fix(deps): update module github.com/containerd/containerd to v1.7.27 [security] (v1.1) - abandoned

[cilium-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/containerd/containerd	require	patch	v1.7.16 -> v1.7.27

---

containerd has an integer overflow in User ID handling

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://nvd.nist.gov/vuln/detail/CVE-2024-40635
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.27: containerd 1.7.27

Compare Source

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Update image type checks to avoid unnecessary logs for attestations (#​11538)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Akhil Mohan
• Derek McGowan
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Akihiro Suda
• Craig Ingram
• Krisztian Litkey
• Samuel Karp

Changes

20 commits

• 05044ec0a Merge commit from fork
• 11504c3fc validate uid/gid
• Prepare release notes for v1.7.27 (#​11540)
  • 1be04be6c Prepare release notes for v1.7.27
• Update image type checks to avoid unnecessary logs for attestations (#​11538)
  • 82b5c43fe core/remotes: Handle attestations in MakeRefKey
  • 2c670e79b core/images: Ignore attestations when traversing children
• update build to go1.23.7, test go1.24.1 (#​11515)
  • a39863c9f update build to go1.23.7, test go1.24.1
• Remove hashicorp/go-multierror dependency and fix CI (#​11499)
  • 49537b3a7 e2e: use the shim bundled with containerd artifact
  • fe490b76f Bump up github.com/intel/goresctrl to 0.5.0
  • 13fc9d313 update containerd/project-checks to 1.2.1
  • 585699c94 Remove unnecessary joinError unwrap
  • 4b9df59be Remove hashicorp/go-multierror
• go.{mod,sum}: bump CDI deps to v0.8.1. (#​11422)
  • 5ba28f8dc go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11437)
  • 85f10bd92 CI: arm64-8core-32gb -> ubuntu-24.04-arm
  • 561ed520e increase xfs base image size to 300Mb

Dependency Changes

• github.com/intel/goresctrl v0.3.0 -> v0.5.0
• github.com/prometheus/client_golang v1.14.0 -> v1.16.0
• github.com/prometheus/common v0.37.0 -> v0.42.0
• github.com/prometheus/procfs v0.8.0 -> v0.10.1
• k8s.io/apimachinery v0.26.2 -> v0.27.4
• sigs.k8s.io/json f223a00 -> bc3834c
• tags.cncf.io/container-device-interface v0.7.2 -> v0.8.1
• tags.cncf.io/container-device-interface/specs-go v0.7.0 -> v0.8.0

Previous release can be found at v1.7.26

v1.7.26: containerd 1.7.26

Compare Source

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Add support for syncfs after unpack (#​11267)
• Update runc binary to v1.2.5 (#​11395)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
• Reject oversized messages from the sender (containerd/ttrpc#171)

Container Runtime Interface (CRI)

• Fix fatal concurrency error in port forwarding (#​11306)

Node Resource Interface (NRI)

• Fix initial sync race when registering NRI plugins (#​11326)
• Add API support for reading Pod IPs (containerd/nri#119)
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
• Fix mount removal in adjustments (containerd/nri#107)
• Close plugin if initial synchronization fails (containerd/nri#103)
• Add support for adjusting OOM score (containerd/nri#94)
• Add API support for NRI-native CDI injection (containerd/nri#98)
• Add support for pids cgroup (containerd/nri#76)

Runtime

• Fix console TTY leak in runc shim (#​11250)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Mike Brown
• Samuel Karp
• Wei Fu
• Phil Estes
• Derek McGowan
• Iceber Gu
• Akhil Mohan
• Antonio Ojea
• Austin Vazquez
• Henry Wang
• Jin Dong
• Xiaojin Zhang
• ningmingxiao
• AbdelrahmanElawady
• Akihiro Suda
• Antti Kervinen
• Jing Xu
• Jitang Lei
• Justin Alvarez
• Lei Liu
• Maksym Pavlenko
• Yang Yang
• Yuhang Wei
• cormick
• jingtao.liang

Changes

24 commits

• Prepare release notes for v1.7.26 (#​11356)
  • ceba197f5 Prepare release notes for v1.7.26
• Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11434)
  • 3486bc8dd Upgrade x/net to 0.33.0
• update build to go1.23.6, test go1.24.0 (#​11419)
  • 9025d3075 update build to go1.23.6, test go1.24.0
• Update install-imgcrypt to allow change install repo (#​11358)
  • 83eaab482 Update install-imgcrypt to allow change install repo
• Add support for syncfs after unpack (#​11267)
  • 8bc21cba7 support to syncfs after pull by using diff plugin
• Update runc binary to v1.2.5 (#​11395)
  • 27c472acf Update runc binary to v1.2.5
• Move run.skip-dirs to issues.exclude-dirs in golangci-lint config (#​11400)
  • 8d8034b66 move skip-dirs to issues.exclude-dirs
• Fix initial sync race when registering NRI plugins (#​11326)
  • 11af05177 cri,nri: block NRI plugin sync. during event processing.
  • d4036cd3d go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
• Fix console TTY leak in runc shim (#​11250)
  • c3e24e024 Add integ test to check tty leak
  • 4e45a463d fix master tty leak due to leaking init container object
• Fix fatal concurrency error in port forwarding (#​11306)
  • 0fe9f0b52 fix fatal error: concurrent map iteration and map write
• update build to go1.22.11, test go1.23.5 (#​11298)
  • 441b92636 update build to go1.22.11, test go1.23.5

Changes from containerd/nri

77 commits

• Add API support for reading Pod IPs (containerd/nri#119)
  • eaf78a9 api: support Pod IPs
• generate: do not set OOMScoreAdj if no adjustment (containerd/nri#116)
• 07bfc18 wip: generate: add test for oom score adj
• b5fc359 generate: do not set OOMScoreAdj if no adjustment
• device-injector: remove unreachable code. (containerd/nri#115)
  • 235aa11 chore: remove unreachable code and fmt files
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
  • 159f575 template: dump pod/container count in sync message.
  • bf267e3 stub: collect/handle split sync messages.
  • ed78ae9 adaptation: use multiple sync messages if necessary.
  • 6fd59d6 api: add support for multiple sync messages.
  • a7fcccc mux: split oversized messages.
  • 5fe9b06 mux: fix maximum allowed message size.
  • 693d64e go.{mod,sum}, plugins: update ttrpc and NRI deps.
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
  • 320e4e7 adaptation: tests for runtime version, timeouts.
  • f86d982 api,adaptation,stub: let plugin know configured timeouts.
  • cfcd2af Makefile: fix ginkgo-tests target.
  • 8cd9504 adaptation: block plugin sync/registration in test suite.
  • 966ac92 adaptation: implement plugin synchronization blocks.
• ci: verify that code generation works and results match (containerd/nri#113)
  • f74ce31 ci: verify code generation and generated files in repo
• deps: bump gingko to v2.19.1, golang to v1.21.x. (containerd/nri#110)
  • e4d5c36 ci: stop testing with golang 1.20.x.
  • 6578149 go.{mod,sum}: bump golang requirement to 1.21.
  • 442e812 go.{mod,sum}: update to ginkgo v2.19.1.
• sync sandboxes and containers after starting the pre-installed plugins (containerd/nri#43)
  • eada085 ignore pre-installed plugins that did not sync successfully
  • b881bc4 sync sandboxes and containers after starting the pre-installed plugins
• Fix mount removal in adjustments (containerd/nri#107)
  • 3880f1d adaptation: add test case for mount removal.
  • 0d3b376 adaptation: fix mount removal in adjustments.
• codespell: add codespell config, workflow, fix spelling errors. (containerd/nri#105)
  • df84c47 .github: add codespell workflow.
  • a03dc93 pkg,plugins,.codespellrc: add codespellrc, fix spelling.
• Close plugin if initial synchronization fails (containerd/nri#103)
  • 4aec208 adaptation: log plugin as connected and synchronized.
  • 4e60cd0 adaptation: close plugin if initial synchronization fails.
• Reset source path of api.pb.go to pkg/api/api.proto (containerd/nri#104)
  • 1cc026f Reset source path of api.pb.go to pkg/api/api.proto
• Add support for adjusting OOM score (containerd/nri#94)
  • efcb2da NRI plugins support adjust oom_score_adj
• Add API support for NRI-native CDI injection (containerd/nri#98)
  • 8783973 device-injector: clarify precedence of annotations.
  • 4eb7075 pkg/adaptation: fix grammatical mistakes in comments.
  • 4bd8da8 device-injector: add support for CDI injection.
  • 44773bd runtime-tools/generate: add support CDI injection.
  • 65282fe adaptation: add CDI device injection unit test.
  • 01f3b7a adaptation: add support for native CDI injection.
  • f1aa58f api: add support for native CDI device injection.
• types: Fix a typo (containerd/nri#101)
  • 8434439 types: Fix a typo
• Add support for pids cgroup (containerd/nri#76)
  • 1719502 support pids cgroup
• stub: support restart after stub stopped (containerd/nri#91)
  • 242661f stub: support re-start after stub stopped
• stop closed plugins that will be removed (containerd/nri#89)
  • ba398fa stop closed plugins that will be removed
• plugins/device-injector: fix a small typo in README.md. (containerd/nri#97)
  • f96a550 device-injector: small grammar fix in README.md.
• plugins/template: fix a typo in a comment. (containerd/nri#96)
  • 5680921 plugins/template: fix typo in a comment.
• go.{mod,sum}, .github: bump minimum golang version to 1.20. (containerd/nri#88)
  • 2c3608d .golangci.yml: silence dot-import errors for tests.
  • 8f56974 pkg/{adaptation,api,net,stub}: fix linter errors.
  • e863892 .github: bump golangci-lint to v1.58.0.
  • 674cb41 .github: bump setup-go to v5.
  • 9106283 .github: test with golang 1.20.x, 1.21.x, 1.22.3 in CI.
  • a9778ad plugins: bump golang version to 1.20.
  • 8e86065 go.{mod.sum}: bump golang version to 1.20.
• network device injector plugin (containerd/nri#82)
  • ff774e6 network device injector plugin
• Modify hook-injector plugin to monitor directories to match cri-o (containerd/nri#84)
  • 06841c2 Modify hook-injector plugin to monitor directories to match cri-o
• docs: fix broken link to sample plugins in README.md (containerd/nri#81)
  • 2791e93 docs: fix broken link to sample plugins in README.md

Changes from containerd/ttrpc

11 commits

• Add MD.Clone function (containerd/ttrpc#177)
  • 430f734 Add MD.Clone
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
  • c4d96d5 server: fix Serve() vs. immediate Shutdown() race.
  • ed6c3ba server_test: add Serve()/Shutdown() race test.
• Reject oversized messages from the sender (containerd/ttrpc#171)
  • b5cd6e4 channel: allow discovery of overflown message size.
  • d8c00df channel_test: update oversize message test.
  • de273bf channel: reject oversized messages on the sender side.
• server_test: fix error message in TestOversizeCall. (containerd/ttrpc#170)
  • 84e1784 server_test: fix error message in TestOversizeCall.

Dependency Changes

• github.com/containerd/nri v0.6.1 -> v0.8.0
• github.com/containerd/ttrpc v1.2.5 -> v1.2.7
• github.com/go-logr/logr v1.3.0 -> v1.4.2
• golang.org/x/net v0.25.0 -> v0.33.0

Previous release can be found at v1.7.25

v1.7.25: containerd 1.7.25

Compare Source

Welcome to the v1.7.25 release of containerd!

The twenty-fifth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Update runc binary to v1.2.4 (#​11238)
• Fix proto conflicts and update to 1.8 API (#​11184)

Container Runtime Interface (CRI)

• Fix ip_pref configuration option (#​11223)

Runtime

• Fix panic due to nil dereference cgroups v2 (#​11099)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Derek McGowan
• Sebastiaan van Stijn
• Wei Fu
• Maksym Pavlenko
• Akhil Mohan
• Henry Wang
• Jin Dong
• Phil Estes
• Sam Edwards
• Samuel Karp
• Brian Goff
• David Son
• Kohei Tokunaga
• Pierre Gimalac
• Yang Yang
• bo.jiang

Changes

32 commits

• Prepare release notes for v1.7.25 (#​11243)
  • bda53fc60 Prepare release notes for v1.7.25
• Update runc binary to v1.2.4 (#​11238)
  • d4a649130 update runc binary to v1.2.4
• Reduce shim plugin log level (#​11224)
  • 99c973791 runtime/v2: reduce shim plugin log
• Fix ip_pref configuration option (#​11223)
  • 0cfc1edf3 Fix "even if IPv4 comes first" test to have IPv4 first
  • 53d1fd0d9 Don't use To16() != nil to detect IPv6 addresses
• Add a build tag to disable std plugin import (#​11202) (#​11203)
  • 2b12ef2f4 chore: add a build tag to disable containerd plugin import
• bump github.com/containerd/continuity from 0.4.2 to 0.4.4 (#​11216)
  • b99091838 build(deps): bump github.com/containerd/continuity from 0.4.3 to 0.4.4
  • 9f48f7af0 build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.2
  • 79172ba16 go.mod: github.com/containerd/continuity v0.4.3
• deps: update golang.org/x/ (#​11178)
  • 2dfbe2c7c vendor: update golang.org/x/crypto dependencies
• Fix proto conflicts and update to 1.8 API (#​11184)
  • 3d7a50749 Replace use of deprecated api Envelope
  • 929e7bde6 Use api types over deprecated alias
  • 5a42503d1 Remove end of life api directory
  • c4069878e Update runtime/v2/runc/options to alias api type
  • 4d955223a Update to containerd api 1.8
  • efacd2ac7 Fix lint failures
• update runc binary to v1.2.3 (#​11143)
  • 957c31895 update runc binary to v1.2.3
• update build to go1.22.10, test go1.23.4 (#​11111)
  • 4c0db6ad6 update build to go1.22.10, test go1.23.4
• Fix panic due to nil dereference cgroups v2 (#​11099)
  • a40aa60a5 fix panic due to nil dereference cgroups v2
• Move rockylinux 9.4 to almalinux/9 in CI (#​11054)
  • b1ef1dda7 move rocky 9.4 to almalinux/9 in CI

Changes from containerd/continuity

40 commits

• go.mod: bump up (containerd/continuity#257)
  • 8ae2b5e Disable FUSE for FreeBSD
  • ef3b6f4 go.mod: bump up
• cmd/continuity/commands: MountCmd: remove macOS remnants (containerd/continuity#254)
  • 327ebdd cmd/continuity/commands: MountCmd: remove macOS remnants
• kind.String(): fix missing case statements for iota consts in switch (containerd/continuity#256)
  • 7d074e7 kind.String(): fix missing case statements for iota consts in switch
• go-fix: remove pre-go1.17 build-tags (containerd/continuity#252)
  • 433b975 go-fix: remove pre-go1.17 build-tags
• fs: properly handle ENOTSUP in copyXAttrs (containerd/continuity#245)
  • c494f3d fs: properly handle ENOTSUP in copyXAttrs
• gha: update CodeQL action to v3, run on go1.22 (containerd/continuity#251)
  • 3ca0c62 gha: update CodeQL action to v3, as v2 is deprecated
  • 1d06b76 gha: update CodeQL action to run on go1.22
• go.mod: prune indirect gopkg.in/yaml.v3 (containerd/continuity#250)
  • 3eb1ef4 cmd/continuity: tidy go.mod, go.sum
  • f0775b0 go.mod: prune indirect gopkg.in/yaml.v3
• gha: run CI on go1.22 (containerd/continuity#242)
  • f0f6869 gha: run CI on go1.22
• switch to github.com/containerd/log module (containerd/continuity#243)
  • 7d07d28 switch to github.com/containerd/log module
• Fix TestDiffDirChangeWithOverlayfs (also updates the CI to use Ubuntu 24.04) (containerd/continuity#249)
  • 97eff17 Fix TestDiffDirChangeWithOverlayfs
  • d934057 CI: use ubuntu-24.04
• fs: implement Atime for Windows (containerd/continuity#241)
  • 3cbda8c fs: implement Atime for Windows
• build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0 (containerd/continuity#238)
  • 31a50de build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0
• build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.33.0 in /cmd/continuity (containerd/continuity#237)
  • b3e10e6 build(deps): bump google.golang.org/protobuf in /cmd/continuity
• support filesystem magic for linux (containerd/continuity#239)
  • 8df9930 support filesystem magic for linux
• fs: add DiffDirChanges function to get changeset fast (containerd/continuity#145)
  • 8b312bd fs: add DiffDirChanges function to get changeset fast
• update golangci-lint to vl.55.0 (containerd/continuity#233)
  • e08b7e4 update golangci-lint to vl.55.0 , matching the version used by containerd
• Add type to iterate directory (containerd/continuity#229)
  • 5c2d1b4 Add type to itterate directory
• Substitute deprecated rand.Seed() in Go 1.20 (containerd/continuity#231)
  • 242e29e Substitute deprecated rand.Seed() in Go 1.20

Dependency Changes

• github.com/containerd/containerd/api v1.7.19 -> v1.8.0
• github.com/containerd/continuity v0.4.2 -> v0.4.4
• golang.org/x/crypto v0.21.0 -> v0.31.0
• golang.org/x/mod v0.12.0 -> v0.17.0
• golang.org/x/net v0.23.0 -> v0.25.0
• golang.org/x/sync v0.5.0 -> v0.10.0
• golang.org/x/sys v0.18.0 -> v0.28.0
• golang.org/x/term v0.18.0 -> v0.27.0
• golang.org/x/text v0.14.0 -> v0.21.0
• google.golang.org/genproto/googleapis/rpc 995d672 -> c3f9821
• google.golang.org/protobuf v1.33.0 -> v1.35.2

Previous release can be found at v1.7.24

v1.7.24: containerd 1.7.24

Compare Source

Welcome to the v1.7.24 release of containerd!

The twenty-fourth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Update runc binary to 1.2.2 (#​11027)
• Fix "invalid metric type" error message for cgroup v1 (#​10814)

Container Runtime Interface (CRI)

• Update the container exit log to info level (#​11007)

Image Distribution

• Fix retry logic and concurrency issue with http fallback (#​11032)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Akhil Mohan
• Akihiro Suda
• Maksym Pavlenko
• Austin Vazquez
• Samuel Karp
• Benjamin Peterson
• Davanum Srinivas
• Iceber Gu
• Mike Brown
• Sebastiaan van Stijn
• Tõnis Tiigi
• ningmingxiao

Changes

36 commits

• Prepare release notes for v1.7.24 (#​11036)
  • 936f8e2de Prepare release notes for v1.7.24
• Update the container exit log to info level (#​11007)
  • 47ff8e2b6 add info of exited event
• Fix retry logic and concurrency issue with http fallback (#​11032)
  • 10af0d60f Adds a mutex to protect fallback host
  • e426ec51b Use unix and windows specific connection error checks
  • 49c9f303b Allow fallback across default ports
• local: avoid writing to content root on readonly store (#​10913)
  • ddf2b03ed local: avoid writing to content root on readonly store
• Update runc binary to 1.2.2 (#​11027)
  • 06e72da76 update runc binary to 1.2.2
• Revert "Disable vagrant strict dependency checking" (#​11011)
  • 23a31ce63 Revert "Disable vagrant strict dependency checking"
• testutil: avoid conflict with continuity/testutil (#​10956)
  • 4bd411f8c testutil: avoid conflict with continuity/testutil
• update cri-tools to v1.29.0 (#​10969)
  • 216dc892e update cri-tools to v1.29.0
• update build to go1.22.9, test go1.23.3 (#​10974)
  • 56a7d31cb update build to go1.22.9, test go1.23.3
• ci: disable marking 1.7 releases as latest (#​10962)
  • 205940716 ci: disable marking 1.7 releases as latest
• Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz (#​10976)
  • b7bb8d515 Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
• backport: Disable vagrant strict dependency checking (#​10965)
  • 860a51384 Disable vagrant strict dependency checking
• Update runc binary to 1.2.1 (#​10940)
  • 710cd3716 update runc binary to 1.2.1
• services/snapshots: include name of snapshotter in debug logs (#​10931)
  • 5bd0834ce services/snapshots: include name of snapshotter in debug logs
• Make TestContainerPids more resilient (#​10936)
  • 455787bf8 Make TestContainerPids more resilient
• Add After=dbus.service to containerd.service (#​10859)
  • cb82e52a4 Add After=dbus.service to containerd.service
• Fix "invalid metric type" error message for cgroup v1 (#​10814)
  • d6f577843 metrics: Use UnmarshalTo instead of UnmarshalAny

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.23

v1.7.23: containerd 1.7.23

Compare Source

Welcome to the v1.7.23 release of containerd!

The twenty-third patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Add errdefs aliases (#​10792)
• Allow proxy plugins to have capabilities (#​10731)
• Revert errdefs package migration (#​10712)

Container Runtime Interface (CRI)

• Add check for CNI plugins before tearing down pod network (#​10767)

Image Distribution

• Fix the race condition during GC of snapshots when client retries (#​10763)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Austin Vazquez
• Phil Estes
• Akihiro Suda
• Samuel Karp
• Maksym Pavlenko
• Kern Walster
• Kir Kolyshkin
• Saket Jajoo
• Sameer
• Wei Fu
• Zou Nengren
• bo.jiang

Changes

37 commits

• Prepare release notes for v1.7.23 (#​10802)
  • 921f554af Prepare release notes for v1.7.23
• Revert "update runc binary to 1.1.15" (#​10826)
  • 8f16d6588 Revert "update runc binary to 1.1.15"
• Switch from actuated.dev to GH Action runners for arm64 (#​10822)
  • 41e8f24cd Switch from actuated.dev to GH Action runners for arm64
  • dd811f224 Update github actions ci to run on forks
• bump golangci/golangci-lint-action from 4 to 6 (#​10813)
  • 284484af4 bump golangci/golangci-lint-action from 4 to 6
• update to go1.23.2,go1.22.8 (#​10808)
  • 814c59ba5 update to go1.23.2,go1.22.8
• prow: allow ENABLE_CRI_SANDBOXES to be configured (#​10801)
  • ae11176fa prow: allow ENABLE_CRI_SANDBOXES to be configured
• TestNewBinaryIOCleanup: fix a comment, minor rewrite (#​10776)
  • 7fd794a7c TestNewBinaryIOCleanup: fix a comment, minor rewrite
• Add errdefs aliases (#​10792)
  • 0714a2952 Add errdefs aliases
• Update runc binary to 1.1.15 (#​10794)
  • 113a9f1fc update runc binary to 1.1.15
• Update runner images to macOS13 (#​10783)
  • 5305b03f2 Update runner images to macOS13
• Allow proxy plugins to have capabilities (#​10731)
  • 950740390 Allow proxy plugins to have capabilities
• Bump crun to 1.16.1 (#​10774)
  • e8aae7824 Bump crun to 1.16
  • ee1c39b79 CI: bump up crun to 1.15
• Fix the race condition during GC of snapshots when client retries (#​10763)
  • cb5e6a01a Fix the race condition during GC of snapshots when client retries
• Add check for CNI plugins before tearing down pod network (#​10767)
  • 278bd0f72 [release/1.7] Add check for CNI plugins before tearing down pod network
• Revert errdefs package migration (#​10712)
  • 18403239e Synchronize 1.7 error package with errdefs
  • d8d27205b Revert "migrate errdefs package to github.com/containerd/errdefs module"
  • e82d201b3 Revert "replace uses of github.com/containerd/containerd/errdefs"
  • 51939238f Revert "errdefs: denote deprecation as a godoc comment"
  • ae80077e8 Revert "golangci-lint: enable depguard for packages that moved"
  • 32675f983 Revert "remove imports of errdefs package"

Changes from containerd/errdefs

29 commits

• Add errdefs/pkg package (containerd/errdefs#19)
  • 46a6522 Add errdefs/pkg package
• Update GitHub Actions packages and runners (containerd/errdefs#20)
  • 303a6ea Update to Go 1.22.8 in CI
  • e70104e Upgrade to golangci-lint@v1.61.0
  • ffe5586 Upgrade to golangci/golangci-lint-action@v6
  • 908b04b Upgrade to actions/checkout@v4
  • 608b83c Upgrade to actions/setup-go@v5
  • 8e82ae4 Upgrade macOS runner image to macOS 13
• Complete interface definitions for errors ([Complete interface definitions for errors containerd/errdefs#18](https://redirect.github.com/container

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cilium-renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
google.golang.org/protobuf	v1.34.2 -> v1.35.2
github.com/Microsoft/go-winio	v0.6.1 -> v0.6.2
github.com/containerd/ttrpc	v1.2.3 -> v1.2.7
github.com/opencontainers/image-spec	v1.1.0-rc3 -> v1.1.0

[cilium-renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.