[release/2.3] Prepare release notes for v2.3.1

[AkihiroSuda]

containerd 2.3.1

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

Security Updates

• CVE-2026-46680

Highlights

• Fix bug where failed gRPC plugins were not tolerated when starting listeners (#13390)

Image Storage

• Ensure metadata and mount plugin boltdb files are closed on server shutdown (#13379)

Runtime

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13447)
• Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options (#13422)
• Apply hardening to default seccomp socket policy by blocking AF_ALG (#13409)

Snapshotters

• Disable overlayfs "rebase" capability when running in user namespace (#13394)
• Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#13364)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akihiro Suda
• Derek McGowan
• Pawe┼é Gronowski
• Brian Goff
• Austin Vazquez
• LEI WANG
• Samuel Karp

Changes

23 commits

• 58af96519 Prepare release notes for v2.3.1
• 8f0b3ca83 Update api to v1.11.1
• oci: return explicit error for out-of-range USER values (#13447)
  • a05ae7885 oci: return explicit error for out-of-range USER values
• Prepare release notes for api/v1.11.1 (#13444)
  • da7aef299 Prepare release notes for api/v1.11.1
• Fix sandbox task API endpoints for non-runc runtimes (#13422)
  • 5282d4e09 Wire task address and version fields
  • e44f5f9ec protos: include task API address to CreateTaskRequest
• seccomp: Block AF_ALG in default socket policy (#13409)
  • 4d80a31bf seccomp: Block AF_ALG in default socket policy
  • 2ed0d97b6 seccomp: Document socket rule scope and socketcall limitation
• server: tolerate failed gRPC plugins when starting listeners (#13390)
  • 3a88fdde0 server: tolerate failed gRPC plugins when starting listeners
• overlay: disable "rebase" capability when running in UserNS (#13394)
  • 2be0710b8 overlay: disable "rebase" capability when running in UserNS
• Update Go to 1.26.3 (#13374)
  • 3b199c22b Update Go to 1.26.3
• fix: close boltdb on metadata and mount plugin close (#13379)
  • 1d601271a fix: close boltdb on metadata and mount plugin close
• Fix optional EROFS differ setup in transfer plugin (#13364)
  • d666d2e42 Refactor transfer unpack configuration setup
  • ccc3bd7b9 Fix optional transfer differ setup

Dependency Changes

• github.com/containerd/containerd/api v1.11.0 -> v1.11.1

Previous release can be found at v2.3.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: Γ£àRecommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

[samuelkarp]

I ran my release skill to fix up the highlights:

---

containerd 2.3.1

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

Highlights

• Fix bug where failed gRPC plugins were not tolerated when starting listeners (#13390)

Image Storage

• Ensure metadata and mount plugin boltdb files are closed on server shutdown (#13379)

Snapshotters

• Disable overlayfs "rebase" capability when running in user namespace (#13394)
• Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#13364)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Akihiro Suda
• Maksym Pavlenko
• Brian Goff
• Austin Vazquez
• Paweł Gronowski
• Samuel Karp

Changes

12 commits

• 08a380d22 Prepare release notes for v2.3.1
• server: tolerate failed gRPC plugins when starting listeners (#13390)
  • 3a88fdde0 server: tolerate failed gRPC plugins when starting listeners
• overlay: disable "rebase" capability when running in UserNS (#13394)
  • 2be0710b8 overlay: disable "rebase" capability when running in UserNS
• Update Go to 1.26.3 (#13374)
  • 3b199c22b Update Go to 1.26.3
• fix: close boltdb on metadata and mount plugin close (#13379)
  • 1d601271a fix: close boltdb on metadata and mount plugin close
• Fix optional EROFS differ setup in transfer plugin (#13364)
  • d666d2e42 Refactor transfer unpack configuration setup
  • ccc3bd7b9 Fix optional transfer differ setup

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.3.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

[AkihiroSuda]

I ran my release skill to fix up the highlights:

Thanks, is this skill public ?

[samuelkarp]

Thanks, is this skill public ?

Not yet, but I'm happy to push it somewhere. Should we make a containerd-skills repo?

[AkihiroSuda]

Should we make a containerd-skills repo?

I guess it can be put into either https://github.com/containerd/release-tool or https://github.com/containerd/project ?

[AkihiroSuda]

@samuelkarp Do you have an AI skill to merge this PR and ship a release too? If so, do you want to try it with this PR?

[samuelkarp]

No, it just does the preparation. Final merge is through GitHub like normal, then signed tag with the generated release notes file, like git tag --cleanup=whitespace -s v2.3.0-beta.2 -F /tmp/v2.3.0.beta.2-notes (from my shell history).

File is generated like:

# Ensure GITHUB_ACTOR and GITHUB_TOKEN are set for PR data extraction
export GITHUB_ACTOR=$(gh api user -q .login)
export GITHUB_TOKEN=$(gh auth token)

# Run release-tool (Note: the -t flag for the tag should NOT include +unknown)
# The -n flag is required to see output in the console.
release-tool -r -n -g -l -t v2.2.3 ./releases/v2.2.3.toml

Since the skill already updated the release-note blocks on the PRs, you can generate the same notes by running that command that I showed in the comment.

[samuelkarp]

I guess it can be put into either https://github.com/containerd/release-tool or https://github.com/containerd/project ?

I had thought about a separate repo, but that could make sense.

• release-tool: would make sense only for this skill, and would mean the release-tool would need to have a local checkout. I don't think all of us do, but that's not a high bar
• project - this is mostly our governance repo right now and we don't have code here

I have a couple other containerd skills too that I'd want to put somewhere. Those wouldn't make sense for the release-tool repo but could make sense elsewhere (like I have one for updating the docs workflows for the containerd.io repo). Thoughts?

[AkihiroSuda]

Maybe rename release-tool to maintainer-tool? Then it makes more sense as the place to put AI skills?

[mxpv]

Can we pls include #13360 in 2.3.1 ? (will cherry-pick once it lands).

[mxpv]

Can we pls include #13360 in 2.3.1 ? (will cherry-pick once it lands).

Cherry-pick PR #13422