50bf20f) *: should align pipe's owner with init process
    * fix: set the credentials even if not provided ([#10917](https://github.com/containerd/containerd/pull/10917))
      * [`11b1353c1`](https://github.com/containerd/containerd/commit/11b1353c12b9f3a1542ffe44a00a988e330f8c56) fix: set the credentials even if not provided
    * build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11024](https://github.com/containerd/containerd/pull/11024))
      * [`dd2d89167`](https://github.com/containerd/containerd/commit/dd2d891672305ab756b4b93970ac1342c952ffc8) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
    * Reorganize per-platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
      * [`f6e30e962`](https://github.com/containerd/containerd/commit/f6e30e9622b79c1e3ef64e22329bbabe6d1789e7) [defaults] Reorganize per-platform defaults
    * build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5 ([#11025](https://github.com/containerd/containerd/pull/11025))
      * [`be2c4504e`](https://github.com/containerd/containerd/commit/be2c4504eefcab5ea3a23caf0630ddeef3a98200) build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
    * Move content events to metadata ([#11013](https://github.com/containerd/containerd/pull/11013))
      * [`9e3ab2332`](https://github.com/containerd/containerd/commit/9e3ab2332b8bc4ba3222133d5b174d5f9be26698) Move content events to metadata
    * build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 ([#11026](https://github.com/containerd/containerd/pull/11026))
      * [`f5b2c3a07`](https://github.com/containerd/containerd/commit/f5b2c3a07cd59c28419106d547c169d8d49f0e6f) build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
    * Use platform-specific default address ([#11016](https://github.com/containerd/containerd/pull/11016))
      * [`9c7a403a2`](https://github.com/containerd/containerd/commit/9c7a403a22d09050eb37f5e578ec613d38d92231) [containerd-stress] Use platform-specific default address
    * Update install-imgcrypt to allow change install repo ([#11019](https://github.com/containerd/containerd/pull/11019))
      * [`f8819df7c`](https://github.com/containerd/containerd/commit/f8819df7c4ee690315d45b57a4fddfcb970fcdd3) Update install-imgcrypt to allow change install repo
    * update runc binary to 1.2.2 ([#11022](https://github.com/containerd/containerd/pull/11022))
      * [`9a7bc5423`](https://github.com/containerd/containerd/commit/9a7bc5423ef5f477705802e45c0b06869764caca) update runc binary to 1.2.2
    * Fix runtimeoptions location in v2 migration script ([#11012](https://github.com/containerd/containerd/pull/11012))
      * [`2447936fc`](https://github.com/containerd/containerd/commit/2447936fca8dcd92ddb8b3af5ec9038b8117d041) Fix runtimeoptions location in v2 migration
    * Revert "Disable vagrant strict dependency checking" ([#11004](https://github.com/containerd/containerd/pull/11004))
      * [`1b01f396d`](https://github.com/containerd/containerd/commit/1b01f396de92dcf3cb47816047e61abe5cb81e69) Revert "Disable vagrant strict dependency checking"
    * docs: update schema 1 deprecation information ([#11002](https://github.com/containerd/containerd/pull/11002))
      * [`6c1b699bf`](https://github.com/containerd/containerd/commit/6c1b699bf978b858ef32aeca62beddba9e88da08) docs: update schema 1 deprecation information
    * fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems ([#10981](https://github.com/containerd/containerd/pull/10981))
      * [`91e4e0967`](https://github.com/containerd/containerd/commit/91e4e096758b4eccb28cbf5955e7a42dcdb29c15) fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
    * build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 ([#10989](https://github.com/containerd/containerd/pull/10989))
      * [`73ae1c66f`](https://github.com/containerd/containerd/commit/73ae1c66ff27695a326a77cb59b49c6dee3e6b2b) build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
    * build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 ([#10988](https://github.com/containerd/containerd/pull/10988))
      * [`4bd33276c`](https://github.com/containerd/containerd/commit/4bd33276c3402f41b5b4618a118772e5a2fb7f41) build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
    * build(deps): bump the golang-x group with 3 updates ([#10990](https://github.com/containerd/containerd/pull/10990))
      * [`cebca6f87`](https://github.com/containerd/containerd/commit/cebca6f874fdec53070fae3f45806849180d6235) build(deps): bump the golang-x group with 3 updates
    * build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 ([#10992](https://github.com/containerd/containerd/pull/10992))
      * [`01c489141`](https://github.com/containerd/containerd/commit/01c489141c37e27b71370ab26ab28347b17f4284) build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
    * build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4 ([#10987](https://github.com/containerd/containerd/pull/10987))
      * [`d32ed4a56`](https://github.com/containerd/containerd/commit/d32ed4a560f240b9a05c8a25cec54456da5d99b9) build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
    * build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 ([#10986](https://github.com/containerd/containerd/pull/10986))
      * [`d810c5759`](https://github.com/containerd/containerd/commit/d810c5759fd5f864d7794a6ff4ef13887110ebe9) build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0
    * fsverity_test.go: fix nil pointer dereference, fix test fail, fix minor/major device numbers resolving ([#10972](https://github.com/containerd/containerd/pull/10972))
      * [`f9537ae12`](https://github.com/containerd/containerd/commit/f9537ae126fc2be685cc32d5c98b4189a72e02e9) fsverity_test.go: fix major/minor device number resolving
      * [`8a8e50e6d`](https://github.com/containerd/containerd/commit/8a8e50e6d7baf99ebe02e6ca04d9d842addcd36c) fsverity_test.go: fix nil pointer dereference, fix test fail
    * update to go1.23.3 / go1.22.9 ([#10970](https://github.com/containerd/containerd/pull/10970))
      * [`bcc3cc968`](https://github.com/containerd/containerd/commit/bcc3cc968abd5e13084afa1e8dba6afc0d41a2fa) update to go1.23.3 / go1.22.9
    * Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz ([#10964](https://github.com/containerd/containerd/pull/10964))
      * [`784116b7d`](https://github.com/containerd/containerd/commit/784116b7d5e67804f26f3c3e060243b0c737ea7c) Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
      * [`bc056a5c6`](https://github.com/containerd/containerd/commit/bc056a5c60a8add5fb98c59d9e88f9b89025f658) nri: report pod ips to the nri plugins
      * [`a256f326c`](https://github.com/containerd/containerd/commit/a256f326cabd29b4a78334ac981409f005ea9c3f) bump nri version to get PodIPs
    * build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 ([#10948](https://github.com/containerd/containerd/pull/10948))
      * [`a17001b42`](https://github.com/containerd/containerd/commit/a17001b42694baa746a22217f6ca7857a096b681) build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0
    </p>
    </details>
    
    ### Changes from containerd/continuity
    <details><summary>17 commits</summary>
    <p>
    
    * fs: fix Ctime returning Mtime ([containerd/continuity#261](https://github.com/containerd/continuity/pull/261))
      * [`f4f4fb5`](https://github.com/containerd/continuity/commit/f4f4fb5bbdd8321481b8aeedec5cc4412d5001b5) fs: fix Ctime returning Mtime
    * fs: implement Atime, Ctime, Mtime for bsd and darwin ([containerd/continuity#262](https://github.com/containerd/continuity/pull/262))
      * [`dbe44eb`](https://github.com/containerd/continuity/commit/dbe44ebd46e9e2497b4b37e0c387f03f7e048f6b) fs: implement Atime, Ctime, Mtime for bsd and darwin
    * Makefile: make "lint" target also lint cmd/continuity module and fix linting issues ([containerd/continuity#255](https://github.com/containerd/continuity/pull/255))
      * [`4c00ab7`](https://github.com/containerd/continuity/commit/4c00ab7567238214d4dd9b9797435774836e3381) Makefile: make "lint" target also lint cmd/continuity module
      * [`cadd3a2`](https://github.com/containerd/continuity/commit/cadd3a2d76962f90047608655e607861862e329e) cmd/continuity/continuityfs: SA1019: fuse.ENOENT is deprecated
      * [`38fcdae`](https://github.com/containerd/continuity/commit/38fcdae95788e9c47bdacd674f06164bab91de1b) cmd/continuity: fix SA1019: entry.User/entry.Group is deprecated
    * assorted linting fixes and minor cleanups ([containerd/continuity#259](https://github.com/containerd/continuity/pull/259))
      * [`38f66a6`](https://github.com/containerd/continuity/commit/38f66a6d37247c12e5aac5b5ceac4ccb16a1c76e) TestWalkFS: fix unhandled error
      * [`94c0490`](https://github.com/containerd/continuity/commit/94c04905cf9ed5b65bbe2eac4f3f858769cb9f5a) rename variables that shadowed package-level type
      * [`2200bb4`](https://github.com/containerd/continuity/commit/2200bb480f47137ea31eada2d9b0dcfc2474222b) don't use "ctx" for continuity.Context arguments
      * [`583d7ed`](https://github.com/containerd/continuity/commit/583d7ed1582f6b45643c7e11d2b93f6a68b7c623) commands/mount_unsupported: drop nil-assignment (revive)
      * [`5158c3f`](https://github.com/containerd/continuity/commit/5158c3f19836c8dd55dfc1ef84cb8656fca29f9f) golangci-lint: sort linters
      * [`a8c7143`](https://github.com/containerd/continuity/commit/a8c714358ce4cf76db246f88b9495a2b903b2c38) golangci-lint: don't use deprecated name for "govet" linter
    * cmd/continuity: switch to google.golang.org/protobuf/proto ([containerd/continuity#260](https://github.com/containerd/continuity/pull/260))
      * [`fd64705`](https://github.com/containerd/continuity/commit/fd6470559ebe380f21b1af08a8869bee7e3435c2) cmd/continuity: switch to google.golang.org/protobuf/proto
    </p>
    </details>
    
    ### Changes from containerd/go-cni
    <details><summary>9 commits</summary>
    <p>
    
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
      * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquisition
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
      * [`208eca9`](https://github.com/containerd/go-cni/commit/208eca91c33bb793f471831a0abaf6cebe9676a4) support CNI status verb
    * Bump github actions dependencies to match containerd CI repo and fix lint ([containerd/go-cni#122](https://github.com/containerd/go-cni/pull/122))
      * [`386f475`](https://github.com/containerd/go-cni/commit/386f4757e63914b2589b8abe6098bfa23f83fa8b) Fix ci.yml indent
      * [`a9b0675`](https://github.com/containerd/go-cni/commit/a9b0675fc9b8b5ce52d84f91a4fc049501853862) Another doc commit to trigger lint?
      * [`14af454`](https://github.com/containerd/go-cni/commit/14af4542b76fa694f2e1853b35554f23c6829f5d) Bump github actions dependency versions
      * [`9e0d096`](https://github.com/containerd/go-cni/commit/9e0d096d58145757809ddce8b8650efc07e19916) Trivial doc commit to trigger lint
    </p>
    </details>
    
    ### Changes from containerd/otelttrpc
    <details><summary>6 commits</summary>
    <p>
    
    * Add dependabot and upgrade golang and dependency versions ([containerd/otelttrpc#3](https://github.com/containerd/otelttrpc/pull/3))
      * [`2d46141`](https://github.com/containerd/otelttrpc/commit/2d46141c9f9842bc8e2563ae884b963e34ea175f) upgrade golang, deps, CI versions
      * [`64922e7`](https://github.com/containerd/otelttrpc/commit/64922e78c69b7bdecf065f039a5ead4d64e567e0) Add dependabot CI
    * Fix concurrent map panic on metadata ([containerd/otelttrpc#2](https://github.com/containerd/otelttrpc/pull/2))
      * [`2ba3be1`](https://github.com/containerd/otelttrpc/commit/2ba3be1e39398b8d2544f5ea962edc1e2f906d32) Fix concurrent map panic on inject metadata
      * [`f50a922`](https://github.com/containerd/otelttrpc/commit/f50a9220fc748442b274390c45773191367262ec) UT for concurrent inject/extract metadata
    </p>
    </details>
    
    ### Changes from containerd/platforms
    <details><summary>6 commits</summary>
    <p>
    
    * Move windows matcher logic so all platforms can use ([containerd/platforms#22](https://github.com/containerd/platforms/pull/22))
      * [`7c58292`](https://github.com/containerd/platforms/commit/7c5829273cd83c987784fd7ef5487485e0d2fee0) Move windows matcher logic so all platforms can use
    * replace testify with stdlib in tests ([containerd/platforms#21](https://github.com/containerd/platforms/pull/21))
      * [`86a86b7`](https://github.com/containerd/platforms/commit/86a86b73a6e01f92aecad823e0f516f6198f3e2c) replace testify with stdlib in tests
    * Replace arm64 minor variant logic with lookup table ([containerd/platforms#18](https://github.com/containerd/platforms/pull/18))
      * [`364665a`](https://github.com/containerd/platforms/commit/364665a87c183d5b5eb45fc0e9b86e99013a621a) Replace arm64 minor variant logic with lookup table
    </p>
    </details>
    
    ### Changes from containerd/ttrpc
    <details><summary>5 commits</summary>
    <p>
    
    * Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
      * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
      * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
      * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
    * **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
    * **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
    * **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
    * **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.1
    * **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
    * **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
    * **github.com/containernetworking/cni**                                           v1.2.3 -> v1.3.0
    * **github.com/containernetworking/plugins**                                       v1.5.1 -> v1.6.2
    * **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
    * **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
    * **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.8.0
    * **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
    * **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
    * **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
    * **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
    * **github.com/mdlayher/socket**                                                   v0.4.1 -> v0.5.1
    * **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
    * **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
    * **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
    * **github.com/opencontainers/selinux**                                            v1.11.1 -> v1.12.0
    * **github.com/pelletier/go-toml/v2**                                              v2.2.3 -> v2.2.4
    * **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
    * **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
    * **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.21.1
    * **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
    * **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
    * **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
    * **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
    * **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
    * **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
    * **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
    * **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
    * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
    * **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
    * **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
    * **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
    * **golang.org/x/net**                                                             v0.30.0 -> v0.37.0
    * **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
    * **golang.org/x/sync**                                                            v0.8.0 -> v0.13.0
    * **golang.org/x/sys**                                                             v0.26.0 -> v0.32.0
    * **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
    * **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
    * **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
    * **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
    * **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
    * **google.golang.org/grpc**                                                       v1.67.1 -> v1.71.0
    * **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.6
    * **k8s.io/api**                                                                   v0.31.2 -> v0.32.3
    * **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.3
    * **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/client-go**                                                             v0.31.2 -> v0.32.3
    * **k8s.io/component-base**                                                        v0.31.2 -> v0.32.3
    * **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.3
    * **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
    * **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
    * **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
    * **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v1.0.1
    * **tags.cncf.io/container-device-interface/specs-go**                             v0.8.0 -> v1.0.0
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
    
  • v2.1.0-beta.0
    b430e5ac · Merge commit from fork ·
    containerd 2.1.0-beta.0
    
    Welcome to the v2.1.0-beta.0 release of containerd!
    *This is a pre-release of containerd*
    
    The 2.1 beta series is here, see the [2.1 milestone](https://github.com/containerd/containerd/milestone/48) to track
    ongoing efforts. Please try out the beta and report any issues!
    
    The first minor release of containerd 2.x focuses on continued stability alongside
    new features and improvements. This is the first time-based release for containerd.
    Most of the feature set and core functionality has long been stable and hardened in production
    environments, so now we transition to a balance of timely delivery of new functionality
    with the same high confidence in stability and performance.
    
    ### Highlights
    
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    
    #### Container Runtime Interface (CRI)
    
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
    
    #### Node Resource Interface (NRI)
    
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
    
    #### Runtime
    
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Akihiro Suda
    * Derek McGowan
    * Phil Estes
    * Maksym Pavlenko
    * Jin Dong
    * Sebastiaan van Stijn
    * Wei Fu
    * Samuel Karp
    * Austin Vazquez
    * Kazuyoshi Kato
    * Henry Wang
    * Mike Brown
    * Akhil Mohan
    * Gao Xiang
    * Archit Kulkarni
    * Krisztian Litkey
    * ningmingxiao
    * Alexey Lunev
    * Antonio Ojea
    * Chris Henzie
    * Davanum Srinivas
    * Marat Radchenko
    * Michael Zappa
    * Paweł Gronowski
    * Adrien Delorme
    * Amit Barve
    * Andrey Smirnov
    * Divya
    * Etienne Champetier
    * Kirtana Ashok
    * fengwei0328
    * zounengren
    * Adrian Reber
    * Alfred Wingate
    * Amal Thundiyil
    * Athos Ribeiro
    * Brian Goff
    * ChengyuZhu6
    * Chongyi Zheng
    * Craig Ingram
    * David Son
    * Fupan Li
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kaita Nakamura
    * Lei Liu
    * Mike Baynton
    * Philip Laine
    * Qiyuan Liang
    * Sameer
    * Shiming Zhang
    * Vered Rosen
    * alingse
    * bo.jiang
    * chriskery
    * luchenhan
    * mahmut
    
    ### Changes
    <details><summary>433 commits</summary>
    <p>
    
      * [`b430e5ac3`](https://github.com/containerd/containerd/commit/b430e5ac3accf636cf52b0128b27bb828574cbcf) Merge commit from fork
      * [`de1341c20`](https://github.com/containerd/containerd/commit/de1341c201ffb0effebbf51d00376181968c8779) validate uid/gid
    * Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 ([#11544](https://github.com/containerd/containerd/pull/11544))
      * [`8028a1d08`](https://github.com/containerd/containerd/commit/8028a1d086620f7ebf9d8b5446e3abb06bdecdc3) Bump github.com/go-jose/go-jose/v4 from v4.0.4 to v4.0.5
      * [`ce055b530`](https://github.com/containerd/containerd/commit/ce055b530556532a2f0d92bdcd39bc89739cdbd8) Bump golang.org/x/text from 0.22.0 to 0.23.0
      * [`e0aaed012`](https://github.com/containerd/containerd/commit/e0aaed0120ba2aa7e9245390a94a2fc550ee5c34) Bump golang.org/x/term from 0.29.0 to 0.30.0
    * fix: repeat args from sub-func call ([#11512](https://github.com/containerd/containerd/pull/11512))
      * [`b947e0566`](https://github.com/containerd/containerd/commit/b947e056634177e2e21ea7317b5496956213e004) fix: repeat args from sub-func call
    * build(deps): bump github.com/prometheus/client_golang from 1.20.5 to 1.21.1 ([#11525](https://github.com/containerd/containerd/pull/11525))
      * [`75252f975`](https://github.com/containerd/containerd/commit/75252f9759c3bd3dfaf6fb2f5af12771ff1a1810) build(deps): bump github.com/prometheus/client_golang
    * integration: update TestUpgrade for 2.1 ([#11519](https://github.com/containerd/containerd/pull/11519))
      * [`06daffb4d`](https://github.com/containerd/containerd/commit/06daffb4d1b65288d4e3c94b172efeddd8d61851) integration: update TestUpgrade for 2.1
    * config:fix config migrate lost timeout config ([#11532](https://github.com/containerd/containerd/pull/11532))
      * [`531adbf06`](https://github.com/containerd/containerd/commit/531adbf065160bf91315ef17cd5e70f9895d86b5) config:fix config migrate lost timeout config
    * Add dial timeout field to hosts toml configuration ([#11106](https://github.com/containerd/containerd/pull/11106))
      * [`c4982bffc`](https://github.com/containerd/containerd/commit/c4982bffc6dd887a58a189f8a6be99b1b1542953) Add dial timeout field to hosts toml configuration
    * Prepare release notes for v2.1.0-beta.0 ([#11510](https://github.com/containerd/containerd/pull/11510))
      * [`12762891d`](https://github.com/containerd/containerd/commit/12762891d6c4e0e91384c01650c102d911f9a915) Remove test for issue 10467
      * [`93cc1e6eb`](https://github.com/containerd/containerd/commit/93cc1e6eb96c099e50f6cc0c7f68feeacf09dc48) Fix upgrade test runtime config
      * [`833d6bc8e`](https://github.com/containerd/containerd/commit/833d6bc8e932a6e2e24b4b3bd4ead920fe8e6035) Update release status for 2.1 to beta
      * [`71cfe00ee`](https://github.com/containerd/containerd/commit/71cfe00eec7b22a392458f4d87261dbd6e828af5) Prepare release notes for v2.1.0-beta.n
      * [`be8fe50f4`](https://github.com/containerd/containerd/commit/be8fe50f49a0fb2752b52d560ab1039dbfd83af4) Update the upgrade test to handle 2.1
    * build(deps): bump the otel group with 8 updates ([#11521](https://github.com/containerd/containerd/pull/11521))
      * [`94dd70f4f`](https://github.com/containerd/containerd/commit/94dd70f4f0c659526f3b75dc278530dd8d429628) build(deps): bump the otel group with 8 updates
    * client: Respect `client.WithTimeout` option ([#11508](https://github.com/containerd/containerd/pull/11508))
      * [`ee574e76e`](https://github.com/containerd/containerd/commit/ee574e76e7f6bbe239298163eab6ccd8b94d73b3) client: Respect `client.WithTimeout` option
    * build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 ([#11523](https://github.com/containerd/containerd/pull/11523))
      * [`700b98415`](https://github.com/containerd/containerd/commit/700b98415ef82825d18f53612e2e00eb16197d37) build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
    * build(deps): bump the golang-x group with 3 updates ([#11520](https://github.com/containerd/containerd/pull/11520))
      * [`85c04ab0e`](https://github.com/containerd/containerd/commit/85c04ab0ec8d50c042e4665254342730b0d67175) build(deps): bump the golang-x group with 3 updates
    * add k8s 1.32 to support table and as tested containerd supported branches at the time of release ([#11534](https://github.com/containerd/containerd/pull/11534))
      * [`5bbd3ed1b`](https://github.com/containerd/containerd/commit/5bbd3ed1b1993c30188cd5b1acb959bb44469127) add k8s 1.32 and as tested containerd supported branches at the time of release
    * build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0 ([#11524](https://github.com/containerd/containerd/pull/11524))
      * [`c37e48b07`](https://github.com/containerd/containerd/commit/c37e48b07c51f6877a268f69a9d7d85c54e7d97f) build(deps): bump google.golang.org/grpc from 1.70.0 to 1.71.0
    * Support container restore through CRI/Kubernetes ([#10365](https://github.com/containerd/containerd/pull/10365))
      * [`9e6beafd5`](https://github.com/containerd/containerd/commit/9e6beafd53919eecd1fb650a76332002cf4c84dd) Support container restore through CRI/Kubernetes
    * build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 ([#11526](https://github.com/containerd/containerd/pull/11526))
      * [`d7de182dd`](https://github.com/containerd/containerd/commit/d7de182ddf46b61b894d363c76b92f5fbc24cccb) build(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3
    * build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 ([#11527](https://github.com/containerd/containerd/pull/11527))
      * [`9f885ea4f`](https://github.com/containerd/containerd/commit/9f885ea4f549febd5de9fde536006f9484e12df5) build(deps): bump github/codeql-action from 3.28.10 to 3.28.11
    * build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2 ([#11528](https://github.com/containerd/containerd/pull/11528))
      * [`88faaac97`](https://github.com/containerd/containerd/commit/88faaac973dee7326e765a601bcdc6cf42843518) build(deps): bump containerd/project-checks from 1.2.1 to 1.2.2
    * add name in package version ([#11518](https://github.com/containerd/containerd/pull/11518))
      * [`405a952c6`](https://github.com/containerd/containerd/commit/405a952c653b2ec912cbfdef2c89b43151a072bd) add name in package version
    * update to go1.23.7 / go1.24.1 ([#11513](https://github.com/containerd/containerd/pull/11513))
      * [`4f090fe77`](https://github.com/containerd/containerd/commit/4f090fe772b33191fa5e47a6b826ee56f45463f2) update to go1.23.7 / go1.24.1
    * Don't produce unnecessary logs when encountering attestations ([#11327](https://github.com/containerd/containerd/pull/11327))
      * [`3cdfc1003`](https://github.com/containerd/containerd/commit/3cdfc1003dbde389d1d3bd012202be534bf6a4cf) core/remotes: Handle attestations in MakeRefKey
      * [`e751b6bb1`](https://github.com/containerd/containerd/commit/e751b6bb1db7936ee111322ff199d9f708c27428) core/images: Ignore attestations when traversing children
    * perf(applyNaive): avoid walking the tree for each file in the same directory ([#11337](https://github.com/containerd/containerd/pull/11337))
      * [`d8063c30d`](https://github.com/containerd/containerd/commit/d8063c30dd05ca71e7b2d8d78360af6835dd5e46) perf(applyNaive): avoid walking the tree for each file in the same directory
    * Update runtime-spec to v1.2.1 ([#11460](https://github.com/containerd/containerd/pull/11460))
      * [`f8f205382`](https://github.com/containerd/containerd/commit/f8f205382adcad407b7e95e76b18e787e0688b35) Update runtime-spec to v1.2.1
    * docs: include note about unprivileged sysctls ([#11502](https://github.com/containerd/containerd/pull/11502))
      * [`edd1cc50d`](https://github.com/containerd/containerd/commit/edd1cc50d5f3c474fe6f09927afbe9be4c7c10da) docs: include note about unprivileged sysctls
    * ci: update GitHub Actions release runner to ubuntu-24.04 ([#11479](https://github.com/containerd/containerd/pull/11479))
      * [`705518e58`](https://github.com/containerd/containerd/commit/705518e58b98e868cba35c116d9e46e88f9928bf) ci: update GitHub Actions release runner to ubuntu-24.04
    * e2e: use the shim bundled with containerd artifact ([#11489](https://github.com/containerd/containerd/pull/11489))
      * [`393ad5b11`](https://github.com/containerd/containerd/commit/393ad5b11ea3aae3d86f60400f40cf63849eda40) e2e: use the shim bundled with containerd artifact
    * build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0 ([#11450](https://github.com/containerd/containerd/pull/11450))
      * [`e84e5a215`](https://github.com/containerd/containerd/commit/e84e5a215cab4d189e05e989e94ae26cb84553cf) build(deps): bump go.etcd.io/bbolt from 1.3.11 to 1.4.0
      * [`00cb73503`](https://github.com/containerd/containerd/commit/00cb7350392b13cb8c21c5f422304bde7317a760) Swap to go.etcd.io/bbolt/errors for bbolt errors
    * CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0 ([#11482](https://github.com/containerd/containerd/pull/11482))
      * [`af5ff5a1f`](https://github.com/containerd/containerd/commit/af5ff5a1f18c7fb899d5a12434616db62a4a3bee) CVE-2025-22869: upgrade golang.org/x/crypto to v0.35.0
    * device mapper:fix sometimes blkdiscard doesn't have --version flags ([#11330](https://github.com/containerd/containerd/pull/11330))
      * [`44baada6a`](https://github.com/containerd/containerd/commit/44baada6aa88a4eb1c1adddceb353b14396cc442) device mapper:fix sometimes blkdiscard doesn't have --version flags
    * docs: add CRI Plugin Config runtime_path ([#11402](https://github.com/containerd/containerd/pull/11402))
      * [`a1e7457bc`](https://github.com/containerd/containerd/commit/a1e7457bc486036559d01fe4a88327417efcf6c1) docs: add CRI Plugin Config runtime_path
    * Consolidate security profile logic into a common pkg ([#11080](https://github.com/containerd/containerd/pull/11080))
      * [`71958731e`](https://github.com/containerd/containerd/commit/71958731e82a9068e783db9d578586841fd52404) move security profile to cri/sputil pkg
    * erofs-snapshotter: two bug-fixes ([#11476](https://github.com/containerd/containerd/pull/11476))
      * [`3a5de731c`](https://github.com/containerd/containerd/commit/3a5de731c587342ccc8691acd5d4ae2154b9511c) erofs-snapshotter: clear IMMUTABLE_FL only for committed snapshots
      * [`971915797`](https://github.com/containerd/containerd/commit/971915797acd86cb4ea7efc7641cb17bec90c896) erofs-snapshotter: force the use of loop devices for single-layer images
    * CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0 ([#11481](https://github.com/containerd/containerd/pull/11481))
      * [`10f2b7fde`](https://github.com/containerd/containerd/commit/10f2b7fded7fb91966a9af77d0dae06d872d2c5d) CVE-2025-22868: upgrade golang.org/x/oauth2 to v0.27.0
    * build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11474](https://github.com/containerd/containerd/pull/11474))
      * [`69c0d7f60`](https://github.com/containerd/containerd/commit/69c0d7f60f74210d6e41515e9064bb96362683c7) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
    * build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0 ([#11464](https://github.com/containerd/containerd/pull/11464))
      * [`72ac5cad4`](https://github.com/containerd/containerd/commit/72ac5cad446bdb315c83a2f720f55ecdffba3780) build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
    * build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0 ([#11467](https://github.com/containerd/containerd/pull/11467))
      * [`001dfeb19`](https://github.com/containerd/containerd/commit/001dfeb19f791348d3fc89c7d93ad23c971c7b93) build(deps): bump github.com/klauspost/compress from 1.17.11 to 1.18.0
    * build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 ([#11468](https://github.com/containerd/containerd/pull/11468))
      * [`86734729f`](https://github.com/containerd/containerd/commit/86734729fb1274b11fd2a3c97bf61bcc486017e6) build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9
    * build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 ([#11469](https://github.com/containerd/containerd/pull/11469))
      * [`9b0b67951`](https://github.com/containerd/containerd/commit/9b0b679519dc25f20c1084ca719e6225286f3534) build(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0
    * build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 ([#11470](https://github.com/containerd/containerd/pull/11470))
      * [`20fa1ca46`](https://github.com/containerd/containerd/commit/20fa1ca46ddb35799fa67c6743ea8652b3bd54f2) build(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2
    * build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api ([#11472](https://github.com/containerd/containerd/pull/11472))
      * [`37fe1e8b4`](https://github.com/containerd/containerd/commit/37fe1e8b42f8746944c5d9b4a8bf2b3dcfc99984) build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 in /api
    * build(deps): bump actions/cache from 4.2.1 to 4.2.2 ([#11471](https://github.com/containerd/containerd/pull/11471))
      * [`0eea93d68`](https://github.com/containerd/containerd/commit/0eea93d6873c2b7b26a4c7bae0bfbd29c9039f3c) build(deps): bump actions/cache from 4.2.1 to 4.2.2
    * Bump to newer opencontainers/image-spec @ v1.1.1 ([#11461](https://github.com/containerd/containerd/pull/11461))
      * [`d37ea6977`](https://github.com/containerd/containerd/commit/d37ea6977d7e096e9221cbbba9a0282e97709acd) Bump to newer opencontainers/image-spec @ v1.1.1
    * Remove After=local-fs.target from containerd.service ([#11116](https://github.com/containerd/containerd/pull/11116))
      * [`e0459262b`](https://github.com/containerd/containerd/commit/e0459262ba8b52e936b3b2e555e7faeab846b600) Remove After=local-fs.target from containerd.service
    * erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL ([#11431](https://github.com/containerd/containerd/pull/11431))
      * [`b477cf8e9`](https://github.com/containerd/containerd/commit/b477cf8e97b6facd183bba964631a36ef7a3d32b) erofs-snapshotter: protect layer blobs with FS_IMMUTABLE_FL
    * Log "container event discarded" as Info ([#11115](https://github.com/containerd/containerd/pull/11115))
      * [`6c7b1afe5`](https://github.com/containerd/containerd/commit/6c7b1afe5127c0f8827a8995c1756ab71289ec98) Log "container event discarded" as Info
    * Fix privileged container sysfs can't be rw because pod is ro by default ([#11271](https://github.com/containerd/containerd/pull/11271))
      * [`1fc497218`](https://github.com/containerd/containerd/commit/1fc497218ac5f83fa65b9043bc3bc2bc0dee219c) Fix privileged container sysfs can't be rw because pod is ro by default
    * cri,nri: fix initial sync race of registering NRI plugins. ([#11384](https://github.com/containerd/containerd/pull/11384))
      * [`6a01ad3e1`](https://github.com/containerd/containerd/commit/6a01ad3e16c57c631febb92090bbca5c331e2f7d) cri,nri: block NRI plugin sync. during event processing.
    * proxy: break up writes from the remote writer to avoid grpc limits ([#11441](https://github.com/containerd/containerd/pull/11441))
      * [`f25f36c33`](https://github.com/containerd/containerd/commit/f25f36c334144d87233e06b0de90522ebd97e144) proxy: break up writes from the remote writer to avoid grpc limits
    * build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 ([#11423](https://github.com/containerd/containerd/pull/11423))
      * [`0500dacf6`](https://github.com/containerd/containerd/commit/0500dacf609df804e3cb025f024f39e5e32cb1e4) build(deps): bump github/codeql-action from 3.28.9 to 3.28.10
    * go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11449](https://github.com/containerd/containerd/pull/11449))
      * [`22d568fb5`](https://github.com/containerd/containerd/commit/22d568fb5a8381fd20ea4e385f8aff9899e0e710) Update CDI dependency to v0.8.1.
    * build(deps): bump the k8s group across 1 directory with 6 updates ([#11398](https://github.com/containerd/containerd/pull/11398))
      * [`d2b5653c1`](https://github.com/containerd/containerd/commit/d2b5653c11b6dc9023609cc9ca35b334e53768c0) build(deps): bump the k8s group across 1 directory with 6 updates
    * Prefer runtime options for PluginInfo request ([#11442](https://github.com/containerd/containerd/pull/11442))
      * [`51f063f07`](https://github.com/containerd/containerd/commit/51f063f0716871070f6a8995902ee6a679ee9c45) Prefer runtime options for PluginInfo request
    * pkg: prevent oom watcher from depending on shim pkg ([#11433](https://github.com/containerd/containerd/pull/11433))
      * [`268880bf5`](https://github.com/containerd/containerd/commit/268880bf53b39f8de4e6d7d668a8bb5e7ee3519a) [improve] prevent oom watcher depend on shim pkg.
    * Ignore defunct verifier procs in test ([#11435](https://github.com/containerd/containerd/pull/11435))
      * [`76858ac8e`](https://github.com/containerd/containerd/commit/76858ac8e3129644fb4cf5ae9f86448655989cf4) Ignore defunct verifier procs in test
    * CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11427](https://github.com/containerd/containerd/pull/11427))
      * [`4e7484d3f`](https://github.com/containerd/containerd/commit/4e7484d3f40a8ec07126eb16fae614aedafe630a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
    * build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 ([#11424](https://github.com/containerd/containerd/pull/11424))
      * [`125525d6c`](https://github.com/containerd/containerd/commit/125525d6cd4aa85ac91f694e94b5bf8c9b647b6d) build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1
    * build(deps): bump actions/cache from 4.2.0 to 4.2.1 ([#11426](https://github.com/containerd/containerd/pull/11426))
      * [`86cde823a`](https://github.com/containerd/containerd/commit/86cde823a8361c3a3d3ff756da5523e89f1bb93b) build(deps): bump actions/cache from 4.2.0 to 4.2.1
    * build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 ([#11425](https://github.com/containerd/containerd/pull/11425))
      * [`49257264f`](https://github.com/containerd/containerd/commit/49257264fec6c950d18bd6960b35e5ae12eafa02) build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
    * erofs-snapshotter: add fsverity support ([#11352](https://github.com/containerd/containerd/pull/11352))
      * [`f3b6078f9`](https://github.com/containerd/containerd/commit/f3b6078f90bf61c87bab34c7f6c10eeb8258a465) erofs-snapshotter: add fsverity support
    * Support for importing layers in the block CIM format. ([#11179](https://github.com/containerd/containerd/pull/11179))
      * [`a1c540085`](https://github.com/containerd/containerd/commit/a1c540085f86dcc8613e6db11b73bed4a3a02883) Support for importing layers in the block CIM format.
    * perf(zstd): deactivate the low mem decoder ([#11335](https://github.com/containerd/containerd/pull/11335))
      * [`c51f5d26f`](https://github.com/containerd/containerd/commit/c51f5d26f1167d612d061cb20ae0cbb1ab00a0da) perf(zstd): deactivate the low mem decoder
    * build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 ([#11370](https://github.com/containerd/containerd/pull/11370))
      * [`6a08d70e6`](https://github.com/containerd/containerd/commit/6a08d70e681b81049a2cabfd44216803662d6c8e) build(deps): bump github/codeql-action from 3.28.8 to 3.28.9
    * move the device after the options when using mkfs.ext4 ([#11362](https://github.com/containerd/containerd/pull/11362))
      * [`b98378638`](https://github.com/containerd/containerd/commit/b9837863815e2ffe5ea28e52afe24a2e1829863f) move the device after the options when using mkfs.ext4
    * build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0 ([#11313](https://github.com/containerd/containerd/pull/11313))
      * [`f23981281`](https://github.com/containerd/containerd/commit/f23981281e60fd5ad37d61e43a777ff64fbfb874) build(deps): bump google.golang.org/grpc from 1.69.4 to 1.70.0
    * build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 ([#11397](https://github.com/containerd/containerd/pull/11397))
      * [`b8a759f1f`](https://github.com/containerd/containerd/commit/b8a759f1fd59eca20534e223fa8db2011ebbb519) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
    * build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5 ([#11373](https://github.com/containerd/containerd/pull/11373))
      * [`326fbf074`](https://github.com/containerd/containerd/commit/326fbf07470ee61022e84f1387cf799aa86493b0) build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.5
    * Clarify port handling in `hosts.toml` ([#11393](https://github.com/containerd/containerd/pull/11393))
      * [`a502b7931`](https://github.com/containerd/containerd/commit/a502b7931babb81749c5236b38a09e5ae73fe88e) Clarify port handling in hosts toml
    * Move `linters-settings.exclude-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11399](https://github.com/containerd/containerd/pull/11399))
      * [`480e1039f`](https://github.com/containerd/containerd/commit/480e1039fe23512e6c1ea4bd8db1be93ac125993) move exclude-dirs to issues.exclude-dirs
    * Add OCI/Image Volume Source support ([#10579](https://github.com/containerd/containerd/pull/10579))
      * [`1ec10d9ae`](https://github.com/containerd/containerd/commit/1ec10d9ae7535ddd7b18e3c21b6cd8ff12a2f90d) Add OCI/Image Volume Source support
    * build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5 ([#11374](https://github.com/containerd/containerd/pull/11374))
      * [`17acb356f`](https://github.com/containerd/containerd/commit/17acb356f826ccf6dd6b0160dcce5e3aedf41f21) build(deps): bump github.com/vishvananda/netns from 0.0.4 to 0.0.5
    * Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11323](https://github.com/containerd/containerd/pull/11323))
      * [`83b65e52f`](https://github.com/containerd/containerd/commit/83b65e52fddf9411009e396dda283a782921222f) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
    * Update runc binary to v1.2.5 ([#11388](https://github.com/containerd/containerd/pull/11388))
      * [`938775864`](https://github.com/containerd/containerd/commit/938775864aba692f69d4bb143e1d6197b69b421b) Update runc binary to v1.2.5
    * build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 ([#11369](https://github.com/containerd/containerd/pull/11369))
      * [`2f971ee2d`](https://github.com/containerd/containerd/commit/2f971ee2d474c403837500846e0deaa8ba399992) build(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0
    * Remove noinline in seccomp/apparmor SpecOpts ([#11264](https://github.com/containerd/containerd/pull/11264))
      * [`222308416`](https://github.com/containerd/containerd/commit/222308416cd7d0204c4adf64ffdf438951e5aa64) Remove noinline in apparmor SpecOpts
      * [`2a4164ac8`](https://github.com/containerd/containerd/commit/2a4164ac868955ac9cb406cb4dc434d2eb3f9a16) Remove noinline in seccomp SpecOpts
    * build(deps): bump the golang-x group with 3 updates ([#11371](https://github.com/containerd/containerd/pull/11371))
      * [`84e07f6b5`](https://github.com/containerd/containerd/commit/84e07f6b54400bf61d1242c42f3437384aec2a65) build(deps): bump the golang-x group with 3 updates
    * update to go 1.24.0 / go1.23.6 ([#11377](https://github.com/containerd/containerd/pull/11377))
      * [`df99aa321`](https://github.com/containerd/containerd/commit/df99aa321a274c50de87332a067537cea746fd5c) update to go 1.24.0 / go1.23.6
      * [`41eaa41c4`](https://github.com/containerd/containerd/commit/41eaa41c43787755427aa430149a9c857c643be3) update golangci-lint to v1.64.2
    * build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 ([#11368](https://github.com/containerd/containerd/pull/11368))
      * [`2b8a7f253`](https://github.com/containerd/containerd/commit/2b8a7f253dee9bd8a4dc650eb27fbd803a64c97a) build(deps): bump lycheeverse/lychee-action from 2.2.0 to 2.3.0
    * build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 ([#11367](https://github.com/containerd/containerd/pull/11367))
      * [`bdb8cb5a8`](https://github.com/containerd/containerd/commit/bdb8cb5a80915fc605dcdfa3e0b0f2eb2b293b1c) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
    * Erofs snapshotter and differ ([#10705](https://github.com/containerd/containerd/pull/10705))
      * [`2f15d6586`](https://github.com/containerd/containerd/commit/2f15d6586b261d0f0bc68b847660dc2b691169db) Add tests for EROFS snapshotter
      * [`fd4caef78`](https://github.com/containerd/containerd/commit/fd4caef7866306f9e654f54ba0209c7f4a554ad9) Add EROFS snapshotter documentation
      * [`2486d542a`](https://github.com/containerd/containerd/commit/2486d542a5a96d71e3c8bb36517479e0a81f0131) Introduce EROFS Snapshotter
      * [`c73c8e5d5`](https://github.com/containerd/containerd/commit/c73c8e5d526aba6acf0eb75976bfc5a1037d64ac) Introduce EROFS differ
    * Update RELEASES.md for new release schedule and LTS policy ([#11294](https://github.com/containerd/containerd/pull/11294))
      * [`6d1f6e75d`](https://github.com/containerd/containerd/commit/6d1f6e75d65283dc6440556cfaf694c20059d77d) Update upgrade section
      * [`5f238fa82`](https://github.com/containerd/containerd/commit/5f238fa827a97e729592c1ed896a1192ba53ab09) Update to time based releases
      * [`886d971f8`](https://github.com/containerd/containerd/commit/886d971f855da042f1c83fc87b2074c858062f3b) Update LTS definition and support horizon
    * nri: make OCI spec available on StopPodSandbox ([#11331](https://github.com/containerd/containerd/pull/11331))
      * [`2eb0aa6b9`](https://github.com/containerd/containerd/commit/2eb0aa6b988a508400d6567602e7f3af838ca3c4) nri: make OCI spec available on StopPodSandbox
    * build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8 ([#11332](https://github.com/containerd/containerd/pull/11332))
      * [`565b50dbb`](https://github.com/containerd/containerd/commit/565b50dbb92f231ea1f416dead040d8e96f0963a) build(deps): bump google-github-actions/auth from 2.1.7 to 2.1.8
    * build(deps): bump google-github-actions/upload-cloud-storage from 2.2.1 to 2.2.2 ([#11334](https://github.com/containerd/containerd/pull/11334))
      * [`b65f3875b`](https://github.com/containerd/containerd/commit/b65f3875ba3365a780ac9d9ace295c56ac230ee4) build(deps): bump google-github-actions/upload-cloud-storage
    * build(deps): bump github/codeql-action from 3.28.6 to 3.28.8 ([#11333](https://github.com/containerd/containerd/pull/11333))
      * [`841ab361c`](https://github.com/containerd/containerd/commit/841ab361c1e52200319c08dc8b09f11e07d78f17) build(deps): bump github/codeql-action from 3.28.6 to 3.28.8
    * Fix state/root bug in shim sandbox controller ([#11321](https://github.com/containerd/containerd/pull/11321))
      * [`168c49e4d`](https://github.com/containerd/containerd/commit/168c49e4dcf1fcfebcf5d751f5aa20747b2a2032) Fix state/root bug in shim sandbox controller
    * build(deps): bump github/codeql-action from 3.28.1 to 3.28.6 ([#11315](https://github.com/containerd/containerd/pull/11315))
      * [`48d09104d`](https://github.com/containerd/containerd/commit/48d09104dcc4244672c590e9b6ab3ab71d8c9ce4) build(deps): bump github/codeql-action from 3.28.1 to 3.28.6
    * build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 ([#11317](https://github.com/containerd/containerd/pull/11317))
      * [`0c986c332`](https://github.com/containerd/containerd/commit/0c986c332f072ce2273c06d2707976b321830423) build(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0
    * build(deps): bump actions/stale from 9.0.0 to 9.1.0 ([#11316](https://github.com/containerd/containerd/pull/11316))
      * [`575239789`](https://github.com/containerd/containerd/commit/5752397896d44d5807837c8a71e2c0f1769ba66a) build(deps): bump actions/stale from 9.0.0 to 9.1.0
    * build(deps): bump the otel group across 1 directory with 8 updates ([#11286](https://github.com/containerd/containerd/pull/11286))
      * [`69e82f9cd`](https://github.com/containerd/containerd/commit/69e82f9cd3e29428bd480b1c349268a0723af51d) build(deps): bump the otel group across 1 directory with 8 updates
    * build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2 ([#11283](https://github.com/containerd/containerd/pull/11283))
      * [`19c546c97`](https://github.com/containerd/containerd/commit/19c546c9760b11c266a314bf25177b96d7a21f24) build(deps): bump github.com/tchap/go-patricia/v2 from 2.3.1 to 2.3.2
    * Update cimfs snapshotter & differ for new hcsshim interface ([#10033](https://github.com/containerd/containerd/pull/10033))
      * [`b81ace872`](https://github.com/containerd/containerd/commit/b81ace8724e154a0899679a05a98b7174804abed) Update cimfs snapshotter & differ for new hcsshim interface
    * update to go1.23.5 / go1.22.11 ([#11277](https://github.com/containerd/containerd/pull/11277))
      * [`157faf65c`](https://github.com/containerd/containerd/commit/157faf65c55c5de56f636fe3466f59b43241abb3) update to go1.23.5 / go1.22.11
    * build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 ([#11287](https://github.com/containerd/containerd/pull/11287))
      * [`f572a6db9`](https://github.com/containerd/containerd/commit/f572a6db9037e4a36225a4146a4344aaf34d692c) build(deps): bump lycheeverse/lychee-action from 2.1.0 to 2.2.0
    * client: add WithExtraDialOpts option ([#11276](https://github.com/containerd/containerd/pull/11276))
      * [`a6dc9905c`](https://github.com/containerd/containerd/commit/a6dc9905cbb1833c459362ba72928bd348967158) client: add WithExtraDialOpts option
    * build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3 ([#11282](https://github.com/containerd/containerd/pull/11282))
      * [`460e5a2e2`](https://github.com/containerd/containerd/commit/460e5a2e2bec851ba357dc1b738e3023841d0f2b) build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.3
    * build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 ([#11288](https://github.com/containerd/containerd/pull/11288))
      * [`36d3888cf`](https://github.com/containerd/containerd/commit/36d3888cf7eb7c9f533167cf93748ece98eb79cf) build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0
    * build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 ([#11289](https://github.com/containerd/containerd/pull/11289))
      * [`4b77d4e41`](https://github.com/containerd/containerd/commit/4b77d4e41ef99e6526f3e20dae36bc301f648477) build(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1
    * build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 ([#11290](https://github.com/containerd/containerd/pull/11290))
      * [`22e77720b`](https://github.com/containerd/containerd/commit/22e77720b3e6aecbb299ad70c68e2ade6dfd0108) build(deps): bump github/codeql-action from 3.27.9 to 3.28.1
    * build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 ([#11291](https://github.com/containerd/containerd/pull/11291))
      * [`53d6f3482`](https://github.com/containerd/containerd/commit/53d6f34822dda24bf7c8674305c93eadb4bad50b) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
    * Support multiple uid/gid mappings ([#10722](https://github.com/containerd/containerd/pull/10722))
      * [`ff0d99e02`](https://github.com/containerd/containerd/commit/ff0d99e02873ac04b4f73054d92d22683a501b7d) Add multiple uid/gid mapping test cases to integration tests
      * [`ec231cdcf`](https://github.com/containerd/containerd/commit/ec231cdcf27b4bfad8fd51dbe4a3a328158aeb86) Update ctr to support remapper labels with multiple uid/gid mapping entries
      * [`8bbfb6528`](https://github.com/containerd/containerd/commit/8bbfb65289f3a32fd5358bf7419f8b860a08fbed) Update snapshotter opts to support multiple uid/gid mapping entries
      * [`8a030d653`](https://github.com/containerd/containerd/commit/8a030d6537e42194cca894ebf89556af09dfade8) Update overlay snapshotter to support multiple uid/gid mappings
      * [`168ec21db`](https://github.com/containerd/containerd/commit/168ec21dbd6254088a47257d1a44812155d6d54c) Update idmapped mount to support multiple uid/gid mappings
      * [`a11405975`](https://github.com/containerd/containerd/commit/a114059759ec1d70ce04acfce028da54428689a9) Add RootPair() and serialization routines to userns idmap
    * log: avoid using unsupported field by logrus ([#11148](https://github.com/containerd/containerd/pull/11148))
      * [`04f9e30db`](https://github.com/containerd/containerd/commit/04f9e30db313908c1209b7f7d526d5d3eb8467ed) log: avoid using unsupported field by logrus
    * Move all fuzz tests to go native fuzz [part2] ([#11251](https://github.com/containerd/containerd/pull/11251))
      * [`b49df6af1`](https://github.com/containerd/containerd/commit/b49df6af11dbf7e4fc715e972c8e816edcb02309) move FuzzCRIServer to go native fuzz
      * [`6019bcdfb`](https://github.com/containerd/containerd/commit/6019bcdfbbed387b366e4e368c30475f5c31f054) move FuzzContainerdImport to go native fuzz
    * Make ovl idmap mounts read-only ([#10955](https://github.com/containerd/containerd/pull/10955))
      * [`1e3d10dc2`](https://github.com/containerd/containerd/commit/1e3d10dc29616f7e81b3fef3314d7a44d593c48c) Make ovl idmap mounts read-only
    * runtime/v2: add note about orphan process for runc-shim ([#10002](https://github.com/containerd/containerd/pull/10002))
      * [`58bd48ecf`](https://github.com/containerd/containerd/commit/58bd48ecff5418efbeacf27134d8adb3e58ab17d) add some doc for shim reap orphan process
    * Fix panics in CI fuzz integration tests ([#11249](https://github.com/containerd/containerd/pull/11249))
      * [`b7a117b46`](https://github.com/containerd/containerd/commit/b7a117b4648c981275e7e7ac944bfabec45fc56a) Fix fuzz integration tests
    * Move CDI device spec out of the OCI package ([#11262](https://github.com/containerd/containerd/pull/11262))
      * [`bdc847f1e`](https://github.com/containerd/containerd/commit/bdc847f1eb535a6728b6db3f2619d2a5ed0edbb9) Remove deprecated WithCDIDevices in oci spec opts
      * [`e20f7f4a2`](https://github.com/containerd/containerd/commit/e20f7f4a2425c005d85855abfd4556d7b4ccbf87) Move CDI device spec out of the OCI package
    * docs: fix some function names in comment ([#11261](https://github.com/containerd/containerd/pull/11261))
      * [`740c5d428`](https://github.com/containerd/containerd/commit/740c5d4284de1704ffab91bf03967346ae7d29a9) docs: fix some function names in comment
    * Use an order-only-prerequisite for mandir creation ([#11132](https://github.com/containerd/containerd/pull/11132))
      * [`ffbe1b573`](https://github.com/containerd/containerd/commit/ffbe1b5738951aed8945bf58c23e634433e77eb1) Use an order-only-prerequisite for mandir creation
    * Update platforms to latest rc ([#11257](https://github.com/containerd/containerd/pull/11257))
      * [`6148dbdd7`](https://github.com/containerd/containerd/commit/6148dbdd778942f7b1f5361d3e18859ada70f4d6) Update platforms to latest rc
    * Remove confusing warning in cri runtime config migration ([#10980](https://github.com/containerd/containerd/pull/10980))
      * [`fb44e37ff`](https://github.com/containerd/containerd/commit/fb44e37ff27325edda8e8ad178e1c057139cd4f2) Remove confusing warning in cri runtime config migration
    * Unify default transport in docker resolver ([#11167](https://github.com/containerd/containerd/pull/11167))
      * [`47c4dba40`](https://github.com/containerd/containerd/commit/47c4dba40935f8c887a7d43f6fbfca5fafadeb7f) Unify default transport in docker resolver
    * Clarify Go client API guidance ([#11093](https://github.com/containerd/containerd/pull/11093))
      * [`9fc711a8a`](https://github.com/containerd/containerd/commit/9fc711a8a0f5ca61007c855d087c5a806d2273cc) Clarify Go client API guidance
    * build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-x group ([#11225](https://github.com/containerd/containerd/pull/11225))
      * [`ef7fa43c9`](https://github.com/containerd/containerd/commit/ef7fa43c9a8ee086eada91630dcfe3ec8cc276b0) build(deps): bump golang.org/x/sys in the golang-x group
    * Fix runtime platform loading in cri image plugin init ([#11165](https://github.com/containerd/containerd/pull/11165))
      * [`ef0e70922`](https://github.com/containerd/containerd/commit/ef0e7092287ac4816e9a9fdfd6925e6f75657f41) Fix runtime platform loading in cri image plugin init
    * ci: fix the issue of config_file unset ([#11240](https://github.com/containerd/containerd/pull/11240))
      * [`e1aeb37cd`](https://github.com/containerd/containerd/commit/e1aeb37cdf10ed2ed4b2dd4be02d68a556acc106) ci: fix the issue of config_file unset
    * Fix go-cni race condition ([#11244](https://github.com/containerd/containerd/pull/11244))
      * [`09bf281ec`](https://github.com/containerd/containerd/commit/09bf281ec415a6029177c60688e261dab55e3944) fix go-cni race condition
    * make sure console master tty is closed on task exit ([#11161](https://github.com/containerd/containerd/pull/11161))
      * [`652e4d0b1`](https://github.com/containerd/containerd/commit/652e4d0b10490c4c2cfc94791ea80b5a16ff38ea) Add integ test to check tty leak
      * [`aedb079bf`](https://github.com/containerd/containerd/commit/aedb079bf18f1f913b705d9b791beebcf1962cdd) fix master tty leak due to leaking init container object
    * Move fuzz tests to go native fuzz [part1] ([#11189](https://github.com/containerd/containerd/pull/11189))
      * [`e70977180`](https://github.com/containerd/containerd/commit/e70977180ae55ad0bd28e2438b15170d83100d48) change metadata fuzz operations as const and slice instead of map
      * [`a4e3218e8`](https://github.com/containerd/containerd/commit/a4e3218e8f4a817ca0d7f44f622b97e0c83189b7) change tmp dir creation in fuzz to t.TempDir
      * [`a8c643cc5`](https://github.com/containerd/containerd/commit/a8c643cc51b4793189ac6291a62fcc1c3990af50) change copyright from ADA Logics to containerd
      * [`a55083007`](https://github.com/containerd/containerd/commit/a5508300782032adf7011d17a02268a425e3b14c) Remove github.com/AdamKorcz/go-118-fuzz-build in go.mod
      * [`2de103029`](https://github.com/containerd/containerd/commit/2de1030299c1626b2c235c0ed21040bce91f57d3) Move fuzz tests to go native fuzz [part1]
    * Bump up otelttrpc to 0.1.0 ([#11241](https://github.com/containerd/containerd/pull/11241))
      * [`15d3bf9b2`](https://github.com/containerd/containerd/commit/15d3bf9b248d423c457e871fe001eeb129a3fa82) Bump up otelttrpc to 0.1.0
    * Add snapshotter exports to unpack platform ([#11227](https://github.com/containerd/containerd/pull/11227))
      * [`63f604728`](https://github.com/containerd/containerd/commit/63f6047282525748e13ed91892b50583771c6427) Add snapshotter exports to unpack platform
    * ctr: `ctr images import --all-platforms`: fix unpack ([#11229](https://github.com/containerd/containerd/pull/11229))
      * [`79a42eedc`](https://github.com/containerd/containerd/commit/79a42eedc724cd248a995cbf1174d3800d948d52) ctr: `ctr images import --all-platforms`: fix unpack
    * Deflake TestFailFastWhenConnectShim by making TestContainerCgroupWritable not parallel ([#11235](https://github.com/containerd/containerd/pull/11235))
      * [`e65283321`](https://github.com/containerd/containerd/commit/e6528332195d23bf98ba58124b4cd647223e6969) make TestContainerCgroupWritable not parallel
    * update runc binary to v1.2.4 ([#11230](https://github.com/containerd/containerd/pull/11230))
      * [`54ed595e1`](https://github.com/containerd/containerd/commit/54ed595e1db892e09083e01f6520bc847bf99ee9) update runc binary to v1.2.4
    * Enable Writable cgroups for unprivileged containers ([#11131](https://github.com/containerd/containerd/pull/11131))
      * [`1363849b0`](https://github.com/containerd/containerd/commit/1363849b034a1daf58a4d677e758124d7ea7087e) Add integration test
      * [`dda702042`](https://github.com/containerd/containerd/commit/dda7020429a06a1d5549ced9391cc2f85f94adef) Enable Writable cgroups for unprivileged containers
    * Avoid duplicated chain ID calculation in unpack ([#11219](https://github.com/containerd/containerd/pull/11219))
      * [`d156d3df9`](https://github.com/containerd/containerd/commit/d156d3df9620844491a4e6c94945693d5c7df043) Benchmark chainID calculation in unpack
      * [`95f45541e`](https://github.com/containerd/containerd/commit/95f45541e47253610ed83b064dab2124a11027e8) Avoid duplicated chain ID calculation in unpack
    * downgrade go-difflib and go-spew to tagged releases ([#11220](https://github.com/containerd/containerd/pull/11220))
      * [`00a11e91d`](https://github.com/containerd/containerd/commit/00a11e91d38b5a1e3540382eaedfda878b1314b1) downgrade go-difflib and go-spew to tagged releases
    * Bump seccomp version to be the same as one in runc repo ([#11200](https://github.com/containerd/containerd/pull/11200))
      * [`4f2f12be6`](https://github.com/containerd/containerd/commit/4f2f12be6d91868a3b39d441ac598f876b47a6c0) Bump seccomp version to be the same as one in runc repo
    * Remove loop variable copies ([#11194](https://github.com/containerd/containerd/pull/11194))
      * [`bee64b2b9`](https://github.com/containerd/containerd/commit/bee64b2b93ba0494ecff94b72748427d5abe20a5) Remove loop variable copies
    * build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1 ([#11192](https://github.com/containerd/containerd/pull/11192))
      * [`4a4a027f7`](https://github.com/containerd/containerd/commit/4a4a027f7984c415d94054f6f6e14a6369a7dcd7) build(deps): bump google.golang.org/protobuf from 1.36.0 to 1.36.1
    * bump up ttrpc to use its MD.Clone ([#11204](https://github.com/containerd/containerd/pull/11204))
      * [`ee6338188`](https://github.com/containerd/containerd/commit/ee63381887da22ecc1be8ef2a3e441a72a013e93) bump up ttrpc to use its MD.Clone
    * build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2 ([#11193](https://github.com/containerd/containerd/pull/11193))
      * [`9bb31b706`](https://github.com/containerd/containerd/commit/9bb31b706c898a9475638206d2c5813fd9e8d77f) build(deps): bump google.golang.org/grpc from 1.69.0 to 1.69.2
    * build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0 ([#11181](https://github.com/containerd/containerd/pull/11181))
      * [`7f3599f09`](https://github.com/containerd/containerd/commit/7f3599f09396bf69496e1cf189b999acc0db13a5) build(deps): bump golang.org/x/net from 0.30.0 to 0.33.0
    * build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5 ([#11191](https://github.com/containerd/containerd/pull/11191))
      * [`f98d5fdb6`](https://github.com/containerd/containerd/commit/f98d5fdb6f684410bea0881159ea0df354cae41b) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.4 to 3.0.5
    * Update golangci to 1.60.3 ([#11185](https://github.com/containerd/containerd/pull/11185))
      * [`26a156f4f`](https://github.com/containerd/containerd/commit/26a156f4fd285ecddcdead54105022348075ad62) Update golangci to 1.60.3
    * build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 ([#11170](https://github.com/containerd/containerd/pull/11170))
      * [`a172d2c11`](https://github.com/containerd/containerd/commit/a172d2c116daeb101700d9d6c3a3622623c7446d) build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0
    * Update golangci-lint version in dev tools script ([#11180](https://github.com/containerd/containerd/pull/11180))
      * [`fa531f808`](https://github.com/containerd/containerd/commit/fa531f808b72c6667844ec56cbd9e6e5f23e974d) Update golangci-lint version in dev tools script
    * build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 ([#11177](https://github.com/containerd/containerd/pull/11177))
      * [`2f37b9da3`](https://github.com/containerd/containerd/commit/2f37b9da392387fac21d375874473a017bcefb8b) build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0
    * build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#11176](https://github.com/containerd/containerd/pull/11176))
      * [`4e4537a87`](https://github.com/containerd/containerd/commit/4e4537a87a8ee66debb947df455cae6e68e0dd5d) build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0
    * build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 ([#11171](https://github.com/containerd/containerd/pull/11171))
      * [`d29751424`](https://github.com/containerd/containerd/commit/d297514248daffa3124e529a5ada4f57a15dbb12) build(deps): bump github/codeql-action from 3.27.6 to 3.27.9
    * build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 ([#11172](https://github.com/containerd/containerd/pull/11172))
      * [`31e129856`](https://github.com/containerd/containerd/commit/31e12985601773ce5417926db6eda9c9d63dc445) build(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0
    * build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.0-rc.1 to 2.0.0 ([#11174](https://github.com/containerd/containerd/pull/11174))
      * [`f6e956c22`](https://github.com/containerd/containerd/commit/f6e956c2240a3d4dba6c9e6589993d051ff82849) build(deps): bump github.com/containerd/imgcrypt/v2
    * build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 ([#11126](https://github.com/containerd/containerd/pull/11126))
      * [`aeb414021`](https://github.com/containerd/containerd/commit/aeb414021b07a625cc58d555aabb18bd5cf51f3d) build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1
    * test: prevent segfault in imageverifier test ([#10851](https://github.com/containerd/containerd/pull/10851))
      * [`1617fd72e`](https://github.com/containerd/containerd/commit/1617fd72e10634923f75bb27ca00a23cf2f19ecb) test: prevent segfault in imageverifier test
    * Report an error when cni confDir removed ([#10646](https://github.com/containerd/containerd/pull/10646))
      * [`0c2805a6e`](https://github.com/containerd/containerd/commit/0c2805a6e452dba5e42b3723b6ba069b811f7c9a) Report an error when cni confDir removed
    * build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 ([#11122](https://github.com/containerd/containerd/pull/11122))
      * [`afee762fb`](https://github.com/containerd/containerd/commit/afee762fbfac0141b50040a1ea8197b02eafa3c1) build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
    * vendor: update golang.org/x/ dependencies ([#11145](https://github.com/containerd/containerd/pull/11145))
      * [`23e014140`](https://github.com/containerd/containerd/commit/23e01414069df958db56ca24fd7806979a9f2f2a) vendor: golang.org/x/crypto v0.31.0
      * [`9b3d999bd`](https://github.com/containerd/containerd/commit/9b3d999bd9affbfe7df5bd7ef8e5df9446eda56f) vendor: golang.org/x/term v0.27.0
      * [`1032fad27`](https://github.com/containerd/containerd/commit/1032fad2721a01ec321881c44963958dcb9b2ed8) vendor: golang.org/x/text v0.21.0
      * [`6764e62cf`](https://github.com/containerd/containerd/commit/6764e62cf7518dd6bc7050ed2d33a52a107fd1cd) vendor: golang.org/x/sync v0.10.0
      * [`160676647`](https://github.com/containerd/containerd/commit/1606766479f3e37318c5f4144d6d3d989cba51aa) vendor: golang.org/x/sys v0.28.0
    * build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11124](https://github.com/containerd/containerd/pull/11124))
      * [`927012243`](https://github.com/containerd/containerd/commit/9270122437f5a0105c74b49089fddc1a2c2648af) build(deps): bump actions/cache from 4.1.2 to 4.2.0
    * internal/cri: should not apply IoOwner options if it's not user namespace ([#11104](https://github.com/containerd/containerd/pull/11104))
      * [`2c4c04032`](https://github.com/containerd/containerd/commit/2c4c040328e161ef04913d8470a7dd61caf9f1be) internal/cri: should not apply IoOwner options
    * update runc binary to v1.2.3 ([#11141](https://github.com/containerd/containerd/pull/11141))
      * [`981414521`](https://github.com/containerd/containerd/commit/981414521baf578a313c7b7af034ade6cb92b10d) update runc binary to v1.2.3
    * cmd/ctr: allow user to syncfs during unpacking image locally ([#11118](https://github.com/containerd/containerd/pull/11118))
      * [`11b78255d`](https://github.com/containerd/containerd/commit/11b78255de6544fc91d5f523bdfec2bef2a711ca) cmd: add syncfs option to ctr command
    * Update go-cni for CNI STATUS ([#11135](https://github.com/containerd/containerd/pull/11135))
      * [`1f220b23e`](https://github.com/containerd/containerd/commit/1f220b23e298b61f5ece5a994ef2a37a843732b0) feat: update go-cni version for CNI STATUS
    * Complete cri grpc plugin config migration ([#11061](https://github.com/containerd/containerd/pull/11061))
      * [`ed39dfa5d`](https://github.com/containerd/containerd/commit/ed39dfa5d64d872c8a0b7b88b4973395028b2b1e) Add integration test for custom configuration
      * [`8540fed77`](https://github.com/containerd/containerd/commit/8540fed77493a5a205524b47b810726a0de288eb) complete cri grpc config migration
    * ctr pull should unpack for default platform when transfer service is used ([#11086](https://github.com/containerd/containerd/pull/11086))
      * [`4c11d753c`](https://github.com/containerd/containerd/commit/4c11d753ca9964bf70f087560c85614741ca35a5) ctr pull unpack for default platform using transfer service
    * update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ ([#11130](https://github.com/containerd/containerd/pull/11130))
      * [`d76f92f24`](https://github.com/containerd/containerd/commit/d76f92f2402049869e5fd94087aeed1a9fddc729) update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
    * build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 ([#11123](https://github.com/containerd/containerd/pull/11123))
      * [`73864c520`](https://github.com/containerd/containerd/commit/73864c52037da5cf870a9c11359ab197cdf08fe4) build(deps): bump github/codeql-action from 3.27.5 to 3.27.6
    * CI: update Fedora to 41 ([#10930](https://github.com/containerd/containerd/pull/10930))
      * [`6fdc35243`](https://github.com/containerd/containerd/commit/6fdc352439dfdf88ac7a62c95f5fb1fa07ae3be3) CI: update Fedora to 41
    * Fix loop variable capture issue ([#11042](https://github.com/containerd/containerd/pull/11042))
      * [`485020ca8`](https://github.com/containerd/containerd/commit/485020ca8999d2aa6c2165419cca0f104e9e9d5c) fix: loop variable capture issue
    * Add containerd community call to readme. ([#11046](https://github.com/containerd/containerd/pull/11046))
      * [`59a2c3523`](https://github.com/containerd/containerd/commit/59a2c3523cddd05a5f4b14c7860f43ed66b6003d) Add containerd community call to readme.
    * update to go1.23.4 / go1.22.10 ([#11102](https://github.com/containerd/containerd/pull/11102))
      * [`81780a5dd`](https://github.com/containerd/containerd/commit/81780a5dd37106f4bc01fa776b9d069197bed54b) update to go1.23.4 / go1.22.10
    * Fix panic due to nil dereference cgroups v2 ([#11069](https://github.com/containerd/containerd/pull/11069))
      * [`0903f203f`](https://github.com/containerd/containerd/commit/0903f203fb8a9b696ff2522f068313f5de2fad80) fix panic due to nil dereference cgroups v2
    * The task_dir successfully cleans when the file is absent. ([#11043](https://github.com/containerd/containerd/pull/11043))
      * [`4a664772e`](https://github.com/containerd/containerd/commit/4a664772efc48e031efc6b3ebd422df0e08ddbec) The task_dir successfully cleans when the file is absent.
    * docs: fix snapshots api import ([#11073](https://github.com/containerd/containerd/pull/11073))
      * [`b78c5c6ed`](https://github.com/containerd/containerd/commit/b78c5c6ed2ad0f0d0a23306a36f0a71a84582f5d) docs: fix snapshots api import
    * build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 ([#11060](https://github.com/containerd/containerd/pull/11060))
      * [`ea9397793`](https://github.com/containerd/containerd/commit/ea9397793f336327551d9024ea89bc9178d00401) build(deps): bump github/codeql-action from 3.27.4 to 3.27.5
    * build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4 ([#11059](https://github.com/containerd/containerd/pull/11059))
      * [`6c16f3490`](https://github.com/containerd/containerd/commit/6c16f3490934aa396b785bd19c0945279a9e728f) build(deps): bump github.com/containerd/cgroups/v3 from 3.0.3 to 3.0.4
    * build(deps): bump the k8s group with 5 updates ([#11057](https://github.com/containerd/containerd/pull/11057))
      * [`662d64080`](https://github.com/containerd/containerd/commit/662d6408018eb74bba4d0700aeac6ea137c23571) build(deps): bump the k8s group with 5 updates
    * Update differ to handle zstd media types ([#11062](https://github.com/containerd/containerd/pull/11062))
      * [`17f7858b4`](https://github.com/containerd/containerd/commit/17f7858b4e2e31b447410f66d0100b816c1fe6b3) Update differ to handle zstd media types
    * build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 ([#11058](https://github.com/containerd/containerd/pull/11058))
      * [`5c905fb6c`](https://github.com/containerd/containerd/commit/5c905fb6c3c93d2180b878f36af41f516531937f) build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0
    * Unsorted platform conditionals cleanup ([#11065](https://github.com/containerd/containerd/pull/11065))
      * [`e9d560f1e`](https://github.com/containerd/containerd/commit/e9d560f1e8ccd277e19888c95dd4378579d34842) Unsorted platform conditionals cleanup
    * Publish attestation as release artifact ([#11049](https://github.com/containerd/containerd/pull/11049))
      * [`3961dc9c8`](https://github.com/containerd/containerd/commit/3961dc9c8cb0e31925e45a2273bbdc06412be262) Publish attestation as release artifact
    * Move rockylinux 9.4 to almalinux/9 in CI ([#11050](https://github.com/containerd/containerd/pull/11050))
      * [`288001f68`](https://github.com/containerd/containerd/commit/288001f68c5fd34cfbdc7284f14375a3762b8ff4) move rocky 9.4 to almalinux/9 in CI
    * Clarify release for deprecated registry field removals ([#11045](https://github.com/containerd/containerd/pull/11045))
      * [`e24864e48`](https://github.com/containerd/containerd/commit/e24864e48e30e1009a88637d410d6c4df39c3098) Clarify release for deprecated registry field removals
    * make ListContainerStats handle container that is removed before its sandbox ([#10724](https://github.com/containerd/containerd/pull/10724))
      * [`c130d93c1`](https://github.com/containerd/containerd/commit/c130d93c11ec128d38d7560262d2e20b03263151) make ListContainerStats handle container that is removed before its sandbox
    * Add tests for CNI v2 loopback options ([#10915](https://github.com/containerd/containerd/pull/10915))
      * [`34284c507`](https://github.com/containerd/containerd/commit/34284c50752ea636a2474c7254802d54600199ab) Add tests for CNI v2 loopback options
    * *: should align pipe's owner with init process ([#10906](https://github.com/containerd/containerd/pull/10906))
      * [`a21b178f1`](https://github.com/containerd/containerd/commit/a21b178f12b223d48245fac4ad12a0c7b50bf20f) *: should align pipe's owner with init process
    * fix: set the credentials even if not provided ([#10917](https://github.com/containerd/containerd/pull/10917))
      * [`11b1353c1`](https://github.com/containerd/containerd/commit/11b1353c12b9f3a1542ffe44a00a988e330f8c56) fix: set the credentials even if not provided
    * build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11024](https://github.com/containerd/containerd/pull/11024))
      * [`dd2d89167`](https://github.com/containerd/containerd/commit/dd2d891672305ab756b4b93970ac1342c952ffc8) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
    * Reorganize per-platform defaults ([#11017](https://github.com/containerd/containerd/pull/11017))
      * [`f6e30e962`](https://github.com/containerd/containerd/commit/f6e30e9622b79c1e3ef64e22329bbabe6d1789e7) [defaults] Reorganize per-platform defaults
    * build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5 ([#11025](https://github.com/containerd/containerd/pull/11025))
      * [`be2c4504e`](https://github.com/containerd/containerd/commit/be2c4504eefcab5ea3a23caf0630ddeef3a98200) build(deps): bump github.com/containerd/continuity from 0.4.4 to 0.4.5
    * Move content events to metadata ([#11013](https://github.com/containerd/containerd/pull/11013))
      * [`9e3ab2332`](https://github.com/containerd/containerd/commit/9e3ab2332b8bc4ba3222133d5b174d5f9be26698) Move content events to metadata
    * build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 ([#11026](https://github.com/containerd/containerd/pull/11026))
      * [`f5b2c3a07`](https://github.com/containerd/containerd/commit/f5b2c3a07cd59c28419106d547c169d8d49f0e6f) build(deps): bump github/codeql-action from 3.27.1 to 3.27.4
    * Use platform-specific default address ([#11016](https://github.com/containerd/containerd/pull/11016))
      * [`9c7a403a2`](https://github.com/containerd/containerd/commit/9c7a403a22d09050eb37f5e578ec613d38d92231) [containerd-stress] Use platform-specific default address
    * Update install-imgcrypt to allow change install repo ([#11019](https://github.com/containerd/containerd/pull/11019))
      * [`f8819df7c`](https://github.com/containerd/containerd/commit/f8819df7c4ee690315d45b57a4fddfcb970fcdd3) Update install-imgcrypt to allow change install repo
    * update runc binary to 1.2.2 ([#11022](https://github.com/containerd/containerd/pull/11022))
      * [`9a7bc5423`](https://github.com/containerd/containerd/commit/9a7bc5423ef5f477705802e45c0b06869764caca) update runc binary to 1.2.2
    * Fix runtimeoptions location in v2 migration script ([#11012](https://github.com/containerd/containerd/pull/11012))
      * [`2447936fc`](https://github.com/containerd/containerd/commit/2447936fca8dcd92ddb8b3af5ec9038b8117d041) Fix runtimeoptions location in v2 migration
    * Revert "Disable vagrant strict dependency checking" ([#11004](https://github.com/containerd/containerd/pull/11004))
      * [`1b01f396d`](https://github.com/containerd/containerd/commit/1b01f396de92dcf3cb47816047e61abe5cb81e69) Revert "Disable vagrant strict dependency checking"
    * docs: update schema 1 deprecation information ([#11002](https://github.com/containerd/containerd/pull/11002))
      * [`6c1b699bf`](https://github.com/containerd/containerd/commit/6c1b699bf978b858ef32aeca62beddba9e88da08) docs: update schema 1 deprecation information
    * fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems ([#10981](https://github.com/containerd/containerd/pull/10981))
      * [`91e4e0967`](https://github.com/containerd/containerd/commit/91e4e096758b4eccb28cbf5955e7a42dcdb29c15) fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
    * build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 ([#10989](https://github.com/containerd/containerd/pull/10989))
      * [`73ae1c66f`](https://github.com/containerd/containerd/commit/73ae1c66ff27695a326a77cb59b49c6dee3e6b2b) build(deps): bump lycheeverse/lychee-action from 2.0.2 to 2.1.0
    * build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 ([#10988](https://github.com/containerd/containerd/pull/10988))
      * [`4bd33276c`](https://github.com/containerd/containerd/commit/4bd33276c3402f41b5b4618a118772e5a2fb7f41) build(deps): bump github/codeql-action from 3.27.0 to 3.27.1
    * build(deps): bump the golang-x group with 3 updates ([#10990](https://github.com/containerd/containerd/pull/10990))
      * [`cebca6f87`](https://github.com/containerd/containerd/commit/cebca6f874fdec53070fae3f45806849180d6235) build(deps): bump the golang-x group with 3 updates
    * build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 ([#10992](https://github.com/containerd/containerd/pull/10992))
      * [`01c489141`](https://github.com/containerd/containerd/commit/01c489141c37e27b71370ab26ab28347b17f4284) build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
    * build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4 ([#10987](https://github.com/containerd/containerd/pull/10987))
      * [`d32ed4a56`](https://github.com/containerd/containerd/commit/d32ed4a560f240b9a05c8a25cec54456da5d99b9) build(deps): bump actions/attest-build-provenance from 1.4.3 to 1.4.4
    * build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 ([#10986](https://github.com/containerd/containerd/pull/10986))
      * [`d810c5759`](https://github.com/containerd/containerd/commit/d810c5759fd5f864d7794a6ff4ef13887110ebe9) build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0
    * fsverity_test.go: fix nil pointer dereference, fix test fail, fix minor/major device numbers resolving ([#10972](https://github.com/containerd/containerd/pull/10972))
      * [`f9537ae12`](https://github.com/containerd/containerd/commit/f9537ae126fc2be685cc32d5c98b4189a72e02e9) fsverity_test.go: fix major/minor device number resolving
      * [`8a8e50e6d`](https://github.com/containerd/containerd/commit/8a8e50e6d7baf99ebe02e6ca04d9d842addcd36c) fsverity_test.go: fix nil pointer dereference, fix test fail
    * update to go1.23.3 / go1.22.9 ([#10970](https://github.com/containerd/containerd/pull/10970))
      * [`bcc3cc968`](https://github.com/containerd/containerd/commit/bcc3cc968abd5e13084afa1e8dba6afc0d41a2fa) update to go1.23.3 / go1.22.9
    * Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz ([#10964](https://github.com/containerd/containerd/pull/10964))
      * [`784116b7d`](https://github.com/containerd/containerd/commit/784116b7d5e67804f26f3c3e060243b0c737ea7c) Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
    * Expose Pod assigned IPs to NRI plugins ([#10921](https://github.com/containerd/containerd/pull/10921))
      * [`bc056a5c6`](https://github.com/containerd/containerd/commit/bc056a5c60a8add5fb98c59d9e88f9b89025f658) nri: report pod ips to the nri plugins
      * [`a256f326c`](https://github.com/containerd/containerd/commit/a256f326cabd29b4a78334ac981409f005ea9c3f) bump nri version to get PodIPs
    * build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 ([#10948](https://github.com/containerd/containerd/pull/10948))
      * [`a17001b42`](https://github.com/containerd/containerd/commit/a17001b42694baa746a22217f6ca7857a096b681) build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0
    </p>
    </details>
    
    ### Changes from containerd/continuity
    <details><summary>17 commits</summary>
    <p>
    
    * fs: fix Ctime returning Mtime ([containerd/continuity#261](https://github.com/containerd/continuity/pull/261))
      * [`f4f4fb5`](https://github.com/containerd/continuity/commit/f4f4fb5bbdd8321481b8aeedec5cc4412d5001b5) fs: fix Ctime returning Mtime
    * fs: implement Atime, Ctime, Mtime for bsd and darwin ([containerd/continuity#262](https://github.com/containerd/continuity/pull/262))
      * [`dbe44eb`](https://github.com/containerd/continuity/commit/dbe44ebd46e9e2497b4b37e0c387f03f7e048f6b) fs: implement Atime, Ctime, Mtime for bsd and darwin
    * Makefile: make "lint" target also lint cmd/continuity module and fix linting issues ([containerd/continuity#255](https://github.com/containerd/continuity/pull/255))
      * [`4c00ab7`](https://github.com/containerd/continuity/commit/4c00ab7567238214d4dd9b9797435774836e3381) Makefile: make "lint" target also lint cmd/continuity module
      * [`cadd3a2`](https://github.com/containerd/continuity/commit/cadd3a2d76962f90047608655e607861862e329e) cmd/continuity/continuityfs: SA1019: fuse.ENOENT is deprecated
      * [`38fcdae`](https://github.com/containerd/continuity/commit/38fcdae95788e9c47bdacd674f06164bab91de1b) cmd/continuity: fix SA1019: entry.User/entry.Group is deprecated
    * assorted linting fixes and minor cleanups ([containerd/continuity#259](https://github.com/containerd/continuity/pull/259))
      * [`38f66a6`](https://github.com/containerd/continuity/commit/38f66a6d37247c12e5aac5b5ceac4ccb16a1c76e) TestWalkFS: fix unhandled error
      * [`94c0490`](https://github.com/containerd/continuity/commit/94c04905cf9ed5b65bbe2eac4f3f858769cb9f5a) rename variables that shadowed package-level type
      * [`2200bb4`](https://github.com/containerd/continuity/commit/2200bb480f47137ea31eada2d9b0dcfc2474222b) don't use "ctx" for continuity.Context arguments
      * [`583d7ed`](https://github.com/containerd/continuity/commit/583d7ed1582f6b45643c7e11d2b93f6a68b7c623) commands/mount_unsupported: drop nil-assignment (revive)
      * [`5158c3f`](https://github.com/containerd/continuity/commit/5158c3f19836c8dd55dfc1ef84cb8656fca29f9f) golangci-lint: sort linters
      * [`a8c7143`](https://github.com/containerd/continuity/commit/a8c714358ce4cf76db246f88b9495a2b903b2c38) golangci-lint: don't use deprecated name for "govet" linter
    * cmd/continuity: switch to google.golang.org/protobuf/proto ([containerd/continuity#260](https://github.com/containerd/continuity/pull/260))
      * [`fd64705`](https://github.com/containerd/continuity/commit/fd6470559ebe380f21b1af08a8869bee7e3435c2) cmd/continuity: switch to google.golang.org/protobuf/proto
    </p>
    </details>
    
    ### Changes from containerd/go-cni
    <details><summary>9 commits</summary>
    <p>
    
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
      * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquisition
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
      * [`208eca9`](https://github.com/containerd/go-cni/commit/208eca91c33bb793f471831a0abaf6cebe9676a4) support CNI status verb
    * Bump github actions dependencies to match containerd CI repo and fix lint ([containerd/go-cni#122](https://github.com/containerd/go-cni/pull/122))
      * [`386f475`](https://github.com/containerd/go-cni/commit/386f4757e63914b2589b8abe6098bfa23f83fa8b) Fix ci.yml indent
      * [`a9b0675`](https://github.com/containerd/go-cni/commit/a9b0675fc9b8b5ce52d84f91a4fc049501853862) Another doc commit to trigger lint?
      * [`14af454`](https://github.com/containerd/go-cni/commit/14af4542b76fa694f2e1853b35554f23c6829f5d) Bump github actions dependency versions
      * [`9e0d096`](https://github.com/containerd/go-cni/commit/9e0d096d58145757809ddce8b8650efc07e19916) Trivial doc commit to trigger lint
    </p>
    </details>
    
    ### Changes from containerd/otelttrpc
    <details><summary>6 commits</summary>
    <p>
    
    * Add dependabot and upgrade golang and dependency versions ([containerd/otelttrpc#3](https://github.com/containerd/otelttrpc/pull/3))
      * [`2d46141`](https://github.com/containerd/otelttrpc/commit/2d46141c9f9842bc8e2563ae884b963e34ea175f) upgrade golang, deps, CI versions
      * [`64922e7`](https://github.com/containerd/otelttrpc/commit/64922e78c69b7bdecf065f039a5ead4d64e567e0) Add dependabot CI
    * Fix concurrent map panic on metadata ([containerd/otelttrpc#2](https://github.com/containerd/otelttrpc/pull/2))
      * [`2ba3be1`](https://github.com/containerd/otelttrpc/commit/2ba3be1e39398b8d2544f5ea962edc1e2f906d32) Fix concurrent map panic on inject metadata
      * [`f50a922`](https://github.com/containerd/otelttrpc/commit/f50a9220fc748442b274390c45773191367262ec) UT for concurrent inject/extract metadata
    </p>
    </details>
    
    ### Changes from containerd/platforms
    <details><summary>6 commits</summary>
    <p>
    
    * Move windows matcher logic so all platforms can use ([containerd/platforms#22](https://github.com/containerd/platforms/pull/22))
      * [`7c58292`](https://github.com/containerd/platforms/commit/7c5829273cd83c987784fd7ef5487485e0d2fee0) Move windows matcher logic so all platforms can use
    * replace testify with stdlib in tests ([containerd/platforms#21](https://github.com/containerd/platforms/pull/21))
      * [`86a86b7`](https://github.com/containerd/platforms/commit/86a86b73a6e01f92aecad823e0f516f6198f3e2c) replace testify with stdlib in tests
    * Replace arm64 minor variant logic with lookup table ([containerd/platforms#18](https://github.com/containerd/platforms/pull/18))
      * [`364665a`](https://github.com/containerd/platforms/commit/364665a87c183d5b5eb45fc0e9b86e99013a621a) Replace arm64 minor variant logic with lookup table
    </p>
    </details>
    
    ### Changes from containerd/ttrpc
    <details><summary>5 commits</summary>
    <p>
    
    * Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
      * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
      * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
      * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/Microsoft/hcsshim**                                                 v0.12.9 -> v0.13.0-rc.3
    * **github.com/cilium/ebpf**                                                       v0.11.0 -> v0.16.0
    * **github.com/containerd/cgroups/v3**                                             v3.0.3 -> v3.0.5
    * **github.com/containerd/continuity**                                             v0.4.4 -> v0.4.5
    * **github.com/containerd/go-cni**                                                 v1.1.10 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**                                            v2.0.0-rc.1 -> v2.0.0
    * **github.com/containerd/otelttrpc**                                              ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**                                              v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**                                                  v1.2.6 -> v1.2.7
    * **github.com/containerd/typeurl/v2**                                             v2.2.2 -> v2.2.3
    * **github.com/containers/ocicrypt**                                               v1.2.0 -> v1.2.1
    * **github.com/davecgh/go-spew**                                                   d8f796af33cc -> v1.1.1
    * **github.com/fsnotify/fsnotify**                                                 v1.7.0 -> v1.8.0
    * **github.com/go-jose/go-jose/v4**                                                v4.0.4 -> v4.0.5
    * **github.com/google/go-cmp**                                                     v0.6.0 -> v0.7.0
    * **github.com/grpc-ecosystem/grpc-gateway/v2**                                    v2.22.0 -> v2.26.1
    * **github.com/klauspost/compress**                                                v1.17.11 -> v1.18.0
    * **github.com/moby/spdystream**                                                   v0.4.0 -> v0.5.0
    * **github.com/opencontainers/image-spec**                                         v1.1.0 -> v1.1.1
    * **github.com/opencontainers/runtime-spec**                                       v1.2.0 -> v1.2.1
    * **github.com/petermattis/goid**                                                  4fcff4a6cae7 **_new_**
    * **github.com/pmezard/go-difflib**                                                5d4384ee4fb2 -> v1.0.0
    * **github.com/prometheus/client_golang**                                          v1.20.5 -> v1.21.1
    * **github.com/prometheus/common**                                                 v0.55.0 -> v0.62.0
    * **github.com/sasha-s/go-deadlock**                                               v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**                                                   v0.1.1 **_new_**
    * **github.com/stretchr/testify**                                                  v1.9.0 -> v1.10.0
    * **github.com/tchap/go-patricia/v2**                                              v2.3.1 -> v2.3.2
    * **github.com/urfave/cli/v2**                                                     v2.27.5 -> v2.27.6
    * **github.com/vishvananda/netns**                                                 v0.0.4 -> v0.0.5
    * **go.etcd.io/bbolt**                                                             v1.3.11 -> v1.4.0
    * **go.opentelemetry.io/auto/sdk**                                                 v1.1.0 **_new_**
    * **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**  v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                v0.56.0 -> v0.60.0
    * **go.opentelemetry.io/otel**                                                     v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                            v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/metric**                                              v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/sdk**                                                 v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/otel/trace**                                               v1.31.0 -> v1.35.0
    * **go.opentelemetry.io/proto/otlp**                                               v1.3.1 -> v1.5.0
    * **golang.org/x/crypto**                                                          v0.28.0 -> v0.36.0
    * **golang.org/x/exp**                                                             aacd6d4b4611 -> 2d47ceb2692f
    * **golang.org/x/mod**                                                             v0.21.0 -> v0.24.0
    * **golang.org/x/net**                                                             v0.30.0 -> v0.35.0
    * **golang.org/x/oauth2**                                                          v0.22.0 -> v0.27.0
    * **golang.org/x/sync**                                                            v0.8.0 -> v0.12.0
    * **golang.org/x/sys**                                                             v0.26.0 -> v0.31.0
    * **golang.org/x/term**                                                            v0.25.0 -> v0.30.0
    * **golang.org/x/text**                                                            v0.19.0 -> v0.23.0
    * **golang.org/x/time**                                                            v0.3.0 -> v0.7.0
    * **google.golang.org/genproto/googleapis/api**                                    5fefd90f89a9 -> 56aae31c358a
    * **google.golang.org/genproto/googleapis/rpc**                                    324edc3d5d38 -> 56aae31c358a
    * **google.golang.org/grpc**                                                       v1.67.1 -> v1.71.0
    * **google.golang.org/protobuf**                                                   v1.35.1 -> v1.36.5
    * **k8s.io/api**                                                                   v0.31.2 -> v0.32.2
    * **k8s.io/apimachinery**                                                          v0.31.2 -> v0.32.2
    * **k8s.io/apiserver**                                                             v0.31.2 -> v0.32.2
    * **k8s.io/client-go**                                                             v0.31.2 -> v0.32.2
    * **k8s.io/component-base**                                                        v0.31.2 -> v0.32.2
    * **k8s.io/cri-api**                                                               v0.31.2 -> v0.32.2
    * **k8s.io/kubelet**                                                               v0.31.2 -> v0.32.2
    * **k8s.io/utils**                                                                 18e509b52bc8 -> 3ea5e8cea738
    * **sigs.k8s.io/json**                                                             bc3834ca7abd -> 9aa6b5e7a4b3
    * **sigs.k8s.io/structured-merge-diff/v4**                                         v4.4.1 -> v4.4.2
    * **tags.cncf.io/container-device-interface**                                      v0.8.0 -> v0.8.1
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)

    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
    
  • v2.0.4
    1a43cb6a · Merge commit from fork
    containerd 2.0.4
    
    Welcome to the v2.0.4 release of containerd!
    
    The fourth patch release for containerd 2.0 includes various bug fixes and updates.
    
    ### Highlights
    
    * Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))
    * Respect `client.WithTimeout` option on connect ([#11536](https://github.com/containerd/containerd/pull/11536))
    * Update image type checks to avoid unnecessary logs for attestations ([#11537](https://github.com/containerd/containerd/pull/11537))
    
    #### Node Resource Interface (NRI)
    
    * Fix incorrect runtime name being passed to NRI ([#11529](https://github.com/containerd/containerd/pull/11529))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Akihiro Suda
    * Paweł Gronowski
    * Akhil Mohan
    * Phil Estes
    * Samuel Karp
    * Craig Ingram
    * ningmingxiao
    
    ### Changes
    <details><summary>19 commits</summary>
    <p>
    
      * [`1a43cb6a1`](https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) Merge commit from fork
      * [`07a0b5419`](https://github.com/containerd/containerd/commit/07a0b5419c408e70ed90179ea3e5825d986f80af) (cherry picked from commit de1341c201ffb0effebbf51d00376181968c8779)
    * Prepare release notes for v2.0.4 ([#11541](https://github.com/containerd/containerd/pull/11541))
      * [`06a886a8e`](https://github.com/containerd/containerd/commit/06a886a8e49a02bc15895c093e0519db27415548) Prepare release notes for v2.0.4
    * Respect `client.WithTimeout` option on connect ([#11536](https://github.com/containerd/containerd/pull/11536))
      * [`6b5efba83`](https://github.com/containerd/containerd/commit/6b5efba83b2aa68b522ebfe73d3fed8e18a59429) client: Respect `client.WithTimeout` option
    * Update image type checks to avoid unnecessary logs for attestations ([#11537](https://github.com/containerd/containerd/pull/11537))
      * [`916d48722`](https://github.com/containerd/containerd/commit/916d4872262eed04fb6626183c2306320d14e965) core/remotes: Handle attestations in MakeRefKey
      * [`df4d905a6`](https://github.com/containerd/containerd/commit/df4d905a6f0d9e74a0aff2514030c343d56ba86d) core/images: Ignore attestations when traversing children
    * Fix incorrect runtime name being passed to NRI ([#11529](https://github.com/containerd/containerd/pull/11529))
      * [`4f037050c`](https://github.com/containerd/containerd/commit/4f037050ce83224d79e8b65e270222abb9ce6ab0) add name in package version
    * update build to go1.23.7, test go1.24.1 ([#11514](https://github.com/containerd/containerd/pull/11514))
      * [`e5ad0d0a0`](https://github.com/containerd/containerd/commit/e5ad0d0a0e212bc8cd5b8b7169f6b10873e2e6fe) update build to go1.23.7, test go1.24.1
    * docs: include note about unprivileged sysctls ([#11506](https://github.com/containerd/containerd/pull/11506))
      * [`a39f1146b`](https://github.com/containerd/containerd/commit/a39f1146b065a0ef054933f912ede0476586fa83) docs: include note about unprivileged sysctls
    * e2e: use the shim bundled with containerd artifact ([#11503](https://github.com/containerd/containerd/pull/11503))
      * [`81b3384a0`](https://github.com/containerd/containerd/commit/81b3384a0d6c0f58d36884bbd24bf9f7a965b008) e2e: use the shim bundled with containerd artifact
    * build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1 ([#11497](https://github.com/containerd/containerd/pull/11497))
      * [`7215a7d2c`](https://github.com/containerd/containerd/commit/7215a7d2caa73cd8ca2de50435fa3a5f1df36d75) build(deps): bump containerd/project-checks from 1.1.0 to 1.2.1
    </p>
    </details>
    
    ### Dependency Changes
    
    This release has no dependency changes
    
    Previous release can be found at [v2.0.3](https://github.com/containerd/containerd/releases/tag/v2.0.3)

    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
  • v1.7.27
    05044ec0 · Merge commit from fork
    containerd 1.7.27
    
    Welcome to the v1.7.27 release of containerd!
    
    The twenty-seventh patch release for containerd 1.7 contains various fixes
    and updates.
    
    ### Highlights
    
    * Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))
    * Update image type checks to avoid unnecessary logs for attestations ([#11538](https://github.com/containerd/containerd/pull/11538))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Jin Dong
    * Akhil Mohan
    * Derek McGowan
    * Maksym Pavlenko
    * Paweł Gronowski
    * Phil Estes
    * Akihiro Suda
    * Craig Ingram
    * Krisztian Litkey
    * Samuel Karp
    
    ### Changes
    <details><summary>20 commits</summary>
    <p>
    
      * [`05044ec0a`](https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork
      * [`11504c3fc`](https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid
    * Prepare release notes for v1.7.27 ([#11540](https://github.com/containerd/containerd/pull/11540))
      * [`1be04be6c`](https://github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27
    * Update image type checks to avoid unnecessary logs for attestations ([#11538](https://github.com/containerd/containerd/pull/11538))
      * [`82b5c43fe`](https://github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey
      * [`2c670e79b`](https://github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children
    * update build to go1.23.7, test go1.24.1 ([#11515](https://github.com/containerd/containerd/pull/11515))
      * [`a39863c9f`](https://github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) update build to go1.23.7, test go1.24.1
    * Remove hashicorp/go-multierror dependency and fix CI ([#11499](https://github.com/containerd/containerd/pull/11499))
      * [`49537b3a7`](https://github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact
      * [`fe490b76f`](https://github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0
      * [`13fc9d313`](https://github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1
      * [`585699c94`](https://github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap
      * [`4b9df59be`](https://github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror
    * go.{mod,sum}: bump CDI deps to v0.8.1. ([#11422](https://github.com/containerd/containerd/pull/11422))
      * [`5ba28f8dc`](https://github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
    * CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11437](https://github.com/containerd/containerd/pull/11437))
      * [`85f10bd92`](https://github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm
      * [`561ed520e`](https://github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/intel/goresctrl**                        v0.3.0 -> v0.5.0
    * **github.com/prometheus/client_golang**               v1.14.0 -> v1.16.0
    * **github.com/prometheus/common**                      v0.37.0 -> v0.42.0
    * **github.com/prometheus/procfs**                      v0.8.0 -> v0.10.1
    * **k8s.io/apimachinery**                               v0.26.2 -> v0.27.4
    * **sigs.k8s.io/json**                                  f223a00ba0e2 -> bc3834ca7abd
    * **tags.cncf.io/container-device-interface**           v0.7.2 -> v0.8.1
    * **tags.cncf.io/container-device-interface/specs-go**  v0.7.0 -> v0.8.0
    
    Previous release can be found at [v1.7.26](https://github.com/containerd/containerd/releases/tag/v1.7.26)
    
  • v1.6.38
    cf158e88 · Merge commit from fork
    containerd 1.6.38
    
    Welcome to the v1.6.38 release of containerd!
    
    The thirty-eighth patch release for containerd 1.6 contains various fixes
    and updates.
    
    ### Highlights
    
    * Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg))
    
    #### Container Runtime Interface (CRI)
    
    * Fix fatal map concurrency error in httpstream ([#11319](https://github.com/containerd/containerd/pull/11319))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Jin Dong
    * Akhil Mohan
    * Derek McGowan
    * Phil Estes
    * Akihiro Suda
    * Craig Ingram
    * Kohei Tokunaga
    * Maksym Pavlenko
    * Samuel Karp
    * ningmingxiao
    
    ### Changes
    <details><summary>19 commits</summary>
    <p>
    
      * [`cf158e884`](https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Merge commit from fork
      * [`9639b9625`](https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f) validate uid/gid
    * Prepare release notes for v1.6.38 ([#11539](https://github.com/containerd/containerd/pull/11539))
      * [`eee34bac2`](https://github.com/containerd/containerd/commit/eee34bac2c401b3e4381594e99f6220bf8258c9c) Prepare release notes for v1.6.38
    * update build to go1.23.7, test go1.24.1 ([#11421](https://github.com/containerd/containerd/pull/11421))
      * [`b67a35baf`](https://github.com/containerd/containerd/commit/b67a35baf0a97c87033f1a6c9bdf97630fe4e9e8) move exclude-dirs to issues.exclude-dirs
      * [`2104a41ef`](https://github.com/containerd/containerd/commit/2104a41efece4a12a34e03f00d780e905b95b5a5) update golangci-lint to 1.60.1
      * [`820e81adc`](https://github.com/containerd/containerd/commit/820e81adccbf3819d282a6597db98bd4df49c12c) update build to go1.23.7, test go1.24.1
    * Remove hashicorp/go-multierror dependency and fix CI ([#11500](https://github.com/containerd/containerd/pull/11500))
      * [`7cc3b3dce`](https://github.com/containerd/containerd/commit/7cc3b3dcec509f1ce2e5d52887520baa48201c54) e2e: use the shim bundled with containerd artifact
      * [`0733895f3`](https://github.com/containerd/containerd/commit/0733895f3de3df51fe4e14563ee94a98df1be8dd) Remove unnecessary joinError unwrap
      * [`054c4cc79`](https://github.com/containerd/containerd/commit/054c4cc79c929eecfb9724fd1c3e9f13a4cd5701) Remove hashicorp/go-multierror
      * [`ff21be0ee`](https://github.com/containerd/containerd/commit/ff21be0ee8b274c05a542a096c1042ef63857f09) Update go to 1.20 to use its multi error support
      * [`f63b5fd3f`](https://github.com/containerd/containerd/commit/f63b5fd3f9b4b809d94d4a3053c4d76a7753072c) update containerd/project-checks to 1.2.1
    * Fix fatal map concurrency error in httpstream ([#11319](https://github.com/containerd/containerd/pull/11319))
      * [`abd1692cf`](https://github.com/containerd/containerd/commit/abd1692cf27bcff4590207bdd8a827b06657c446) fix fatal error: concurrent map iteration and map write
    * CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11438](https://github.com/containerd/containerd/pull/11438))
      * [`f5ab73c0a`](https://github.com/containerd/containerd/commit/f5ab73c0a776ad2462198725b8d522e820dc690a) CI: arm64-8core-32gb -> ubuntu-24.04-arm
      * [`2cc6b5b0a`](https://github.com/containerd/containerd/commit/2cc6b5b0af07563d2c6a0b183a32e342b7ce86d2) increase xfs base image size to 300Mb
    </p>
    </details>
    
    ### Dependency Changes
    
    This release has no dependency changes
    
    Previous release can be found at [v1.6.37](https://github.com/containerd/containerd/releases/tag/v1.6.37)
    
  • v2.0.3
    containerd 2.0.3
    
    Welcome to the v2.0.3 release of containerd!
    
    The third patch release for containerd 2.0 includes various bug fixes and updates.
    
    ### Highlights
    
    * Update remote content to break up writes to avoid grpc message size limits ([#11457](https://github.com/containerd/containerd/pull/11457))
    * Update runc binary to v1.2.5 ([#11394](https://github.com/containerd/containerd/pull/11394))
    
    #### Container Runtime Interface (CRI)
    
    * Fix privileged container sysfs can't be rw because pod is ro by default ([#11456](https://github.com/containerd/containerd/pull/11456))
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
    
    #### Node Resource Interface (NRI)
    
    * Fix initial sync race when registering NRI plugins ([#11329](https://github.com/containerd/containerd/pull/11329))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Akihiro Suda
    * Mike Brown
    * Phil Estes
    * Akhil Mohan
    * Chifeng Cai
    * Krisztian Litkey
    * Wei Fu
    * Andrey Smirnov
    * Austin Vazquez
    * Chris Henzie
    * Jing Xu
    * Jonathan A. Sternberg
    * Jose Fernandez
    * Kirtana Ashok
    * Lei Liu
    * Maksym Pavlenko
    * Michael Zappa
    * Samuel Karp
    * fengwei0328
    * zounengren
    
    ### Changes
    <details><summary>42 commits</summary>
    <p>
    
    * Prepare release notes for v2.0.3 ([#11443](https://github.com/containerd/containerd/pull/11443))
      * [`b8dde9189`](https://github.com/containerd/containerd/commit/b8dde9189df2e62b1650fb699ea8e8f612cdfb66) Prepare release notes for v2.0.3
    * Update remote content to break up writes to avoid grpc message size limits ([#11457](https://github.com/containerd/containerd/pull/11457))
      * [`eaa7ca80d`](https://github.com/containerd/containerd/commit/eaa7ca80dcc1ea3e3dffe1382d96d77377720c30) proxy: break up writes from the remote writer to avoid grpc limits
    * Fix privileged container sysfs can't be rw because pod is ro by default ([#11456](https://github.com/containerd/containerd/pull/11456))
      * [`c7f64196f`](https://github.com/containerd/containerd/commit/c7f64196fcbc792fd9383eb9aa8d43be0f9fa748) Fix privileged container sysfs can't be rw because pod is ro by default
    * go.{mod,sum}: bump CDI deps to v.0.8.1. ([#11430](https://github.com/containerd/containerd/pull/11430))
      * [`92ae2951f`](https://github.com/containerd/containerd/commit/92ae2951ffd92e39a38aba2ab48b31a6cb49138e) Update CDI dependency to v0.8.1.
    * Prefer runtime options for PluginInfo request ([#11446](https://github.com/containerd/containerd/pull/11446))
      * [`569af34cb`](https://github.com/containerd/containerd/commit/569af34cbb761f0507546457ffe376f4454c87ea) Prefer runtime options for PluginInfo request
    * pkg: prevent oom watcher from depending on shim pkg ([#11439](https://github.com/containerd/containerd/pull/11439))
      * [`0ce93e16a`](https://github.com/containerd/containerd/commit/0ce93e16a9fd91c03a67150a6098d09f5258c300) prevent oom watcher depend on shim pkg.
    * CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#11436](https://github.com/containerd/containerd/pull/11436))
      * [`f3284aa68`](https://github.com/containerd/containerd/commit/f3284aa68f864f2303b42546b14f7af15eccd063) CI: arm64-8core-32gb -> ubuntu-24.04-arm
    * Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG" ([#11403](https://github.com/containerd/containerd/pull/11403))
      * [`b5313993c`](https://github.com/containerd/containerd/commit/b5313993c16f8ae9d4a053162a75bacced36e246) Revert "Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG"
    * move the device after the options when using mkfs.ext4 ([#11411](https://github.com/containerd/containerd/pull/11411))
      * [`f95a426b8`](https://github.com/containerd/containerd/commit/f95a426b83ec716feaab0a436d5e2280dc4e9d99) move the device after the options when using mkfs.ext4
    * update build to go1.23.6, test go1.24.0 ([#11410](https://github.com/containerd/containerd/pull/11410))
      * [`4d19a6adf`](https://github.com/containerd/containerd/commit/4d19a6adfec9440d0806a1cc4633deaef3e5d53c) update build to go1.23.6, test go1.24.0
    * build(deps): bump actions/cache from 4.1.2 to 4.2.0 ([#11405](https://github.com/containerd/containerd/pull/11405))
      * [`c738c3aab`](https://github.com/containerd/containerd/commit/c738c3aabc350ae67c5200de4c504c5038834e91) build(deps): bump actions/cache from 4.1.2 to 4.2.0
    * Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#11387](https://github.com/containerd/containerd/pull/11387))
      * [`fcf64305c`](https://github.com/containerd/containerd/commit/fcf64305cef019c8bf135d7373e2b658e02019b3) Update vendor files to fix build failure
      * [`d3437eb29`](https://github.com/containerd/containerd/commit/d3437eb2918f6e266e97c5ee08737926519dc40d) Upgrade x/net to 0.33.0
    * Update install-imgcrypt to allow change install repo ([#11357](https://github.com/containerd/containerd/pull/11357))
      * [`0785bd8cc`](https://github.com/containerd/containerd/commit/0785bd8cc6405b346a81025c983365825910e77f) Update install-imgcrypt to allow change install repo
    * Update runc binary to v1.2.5 ([#11394](https://github.com/containerd/containerd/pull/11394))
      * [`697c59c63`](https://github.com/containerd/containerd/commit/697c59c63568a8d722e958e68ef52bbb25160b63) Update runc binary to v1.2.5
    * Update go-cni version to fix Race Condition issue ([#11269](https://github.com/containerd/containerd/pull/11269))
      * [`06891f899`](https://github.com/containerd/containerd/commit/06891f899d25de9dd1cb5e5443ec099e17a57e00) fix go-cni race condition
    * Fix initial sync race when registering NRI plugins ([#11329](https://github.com/containerd/containerd/pull/11329))
      * [`79cdbf61b`](https://github.com/containerd/containerd/commit/79cdbf61b6f7e4be2feb1bb2d631bdb1b9c5cd7f) cri,nri: block NRI plugin sync. during event processing.
    * Update github.com/containerd/imgcrypt to v2.0.0 ([#11325](https://github.com/containerd/containerd/pull/11325))
      * [`9d5cfce83`](https://github.com/containerd/containerd/commit/9d5cfce833cf7dc98319390ce002bd4f6a20d423) Update github.com/containerd/imgcrypt to v2.0.0
    * Move CDI device spec out of the OCI package ([#11265](https://github.com/containerd/containerd/pull/11265))
      * [`f58939c33`](https://github.com/containerd/containerd/commit/f58939c33d5777c3c813927831bc260cd94baf57) Remove deprecated WithCDIDevices in oci spec opts
      * [`3d53430fe`](https://github.com/containerd/containerd/commit/3d53430fe14eb76849a6c997d60b21a9f95c19ed) Move CDI device spec out of the OCI package
    * update to go1.23.5 / go1.22.11 ([#11297](https://github.com/containerd/containerd/pull/11297))
      * [`1f4e5688e`](https://github.com/containerd/containerd/commit/1f4e5688efd71cb9db26158ed697d27ba26dd6b3) update to go1.23.5 / go1.22.11
    * build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 ([#11263](https://github.com/containerd/containerd/pull/11263))
      * [`3a6ab80d0`](https://github.com/containerd/containerd/commit/3a6ab80d0176e205bd9f6a958450f9dce4415091) build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2
    </p>
    </details>
    
    ### Changes from containerd/go-cni
    <details><summary>2 commits</summary>
    <p>
    
    * Fix recursive RLock() mutex acquisition ([containerd/go-cni#126](https://github.com/containerd/go-cni/pull/126))
      * [`75a2440`](https://github.com/containerd/go-cni/commit/75a24409e8193fc64b0e9ed777ff884c338a21ca) fix: recursive RLock() mutex acquisition
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/containerd/go-cni**             v1.1.11 -> v1.1.12
    * **github.com/containerd/imgcrypt/v2**        v2.0.0-rc.1 -> v2.0.0
    * **github.com/containers/ocicrypt**           v1.2.0 -> v1.2.1
    * **github.com/petermattis/goid**              4fcff4a6cae7 **_new_**
    * **github.com/sasha-s/go-deadlock**           v0.3.5 **_new_**
    * **github.com/smallstep/pkcs7**               v0.1.1 **_new_**
    * **golang.org/x/crypto**                      v0.28.0 -> v0.31.0
    * **golang.org/x/net**                         v0.30.0 -> v0.33.0
    * **golang.org/x/oauth2**                      v0.22.0 -> v0.23.0
    * **golang.org/x/sync**                        v0.8.0 -> v0.10.0
    * **golang.org/x/sys**                         v0.26.0 -> v0.28.0
    * **golang.org/x/term**                        v0.25.0 -> v0.27.0
    * **golang.org/x/text**                        v0.19.0 -> v0.21.0
    * **google.golang.org/grpc**                   v1.67.1 -> v1.68.1
    * **google.golang.org/protobuf**               v1.35.1 -> v1.35.2
    * **tags.cncf.io/container-device-interface**  v0.8.0 -> v0.8.1
    
    Previous release can be found at [v2.0.2](https://github.com/containerd/containerd/releases/tag/v2.0.2)

    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
  • v1.7.26
    containerd 1.7.26
    
    Welcome to the v1.7.26 release of containerd!
    
    The twenty-sixth patch release for containerd 1.7 contains various fixes
    and updates.
    
    ### Highlights
    
    * Add support for syncfs after unpack ([#11267](https://github.com/containerd/containerd/pull/11267))
    * Update runc binary to v1.2.5 ([#11395](https://github.com/containerd/containerd/pull/11395))
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
    * Reject oversized messages from the sender ([containerd/ttrpc#171](https://github.com/containerd/ttrpc/pull/171))
    
    #### Container Runtime Interface (CRI)
    
    * Fix fatal concurrency error in port forwarding ([#11306](https://github.com/containerd/containerd/pull/11306))
    
    #### Node Resource Interface (NRI)
    
    * Fix initial sync race when registering NRI plugins ([#11326](https://github.com/containerd/containerd/pull/11326))
    * Add API support for reading Pod IPs ([containerd/nri#119](https://github.com/containerd/nri/pull/119))
    * Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://github.com/containerd/nri/pull/111))
    * Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://github.com/containerd/nri/pull/109))
    * Fix mount removal in adjustments ([containerd/nri#107](https://github.com/containerd/nri/pull/107))
    * Close plugin if initial synchronization fails ([containerd/nri#103](https://github.com/containerd/nri/pull/103))
    * Add support for adjusting OOM score ([containerd/nri#94](https://github.com/containerd/nri/pull/94))
    * Add API support for NRI-native CDI injection ([containerd/nri#98](https://github.com/containerd/nri/pull/98))
    * Add support for pids cgroup ([containerd/nri#76](https://github.com/containerd/nri/pull/76))
    
    #### Runtime
    
    * Fix console TTY leak in runc shim ([#11250](https://github.com/containerd/containerd/pull/11250))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Krisztian Litkey
    * Mike Brown
    * Samuel Karp
    * Wei Fu
    * Phil Estes
    * Derek McGowan
    * Iceber Gu
    * Akhil Mohan
    * Antonio Ojea
    * Austin Vazquez
    * Henry Wang
    * Jin Dong
    * Xiaojin Zhang
    * ningmingxiao
    * AbdelrahmanElawady
    * Akihiro Suda
    * Antti Kervinen
    * Jing Xu
    * Jitang Lei
    * Justin Alvarez
    * Lei Liu
    * Maksym Pavlenko
    * Yang Yang
    * Yuhang Wei
    * cormick
    * jingtao.liang
    
    ### Changes
    <details><summary>24 commits</summary>
    <p>
    
    * Prepare release notes for v1.7.26 ([#11356](https://github.com/containerd/containerd/pull/11356))
      * [`ceba197f5`](https://github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26
    * Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#11434](https://github.com/containerd/containerd/pull/11434))
      * [`3486bc8dd`](https://github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0
    * update build to go1.23.6, test go1.24.0 ([#11419](https://github.com/containerd/containerd/pull/11419))
      * [`9025d3075`](https://github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0
    * Update install-imgcrypt to allow change install repo ([#11358](https://github.com/containerd/containerd/pull/11358))
      * [`83eaab482`](https://github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo
    * Add support for syncfs after unpack ([#11267](https://github.com/containerd/containerd/pull/11267))
      * [`8bc21cba7`](https://github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin
    * Update runc binary to v1.2.5 ([#11395](https://github.com/containerd/containerd/pull/11395))
      * [`27c472acf`](https://github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5
    * Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#11400](https://github.com/containerd/containerd/pull/11400))
      * [`8d8034b66`](https://github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs
    * Fix initial sync race when registering NRI plugins ([#11326](https://github.com/containerd/containerd/pull/11326))
      * [`11af05177`](https://github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing.
      * [`d4036cd3d`](https://github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
    * Fix console TTY leak in runc shim ([#11250](https://github.com/containerd/containerd/pull/11250))
      * [`c3e24e024`](https://github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak
      * [`4e45a463d`](https://github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object
    * Fix fatal concurrency error in port forwarding ([#11306](https://github.com/containerd/containerd/pull/11306))
      * [`0fe9f0b52`](https://github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write
    * update build to go1.22.11, test go1.23.5 ([#11298](https://github.com/containerd/containerd/pull/11298))
      * [`441b92636`](https://github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5
    </p>
    </details>
    
    ### Changes from containerd/nri
    <details><summary>77 commits</summary>
    <p>
    
    * Add API support for reading Pod IPs ([containerd/nri#119](https://github.com/containerd/nri/pull/119))
      * [`eaf78a9`](https://github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs
    * generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://github.com/containerd/nri/pull/116))
      * [`07bfc18`](https://github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj
      * [`b5fc359`](https://github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment
    * device-injector: remove unreachable code. ([containerd/nri#115](https://github.com/containerd/nri/pull/115))
      * [`235aa11`](https://github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files
    * Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://github.com/containerd/nri/pull/111))
      * [`159f575`](https://github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message.
      * [`bf267e3`](https://github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages.
      * [`ed78ae9`](https://github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary.
      * [`6fd59d6`](https://github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages.
      * [`a7fcccc`](https://github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages.
      * [`5fe9b06`](https://github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size.
      * [`693d64e`](https://github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps.
    * Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://github.com/containerd/nri/pull/109))
      * [`320e4e7`](https://github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts.
      * [`f86d982`](https://github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts.
      * [`cfcd2af`](https://github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target.
      * [`8cd9504`](https://github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite.
      * [`966ac92`](https://github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks.
    * ci: verify that code generation works and results match ([containerd/nri#113](https://github.com/containerd/nri/pull/113))
      * [`f74ce31`](https://github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo
    * deps: bump ginkgo to v2.19.1, golang to v1.21.x. ([containerd/nri#110](https://github.com/containerd/nri/pull/110))
      * [`e4d5c36`](https://github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x.
      * [`6578149`](https://github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21.
      * [`442e812`](https://github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1.
    * sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://github.com/containerd/nri/pull/43))
      * [`eada085`](https://github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully
      * [`b881bc4`](https://github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins
    * Fix mount removal in adjustments ([containerd/nri#107](https://github.com/containerd/nri/pull/107))
      * [`3880f1d`](https://github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal.
      * [`0d3b376`](https://github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments.
    * codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://github.com/containerd/nri/pull/105))
      * [`df84c47`](https://github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow.
      * [`a03dc93`](https://github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling.
    * Close plugin if initial synchronization fails ([containerd/nri#103](https://github.com/containerd/nri/pull/103))
      * [`4aec208`](https://github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized.
      * [`4e60cd0`](https://github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails.
    * Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://github.com/containerd/nri/pull/104))
      * [`1cc026f`](https://github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto
    * Add support for adjusting OOM score ([containerd/nri#94](https://github.com/containerd/nri/pull/94))
      * [`efcb2da`](https://github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom_score_adj
    * Add API support for NRI-native CDI injection ([containerd/nri#98](https://github.com/containerd/nri/pull/98))
      * [`8783973`](https://github.com/containerd/nri/commit/87839736588c90995cd7d8a19beb47076efd3319) device-injector: clarify precedence of annotations.
      * [`4eb7075`](https://github.com/containerd/nri/commit/4eb70757f7095a9928d6a34a9e8f28eaac066a42) pkg/adaptation: fix grammatical mistakes in comments.
      * [`4bd8da8`](https://github.com/containerd/nri/commit/4bd8da8cf7128f9ac88ebed28f2e3afd73d0fab1) device-injector: add support for CDI injection.
      * [`44773bd`](https://github.com/containerd/nri/commit/44773bdd8b2fc5ed0e193975f54cfdf7153f708c) runtime-tools/generate: add support CDI injection.
      * [`65282fe`](https://github.com/containerd/nri/commit/65282fe079414600930b9fa084a46fb0bd0e0c8b) adaptation: add CDI device injection unit test.
      * [`01f3b7a`](https://github.com/containerd/nri/commit/01f3b7a6681de5961920091f88e71335778ecc21) adaptation: add support for native CDI injection.
      * [`f1aa58f`](https://github.com/containerd/nri/commit/f1aa58f8157aacbdda3826316c77e4e96914235a) api: add support for native CDI device injection.
    * types: Fix a typo ([containerd/nri#101](https://github.com/containerd/nri/pull/101))
      * [`8434439`](https://github.com/containerd/nri/commit/8434439b76e0b4c8dad1c5e2b1fadc4bbfea4b1a) types: Fix a typo
    * Add support for pids cgroup ([containerd/nri#76](https://github.com/containerd/nri/pull/76))
      * [`1719502`](https://github.com/containerd/nri/commit/1719502ed2a62bb99e561f759278f3e6628ae191) support pids cgroup
    * stub: support restart after stub stopped ([containerd/nri#91](https://github.com/containerd/nri/pull/91))
      * [`242661f`](https://github.com/containerd/nri/commit/242661fd7ab841358dc0cc53b8fe34dd7878b6c8) stub: support re-start after stub stopped
    * stop closed plugins that will be removed ([containerd/nri#89](https://github.com/containerd/nri/pull/89))
      * [`ba398fa`](https://github.com/containerd/nri/commit/ba398fa866f5f8a2d51e92eedcde2ea6aacce2b1) stop closed plugins that will be removed
    * plugins/device-injector: fix a small typo in README.md. ([containerd/nri#97](https://github.com/containerd/nri/pull/97))
      * [`f96a550`](https://github.com/containerd/nri/commit/f96a550770396c0e83763d2ff1a48c74facbbff7) device-injector: small grammar fix in README.md.
    * plugins/template: fix a typo in a comment. ([containerd/nri#96](https://github.com/containerd/nri/pull/96))
      * [`5680921`](https://github.com/containerd/nri/commit/5680921a7acdd967fc72317b63380b278c3a447c) plugins/template: fix typo in a comment.
    * go.{mod,sum}, .github: bump minimum golang version to 1.20. ([containerd/nri#88](https://github.com/containerd/nri/pull/88))
      * [`2c3608d`](https://github.com/containerd/nri/commit/2c3608db37a03ff3d7b02fc86d2a763976a830ea) .golangci.yml: silence dot-import errors for tests.
      * [`8f56974`](https://github.com/containerd/nri/commit/8f56974eb755a4a09d1013a82f30d9593fc50b9a) pkg/{adaptation,api,net,stub}: fix linter errors.
      * [`e863892`](https://github.com/containerd/nri/commit/e863892df021fc7ac5f5d9302132fb4a82c54394) .github: bump golangci-lint to v1.58.0.
      * [`674cb41`](https://github.com/containerd/nri/commit/674cb4149fc21a25e35e82b3b7baec2c9ac4404a) .github: bump setup-go to v5.
      * [`9106283`](https://github.com/containerd/nri/commit/9106283b2ebbad9f0c3374113a2b93c1cd0ab304) .github: test with golang 1.20.x, 1.21.x, 1.22.3 in CI.
      * [`a9778ad`](https://github.com/containerd/nri/commit/a9778ad8bf138b27289e2d12d84b81420f6709b2) plugins: bump golang version to 1.20.
      * [`8e86065`](https://github.com/containerd/nri/commit/8e860654df09f8aebac99b6738c2cbffefd8f8b8) go.{mod.sum}: bump golang version to 1.20.
    * network device injector plugin ([containerd/nri#82](https://github.com/containerd/nri/pull/82))
      * [`ff774e6`](https://github.com/containerd/nri/commit/ff774e6e62a652d4473e2398110ff796aa1e420b) network device injector plugin
    * Modify hook-injector plugin to monitor directories to match cri-o ([containerd/nri#84](https://github.com/containerd/nri/pull/84))
      * [`06841c2`](https://github.com/containerd/nri/commit/06841c28928f8f0c21ddb7511cb2b464f8c08139) Modify hook-injector plugin to monitor directories to match cri-o
    * docs: fix broken link to sample plugins in README.md ([containerd/nri#81](https://github.com/containerd/nri/pull/81))
      * [`2791e93`](https://github.com/containerd/nri/commit/2791e932d71d3bff0bed040a17b5d4f9afc549be) docs: fix broken link to sample plugins in README.md
    </p>
    </details>
    
    ### Changes from containerd/ttrpc
    <details><summary>11 commits</summary>
    <p>
    
    * Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
      * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
    * Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
      * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
      * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
    * Reject oversized messages from the sender ([containerd/ttrpc#171](https://github.com/containerd/ttrpc/pull/171))
      * [`b5cd6e4`](https://github.com/containerd/ttrpc/commit/b5cd6e4b32878158dc44b7854a7d14b454f75daf) channel: allow discovery of overflown message size.
      * [`d8c00df`](https://github.com/containerd/ttrpc/commit/d8c00dfec306c305efef44aa526f2acf8ebd165b) channel_test: update oversize message test.
      * [`de273bf`](https://github.com/containerd/ttrpc/commit/de273bf7511de4710934b92415a00d471a6118cb) channel: reject oversized messages on the sender side.
    * server_test: fix error message in TestOversizeCall. ([containerd/ttrpc#170](https://github.com/containerd/ttrpc/pull/170))
      * [`84e1784`](https://github.com/containerd/ttrpc/commit/84e1784f340651f94891fbd091cbb3d5bfdf9e62) server_test: fix error message in TestOversizeCall.
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/containerd/nri**    v0.6.1 -> v0.8.0
    * **github.com/containerd/ttrpc**  v1.2.5 -> v1.2.7
    * **github.com/go-logr/logr**      v1.3.0 -> v1.4.2
    * **golang.org/x/net**             v0.25.0 -> v0.33.0
    
    Previous release can be found at [v1.7.25](https://github.com/containerd/containerd/releases/tag/v1.7.25)
    
    
  • v1.6.37
    containerd 1.6.37
    
    Welcome to the v1.6.37 release of containerd!
    
    The thirty-seventh patch release for containerd 1.6 contains various fixes
    and updates.
    
    ### Highlights
    
    * Update runc binary to v1.2.5 ([#11396](https://github.com/containerd/containerd/pull/11396))
    * Fix the race condition during GC of snapshots when client retries ([#10764](https://github.com/containerd/containerd/pull/10764))
    
    #### Container Runtime Interface (CRI)
    
    * Update the container exit log to info level ([#11008](https://github.com/containerd/containerd/pull/11008))
    * Handle teardown failure to avoid blocking cleanup ([#10778](https://github.com/containerd/containerd/pull/10778))
    * Add check for CNI plugins before tearing down pod network ([#10766](https://github.com/containerd/containerd/pull/10766))
    
    #### Runtime
    
    * Fix console TTY leak in runc shim ([#11359](https://github.com/containerd/containerd/pull/11359))
    * Fix panic due to nil dereference cgroups v2 ([#11100](https://github.com/containerd/containerd/pull/11100))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Phil Estes
    * Akihiro Suda
    * Maksym Pavlenko
    * Akhil Mohan
    * Austin Vazquez
    * Derek McGowan
    * Samuel Karp
    * Henry Wang
    * Jin Dong
    * Jing Xu
    * Sebastiaan van Stijn
    * Wei Fu
    * Benjamin Peterson
    * Kazuyoshi Kato
    * Saket Jajoo
    * Sameer
    * Zou Nengren
    * bo.jiang
    * jinda.ljd
    * ningmingxiao
    
    ### Changes
    <details><summary>59 commits</summary>
    <p>
    
    * Prepare release notes for v1.6.37 ([#11429](https://github.com/containerd/containerd/pull/11429))
      * [`16ba72ad9`](https://github.com/containerd/containerd/commit/16ba72ad97f44da68569409bacea2b63bf04b314) Prepare release notes for v1.6.37
    * Fix console TTY leak in runc shim ([#11359](https://github.com/containerd/containerd/pull/11359))
      * [`3e6f219d7`](https://github.com/containerd/containerd/commit/3e6f219d7337db04b9d471c0d3dea22abf083748) Add integ test to check tty leak
      * [`bc20f7457`](https://github.com/containerd/containerd/commit/bc20f74574b55fc6f7540e7ddcf491fa65ac4e0b) fix master tty leak due to leaking init container object
    * Update install-imgcrypt to allow change install repo ([#11418](https://github.com/containerd/containerd/pull/11418))
      * [`cbd44298c`](https://github.com/containerd/containerd/commit/cbd44298c1a92ffb31a238a52cc732c408ddd5d5) Update install-imgcrypt to allow change install repo
    * Update runc binary to v1.2.5 ([#11396](https://github.com/containerd/containerd/pull/11396))
      * [`9918dc4e3`](https://github.com/containerd/containerd/commit/9918dc4e3a726c3c006f0d6a1bfb037de3176d70) Update runc binary to v1.2.5
    * Update vagrant host OS to fix Vagrant CI runs ([#11348](https://github.com/containerd/containerd/pull/11348))
      * [`d92457c71`](https://github.com/containerd/containerd/commit/d92457c71d825faf02ca0c0f58e5971bbd215c82) Remove vagrant scp from the install list
    * update runc binary to v1.2.4 ([#11237](https://github.com/containerd/containerd/pull/11237))
      * [`315a23dd9`](https://github.com/containerd/containerd/commit/315a23dd975e3aab1db5391c557ad1415b605220) update runc binary to v1.2.4
    * update runc binary to v1.2.3 ([#11144](https://github.com/containerd/containerd/pull/11144))
      * [`79f6df6f4`](https://github.com/containerd/containerd/commit/79f6df6f4ff0c547aaffd51eb693d57679336f66) update runc binary to v1.2.3
    * update build to go1.22.10, test go1.23.4 ([#11112](https://github.com/containerd/containerd/pull/11112))
      * [`bf89950f5`](https://github.com/containerd/containerd/commit/bf89950f5fde4d5b22ad50357ba24255b6b47f8b) update build to go1.22.10, test go1.23.4
    * Fix panic due to nil dereference cgroups v2 ([#11100](https://github.com/containerd/containerd/pull/11100))
      * [`db096794f`](https://github.com/containerd/containerd/commit/db096794f71ee9729c4cd1fce999c43a25e8e1e3) fix panic due to nil dereference cgroups v2
    * Add almalinux/9 in CI ([#11055](https://github.com/containerd/containerd/pull/11055))
      * [`3a0f138b0`](https://github.com/containerd/containerd/commit/3a0f138b044a218c1e1dcdccdc83b275a7951be9) add almalinux/9 in CI
    * Update the container exit log to info level ([#11008](https://github.com/containerd/containerd/pull/11008))
      * [`aca1ca440`](https://github.com/containerd/containerd/commit/aca1ca44060500f76804b6378d28a9ba4a648a34) add info of exited event
    * update runc binary to 1.2.2 ([#11028](https://github.com/containerd/containerd/pull/11028))
      * [`4eaef56a2`](https://github.com/containerd/containerd/commit/4eaef56a21b12ac7a51daddc1957957fea21c886) update runc binary to 1.2.2
    * Revert "Disable vagrant strict dependency checking" ([#11010](https://github.com/containerd/containerd/pull/11010))
      * [`f42035a21`](https://github.com/containerd/containerd/commit/f42035a21318848e7efed49ab227ea8f6b83e8bc) Revert "Disable vagrant strict dependency checking"
    * update build to go1.22.9, test go1.23.3 ([#10975](https://github.com/containerd/containerd/pull/10975))
      * [`20958cbb0`](https://github.com/containerd/containerd/commit/20958cbb0fb6237549dff06c1485527d8ef9ea8d) update build to go1.22.9, test go1.23.3
    * backport: Disable vagrant strict dependency checking ([#10966](https://github.com/containerd/containerd/pull/10966))
      * [`edb3df5ab`](https://github.com/containerd/containerd/commit/edb3df5ab099bf97fafc3880e207003c072c86f4) Disable vagrant strict dependency checking
    * Update critools-version to 1.29 ([#10929](https://github.com/containerd/containerd/pull/10929))
      * [`9eca374a4`](https://github.com/containerd/containerd/commit/9eca374a407732487338b672c726ffdfe779c65a) Update critools-version to 1.29 in release 1.6
    * update runc binary to 1.2.1 ([#10941](https://github.com/containerd/containerd/pull/10941))
      * [`6134f736d`](https://github.com/containerd/containerd/commit/6134f736d43ecd997fa4646f3d91f1a40481ad06) update runc binary to 1.2.1
    * services/snapshots: include name of snapshotter in debug logs ([#10932](https://github.com/containerd/containerd/pull/10932))
      * [`4e54972f0`](https://github.com/containerd/containerd/commit/4e54972f085e61fc04575f1fd44cad79b033cb27) services/snapshots: include name of snapshotter in debug logs
    * Make TestContainerPids more resilient ([#10937](https://github.com/containerd/containerd/pull/10937))
      * [`d7c7a12f3`](https://github.com/containerd/containerd/commit/d7c7a12f36c7f4f89b0f87162e481088c865a267) Make TestContainerPids more resilient
    * Add After=dbus.service to containerd.service ([#10860](https://github.com/containerd/containerd/pull/10860))
      * [`e6d8e5e9c`](https://github.com/containerd/containerd/commit/e6d8e5e9c7625ea07dc50025d673004c6d2ee80e) Add After=dbus.service to containerd.service
    * Handle teardown failure to avoid blocking cleanup ([#10778](https://github.com/containerd/containerd/pull/10778))
      * [`b1f8b03e7`](https://github.com/containerd/containerd/commit/b1f8b03e7bc9a6e59e0de3cf54fd0d814e5ef79a) Handle teardown failure to avoid blocking cleanup
    * Switch from actuated.dev to GH Action runners for arm64 ([#10823](https://github.com/containerd/containerd/pull/10823))
      * [`ba411483a`](https://github.com/containerd/containerd/commit/ba411483a4b523824f9273781a1ad5a84e72ffcc) Switch from actuated.dev to GH Action runners for arm64
      * [`8c58f78c2`](https://github.com/containerd/containerd/commit/8c58f78c2088fe473aa03f184a8a2907e4a44840) Update github actions ci to run on forks
    * bump golangci/golangci-lint-action from 4 to 6 ([#10819](https://github.com/containerd/containerd/pull/10819))
      * [`e4211a530`](https://github.com/containerd/containerd/commit/e4211a530c48c08847f75cd84082c738a5879173) bump golangci/golangci-lint-action from 4 to 6
    * update to go1.23.2,go1.22.8 ([#10809](https://github.com/containerd/containerd/pull/10809))
      * [`1ca261fe4`](https://github.com/containerd/containerd/commit/1ca261fe466739e27d737d23533c3ae67239eed3) update to go1.23.2,go1.22.8
    * Update runner images to macOS13 ([#10784](https://github.com/containerd/containerd/pull/10784))
      * [`1c96f2391`](https://github.com/containerd/containerd/commit/1c96f23918b6d1f76edf0adae94eba1f5a54e19f) Update runner images to macOS13
    * Bump crun to 1.16.1 ([#10775](https://github.com/containerd/containerd/pull/10775))
      * [`1ba7381cf`](https://github.com/containerd/containerd/commit/1ba7381cfd7759e27935cc6a03b28985db0f5e3a) Bump crun to 1.16
      * [`afc84d092`](https://github.com/containerd/containerd/commit/afc84d09269254c162c65fdf7cb5b042ec25f610) CI: bump up crun to 1.15
    * Fix the race condition during GC of snapshots when client retries ([#10764](https://github.com/containerd/containerd/pull/10764))
      * [`74951d6cf`](https://github.com/containerd/containerd/commit/74951d6cf22eb1f21522229cd8e22b9c4480923d) Fix the race condition during GC of snapshots when client retries
    * Add check for CNI plugins before tearing down pod network ([#10766](https://github.com/containerd/containerd/pull/10766))
      * [`ca6516ee8`](https://github.com/containerd/containerd/commit/ca6516ee85cd1f8765b10127c5694bb3fae1dab2) [release/1.6] Add check for CNI plugins before tearing down pod network
    </p>
    </details>
    
    ### Dependency Changes
    
    This release has no dependency changes
    
    Previous release can be found at [v1.6.36](https://github.com/containerd/containerd/releases/tag/v1.6.36)
    
  • v2.0.2
    containerd 2.0.2
    
    Welcome to the v2.0.2 release of containerd!
    
    The second patch release for containerd 2.0 includes a number of bug fixes and improvements.
    
    ### Highlights
    
    #### Container Runtime Interface (CRI)
    
    * Remove confusing warning in cri runtime config migration ([#11256](https://github.com/containerd/containerd/pull/11256))
    * Fix runtime platform loading in cri image plugin init ([#11248](https://github.com/containerd/containerd/pull/11248))
    
    #### Runtime
    
    * Update runc binary to v1.2.4 ([#11239](https://github.com/containerd/containerd/pull/11239))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Jin Dong
    * Derek McGowan
    * Akihiro Suda
    * Kazuyoshi Kato
    * Henry Wang
    * Krisztian Litkey
    * Phil Estes
    * Samuel Karp
    * Sebastiaan van Stijn
    * Akhil Mohan
    * Brian Goff
    * Chongyi Zheng
    * Maksym Pavlenko
    * Mike Brown
    * Pierre Gimalac
    * Wei Fu
    
    ### Changes
    <details><summary>23 commits</summary>
    <p>
    
    * Prepare release notes for v2.0.2 ([#11245](https://github.com/containerd/containerd/pull/11245))
      * [`cdaf4dfb4`](https://github.com/containerd/containerd/commit/cdaf4dfb4de6b288314cf43d1571c3c6b05e8b27) Prepare release notes for v2.0.2
    * Update platforms to latest rc ([#11259](https://github.com/containerd/containerd/pull/11259))
      * [`eb125e1dd`](https://github.com/containerd/containerd/commit/eb125e1dd3ddc427fb314640aabe6eb88c8bbd3b) Update platforms to latest rc
    * Remove confusing warning in cri runtime config migration ([#11256](https://github.com/containerd/containerd/pull/11256))
      * [`468079c5c`](https://github.com/containerd/containerd/commit/468079c5c4a8c36be6f8005112bf2f0cd69984c4) Remove confusing warning in cri runtime config migration
    * Fix runtime platform loading in cri image plugin init ([#11248](https://github.com/containerd/containerd/pull/11248))
      * [`a2d9d4fd5`](https://github.com/containerd/containerd/commit/a2d9d4fd556970c39d1fe80d94a77a1aa025c032) Fix runtime platform loading in cri image plugin init
    * make sure console master tty is closed on task exit ([#11246](https://github.com/containerd/containerd/pull/11246))
      * [`184ffad01`](https://github.com/containerd/containerd/commit/184ffad01ff70e513f969a392de03b6d18b5e31e) Add integ test to check tty leak
      * [`17181ed33`](https://github.com/containerd/containerd/commit/17181ed33e018a629deeb08889bef4cc3412c64e) fix master tty leak due to leaking init container object
    * Bump up otelttrpc to 0.1.0 ([#11242](https://github.com/containerd/containerd/pull/11242))
      * [`8666e7422`](https://github.com/containerd/containerd/commit/8666e742255ac0d4e8047538aa69912689722861) Bump up otelttrpc to 0.1.0
    * ctr: `ctr images import --all-platforms`: fix unpack ([#11236](https://github.com/containerd/containerd/pull/11236))
      * [`c4270430d`](https://github.com/containerd/containerd/commit/c4270430db0f7e27a4c03b60822c7e14d210ae46) ctr: `ctr images import --all-platforms`: fix unpack
    * Update runc binary to v1.2.4 ([#11239](https://github.com/containerd/containerd/pull/11239))
      * [`7373ddd70`](https://github.com/containerd/containerd/commit/7373ddd70bed3958aecd99e9b76d431c890beaa4) update runc binary to v1.2.4
    * downgrade go-difflib and go-spew to tagged releases ([#11222](https://github.com/containerd/containerd/pull/11222))
      * [`f34147772`](https://github.com/containerd/containerd/commit/f34147772bb97ef3220c85730b6139bfbf369095) downgrade go-difflib and go-spew to tagged releases
    * Add a build tag to disable std `plugin` import ([#11213](https://github.com/containerd/containerd/pull/11213))
      * [`dca769485`](https://github.com/containerd/containerd/commit/dca769485cc524f86984631e15477f07bbf545c4) chore: add a build tag to disable containerd plugin import
    * Update golangci to 1.60.3 ([#11187](https://github.com/containerd/containerd/pull/11187))
      * [`5942b3fcb`](https://github.com/containerd/containerd/commit/5942b3fcbacf02e3aeafd0cc1070ee1888aadd31) Update golangci to 1.60.3
    </p>
    </details>
    
    ### Changes from containerd/otelttrpc
    <details><summary>6 commits</summary>
    <p>
    
    * Add dependabot and upgrade golang and dependency versions ([containerd/otelttrpc#3](https://github.com/containerd/otelttrpc/pull/3))
      * [`2d46141`](https://github.com/containerd/otelttrpc/commit/2d46141c9f9842bc8e2563ae884b963e34ea175f) upgrade golang, deps, CI versions
      * [`64922e7`](https://github.com/containerd/otelttrpc/commit/64922e78c69b7bdecf065f039a5ead4d64e567e0) Add dependabot CI
    * Fix concurrent map panic on metadata ([containerd/otelttrpc#2](https://github.com/containerd/otelttrpc/pull/2))
      * [`2ba3be1`](https://github.com/containerd/otelttrpc/commit/2ba3be1e39398b8d2544f5ea962edc1e2f906d32) Fix concurrent map panic on inject metadata
      * [`f50a922`](https://github.com/containerd/otelttrpc/commit/f50a9220fc748442b274390c45773191367262ec) UT for concurrent inject/extract metadata
    </p>
    </details>
    
    ### Changes from containerd/platforms
    <details><summary>6 commits</summary>
    <p>
    
    * Move windows matcher logic so all platforms can use ([containerd/platforms#22](https://github.com/containerd/platforms/pull/22))
      * [`7c58292`](https://github.com/containerd/platforms/commit/7c5829273cd83c987784fd7ef5487485e0d2fee0) Move windows matcher logic so all platforms can use
    * replace testify with stdlib in tests ([containerd/platforms#21](https://github.com/containerd/platforms/pull/21))
      * [`86a86b7`](https://github.com/containerd/platforms/commit/86a86b73a6e01f92aecad823e0f516f6198f3e2c) replace testify with stdlib in tests
    * Replace arm64 minor variant logic with lookup table ([containerd/platforms#18](https://github.com/containerd/platforms/pull/18))
      * [`364665a`](https://github.com/containerd/platforms/commit/364665a87c183d5b5eb45fc0e9b86e99013a621a) Replace arm64 minor variant logic with lookup table
    </p>
    </details>
    
    ### Changes from containerd/ttrpc
    <details><summary>5 commits</summary>
    <p>
    
    * Add MD.Clone function ([containerd/ttrpc#177](https://github.com/containerd/ttrpc/pull/177))
      * [`430f734`](https://github.com/containerd/ttrpc/commit/430f7347915993a5543bfb00858ac337274528ba) Add MD.Clone
    * server: fix a Serve() vs. (immediate) Shutdown() race ([containerd/ttrpc#175](https://github.com/containerd/ttrpc/pull/175))
      * [`c4d96d5`](https://github.com/containerd/ttrpc/commit/c4d96d55ad9c4f4cf6036c70a5b18ba80655d648) server: fix Serve() vs. immediate Shutdown() race.
      * [`ed6c3ba`](https://github.com/containerd/ttrpc/commit/ed6c3ba082bdbc82284c198d93ca5f07ad9900dd) server_test: add Serve()/Shutdown() race test.
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/containerd/otelttrpc**  ea5083fda723 -> v0.1.0
    * **github.com/containerd/platforms**  v1.0.0-rc.0 -> v1.0.0-rc.1
    * **github.com/containerd/ttrpc**      v1.2.6 -> v1.2.7
    * **github.com/davecgh/go-spew**       d8f796af33cc -> v1.1.1
    * **github.com/pmezard/go-difflib**    5d4384ee4fb2 -> v1.0.0
    * **github.com/stretchr/testify**      v1.9.0 -> v1.10.0
    
    Previous release can be found at [v2.0.1](https://github.com/containerd/containerd/releases/tag/v2.0.1)
    
    ### Which file should I download?
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.
    
  • v1.7.25
    containerd 1.7.25
    
    Welcome to the v1.7.25 release of containerd!
    
    The twenty-fifth patch release for containerd 1.7 contains various fixes
    and updates.
    
    ### Highlights
    
    * Update runc binary to v1.2.4 ([#11238](https://github.com/containerd/containerd/pull/11238))
    * Fix proto conflicts and update to 1.8 API ([#11184](https://github.com/containerd/containerd/pull/11184))
    
    #### Container Runtime Interface (CRI)
    
    * Fix `ip_pref` configuration option ([#11223](https://github.com/containerd/containerd/pull/11223))
    
    #### Runtime
    
    * Fix panic due to nil dereference cgroups v2 ([#11099](https://github.com/containerd/containerd/pull/11099))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Akihiro Suda
    * Derek McGowan
    * Sebastiaan van Stijn
    * Wei Fu
    * Maksym Pavlenko
    * Akhil Mohan
    * Henry Wang
    * Jin Dong
    * Phil Estes
    * Sam Edwards
    * Samuel Karp
    * Brian Goff
    * David Son
    * Kohei Tokunaga
    * Pierre Gimalac
    * Yang Yang
    * bo.jiang
    
    ### Changes
    <details><summary>32 commits</summary>
    <p>
    
    * Prepare release notes for v1.7.25 ([#11243](https://github.com/containerd/containerd/pull/11243))
      * [`bda53fc60`](https://github.com/containerd/containerd/commit/bda53fc604cbba571db1daca3827b82dde72a0b8) Prepare release notes for v1.7.25
    * Update runc binary to v1.2.4 ([#11238](https://github.com/containerd/containerd/pull/11238))
      * [`d4a649130`](https://github.com/containerd/containerd/commit/d4a649130e65a95808cd6a9dfa3a4128c03f4c98) update runc binary to v1.2.4
    * Reduce shim plugin log level ([#11224](https://github.com/containerd/containerd/pull/11224))
      * [`99c973791`](https://github.com/containerd/containerd/commit/99c97379135b175862e594d32b421d24655b6920) runtime/v2: reduce shim plugin log
    * Fix `ip_pref` configuration option ([#11223](https://github.com/containerd/containerd/pull/11223))
      * [`0cfc1edf3`](https://github.com/containerd/containerd/commit/0cfc1edf34648807bd02caf1835fe2c6fddf46fa) Fix "even if IPv4 comes first" test to have IPv4 first
      * [`53d1fd0d9`](https://github.com/containerd/containerd/commit/53d1fd0d96c2c1f3c4997c2fb376203f6491c7d9) Don't use `To16() != nil` to detect IPv6 addresses
    * Add a build tag to disable std `plugin` import (#11202) ([#11203](https://github.com/containerd/containerd/pull/11203))
      * [`2b12ef2f4`](https://github.com/containerd/containerd/commit/2b12ef2f421f141805f8afcd72d1315698b2582c) chore: add a build tag to disable containerd plugin import
    * bump github.com/containerd/continuity from 0.4.2 to 0.4.4 ([#11216](https://github.com/containerd/containerd/pull/11216))
      * [`b99091838`](https://github.com/containerd/containerd/commit/b99091838db961b2c06cea388c70466f5ca0a067) build(deps): bump github.com/containerd/continuity from 0.4.3 to 0.4.4
      * [`9f48f7af0`](https://github.com/containerd/containerd/commit/9f48f7af05f1b19c0500eaae78e605ec45e03ab5) build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.2
      * [`79172ba16`](https://github.com/containerd/containerd/commit/79172ba1624d21263a236a37909f33b8ba639c61) go.mod: github.com/containerd/continuity v0.4.3
    * deps: update golang.org/x/ ([#11178](https://github.com/containerd/containerd/pull/11178))
      * [`2dfbe2c7c`](https://github.com/containerd/containerd/commit/2dfbe2c7c1de9c8a45e1500d09e79652a5a3d416) vendor: update golang.org/x/crypto dependencies
    * Fix proto conflicts and update to 1.8 API ([#11184](https://github.com/containerd/containerd/pull/11184))
      * [`3d7a50749`](https://github.com/containerd/containerd/commit/3d7a50749b58d84ae32afaf84a475cb25f0eb327) Replace use of deprecated api Envelope
      * [`929e7bde6`](https://github.com/containerd/containerd/commit/929e7bde6d686e8d694852258762e144d92bc38f) Use api types over deprecated alias
      * [`5a42503d1`](https://github.com/containerd/containerd/commit/5a42503d19e4e17e15af9155830cc1e808f1362b) Remove end of life api directory
      * [`c4069878e`](https://github.com/containerd/containerd/commit/c4069878e1c2587434b303b27e7f114a5426fc81) Update runtime/v2/runc/options to alias api type
      * [`4d955223a`](https://github.com/containerd/containerd/commit/4d955223a4cfa047e8f8ea58efc275d2771c0e0a) Update to containerd api 1.8
      * [`efacd2ac7`](https://github.com/containerd/containerd/commit/efacd2ac7b099e875619df184a4f695719a4ec3b) Fix lint failures
    * update runc binary to v1.2.3 ([#11143](https://github.com/containerd/containerd/pull/11143))
      * [`957c31895`](https://github.com/containerd/containerd/commit/957c31895ab1f84f7c33696a931bde628e79086c) update runc binary to v1.2.3
    * update build to go1.22.10, test go1.23.4 ([#11111](https://github.com/containerd/containerd/pull/11111))
      * [`4c0db6ad6`](https://github.com/containerd/containerd/commit/4c0db6ad60aa549ed3be557150f263e09cac7061) update build to go1.22.10, test go1.23.4
    * Fix panic due to nil dereference cgroups v2 ([#11099](https://github.com/containerd/containerd/pull/11099))
      * [`a40aa60a5`](https://github.com/containerd/containerd/commit/a40aa60a5452f92338e252f047871fee2ddd8727) fix panic due to nil dereference cgroups v2
    * Move rockylinux 9.4 to almalinux/9 in CI ([#11054](https://github.com/containerd/containerd/pull/11054))
      * [`b1ef1dda7`](https://github.com/containerd/containerd/commit/b1ef1dda758185d6709b3e4869dded4dd11dee40) move rocky 9.4 to almalinux/9 in CI
    </p>
    </details>
    
    ### Changes from containerd/continuity
    <details><summary>40 commits</summary>
    <p>
    
    * go.mod: bump up ([containerd/continuity#257](https://github.com/containerd/continuity/pull/257))
      * [`8ae2b5e`](https://github.com/containerd/continuity/commit/8ae2b5ed00ea2ce911d163c19b85de58ffeaee10) Disable FUSE for FreeBSD
      * [`ef3b6f4`](https://github.com/containerd/continuity/commit/ef3b6f490ced58b82bf25ffd3ca5c242bedf06ef) go.mod: bump up
    * cmd/continuity/commands: MountCmd: remove macOS remnants ([containerd/continuity#254](https://github.com/containerd/continuity/pull/254))
      * [`327ebdd`](https://github.com/containerd/continuity/commit/327ebdd9c1ddcbfd517279a3602efa286dfe5cdc) cmd/continuity/commands: MountCmd: remove macOS remnants
    * kind.String(): fix missing case statements for iota consts in switch ([containerd/continuity#256](https://github.com/containerd/continuity/pull/256))
      * [`7d074e7`](https://github.com/containerd/continuity/commit/7d074e72420162b4e873d4699f2518c02fcb983f) kind.String(): fix missing case statements for iota consts in switch
    * go-fix: remove pre-go1.17 build-tags ([containerd/continuity#252](https://github.com/containerd/continuity/pull/252))
      * [`433b975`](https://github.com/containerd/continuity/commit/433b9755fb2e7489793942d7e7d795c91ded249a) go-fix: remove pre-go1.17 build-tags
    * fs: properly handle ENOTSUP in copyXAttrs ([containerd/continuity#245](https://github.com/containerd/continuity/pull/245))
      * [`c494f3d`](https://github.com/containerd/continuity/commit/c494f3d90ac521345eed00be6784fe5e798d0bbc) fs: properly handle ENOTSUP in copyXAttrs
    * gha: update CodeQL action to v3, run on go1.22 ([containerd/continuity#251](https://github.com/containerd/continuity/pull/251))
      * [`3ca0c62`](https://github.com/containerd/continuity/commit/3ca0c6254f9a9238cf8b27f94e6004d14ebcaf58) gha: update CodeQL action to v3, as v2 is deprecated
      * [`1d06b76`](https://github.com/containerd/continuity/commit/1d06b761601826b507eaa06055f18961c85d8afa) gha: update CodeQL action to run on go1.22
    * go.mod: prune indirect gopkg.in/yaml.v3 ([containerd/continuity#250](https://github.com/containerd/continuity/pull/250))
      * [`3eb1ef4`](https://github.com/containerd/continuity/commit/3eb1ef4c2469f3c8e4b557a4f4ddcbd76682e784) cmd/continuity: tidy go.mod, go.sum
      * [`f0775b0`](https://github.com/containerd/continuity/commit/f0775b0cefc909012eab90c1ff60653bc4ddba08) go.mod: prune indirect gopkg.in/yaml.v3
    * gha: run CI on go1.22 ([containerd/continuity#242](https://github.com/containerd/continuity/pull/242))
      * [`f0f6869`](https://github.com/containerd/continuity/commit/f0f6869d0dfa7a977b939b91e47fe36bf9c6bbc1) gha: run CI on go1.22
    * switch to github.com/containerd/log module ([containerd/continuity#243](https://github.com/containerd/continuity/pull/243))
      * [`7d07d28`](https://github.com/containerd/continuity/commit/7d07d28ec16c8b8bacc7638feef10fc4e15536f4) switch to github.com/containerd/log module
    * Fix TestDiffDirChangeWithOverlayfs (also updates the CI to use Ubuntu 24.04) ([containerd/continuity#249](https://github.com/containerd/continuity/pull/249))
      * [`97eff17`](https://github.com/containerd/continuity/commit/97eff17e2d69acf3724a694badf7eedb1c59684f) Fix TestDiffDirChangeWithOverlayfs
      * [`d934057`](https://github.com/containerd/continuity/commit/d93405730daf33f10e26855303a94e126378c90f) CI: use ubuntu-24.04
    * fs: implement Atime for Windows ([containerd/continuity#241](https://github.com/containerd/continuity/pull/241))
      * [`3cbda8c`](https://github.com/containerd/continuity/commit/3cbda8c24bde1ce635ff5dc3417a481a3b6b6e07) fs: implement Atime for Windows
    * build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0 ([containerd/continuity#238](https://github.com/containerd/continuity/pull/238))
      * [`31a50de`](https://github.com/containerd/continuity/commit/31a50def4bb28692365be8f56c64f71d676b81d1) build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0
    * build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0 in /cmd/continuity ([containerd/continuity#237](https://github.com/containerd/continuity/pull/237))
      * [`b3e10e6`](https://github.com/containerd/continuity/commit/b3e10e6650ecac26b241e41c65e58e6199b4a3f7) build(deps): bump google.golang.org/protobuf in /cmd/continuity
    * support filesystem magic for linux ([containerd/continuity#239](https://github.com/containerd/continuity/pull/239))
      * [`8df9930`](https://github.com/containerd/continuity/commit/8df993081e4942a06a3de2e78c3171198641f9f8) support filesystem magic for linux
    * fs: add DiffDirChanges function to get changeset fast ([containerd/continuity#145](https://github.com/containerd/continuity/pull/145))
      * [`8b312bd`](https://github.com/containerd/continuity/commit/8b312bddbe566d249b9f3962119a20e415f574be) fs: add DiffDirChanges function to get changeset fast
    * update golangci-lint to vl.55.0 ([containerd/continuity#233](https://github.com/containerd/continuity/pull/233))
      * [`e08b7e4`](https://github.com/containerd/continuity/commit/e08b7e4a95b607784ce68c7f1216531c51bd375e) update golangci-lint to vl.55.0 , matching the version used by containerd
    * Add type to iterate directory ([containerd/continuity#229](https://github.com/containerd/continuity/pull/229))
      * [`5c2d1b4`](https://github.com/containerd/continuity/commit/5c2d1b465b6a874f3e534f844d9ba3b6699f5ce5) Add type to iterate directory
    * Substitute deprecated rand.Seed() in Go 1.20 ([containerd/continuity#231](https://github.com/containerd/continuity/pull/231))
      * [`242e29e`](https://github.com/containerd/continuity/commit/242e29e108631f355e3f442f3cc07a05109aabd2) Substitute deprecated rand.Seed() in Go 1.20
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/containerd/containerd/api**       v1.7.19 -> v1.8.0
    * **github.com/containerd/continuity**           v0.4.2 -> v0.4.4
    * **golang.org/x/crypto**                        v0.21.0 -> v0.31.0
    * **golang.org/x/mod**                           v0.12.0 -> v0.17.0
    * **golang.org/x/net**                           v0.23.0 -> v0.25.0
    * **golang.org/x/sync**                          v0.5.0 -> v0.10.0
    * **golang.org/x/sys**                           v0.18.0 -> v0.28.0
    * **golang.org/x/term**                          v0.18.0 -> v0.27.0
    * **golang.org/x/text**                          v0.14.0 -> v0.21.0
    * **google.golang.org/genproto/googleapis/rpc**  995d672761c0 -> c3f982113cda
    * **google.golang.org/protobuf**                 v1.33.0 -> v1.35.2
    
    Previous release can be found at [v1.7.24](https://github.com/containerd/containerd/releases/tag/v1.7.24)
    
    
  • v2.0.1
    containerd 2.0.1
    
    Welcome to the v2.0.1 release of containerd!
    
    The first patch release for containerd 2.0 includes a number of bug fixes and improvements.
    
    ### Highlights
    
    #### Container Runtime Interface (CRI)
    
    * Fix apply IoOwner options when not in user namespace ([#11151](https://github.com/containerd/containerd/pull/11151))
    * Fix cri grpc plugin config migration ([#11140](https://github.com/containerd/containerd/pull/11140))
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
    
    #### Image Distribution
    
    * Update differ to handle zstd media types ([#11068](https://github.com/containerd/containerd/pull/11068))
    
    #### Runtime
    
    * Update runc binary to v1.2.3 ([#11142](https://github.com/containerd/containerd/pull/11142))
    * Fix panic due to nil dereference cgroups v2 ([#11098](https://github.com/containerd/containerd/pull/11098))
    
    Please try out the release binaries and report any issues at
    https://github.com/containerd/containerd/issues.
    
    ### Contributors
    
    * Derek McGowan
    * Wei Fu
    * Archit Kulkarni
    * Jin Dong
    * Phil Estes
    * Akhil Mohan
    * Akihiro Suda
    * Alexey Lunev
    * Austin Vazquez
    * Maksym Pavlenko
    * Mike Brown
    * Michael Zappa
    * Samuel Karp
    * Sebastiaan van Stijn
    * Andrey Smirnov
    * Davanum Srinivas
    
    ### Changes
    <details><summary>50 commits</summary>
    <p>
    
    * Prepare release notes for v2.0.1 ([#11158](https://github.com/containerd/containerd/pull/11158))
      * [`b0ece5dc5`](https://github.com/containerd/containerd/commit/b0ece5dc55f93493c2d94f4c19139f0dc49d8f38) Prepare release notes for v2.0.1
    * build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0 ([#11154](https://github.com/containerd/containerd/pull/11154))
      * [`fe6957084`](https://github.com/containerd/containerd/commit/fe695708499661af965e068bc4c458b868cc2229) build(deps): bump actions/attest-build-provenance from 1.4.4 to 2.1.0
    * update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ ([#11153](https://github.com/containerd/containerd/pull/11153))
      * [`eb2ce6882`](https://github.com/containerd/containerd/commit/eb2ce688293bdb1914ffa2928bb6f3fd88bae114) update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+
    * ctr pull should unpack for default platform when transfer service is used ([#11139](https://github.com/containerd/containerd/pull/11139))
      * [`44cdca68b`](https://github.com/containerd/containerd/commit/44cdca68b5f97f85386eea305c14c08ed3e93520) ctr pull unpack for default platform using transfer service
    * Fix apply IoOwner options when not in user namespace ([#11151](https://github.com/containerd/containerd/pull/11151))
      * [`018d83650`](https://github.com/containerd/containerd/commit/018d83650fd4b23d61cd7af381ea5123935005c6) internal/cri: should not apply IoOwner options
    * Update go-cni for CNI STATUS ([#11146](https://github.com/containerd/containerd/pull/11146))
      * [`5eb7995a9`](https://github.com/containerd/containerd/commit/5eb7995a9ae16deb23af0b320a91de633dae0ce0) feat: update go-cni version for CNI STATUS
    * Fix cri grpc plugin config migration ([#11140](https://github.com/containerd/containerd/pull/11140))
      * [`a2302ea89`](https://github.com/containerd/containerd/commit/a2302ea89f90cb8ef2cafea3ca4ed20933d5d8b5) Add integration test for custom configuration
      * [`be5eda069`](https://github.com/containerd/containerd/commit/be5eda069f1055d934b40815d0ee30eeeda3771e) complete cri grpc config migration
    * Update runc binary to v1.2.3 ([#11142](https://github.com/containerd/containerd/pull/11142))
      * [`a53eff53d`](https://github.com/containerd/containerd/commit/a53eff53d9ad0ed99ae3b48473c5fcb90c930aa4) update runc binary to v1.2.3
    * Update differ to handle zstd media types ([#11068](https://github.com/containerd/containerd/pull/11068))
      * [`73f57acb0`](https://github.com/containerd/containerd/commit/73f57acb0da8dd4cff5f9dab2fd8685d7bd0048b) Update differ to handle zstd media types
    * update to go1.23.4 / go1.22.10 ([#11109](https://github.com/containerd/containerd/pull/11109))
      * [`290e8bc70`](https://github.com/containerd/containerd/commit/290e8bc70405718e6f61c91415e08affc3ed1056) update to go1.23.4 / go1.22.10
    * CI: update Fedora to 41 ([#11110](https://github.com/containerd/containerd/pull/11110))
      * [`62b790bfa`](https://github.com/containerd/containerd/commit/62b790bfac2aa5e4825bb37b93dcc75286ae2a09) CI: update Fedora to 41
    * Fix panic due to nil dereference cgroups v2 ([#11098](https://github.com/containerd/containerd/pull/11098))
      * [`3ba2df924`](https://github.com/containerd/containerd/commit/3ba2df924a3f23419b7e8fe2626fa55cd934eb16) fix panic due to nil dereference cgroups v2
    * Publish attestation as release artifact ([#11067](https://github.com/containerd/containerd/pull/11067))
      * [`34a45cab2`](https://github.com/containerd/containerd/commit/34a45cab2a573a589415d8d83fc00c3b6114bfff) Publish attestation as release artifact
    * Move rockylinux 9.4 to almalinux/9 in CI ([#11053](https://github.com/containerd/containerd/pull/11053))
      * [`7dec6b460`](https://github.com/containerd/containerd/commit/7dec6b460752fb77b4754ef527c5ce492ac3c0ac) move rocky 9.4 to almalinux/9 in CI
    * *: should align pipe's owner with init process ([#11035](https://github.com/containerd/containerd/pull/11035))
      * [`cf07f28ee`](https://github.com/containerd/containerd/commit/cf07f28ee22a6df79177b55751902b24548105ad) *: should align pipe's owner with init process
    * fix: set the credentials even if not provided ([#11031](https://github.com/containerd/containerd/pull/11031))
      * [`986088866`](https://github.com/containerd/containerd/commit/9860888666f7e96a37d0a412ee80be065ea74903) fix: set the credentials even if not provided
    * fsverity_test.go: fix nil pointer dereference, fix test fail, fix minor/major device numbers resolving ([#10978](https://github.com/containerd/containerd/pull/10978))
      * [`30b929ece`](https://github.com/containerd/containerd/commit/30b929ece7e79e030a710de13a58d73b79853e7c) fsverity_test.go: fix major/minor device number resolving
      * [`10996a334`](https://github.com/containerd/containerd/commit/10996a334b2d507e919244fd60be09f62384e3c0) fsverity_test.go: fix nil pointer dereference, fix test fail
    * update runc binary to 1.2.2 ([#11023](https://github.com/containerd/containerd/pull/11023))
      * [`9081e979f`](https://github.com/containerd/containerd/commit/9081e979f7c8e6c0628fd1796cccb5d08d714f11) update runc binary to 1.2.2
    * Revert "Disable vagrant strict dependency checking" ([#11009](https://github.com/containerd/containerd/pull/11009))
      * [`6399c936f`](https://github.com/containerd/containerd/commit/6399c936fa46999d893fb2309f9a9453c9f7951a) Revert "Disable vagrant strict dependency checking"
    * fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems ([#11005](https://github.com/containerd/containerd/pull/11005))
      * [`a7f2b562f`](https://github.com/containerd/containerd/commit/a7f2b562f3b6f87733ae4e3e4fd04afad3b24816) fsverity_linux.go: Fix fsverity.IsEnabled() for big endian systems
    * bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3 ([#10997](https://github.com/containerd/containerd/pull/10997))
      * [`389e781ea`](https://github.com/containerd/containerd/commit/389e781ea10b81d97093eee94e7dba55620f844f) build(deps): bump github.com/containerd/typeurl/v2 from 2.2.2 to 2.2.3
    * update to go1.23.3 / go1.22.9 ([#10973](https://github.com/containerd/containerd/pull/10973))
      * [`5b879f30c`](https://github.com/containerd/containerd/commit/5b879f30c05d88f98455dc76f4fe296cb9771b56) update to go1.23.3 / go1.22.9
    * ci: enable marking 2.0 releases as latest ([#10963](https://github.com/containerd/containerd/pull/10963))
      * [`458215f6c`](https://github.com/containerd/containerd/commit/458215f6cf256d644239eed9ff40db1b2eceaeb6) ci: enable marking 2.0 releases as latest
    * Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz ([#10968](https://github.com/containerd/containerd/pull/10968))
      * [`e99c2b55c`](https://github.com/containerd/containerd/commit/e99c2b55c3fcbb2e04e0bc2fed37b0c2d7fe9245) Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
    </p>
    </details>
    
    ### Changes from containerd/go-cni
    <details><summary>7 commits</summary>
    <p>
    
    * Support CNI STATUS Verb ([containerd/go-cni#123](https://github.com/containerd/go-cni/pull/123))
      * [`208eca9`](https://github.com/containerd/go-cni/commit/208eca91c33bb793f471831a0abaf6cebe9676a4) support CNI status verb
    * Bump github actions dependencies to match containerd CI repo and fix lint ([containerd/go-cni#122](https://github.com/containerd/go-cni/pull/122))
      * [`386f475`](https://github.com/containerd/go-cni/commit/386f4757e63914b2589b8abe6098bfa23f83fa8b) Fix ci.yml indent
      * [`a9b0675`](https://github.com/containerd/go-cni/commit/a9b0675fc9b8b5ce52d84f91a4fc049501853862) Another doc commit to trigger lint?
      * [`14af454`](https://github.com/containerd/go-cni/commit/14af4542b76fa694f2e1853b35554f23c6829f5d) Bump github actions dependency versions
      * [`9e0d096`](https://github.com/containerd/go-cni/commit/9e0d096d58145757809ddce8b8650efc07e19916) Trivial doc commit to trigger lint
    </p>
    </details>
    
    ### Dependency Changes
    
    * **github.com/containerd/go-cni**      v1.1.10 -> v1.1.11
    * **github.com/containerd/typeurl/v2**  v2.2.2 -> v2.2.3
    
    Previous release can be found at [v2.0.0](https://github.com/containerd/containerd/releases/tag/v2.0.0)
    
    ### Which file should I download?
    
    * `containerd-<VERSION>-<OS>-<ARCH>.tar.gz`:         ✅ Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
    * `containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz`:  Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.
    
    In addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)
    and [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.
    
    See also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.