diff --git a/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.json b/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.json new file mode 100644 index 0000000..7e61a9b --- /dev/null +++ b/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.json @@ -0,0 +1,277 @@ +{ + "metadata": { + "generated_at": "2026-04-11T00:41:59.804048", + "tool": "containerd-release-tracker", + "version": "1.0.0" + }, + "release": { + "tag_name": "api/v1.11.0-beta.1", + "name": "containerd API 1.11.0-beta.1", + "body": "Welcome to the api/v1.11.0-beta.1 release of containerd!\n*This is a pre-release of containerd*\n\nThe 12th release for the containerd 1.x API aligns with the containerd 2.3 release.\n\n### Highlights\n\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Maksym Pavlenko\n* Derek McGowan\n* Wei Fu\n* Gao Xiang\n* Sebastiaan van Stijn\n\n### Changes\n
41 commits\n

\n\n* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))\n * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions\n * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level\n * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json\n * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path\n * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api\n * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests\n * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag\n * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim\n * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files\n * 
[`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file\n * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin\n * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension\n * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor\n * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol\n* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))\n * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto\n* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))\n * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api\n* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))\n * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0\n* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))\n * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos\n* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))\n * 
[`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field\n* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))\n * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files\n * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files\n* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))\n * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt\n * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API\n* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))\n * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files\n * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files\n * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/\n * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports\n * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files\n

\n
\n\n### Dependency Changes\n\n* **golang.org/x/net** v0.38.0 -> v0.48.0\n* **golang.org/x/sys** v0.31.0 -> v0.39.0\n* **golang.org/x/text** v0.23.0 -> v0.32.0\n* **google.golang.org/genproto/googleapis/rpc** c3f982113cda -> ff82c1b0f217\n* **google.golang.org/grpc** v1.59.0 -> v1.79.3\n* **google.golang.org/protobuf** v1.33.0 -> v1.36.10\n\nPrevious release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)\n", + "published_at": "2026-04-11T00:06:52Z", + "prerelease": true, + "draft": false, + "html_url": "https://github.com/containerd/containerd/releases/tag/api/v1.11.0-beta.1", + "author": "github-actions[bot]" + }, + "analysis": { + "summary": "containerd API 1.11.0-beta.1 是一个预发布版本,为即将到来的 containerd 2.3 版本奠定 API 基础,核心价值在于引入了新的 shim 引导协议、沙箱 API 改进以及容器文件系统复制支持,同时包含重要的 gRPC 安全更新。", + "key_changes": [ + "引入 shim 引导协议,统一并标准化 containerd 向 shim 传递配置参数的方式,取代原有的混合传递机制(CLI参数、环境变量、stdin) - [PR #12786](https://github.com/containerd/containerd/pull/12786)", + "更新沙箱 API,移除元数据中的 Container 字段,改为包含 spec 字段,以抽象化对 pause 容器的依赖 - [PR #12840](https://github.com/containerd/containerd/pull/12840)", + "为容器文件系统复制(类似 `docker cp`)添加传输类型定义,为未来实现容器与宿主机间安全文件传输提供 API 支持 - [PR #13165](https://github.com/containerd/containerd/pull/13165)", + "在平台定义中添加 `os.features` 字段,以原生支持 EROFS 容器镜像,优化解压和运行体验 - [PR #13091](https://github.com/containerd/containerd/pull/13091)" + ], + "important_bugfixes": [ + "更新 gRPC 依赖至 1.79.3,修复了路径授权绕过漏洞,该漏洞允许恶意构造的 :path 请求头绕过基于路径的拦截器(如 grpc/authz)的“拒绝”规则 - [PR #13099](https://github.com/containerd/containerd/pull/13099) - **影响:** 如果使用了 gRPC 拦截器进行细粒度授权控制,此漏洞可能导致未授权访问,建议关注并评估风险。" + ], + "security_issues": [ + "gRPC 库安全更新,修复了路径头授权绕过漏洞 - [PR #13099](https://github.com/containerd/containerd/pull/13099) - **风险级别:** 中。影响依赖于 gRPC 拦截器进行路径级权限校验的场景。" + ], + "performance_improvements": [ + "将 Protobuf 构建工具从 protobuild 迁移至 buf,简化 CI/本地构建依赖,提高代码生成的可复现性,并为未来引入 API 破坏性变更检测、代码规范检查等能力铺平道路 - [PR 
#12762](https://github.com/containerd/containerd/pull/12762) - **提升:** 主要提升开发效率和工具链现代化水平。", + "新的 shim 引导协议使用 Protobuf 替代 JSON 和混合传递方式,有望简化 shim 启动逻辑,提高参数传递的效率和可维护性 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **提升:** 改善启动流程的健壮性和未来可扩展性。" + ], + "breaking_changes": [ + "沙箱 API 元数据中移除了 `Container` 字段,依赖此字段获取 pause 容器信息的插件(如 NRI)需要重构,改为从元数据存储中获取所需数据 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响:** 自定义插件或工具如果直接访问沙箱的 Container 字段,将无法编译或运行,需要适配新的 API。", + "新的 shim 引导协议将逐步弃用原有的 CLI 参数、环境变量等启动参数传递方式。虽然当前是新增而非立即替换,但为未来版本废弃旧方式做准备,shim 实现者需要关注 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响:** 自定义或第三方 shim 需要评估并计划支持新的 BootstrapParams 协议。" + ], + "recommendations": [ + "**当前版本为 Beta 预发布版,不建议在生产环境直接升级。** 主要目的是供开发者和生态插件作者进行兼容性测试。", + "建议安全团队评估 gRPC 授权绕过漏洞(CVE-2024-7240)对现有环境的影响,并考虑在当前的稳定版本(如 1.6.x 或 1.7.x)中向后移植此安全修复。", + "插件和工具开发者应重点关注两项破坏性变更(沙箱 API 和 shim 引导协议),并开始适配工作,为 containerd 2.3 的正式发布做准备。", + "关注 EROFS 镜像支持特性,如果计划使用 EROFS 作为容器镜像格式,可以开始测试相关工作流。" + ], + "risk_assessment": "整体风险评估:中等。作为 API 的 Beta 预发布版,其本身不直接用于生产环境,因此直接升级风险低。然而,版本中预示的 API 变化(特别是破坏性变更)为未来 containerd 2.3 的升级带来了必须提前准备的中等风险。建议的升级时机是在 containerd 2.3 正式发布并经过充分测试后。需要特别关注的方面是:1) 所有自定义或第三方 shim 对新引导协议的兼容性;2) 依赖沙箱内部结构的插件或监控工具的适配情况;3) gRPC 安全修复在现有分支的落地情况。" + }, + "statistics": { + "analyzed_prs": 13, + "analyzed_issues": 0, + "important_items": 7 + }, + "important_items": [ + { + "type": "PR", + "title": "#12762: Migrate from protobuild to buf", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12786: Introduce shim bootstrap protocol", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12785: Make shim socket directory use configured directory", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#7061: [CRI] Remove image store", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12815: Generate api/next.txtpb and name module", + "reason": "Performance 
related" + }, + { + "type": "PR", + "title": "#13045: Prepare release notes for api/v1.11.0-beta.0", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#13099: build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api", + "reason": "Contains 'security'; Contains 'performance'; Cherry-pick or backport; Performance related" + } + ], + "prs": { + "12762": { + "title": "Migrate from protobuild to buf", + "url": "https://github.com/containerd/containerd/pull/12762", + "body": "This PR migrates from `Protobuild` (which we all love and use for quite some time) to [`buf`](https://github.com/bufbuild/buf) to manage our proto files.\r\n\r\nImmediate benefits:\r\n- No need to install `protoc` dependency. Mush simpler [CI setup](https://github.com/containerd/containerd/pull/12762/changes/edb3e0869706fa0d058f8530f7b563af9310eec3).\r\n- Much better local/CI reproducibility - all generators and dependencies are pinned in `buf.yaml` and `buf.lock`, so same output is expected everywhere. Only the `buf` binary need to be installed on the system to get things going.\r\n- No longer needs `containerd` to be in `GOPATH` (not strictly buf’s feature, but implemented in this PR)\r\n\r\nThere are also some longer term nice-to-have features that we could benefit from, which we don't have in protobuild:\r\n- Breaking change detector (we can run this on CI to guaranty API compatibility)\r\n- Linter\r\n- Formatter.\r\n\r\nI was able to generate exactly the same code with buf as it was before.\r\nThe only annoying thing is\r\n\r\n`// \tprotoc (unknown)`\r\n\r\nwhich seems to be expected when buf is not using external protoc binary (which we don't):\r\n\r\n> The protoc (unknown) line is being inserted by protoc-gen-go which we do not control. 
Part of the CodeGeneratorRequest passed to protoc-gen-go specifies the version of protoc being used, but buf is not, and doesn't use, protoc, so there is no appropriate answer here.\r\n\r\nMade a few follow up changes based on feedback:\r\n- Switched to relative imports (which `buf` supports natively), so workarounds in the `Makefile` no longer necessary.\r\n- Moved `buf` configuration files under `api/` directory", + "state": "closed", + "merged": true, + "created_at": "2026-01-08T23:33:25Z", + "merged_at": "2026-01-09T20:20:51Z", + "author": "mxpv", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12786": { + "title": "Introduce shim bootstrap protocol", + "url": "https://github.com/containerd/containerd/pull/12786", + "body": " Containerd needs to pass a bunch of parameters from the daemon down to the shim. Historically, we introduced several mechanisms to do it:\r\n- CLI arguments (-namespace, -id, -address, -publish-binary, -debug)\r\n- Env variables (TTRPC_ADDRESS, GRPC_ADDRESS, NAMESPACE, MAX_SHIM_VERSION, GOMAXPROCS, SCHED_CORE)\r\n- Some are passed via stdin (runtime options as protobuf)\r\n- spec.json file to read annotations from disk\r\n\r\nWe have a few cases where we need to introduce more parameters:\r\n- https://github.com/containerd/containerd/pull/12785\r\n- https://github.com/containerd/containerd/pull/12849\r\n- Further podsandbox/ work will require more configuration to be passed\r\n\r\nThis PR is a proposal to address the issues with 2 new structs:\r\n- `BootstrapParams` is passed via stdin with all configurations (at `shim -start`).\r\n- `BootstrapResult` is written by the shim to stdout.\r\n\r\nAnd deprecate everything else.\r\n\r\nThe structs are defined in protobuf, we can version it and detect breaking changes.\r\nAnd we'll use json to serialize/deserialize when launching a new shim instances.\r\n\r\nThe structs are also extensible enough to support more use cases in future.\r\n\r\nCompatibility:\r\n- `pkg/shim` is backward 
compatible. It uses the new bootstrap protocol by default and fallbacks to CLI/env/stdin.\r\n- containerd still provides CLI/env for backward compatibility. We should deprecate this approach in 2.3 and probably remove in 2.4?\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-01-15T02:12:18Z", + "merged_at": "2026-04-08T22:07:51Z", + "author": "mxpv", + "labels": [ + "impact/changelog", + "size/XXL" + ] + }, + "12785": { + "title": "Make shim socket directory use configured directory", + "url": "https://github.com/containerd/containerd/pull/12785", + "body": "Send the socket directory from containerd to the shim. The shim still\r\ndecides where the socket goes but can use the environment variable\r\npassed from containerd to ensure the socket is placed in the configured\r\ndirectory with proper permission.\r\n\r\nThis is needed for some rootless cases which do not have permission to\r\nthe default state directory as currently set. The directory being\r\nhardcoded by the shim means it is currently not possible to change the\r\nlocation the shim will listen at.\r\n", + "state": "open", + "merged": false, + "created_at": "2026-01-14T07:30:46Z", + "merged_at": null, + "author": "dmcgowan", + "labels": [ + "area/runtime", + "size/XL" + ] + }, + "12849": { + "title": "Remove image service dependency from podsandbox controller", + "url": "https://github.com/containerd/containerd/pull/12849", + "body": "This PR removes the last significant dependency on internal CRI APIs, opening the path for migration down to the shim. \r\n \r\nI've made several attempts to decouple the `Controller` from the rest of the CRI APIs, but it's challenging without major refactoring (see previous attempts: https://github.com/containerd/containerd/pull/7061). As a result, I've moved pause container pulling back to the CRI layer. 
Since almost every runtime today assumes pause containers anyway, this should not be a significant issue.\r\n \r\nIf/when we come up with a different solution, we can deprecate and remove this. Additionally, we can make this conditional once https://github.com/containerd/containerd/pull/12786 lands.", + "state": "closed", + "merged": true, + "created_at": "2026-02-03T03:21:37Z", + "merged_at": "2026-02-20T22:03:14Z", + "author": "mxpv", + "labels": [ + "area/cri", + "size/L" + ] + }, + "7061": { + "title": "[CRI] Remove image store", + "url": "https://github.com/containerd/containerd/pull/7061", + "body": "This PR refactors CRI and removes in-memory image store in favor of containerd's metadata image store. The goal is to simplify CRI code and rely more on containerd APIs instead of maintaining custom layers.\r\n\r\nSo instead of in-memory cache, this PR relies on containerd’s metadata store (and labels) to keep additional image information needed by CRI. It preserves existing logic with creating a separate image per reference, but now appends appropriate labels, so we can just use boltdb.\r\n\r\nLabels can be appended on demand, on event, or at daemon start - some of these may be removed in 2.0. Currently labels that we add - config digest (that CRI uses for image ID), image size, chain ID, etc.\r\n\r\nIn the new implementation search for image references narrows down to querying metadata store with all records that contain same image ID label. Queries are slower comparing to the original implementation, but boltdb still reasonably fast (also there is room for optimization if that will be a bottleneck). 
", + "state": "closed", + "merged": false, + "created_at": "2022-06-14T23:17:51Z", + "merged_at": null, + "author": "mxpv", + "labels": [ + "area/cri", + "kind/refactor" + ] + }, + "12815": { + "title": "Generate api/next.txtpb and name module", + "url": "https://github.com/containerd/containerd/pull/12815", + "body": "`buf` will generate the protobuf text file which can be used for viewing all protobuf changes in one file and quickly diffing changes.\r\n\r\nAdd a module name to the buf.yaml to allow pushing. With the switch the buf and relative paths, without publishing the containerd protos are not importable without copying locally. Using the buf registy makes this easier for importers. There is no requirement to use the buf registry though.\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-01-24T01:26:54Z", + "merged_at": "2026-01-24T06:49:33Z", + "author": "dmcgowan", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12840": { + "title": "Remove Container field from sandbox metadata", + "url": "https://github.com/containerd/containerd/pull/12840", + "body": "There are multiple places in CRI which assume the use of pause containers and the podsandbox package. Since the goal of the Sandbox API is to abstract away the use of pause containers, we should not make such assumptions. \r\n\r\nThis PR removes the Container object for the pause container from Sandbox metadata. This was primarily used in NRI, so this PR refactors the code to fetch the necessary data from the metadata store instead.\r\n\r\n@chrishenzie could PTAL? 
This updates `nriPodSandbox` to fetch spec from sandbox store instead of task instance (we don't want to access pause container directly), so this, technically, amends lifecycle test, because the spec will remain available after stopping pod sandbox.\r\n\r\n\r\n```release-note\r\nUpdate sandbox API to include spec field\r\n```", + "state": "closed", + "merged": true, + "created_at": "2026-01-31T02:07:50Z", + "merged_at": "2026-02-18T05:33:05Z", + "author": "mxpv", + "labels": [ + "impact/changelog", + "size/XXL" + ] + }, + "12841": { + "title": "Use buf to format proto files", + "url": "https://github.com/containerd/containerd/pull/12841", + "body": "We've integrated `buf` in https://github.com/containerd/containerd/pull/12762 \r\n`buf` comes with an integrated linter and formatter. \r\n \r\nThis PR updates `Makefile` targets to use `buf format` to format proto files. \r\n \r\nOur current proto formatter is pretty rudimentary. It only requires tabs instead of spaces. But would happily pass everything else (like double tabs). \r\n \r\n`buf` is much more sophisticated and can handle pretty complex cases, which is nice.\r\nIt also comes with github actions integration out of the box. \r\n \r\nThe only downside is that `buf` accepts no configuration leaving no way to amend how proto files are formatted. \r\nAnd by default, they use 2 spaces instead of tabs. 
I'm not sure is this is going to be a deal breaker for us", + "state": "closed", + "merged": true, + "created_at": "2026-01-31T02:30:28Z", + "merged_at": "2026-02-07T08:33:02Z", + "author": "mxpv", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12913": { + "title": "api: regenerate and re-vendor protos", + "url": "https://github.com/containerd/containerd/pull/12913", + "body": "Probably related to https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63 (https://github.com/containerd/containerd/pull/12841).\r\n\r\nI got this diff when running `make protos`; let's see if CI agrees it's OK 😅 ", + "state": "closed", + "merged": true, + "created_at": "2026-02-17T13:06:25Z", + "merged_at": "2026-02-24T20:23:18Z", + "author": "thaJeztah", + "labels": [ + "size/XXL", + "go", + "area/toolchain" + ] + }, + "13045": { + "title": "Prepare release notes for api/v1.11.0-beta.0", + "url": "https://github.com/containerd/containerd/pull/13045", + "body": "First step in v2.3 beta process\r\n\r\n----\r\ncontainerd api/v1.11.0-beta.0\r\n\r\nWelcome to the api/v1.11.0-beta.0 release of containerd! \r\n*This is a pre-release of containerd*\r\n\r\nThe 12th release for the containerd 1.x API aligns with the containerd 2.3 release.\r\n\r\n### Highlights\r\n\r\n* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))\r\n\r\nPlease try out the release binaries and report any issues at\r\nhttps://github.com/containerd/containerd/issues.\r\n\r\n### Contributors\r\n\r\n* Maksym Pavlenko\r\n* Derek McGowan\r\n* Sebastiaan van Stijn\r\n* Wei Fu\r\n\r\n### Changes\r\n
17 commits\r\n

\r\n\r\n * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0\r\n* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))\r\n * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos\r\n* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))\r\n * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field\r\n* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))\r\n * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files\r\n * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files\r\n* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))\r\n * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt\r\n * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API\r\n* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))\r\n * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files\r\n * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files\r\n * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/\r\n * 
[`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports\r\n * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files\r\n

\r\n
\r\n\r\n### Dependency Changes\r\n\r\nThis release has no dependency changes\r\n\r\nPrevious release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-03-17T01:35:52Z", + "merged_at": "2026-03-17T17:01:49Z", + "author": "dmcgowan", + "labels": [ + "size/S" + ] + }, + "13091": { + "title": "Add `os.features` support for EROFS native container images", + "url": "https://github.com/containerd/containerd/pull/13091", + "body": "~depends on #13080~ \r\nsupercedes #12784 \r\n\r\n**Note that users still need to explicitly specify the EROFS snapshotter in order to run the EROFS native images by design; it only improves the user experence of the unpacking process**\r\n\r\nFirst, it enhances the transfer service: If no snapshotter is specified and `os.features` contains \"erofs\", unpacking should use the EROFS snapshotter and differ.\r\n\r\nSecond, if no snapshotter is specified, _container run_ selects the default snapshotter. 
However, if `os.features` is set, we should always call `checkSnapshotterSupport()` so that containerd clients can report a clear error instead of the confusing layer extraction error out of overlayfs snapshotter.\r\n\r\nTested by the ubuntu-22.04 multi-manifest image (\"linux/amd64\" and \"linux(+erofs)/amd64\"):\r\n`ctr i pull --platform=\"linux(+erofs)\" docker.io/hsiangkao/ubuntu:22.04-platforms`\r\nand\r\n`ctr run --platform=\"linux(+erofs)/amd64\" --tty docker.io/hsiangkao/ubuntu:22.04-platforms test`\r\nand\r\n`ctr run --platform=\"linux(+erofs)/amd64\" --snapshotter erofs --tty docker.io/hsiangkao/ubuntu:22.04-platforms test`\r\n\r\nScreenshot (`docker.1ms.run` is a connectable mirror of `docker.io`):\r\n\"image\"\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-03-23T02:55:10Z", + "merged_at": "2026-04-01T23:54:55Z", + "author": "hsiangkao", + "labels": [ + "kind/feature", + "size/XL", + "area/distribution" + ] + }, + "13099": { + "title": "build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api", + "url": "https://github.com/containerd/containerd/pull/13099", + "body": "Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.59.0 to 1.79.3.\n
\nRelease notes\n

Sourced from google.golang.org/grpc's releases.

\n
\n

Release 1.79.3

\n

Security

\n\n

Release 1.79.2

\n

Bug Fixes

\n\n

Release 1.79.1

\n

Bug Fixes

\n\n

Release 1.79.0

\n

API Changes

\n\n

Behavior Changes

\n\n

New Features

\n\n

Bug Fixes

\n\n

Performance Improvements

\n\n\n
\n

... (truncated)

\n
\n
\nCommits\n\n
\n
\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/grpc&package-manager=go_modules&previous-version=1.59.0&new-version=1.79.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\nDependabot commands and options\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/containerd/containerd/network/alerts).\n\n
", + "state": "closed", + "merged": true, + "created_at": "2026-03-23T17:02:32Z", + "merged_at": "2026-03-23T19:23:32Z", + "author": "dependabot[bot]", + "labels": [ + "dependencies", + "size/M", + "go" + ] + }, + "13165": { + "title": "Add transfer types for container filesystem copy", + "url": "https://github.com/containerd/containerd/pull/13165", + "body": "Add support for transfering data to and from a container filesystem. This is needed to implement an equivalent of `docker cp` when the runtime cannot/should not directly access to mounted container filesystem.\r\n\r\nUpstreaming the types from Nerdbox (https://github.com/containerd/nerdbox/blob/main/api/proto/nerdbox/types/transfer/v1/filesystem.proto). These are currently being tested at the shim level but adding the type enables transfer plugins to plumb it through to clients. Add support for ctr might not make it in for 2.3 but the API can stabilize and plugins can be implemented.", + "state": "closed", + "merged": true, + "created_at": "2026-04-05T06:14:33Z", + "merged_at": "2026-04-09T05:51:48Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "kind/feature", + "size/XXL" + ] + } + }, + "issues": {} +} \ No newline at end of file diff --git a/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.md b/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.md new file mode 100644 index 0000000..1415546 --- /dev/null +++ b/reports/containerd_release_api_v1.11.0-beta.1_20260411_004052.md 
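Review bot: the `analysis.recommendations` entry cites CVE-2024-7240 for the gRPC `:path` authorization bypass, but that identifier appears nowhere in the data this report was generated from (the release body, the `prs.13099.body` dependabot text, or any commit message), so it is an unsourced claim in a generated artifact; carry the advisory identifier through from the captured grpc-go 1.79.3 release notes or drop it. Two data-quality problems in the same hunk make that worse: the captured release notes lost their content (the `Security`, `Bug Fixes` and `API Changes` headings under `Release 1.79.3` / `1.79.2` / `1.79.0` are followed only by `\n\n`, so the report holds no evidence for the fix it describes), and the `important_items[].reason` classifier marks every PR as "Performance related", including `#13045: Prepare release notes for api/v1.11.0-beta.0` and the unmerged 2022 PR `#7061`, which makes `statistics.important_items: 7` meaningless as a signal. The keyword matcher should at least exclude the release-notes PR and PRs with `"merged": false`, and the HTML-to-text step for dependabot bodies needs to keep the list items inside the `<details>` blocks.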
@@ -0,0 +1,212 @@ +# Containerd 版本发布分析报告 +## containerd API 1.11.0-beta.1 (api/v1.11.0-beta.1) + +### 📋 版本信息 +- **版本标签:** api/v1.11.0-beta.1 +- **版本名称:** containerd API 1.11.0-beta.1 +- **发布时间:** 2026-04-11T00:06:52Z +- **发布者:** github-actions[bot] +- **预发布版本:** 是 +- **草稿状态:** 否 +- **GitHub 链接:** https://github.com/containerd/containerd/releases/tag/api/v1.11.0-beta.1 + +### 🔍 分析统计 +- **分析时间:** 2026-04-11 00:40:52 +- **分析的 PR 数量:** 13 +- **分析的 Issue 数量:** 0 +- **重要项目数量:** 7 + +## 📊 版本概述 +containerd API 1.11.0-beta.1 是一个预发布版本,为即将到来的 containerd 2.3 版本奠定 API 基础,核心价值在于引入了新的 shim 引导协议、沙箱 API 改进以及容器文件系统复制支持,同时包含重要的 gRPC 安全更新。 + +## 🔒 安全问题修复 +1. ⚠️ gRPC 库安全更新,修复了路径头授权绕过漏洞 - [PR #13099](https://github.com/containerd/containerd/pull/13099) - **风险级别:** 中。影响依赖于 gRPC 拦截器进行路径级权限校验的场景。 + +**🚨 安全建议:** 如果您的环境中使用了受影响的功能,建议优先升级到此版本。 + +## 🐛 重要问题修复 +1. 更新 gRPC 依赖至 1.79.3,修复了路径授权绕过漏洞,该漏洞允许恶意构造的 :path 请求头绕过基于路径的拦截器(如 grpc/authz)的“拒绝”规则 - [PR #13099](https://github.com/containerd/containerd/pull/13099) - **影响:** 如果使用了 gRPC 拦截器进行细粒度授权控制,此漏洞可能导致未授权访问,建议关注并评估风险。 + +## 💥 破坏性变更 +1. 🚨 沙箱 API 元数据中移除了 `Container` 字段,依赖此字段获取 pause 容器信息的插件(如 NRI)需要重构,改为从元数据存储中获取所需数据 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响:** 自定义插件或工具如果直接访问沙箱的 Container 字段,将无法编译或运行,需要适配新的 API。 +2. 🚨 新的 shim 引导协议将逐步弃用原有的 CLI 参数、环境变量等启动参数传递方式。虽然当前是新增而非立即替换,但为未来版本废弃旧方式做准备,shim 实现者需要关注 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响:** 自定义或第三方 shim 需要评估并计划支持新的 BootstrapParams 协议。 + +**⚠️ 升级警告:** 此版本包含破坏性变更,升级前请仔细评估对现有系统的影响。 + +## ✨ 主要变更 +1. 引入 shim 引导协议,统一并标准化 containerd 向 shim 传递配置参数的方式,取代原有的混合传递机制(CLI参数、环境变量、stdin) - [PR #12786](https://github.com/containerd/containerd/pull/12786) +2. 更新沙箱 API,移除元数据中的 Container 字段,改为包含 spec 字段,以抽象化对 pause 容器的依赖 - [PR #12840](https://github.com/containerd/containerd/pull/12840) +3. 为容器文件系统复制(类似 `docker cp`)添加传输类型定义,为未来实现容器与宿主机间安全文件传输提供 API 支持 - [PR #13165](https://github.com/containerd/containerd/pull/13165) +4. 
在平台定义中添加 `os.features` 字段,以原生支持 EROFS 容器镜像,优化解压和运行体验 - [PR #13091](https://github.com/containerd/containerd/pull/13091) + +## 🚀 性能优化 +1. 将 Protobuf 构建工具从 protobuild 迁移至 buf,简化 CI/本地构建依赖,提高代码生成的可复现性,并为未来引入 API 破坏性变更检测、代码规范检查等能力铺平道路 - [PR #12762](https://github.com/containerd/containerd/pull/12762) - **提升:** 主要提升开发效率和工具链现代化水平。 +2. 新的 shim 引导协议使用 Protobuf 替代 JSON 和混合传递方式,有望简化 shim 启动逻辑,提高参数传递的效率和可维护性 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **提升:** 改善启动流程的健壮性和未来可扩展性。 + +## 🎯 风险评估 +整体风险评估:中等。作为 API 的 Beta 预发布版,其本身不直接用于生产环境,因此直接升级风险低。然而,版本中预示的 API 变化(特别是破坏性变更)为未来 containerd 2.3 的升级带来了必须提前准备的中等风险。建议的升级时机是在 containerd 2.3 正式发布并经过充分测试后。需要特别关注的方面是:1) 所有自定义或第三方 shim 对新引导协议的兼容性;2) 依赖沙箱内部结构的插件或监控工具的适配情况;3) gRPC 安全修复在现有分支的落地情况。 + +## 📋 升级建议 +1. **当前版本为 Beta 预发布版,不建议在生产环境直接升级。** 主要目的是供开发者和生态插件作者进行兼容性测试。 +2. 建议安全团队评估 gRPC 授权绕过漏洞(CVE-2024-7240)对现有环境的影响,并考虑在当前的稳定版本(如 1.6.x 或 1.7.x)中向后移植此安全修复。 +3. 插件和工具开发者应重点关注两项破坏性变更(沙箱 API 和 shim 引导协议),并开始适配工作,为 containerd 2.3 的正式发布做准备。 +4. 关注 EROFS 镜像支持特性,如果计划使用 EROFS 作为容器镜像格式,可以开始测试相关工作流。 + +## 📋 Release 包含的变更 + +### PR #12762: Migrate from protobuild to buf +- **链接:** https://github.com/containerd/containerd/pull/12762 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12762:** Migrate from protobuild to buf +**标签:** size/XXL, area/toolchain + +**PR内容:** This PR migrates from `Protobuild` (which we all love and use for quite some time) to [`buf`](https://github.com/bufbuild/buf) to manage our proto files. + +Immediate benefits: +- No need to install `protoc` dependency. Mush simpler [CI setup](https://github.com/containerd/containerd/pull/12762/changes/edb... 
+ +### PR #12786: Introduce shim bootstrap protocol +- **链接:** https://github.com/containerd/containerd/pull/12786 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** impact/changelog, size/XXL +- **变更说明:** + **PR #12786:** Introduce shim bootstrap protocol +**标签:** impact/changelog, size/XXL + +**PR内容:** Containerd needs to pass a bunch of parameters from the daemon down to the shim. Historically, we introduced several mechanisms to do it: +- CLI arguments (-namespace, -id, -address, -publish-binary, -debug) +- Env variables (TTRPC_ADDRESS, GRPC_ADDRESS, NAMESPACE, MAX_SHIM_VERSION, GOMAXPROCS, SCHED... + +### PR #12815: Generate api/next.txtpb and name module +- **链接:** https://github.com/containerd/containerd/pull/12815 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12815:** Generate api/next.txtpb and name module +**标签:** size/XXL, area/toolchain + +**PR内容:** `buf` will generate the protobuf text file which can be used for viewing all protobuf changes in one file and quickly diffing changes. + +Add a module name to the buf.yaml to allow pushing. With the switch the buf and relative paths, without publishing the containerd protos are not importable with... + +### PR #12840: Remove Container field from sandbox metadata +- **链接:** https://github.com/containerd/containerd/pull/12840 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** impact/changelog, size/XXL +- **变更说明:** + **PR #12840:** Remove Container field from sandbox metadata +**标签:** impact/changelog, size/XXL + +**PR内容:** There are multiple places in CRI which assume the use of pause containers and the podsandbox package. Since the goal of the Sandbox API is to abstract away the use of pause containers, we should not make such assumptions. ... 
+ +### PR #12841: Use buf to format proto files +- **链接:** https://github.com/containerd/containerd/pull/12841 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12841:** Use buf to format proto files +**标签:** size/XXL, area/toolchain + +**PR内容:** We've integrated `buf` in https://github.com/containerd/containerd/pull/12762 +`buf` comes with an integrated linter and formatter. ... + +### PR #12913: api: regenerate and re-vendor protos +- **链接:** https://github.com/containerd/containerd/pull/12913 +- **状态:** closed +- **已合并:** 是 +- **作者:** thaJeztah +- **标签:** size/XXL, go, area/toolchain +- **变更说明:** + **PR #12913:** api: regenerate and re-vendor protos +**标签:** size/XXL, go, area/toolchain + +**PR内容:** Probably related to https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63 (https://github.com/containerd/containerd/pull/12841). + +I got this diff when running `make protos`; let's see if CI agrees it's OK 😅 ... + +### PR #13045: Prepare release notes for api/v1.11.0-beta.0 +- **链接:** https://github.com/containerd/containerd/pull/13045 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** size/S +- **变更说明:** + **PR #13045:** Prepare release notes for api/v1.11.0-beta.0 +**标签:** size/S + +**PR内容:** First step in v2.3 beta process + +---- +containerd api/v1.11.0-beta.0 + +Welcome to the api/v1.11.0-beta.0 release of containerd! +*This is a pre-release of containerd* + +The 12th release for the containerd 1.x API aligns with the containerd 2.3 release. + +### Highlights + +* Update sandbox API to include... 
+ +### PR #13091: Add `os.features` support for EROFS native container images +- **链接:** https://github.com/containerd/containerd/pull/13091 +- **状态:** closed +- **已合并:** 是 +- **作者:** hsiangkao +- **标签:** kind/feature, size/XL, area/distribution +- **变更说明:** + **PR #13091:** Add `os.features` support for EROFS native container images +**标签:** kind/feature, size/XL, area/distribution + +**PR内容:** ~depends on #13080~ +supercedes #12784 + +**Note that users still need to explicitly specify the EROFS snapshotter in order to run the EROFS native images by design; it only improves the user experence of the unpacking process** + +First, it enhances the trans... + +### PR #13099: build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api +- **链接:** https://github.com/containerd/containerd/pull/13099 +- **状态:** closed +- **已合并:** 是 +- **作者:** dependabot[bot] +- **标签:** dependencies, size/M, go +- **变更说明:** + **PR #13099:** build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api +**标签:** dependencies, size/M, go + +**PR内容:** Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.59.0 to 1.79.3. +
+Release notes +

Sourced from google.golang.org/grpc's releases.

+
+

R... + +### PR #13165: Add transfer types for container filesystem copy +- **链接:** https://github.com/containerd/containerd/pull/13165 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, kind/feature, size/XXL +- **变更说明:** + **PR #13165:** Add transfer types for container filesystem copy +**标签:** impact/changelog, kind/feature, size/XXL + +**PR内容:** Add support for transfering data to and from a container filesystem. This is needed to implement an equivalent of `docker cp` when the runtime cannot/should not directly access to mounted container filesystem. + +Upstreaming the types from Nerdbox (https://github.com/conta... + +--- +*本报告由 Containerd Release Tracker 自动生成* \ No newline at end of file
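Review bot: the CVE identifier cited in 升级建议 item 2 (`CVE-2024-7240`) does not appear in any of the PR data the report is built from; the PR #13099 entry records only a dependency bump of google.golang.org/grpc from 1.59.0 to 1.79.3, and the 安全问题修复 and 重要问题修复 entries for that same PR carry no CVE. In an auto-generated report every identifier must be traceable to a source (the bumped dependency's release notes or a GitHub advisory link), so either place that link next to the ID or drop the ID. Smaller points: PR #13099 is described twice with near-identical text, once under 安全问题修复 and again under 重要问题修复, so one entry should go; the protobuild-to-buf migration (PR #12762) is a toolchain change and does not belong under 性能优化; and the collapsible release-notes section of the dependabot PR body lands in the markdown as loose fragments ("Release notes", "Sourced from google.golang.org/grpc's releases.", "R..."), which suggests the generator should strip HTML from PR bodies before embedding them and apply the length truncation after stripping.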