chore(deps): Update module github.com/containerd/containerd to v1.7.29 [SECURITY]

[renovate-sh-app]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.18 → v1.7.29

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-40635

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

CVE-2024-25621

Impact

An overly broad default permission vulnerability was found in containerd.

• /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
  • Allowed local users on the host to potentially access the metadata store and the content store
• /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
  • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
• /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

Note

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

CVE-2025-64329

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

---

containerd has an integer overflow in User ID handling

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://nvd.nist.gov/vuln/detail/CVE-2024-40635
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a
• https://github.com/containerd/containerd
• https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

CVE-2024-40635 / GHSA-265r-hfxg-fhmg / GO-2025-3528

More information

Details

containerd has an integer overflow in User ID handling in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
• https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da
• https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20
• https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd affected by a local privilege escalation via wide permissions on CRI directory

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

Impact

An overly broad default permission vulnerability was found in containerd.

• /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
  • Allowed local users on the host to potentially access the metadata store and the content store
• /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
  • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
• /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

[!NOTE]

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
• https://nvd.nist.gov/vuln/detail/CVE-2024-25621
• https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
• https://github.com/containerd/containerd
• https://github.com/containerd/containerd/blob/main/docs/rootless.md

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
• https://nvd.nist.gov/vuln/detail/CVE-2025-64329
• https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

Severity

Unknown

References

• https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
• https://nvd.nist.gov/vuln/detail/CVE-2024-25621
• https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5
• https://github.com/containerd/containerd/blob/main/docs/rootless.md

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

containerd CRI server: Host memory exhaustion through Attach goroutine leak

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

• 2.2.0
• 2.1.5
• 2.0.7
• 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
• https://nvd.nist.gov/vuln/detail/CVE-2025-64329
• https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.29: containerd 1.7.29

Compare Source

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes
and updates including security patches.

Security Updates

• containerd

  • GHSA-pwhc-rpq9-4c8w
  • GHSA-m6hq-p25p-ffr2

• runc

  • GHSA-qw9x-cqr3-wc7r
  • GHSA-cgrx-mc8f-2prm
  • GHSA-9493-h29p-rfm2

Highlights

Image Distribution

• Update differ to handle zstd media types (#​12018)

Runtime

• Update runc binary to v1.3.3 (#​12480)
• Fix lost container logs from quickly closing io (#​12375)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Phil Estes
• Austin Vazquez
• Sebastiaan van Stijn
• ningmingxiao
• Maksym Pavlenko
• StepSecurity Bot
• wheat2018

Changes

38 commits

• 442cb34bd Merge commit from fork
• 0450f046e Fix directory permissions
• e5cb6ddb7 Merge commit from fork
• c575d1b5f fix goroutine leak of container Attach
• Prepare release notes for v1.7.29 (#​12486)
  • 1fc2daaf3 Prepare release notes for v1.7.29
• Update runc binary to v1.3.3 (#​12480)
  • 3f5f9f872 runc: Update runc binary to v1.3.3
• Update GHA images and bump Go 1.24.9; 1.25.3 (#​12471)
  • 667409fb6 ci: bump Go 1.24.9, 1.25.3
  • 294f8c027 Update GHA runners to use latest images for basic binaries build
  • cf66b4141 Update GHA runners to use latest image for most jobs
  • fa3e6fa18 pkg/epoch: extract parsing SOURCE_DATE_EPOCH to a function
  • ac334bffc pkg/epoch: fix tests on macOS
  • d04b8721f pkg/epoch: replace some fmt.Sprintfs with strconv
• CI: update Fedora to 43 (#​12450)
  • 5cfedbf52 CI: update Fedora to 43
• CI: skip ubuntu-24.04-arm on private repos (#​12429)
  • cf99a012d CI: skip ubuntu-24.04-arm on private repos
• runc:Update runc binary to v1.3.1 (#​12276)
  • 4c77b8d07 runc:Update runc binary to v1.3.1
• Fix lost container logs from quickly closing io (#​12375)
  • d30024db2 bugfix:fix container logs lost because io close too quickly
• ci: bump Go 1.24.8 (#​12362)
  • f4b3d96f3 ci: bump Go 1.24.8
  • 334fd8e4b update golangci-lint to v1.64.2
  • 8a67abc4c Drop inactivated linter exportloopref
  • e4dbf08f0 build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
  • d7db2ba06 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
  • d7182888f build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
  • 4be6c7e3b build(deps): bump actions/cache from 4.1.2 to 4.2.0
  • a2e097e86 build(deps): bump actions/checkout from 4.2.1 to 4.2.2
  • 6de404d11 build(deps): bump actions/cache from 4.1.1 to 4.1.2
  • 038a25584 [StepSecurity] ci: Harden GitHub Actions
• Update differ to handle zstd media types (#​12018)
  • eaeb4b6ac Update differ to handle zstd media types
• ci: bump Go 1.23.12, 1.24.6 (#​12188)
  • 83c535339 ci: bump Go 1.23.12, 1.24.6

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.28

v1.7.28: containerd 1.7.28

Compare Source

Welcome to the v1.7.28 release of containerd!

The twenty-eighth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

Image Distribution

• Refresh OAuth tokens when they expire during registry operations (#​11721)
• Set default differ for the default unpack config of transfer service (#​11689)

Runtime

• Update runc binary to v1.3.0 (#​11800)
• Remove invalid error log when stopping container after containerd restart (#​11620)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akhil Mohan
• Akihiro Suda
• Austin Vazquez
• Maksym Pavlenko
• Phil Estes
• Derek McGowan
• Kirtana Ashok
• Henry Wang
• Iain Macdonald
• Jin Dong
• Swagat Bora
• Wei Fu
• Yang Yang
• madraceee

Changes

57 commits

• Prepare release notes for v1.7.28 (#​12134)
  • b01b809f8 Prepare release notes for v1.7.28
• ci: bump Go 1.23.11, 1.24.5 (#​12117)
  • ce2373176 ci: bump Go 1.23.11, 1.24.5
• Backport windows test fixes (#​12121)
  • 3c06bcc4d Fix intermittent test failures on Windows CIs
  • c6c0c6854 Remove WS2025 from CIs due to regression
• ci: use fedora 39 archive (#​12123)
  • 6d7e021cf ci: use fedora/39-cloud-base image from archive
• update runners to ubuntu 24.04 (#​11802)
  • c362e18cc CI: install OVMF for Vagrant
  • 1d99bec21 CI: fix "Unable to find a source package for vagrant" error
  • dafa3c48d add debian sources for ubuntu-24
  • b03301d85 partial: enable ubuntu 24 runners
  • 13fbc5f97 update release runners to ubuntu 24.04
• go.mod: golang.org/x/* latest (#​12096)
  • da5d1a371 go.mod: golang.org/x/* latest
• Remove additional fuzzers from instrumentation repo (#​12099)
  • 5fef123ba Remove additional fuzzers from CI
• backport windows runner and golang toolchain updates (#​11972)
  • a35978f5a ci: bump golang [1.23.10, 1.24.4] in build and release
  • df035aa3e ci: bump golang [1.23.9, 1.24.3] in build and release
  • 2a6d9fc71 use go1.23.8 as the default go version
  • 15d4d6eba update to go 1.24.2, 1.23.8
  • 1613a3b1a Enable CIs to run on WS2022 and WS2025
• test: added runc v1 tests using vagrant (#​11896)
  • 60e73122c test: added runc v1 tests using vagrant
• Revert "disable portmap test in ubuntu-22 to make CI happy" (#​11803)
  • 10e1b515e Revert "Disable port mapping tests in CRI-in-UserNS"
  • 7a680e884 fix unbound SKIP_TEST variable error
  • e5f8cc995 Revert "disable portmap test in ubuntu-22 to make CI happy"
• Update runc binary to v1.3.0 (#​11800)
  • b001469c7 Update runc binary to v1.3.0
• Refresh OAuth tokens when they expire during registry operations (#​11721)
  • a6421da84 remotes/docker/authorizer.go: invalidate auth tokens when they expire.
• [CI] Fix vagrant (#​11739)
  • effc49e8b Fix vagrant setup
• Fix CI (#​11722)
  • d3e7dd716 Skip criu on Arms
  • 7cf9ebe94 Disable port mapping tests in CRI-in-UserNS
  • 42657a4ed disable portmap test in ubuntu-22 to make CI happy
  • b300fd37b add option to skip tests in critest
  • 6f4ffad27 Address cgroup mountpoint does not exist
  • cef298331 Update Ubuntu to 24
  • 2dd9be16e ci: update GitHub Actions release runner to ubuntu-24.04
• Set default differ for the default unpack config of transfer service (#​11689)
  • e40e59e4e Set default differ for the default unpack config of transfer service
• silence govulncheck false positives (#​11679)
  • ff097d5a4 silence govulncheck false positives
• vendor: github.com/go-jose/go-jose/v3 v3.0.4 (#​11619)
  • 52dd4dc51 vendor: github.com/go-jose/go-jose/v3 v3.0.4
• Remove invalid error log when stopping container after containerd restart (#​11620)
  • 24f41d2d5 use shimCtx for fifo copy
• Update runc binary to v1.2.6 (#​11584)
  • 1e1e78ad7 Update runc binary to v1.2.6
• Use RWMutex in NSMap and reduce lock area (#​11556)
  • 9a8d1d44a Use RWMutex in NSMap and reduce lock area

Dependency Changes

• github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
• golang.org/x/crypto v0.31.0 -> v0.40.0
• golang.org/x/mod v0.17.0 -> v0.26.0
• golang.org/x/net v0.33.0 -> v0.42.0
• golang.org/x/oauth2 v0.11.0 -> v0.30.0
• golang.org/x/sync v0.10.0 -> v0.16.0
• golang.org/x/sys v0.28.0 -> v0.34.0
• golang.org/x/term v0.27.0 -> v0.33.0
• golang.org/x/text v0.21.0 -> v0.27.0
• golang.org/x/time 90d013b -> v0.12.0

Previous release can be found at v1.7.27

v1.7.27: containerd 1.7.27

Compare Source

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Update image type checks to avoid unnecessary logs for attestations (#​11538)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Akhil Mohan
• Derek McGowan
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Akihiro Suda
• Craig Ingram
• Krisztian Litkey
• Samuel Karp

Changes

20 commits

• 05044ec0a Merge commit from fork
• 11504c3fc validate uid/gid
• Prepare release notes for v1.7.27 (#​11540)
  • 1be04be6c Prepare release notes for v1.7.27
• Update image type checks to avoid unnecessary logs for attestations (#​11538)
  • 82b5c43fe core/remotes: Handle attestations in MakeRefKey
  • 2c670e79b core/images: Ignore attestations when traversing children
• update build to go1.23.7, test go1.24.1 (#​11515)
  • a39863c9f update build to go1.23.7, test go1.24.1
• Remove hashicorp/go-multierror dependency and fix CI (#​11499)
  • 49537b3a7 e2e: use the shim bundled with containerd artifact
  • fe490b76f Bump up github.com/intel/goresctrl to 0.5.0
  • 13fc9d313 update containerd/project-checks to 1.2.1
  • 585699c94 Remove unnecessary joinError unwrap
  • 4b9df59be Remove hashicorp/go-multierror
• go.{mod,sum}: bump CDI deps to v0.8.1. (#​11422)
  • 5ba28f8dc go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11437)
  • 85f10bd92 CI: arm64-8core-32gb -> ubuntu-24.04-arm
  • 561ed520e increase xfs base image size to 300Mb

Dependency Changes

• github.com/intel/goresctrl v0.3.0 -> v0.5.0
• github.com/prometheus/client_golang v1.14.0 -> v1.16.0
• github.com/prometheus/common v0.37.0 -> v0.42.0
• github.com/prometheus/procfs v0.8.0 -> v0.10.1
• k8s.io/apimachinery v0.26.2 -> v0.27.4
• sigs.k8s.io/json f223a00 -> bc3834c
• tags.cncf.io/container-device-interface v0.7.2 -> v0.8.1
• tags.cncf.io/container-device-interface/specs-go v0.7.0 -> v0.8.0

Previous release can be found at v1.7.26

v1.7.26: containerd 1.7.26

Compare Source

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Add support for syncfs after unpack (#​11267)
• Update runc binary to v1.2.5 (#​11395)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
• Reject oversized messages from the sender (containerd/ttrpc#171)

Container Runtime Interface (CRI)

• Fix fatal concurrency error in port forwarding (#​11306)

Node Resource Interface (NRI)

• Fix initial sync race when registering NRI plugins (#​11326)
• Add API support for reading Pod IPs (containerd/nri#119)
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
• Fix mount removal in adjustments (containerd/nri#107)
• Close plugin if initial synchronization fails (containerd/nri#103)
• Add support for adjusting OOM score (containerd/nri#94)
• Add API support for NRI-native CDI injection (containerd/nri#98)
• Add support for pids cgroup (containerd/nri#76)

Runtime

• Fix console TTY leak in runc shim (#​11250)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Mike Brown
• Samuel Karp
• Wei Fu
• Phil Estes
• Derek McGowan
• Iceber Gu
• Akhil Mohan
• Antonio Ojea
• Austin Vazquez
• Henry Wang
• Jin Dong
• Xiaojin Zhang
• ningmingxiao
• AbdelrahmanElawady
• Akihiro Suda
• Antti Kervinen
• Jing Xu
• Jitang Lei
• Justin Alvarez
• Lei Liu
• Maksym Pavlenko
• Yang Yang
• Yuhang Wei
• cormick
• jingtao.liang

Changes

24 commits

• Prepare release notes for v1.7.26 (#​11356)
  • ceba197f5 Prepare release notes for v1.7.26
• Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11434)
  • 3486bc8dd Upgrade x/net to 0.33.0
• update build to go1.23.6, test go1.24.0 (#​11419)
  • 9025d3075 update build to go1.23.6, test go1.24.0
• Update install-imgcrypt to allow change install repo (#​11358)
  • 83eaab482 Update install-imgcrypt to allow change install repo
• Add support for syncfs after unpack (#​11267)
  • 8bc21cba7 support to syncfs after pull by using diff plugin
• Update runc binary to v1.2.5 (#​11395)
  • 27c472acf Update runc binary to v1.2.5
• Move run.skip-dirs to issues.exclude-dirs in golangci-lint config (#​11400)
  • 8d8034b66 move skip-dirs to issues.exclude-dirs
• Fix initial sync race when registering NRI plugins (#​11326)
  • 11af05177 cri,nri: block NRI plugin sync. during event processing.
  • d4036cd3d go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
• Fix console TTY leak in runc shim (#​11250)
  • c3e24e024 Add integ test to check tty leak
  • 4e45a463d fix master tty leak due to leaking init container object
• Fix fatal concurrency error in port forwarding (#​11306)
  • 0fe9f0b52 fix fatal error: concurrent map iteration and map write
• update build to go1.22.11, test go1.23.5 (#​11298)
  • 441b92636 update build to go1.22.11, test go1.23.5

Changes from containerd/nri

77 commits

• Add API support for reading Pod IPs (containerd/nri#119)
  • eaf78a9 api: support Pod IPs
• generate: do not set OOMScoreAdj if no adjustment (containerd/nri#116)
• 07bfc18 wip: generate: add test for oom score adj
• b5fc359 generate: do not set OOMScoreAdj if no adjustment
• device-injector: remove unreachable code. (containerd/nri#115)
  • 235aa11 chore: remove unreachable code and fmt files
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
  • 159f575 template: dump pod/container count in sync message.
  • bf267e3 stub: collect/handle split sync messages.
  • ed78ae9 adaptation: use multiple sync messages if necessary.
  • 6fd59d6 api: add support for multiple sync messages.
  • a7fcccc mux: split oversized messages.
  • 5fe9b06 mux: fix maximum allowed message size.
  • 693d64e go.{mod,sum}, plugins: update ttrpc and NRI deps.
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
  • 320e4e7 adaptation: tests for runtime version, timeouts.
  • f86d982 api,adaptation,stub: let plugin know configured timeouts.
  • cfcd2af Makefile: fix ginkgo-tests target.
  • 8cd9504 adaptation: block plugin sync/registration in test suite.
  • 966ac92 adaptation: implement plugin synchronization blocks.
• ci: verify that code generation works and results match (containerd/nri#113)
  • f74ce31 ci: verify code generation and generated files in repo
• deps: bump gingko to v2.19.1, golang to v1.21.x. (containerd/nri#110)
  • e4d5c36 ci: stop testing with golang 1.20.x.
  • 6578149 go.{mod,sum}: bump golang requirement to 1.21.
  • 442e812 go.{mod,sum}: update to ginkgo v2.19.1.
• sync sandboxes and containers after starting the pre-installed plugins (containerd/nri#43)
  • eada085 ignore pre-installed plugins that did not sync successfully
  • b881bc4 sync sandboxes and containers after starting the pre-installed plugins
• Fix mount removal in adjustments (containerd/nri#107)
  • 3880f1d adaptation: add test case for mount removal.
  • 0d3b376 adaptation: fix mount removal in adjustments.
• codespell: add codespell config, workflow, fix spelling errors. (containerd/nri#105)
  • df84c47 .github: add codespell workflow.
  • a03dc93 pkg,plugins,.codespellrc: add codespellrc, fix spelling.
• Close plugin if initial synchronization fails (containerd/nri#103)
  • 4aec208 adaptation: log plugin as connected and synchronized.
  • 4e60cd0 adaptation: close plugin if initial synchronization fails.
• Reset source path of api.pb.go to pkg/api/api.proto (containerd/nri#104)
  • 1cc026f Reset source path of api.pb.go to pkg/api/api.proto
• Add support for adjusting OOM score (containerd/nri#94)
  • efcb2da NRI plugins support adjust oom_score_adj
• Add API support for NRI-na

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

🔍 Dependency Review

github.com/containerd/containerd v1.7.18 → github.com/containerd/containerd/api v1.9.0 — ⚠️ Needs Review

This change is not a straight version bump; it replaces the full Containerd module with the API-only submodule. The github.com/containerd/containerd/api module contains only the generated protobuf/gRPC API definitions (packages under github.com/containerd/containerd/api/...) and does not include the higher-level client and helper packages that live in github.com/containerd/containerd (e.g., client, oci, images, snapshots, naming, etc.).

Because the dependency is indirect in your modules, this may be harmless if no code in your repository (or crucial transitive dependencies) require the higher-level github.com/containerd/containerd packages. However, if any direct or transitive code depends on those packages, replacing the root module with the API-only module may drop them from the module graph and lead to build or runtime issues.

Summary of impact:

• Safe if you (and your direct deps) only use Containerd’s API protobufs (e.g., api/services/*/v1, api/types).
• Risky if any code (directly or indirectly) requires github.com/containerd/containerd packages like client, oci, images, etc.

What to check:

• Search your repo and critical direct dependencies for imports of github.com/containerd/containerd (non-/api/... paths).
• Run go mod graph | grep containerd to confirm whether the root github.com/containerd/containerd module is still present via other transitives.
• Build and run unit tests that touch any container/runtime code paths.

Code changes you may need:

• If your code (or a direct dependency you control) uses higher-level Containerd packages, keep the root module alongside the API module, or revert this replacement. For example, to restore the original behavior:

 require (
-    github.com/containerd/containerd/api v1.9.0 // indirect
+    github.com/containerd/containerd v1.7.18 // indirect
+    github.com/containerd/containerd/api v1.9.0 // indirect
 )

If you do intend to use only the API module, and you have any direct imports of root-level packages, migrate off those helpers to your own client or replacements, or re-add github.com/containerd/containerd as above.

Changelog and compatibility notes (evidence):

• The api submodule exports protobuf/gRPC service definitions and messages. Changes between api versions are typically additive (new fields, messages, or services) and maintain protobuf wire compatibility. Breaking removals or field renames in stable services would be unusual.
• The root github.com/containerd/containerd module includes client and helper packages not present in api. Replacing it with api removes those packages from your dependency graph unless still pulled in by other dependencies.

Relevant references (from the containerd repository structure and release practices):

• The api module lives under the containerd repo and provides only generated protos in api/services/*/v1 and api/types/....
• Root-level helper packages (e.g., client, oci, images) are part of github.com/containerd/containerd and are not in github.com/containerd/containerd/api.

No repository code updates are mandatory if you don’t import root-level containerd packages and only need API protos. Otherwise, explicitly retain the root module as shown above to preserve existing behavior.

Notes

• This review only covers the changed dependency shown in the provided go.mod diffs. No other net-new dependencies were assessed.

[ptodev]

This seems to change to a different module, which is quite weird. I think I'll just make another PR to upgrade to containerd/containerd 1.7.29.

[jharvey10]

I noticed a similar sort of thing for another renovate PR. It said it was updating one thing, but actually subtly changed it to something else. I guess just something we keep an eye on.

Edit: It was actually this PR 😅, but I guess I forgot to add a comment on it. Definitely warrants a separate PR that does it properly though.

[ptodev]

I manually updated the Go mod files to v1.7.30 and my local go mod tidy also changed this dependency to containerd/api v1.9.0. So weird...

[ptodev]

@jharvey10 this is weird but if go mod tidy works, then I suppose it's ok 🤷 I'm ok with merging it.

I still can't tell why the modle changed though. go mod graph tells me it's because of percona:

github.com/percona/percona-backup-mongodb@v1.8.1-0.20250429102026-063dab6cc946 github.com/containerd/containerd@v1.7.18

I appears to be an indirect dependency there. I don't understand why suddenly it's a different module for the same version of percona.

If you're ok with this we can just merge it. I don't think it's high risk.

[ptodev]

@jharvey10 Oh it auto merged 😆

[jharvey10]

@ptodev oh cool! Well if you reproduced the same result locally, then I feel like that gives pretty high confidence that it's correct.