diff --git a/reports/containerd_release_v2.2.3_20260414_184052.json b/reports/containerd_release_v2.2.3_20260414_184052.json new file mode 100644 index 0000000..fae1dc7 --- /dev/null +++ b/reports/containerd_release_v2.2.3_20260414_184052.json 
@@ -0,0 +1,467 @@ +{ + "metadata": { + "generated_at": "2026-04-14T18:41:30.816012", + "tool": "containerd-release-tracker", + "version": "1.0.0" + }, + "release": { + "tag_name": "v2.2.3", + "name": "containerd 2.2.3", + "body": "Welcome to the v2.2.3 release of containerd!\n\nThe third patch release for containerd 2.2 contains various fixes\nand updates including a security patch.\n\n### Security Updates\n\n* **spdystream**\n * [**CVE-2026-35469**](https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2)\n\n### Highlights\n\n#### Container Runtime Interface (CRI)\n\n* Preserve cgroup mount options for privileged containers ([#13120](https://github.com/containerd/containerd/pull/13120))\n* Ensure UpdatePodSandbox returns Unimplemented instead of a generic error ([#13023](https://github.com/containerd/containerd/pull/13023))\n\n#### Go client\n\n* Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#13015](https://github.com/containerd/containerd/pull/13015))\n\n#### Image Distribution\n\n* Enable mount manager in diff walking to fix layer extraction errors with some snapshotters (e.g., EROFS) ([#13198](https://github.com/containerd/containerd/pull/13198))\n* Apply hardening to prevent TOCTOU race during tar extraction ([#12971](https://github.com/containerd/containerd/pull/12971))\n\n#### Runtime\n\n* Restore support for client-mounted roots in Windows containers using process isolation ([#13195](https://github.com/containerd/containerd/pull/13195))\n* Update runc to v1.3.5 ([#13061](https://github.com/containerd/containerd/pull/13061))\n* Apply absolute symlink resolution to /etc/group in OCI spec to fix lookups on NixOS-style systems ([#13019](https://github.com/containerd/containerd/pull/13019))\n* Handle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24 ([#13015](https://github.com/containerd/containerd/pull/13015))\n\n#### Snapshotters\n\n* Fix bug that caused whiteouts to be 
ignored when parallel unpack was used ([#13125](https://github.com/containerd/containerd/pull/13125))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Samuel Karp\n* Sebastiaan van Stijn\n* Maksym Pavlenko\n* Chris Henzie\n* Derek McGowan\n* Paulo Oliveira\n* Henry Wang\n* Phil Estes\n* Wei Fu\n* Akihiro Suda\n* Gao Xiang\n* Ricardo Branco\n* Shachar Tal\n\n### Changes\n
40 commits\n

\n\n* Prepare release notes for v2.2.3 ([#13224](https://github.com/containerd/containerd/pull/13224))\n * [`8a0f4ed5d`](https://github.com/containerd/containerd/commit/8a0f4ed5d360171d62ca625bc93f393a36241189) Prepare release notes for v2.2.3\n* update github.com/moby/spdystream v0.5.1 ([#13217](https://github.com/containerd/containerd/pull/13217))\n * [`31bd34a06`](https://github.com/containerd/containerd/commit/31bd34a064dc7136413efde09b99a2bdd14dabe9) update github.com/moby/spdystream v0.5.1\n* vendor: github.com/klauspost/compress v1.18.5 ([#13197](https://github.com/containerd/containerd/pull/13197))\n * [`1336f6c45`](https://github.com/containerd/containerd/commit/1336f6c45d25c674963e5cb86ee1ea522e6f513e) vendor: github.com/klauspost/compress v1.18.5\n* diff/walking: enable mount manager ([#13198](https://github.com/containerd/containerd/pull/13198))\n * [`409f75be8`](https://github.com/containerd/containerd/commit/409f75be8791d53e2e4e96ab060d8db56fd46b1e) diff/walking: enable mount manager\n* update runhcs to v0.14.1 ([#13195](https://github.com/containerd/containerd/pull/13195))\n * [`3f33146c1`](https://github.com/containerd/containerd/commit/3f33146c1c199f1d9479d791b105197cebf7b1bc) update runhcs to v0.14.1\n* vendor: github.com/Microsoft/hcsshim v0.14.1 ([#13196](https://github.com/containerd/containerd/pull/13196))\n * [`8bd1b74e5`](https://github.com/containerd/containerd/commit/8bd1b74e5dbcd6aad671666e13861a6c8a7bf13c) vendor: github.com/Microsoft/hcsshim v0.14.1\n * [`c6b0be8e1`](https://github.com/containerd/containerd/commit/c6b0be8e1317166d53a05c308db3223293f36f85) vendor: github.com/Microsoft/hcsshim v0.14.0\n* update to Go 1.25.9, 1.26.2 ([#13190](https://github.com/containerd/containerd/pull/13190))\n * [`2ecde8cfe`](https://github.com/containerd/containerd/commit/2ecde8cfe12320fefd05e08c83e413a4046bb72c) update to Go 1.25.9, 1.26.2\n* Skip TestExportAndImportMultiLayer on s390x ([#13154](https://github.com/containerd/containerd/pull/13154))\n 
* [`be554f478`](https://github.com/containerd/containerd/commit/be554f478ceb629d3dc3fbd5331b9167cc7a4870) Skip TestExportAndImportMultiLayer on s390x\n* Tweak mount info for overlayfs in case of parallel unpack ([#13125](https://github.com/containerd/containerd/pull/13125))\n * [`660de195b`](https://github.com/containerd/containerd/commit/660de195b07db576cbe8aab53a4b6e87cc931347) Tweak mount info for overlayfs in case of parallel unpack\n * [`bc9274a4b`](https://github.com/containerd/containerd/commit/bc9274a4b05342ba1096c73ce6ce8a505ce243ce) Add integration test for issue 13030\n* Preserve cgroup mount options for privileged containers ([#13120](https://github.com/containerd/containerd/pull/13120))\n * [`c387890b5`](https://github.com/containerd/containerd/commit/c387890b582324c4cf11e940efe4268a21524ed6) Add integration test for privileged container cgroup mounts\n * [`047a335a6`](https://github.com/containerd/containerd/commit/047a335a69d66e673ddc155fed779152e00a5652) Forward RUNC_FLAVOR env var down to integration tests\n * [`9b2d72ee0`](https://github.com/containerd/containerd/commit/9b2d72ee03b548c8344cd243670e06f863a701a2) Preserve host cgroup mount options for privileged containers\n * [`5b66cd6a0`](https://github.com/containerd/containerd/commit/5b66cd6a0902b7927eeb8107bb5a30d78436eaa3) Move cgroup namespace placement higher in spec builder\n* update runc binary to v1.3.5 ([#13061](https://github.com/containerd/containerd/pull/13061))\n * [`584205c2f`](https://github.com/containerd/containerd/commit/584205c2fa986334d22b840293b1060b10ab724e) [release/2.2] update runc binary to v1.3.5\n* Fix vagrant on CI ([#13066](https://github.com/containerd/containerd/pull/13066))\n * [`77c6886df`](https://github.com/containerd/containerd/commit/77c6886df6510bf1ac9326436e7b371a28eb5678) Ignore NOCHANGE error\n* Fix TOCTOU race bug in tar extraction ([#12971](https://github.com/containerd/containerd/pull/12971))\n * 
[`fbed68b8f`](https://github.com/containerd/containerd/commit/fbed68b8fb97b778b0caf68167cb0c4ab4af27df) Fix TOCTOU race bug in tar extraction\n* cri: UpdatePodSandbox should return Unimplemented ([#13023](https://github.com/containerd/containerd/pull/13023))\n * [`a83510103`](https://github.com/containerd/containerd/commit/a835101036b106386be8e5b433d5ca0f1f0529cd) cri: UpdatePodSandbox should return Unimplemented\n* fix(oci): apply absolute symlink resolution to /etc/group ([#13019](https://github.com/containerd/containerd/pull/13019))\n * [`ee4179e52`](https://github.com/containerd/containerd/commit/ee4179e5212c09e7bc4c429bf5b77eabb2b84662) fix(oci): apply absolute symlink resolution to /etc/group\n* fix(oci): handle absolute symlinks in rootfs user lookup ([#13015](https://github.com/containerd/containerd/pull/13015))\n * [`fd061b848`](https://github.com/containerd/containerd/commit/fd061b84887177b969e8f8e2499e780341cde0ae) test(oci): use fstest and mock fs for better symlink coverage\n * [`5d44d2c22`](https://github.com/containerd/containerd/commit/5d44d2c220d6296156c1c4fe3a500958667a3708) fix(oci): handle absolute symlinks in rootfs user lookup\n* update to go1.25.8, test go1.26.1 ([#13011](https://github.com/containerd/containerd/pull/13011))\n * [`00c776f07`](https://github.com/containerd/containerd/commit/00c776f075f06e4eeb4bfd97e23b3331c5c96bbc) update to go1.25.8, test go1.26.1\n

\n
\n\n### Dependency Changes\n\n* **github.com/Microsoft/hcsshim** v0.14.0-rc.1 -> v0.14.1\n* **github.com/klauspost/compress** v1.18.1 -> v1.18.5\n* **github.com/moby/spdystream** v0.5.0 -> v0.5.1\n\nPrevious release can be found at [v2.2.2](https://github.com/containerd/containerd/releases/tag/v2.2.2)\n### Which file should I download?\n* `containerd---.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).\n* `containerd-static---.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.\n\nIn addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)\nand [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.\n\nSee also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.\n", + "published_at": "2026-04-14T17:38:30Z", + "prerelease": false, + "draft": false, + "html_url": "https://github.com/containerd/containerd/releases/tag/v2.2.3", + "author": "github-actions[bot]" + }, + "analysis": { + "summary": "containerd 2.2.3 是一个重要的补丁版本,主要修复了多个影响容器创建、镜像解压和安全性的关键Bug,并包含一个安全更新。", + "key_changes": [ + "修复特权容器cgroup挂载选项,防止意外修改主机cgroup设置 - [PR #13120](https://github.com/containerd/containerd/pull/13120)", + "确保UpdatePodSandbox返回正确的Unimplemented错误码,改善Kubernetes兼容性 - [PR #13023](https://github.com/containerd/containerd/pull/13023)", + "修复并行解压时忽略whiteout文件的问题,确保文件系统层正确性 - [PR #13125](https://github.com/containerd/containerd/pull/13125)", + "更新runc至v1.3.5,包含上游修复和改进 - [PR #13061](https://github.com/containerd/containerd/pull/13061)" + ], + "important_bugfixes": [ + "修复绝对符号链接处理:解决使用Go 1.24时,因/etc/passwd或/etc/group为绝对符号链接导致容器创建失败的问题 - [PR #13015](https://github.com/containerd/containerd/pull/13015) - **影响:** 使用NixOS风格镜像或类似配置的系统将无法创建容器", + "修复tar提取中的TOCTOU竞争条件:增强安全性,防止潜在的竞争条件攻击 - [PR 
#12971](https://github.com/containerd/containerd/pull/12971) - **影响:** 降低在镜像提取过程中因竞争条件导致的安全风险", + "修复并行解压时忽略whiteout文件的问题:确保在启用`max_concurrent_unpacks`时,被删除的文件正确隐藏 - [PR #13125](https://github.com/containerd/containerd/pull/13125) - **影响:** 已删除的文件可能错误地出现在容器文件系统中,导致应用行为异常", + "为/etc/group应用绝对符号链接解析:扩展修复范围,确保组信息查找也支持绝对符号链接 - [PR #13019](https://github.com/containerd/containerd/pull/13019) - **影响:** 与上述/etc/passwd问题类似,影响用户组解析和容器启动" + ], + "security_issues": [ + "更新spdystream依赖以修复CVE-2026-35469 - [PR #13217](https://github.com/containerd/containerd/pull/13217) - **风险级别:** 中(具体细节需参考上游公告)", + "修复tar提取中的TOCTOU竞争条件漏洞 - [PR #12971](https://github.com/containerd/containerd/pull/12971) - **风险级别:** 低(属于防御性加固)", + "更新Go至1.25.8/1.26.2,包含多个Go运行时安全修复(如crypto/x509, html/template等) - [PR #13011](https://github.com/containerd/containerd/pull/13011) - **风险级别:** 中(修复了Go标准库中的安全漏洞)" + ], + "performance_improvements": [ + "在差异计算中启用挂载管理器,修复使用某些快照程序(如EROFS)时的层提取错误 - [PR #13198](https://github.com/containerd/containerd/pull/13198) - **提升:** 提高与特定文件系统和快照程序的兼容性,减少提取失败", + "更新Go版本至1.25.9和1.26.2,通常包含性能改进和垃圾回收优化 - [PR #13190](https://github.com/containerd/containerd/pull/13190) - **提升:** 整体运行时性能和稳定性提升" + ], + "breaking_changes": [ + "无明显的破坏性变更。此版本主要为向后兼容的Bug修复和安全更新。" + ], + "recommendations": [ + "**建议尽快安排升级**,特别是如果您使用NixOS风格镜像、启用了并行解压(`max_concurrent_unpacks > 1`),或运行特权容器。", + "升级前,请在测试环境中验证与您的工作负载的兼容性,重点关注容器创建和镜像拉取流程。", + "如果您的环境对安全性要求高,应优先考虑此版本,因为它包含了Go语言的安全修复和一个CVE修复。", + "升级时,建议同时将`runc`更新至v1.3.5,以获取完整的运行时修复。", + "对于使用Windows容器并采用进程隔离的场景,此版本修复了客户端挂载根目录的支持,相关用户应进行验证。" + ], + "risk_assessment": "整体风险评估:**低风险**。这是一个补丁版本,主要包含关键Bug修复和安全更新,未引入新功能或架构变更。建议在下一个维护窗口安排升级。需要特别关注的方面是:1) 特权容器的cgroup行为变化;2) 绝对符号链接处理的修复是否会影响现有基于NixOS或类似定制镜像的容器。升级后应监控容器创建成功率和运行时稳定性。" + }, + "statistics": { + "analyzed_prs": 19, + "analyzed_issues": 2, + "important_items": 17 + }, + "important_items": [ + { + "type": "PR", + "title": "#12971: [release/2.2] Fix TOCTOU race bug in tar extraction", + "reason": "Cherry-pick or 
backport" + }, + { + "type": "PR", + "title": "#12961: Fix TOCTOU race bug in tar extraction", + "reason": "Contains 'security'; Has label 'kind/bug'" + }, + { + "type": "PR", + "title": "#13011: [release/2.2 backport] update to go1.25.8, test go1.26.1", + "reason": "Contains 'panic'; Contains 'crash'; Contains 'security'; Cherry-pick or backport; Potential crash issue" + }, + { + "type": "PR", + "title": "#12985: update to go1.25.8, test go1.26.1", + "reason": "Contains 'panic'; Contains 'crash'; Contains 'security'; Cherry-pick or backport; Potential crash issue" + }, + { + "type": "PR", + "title": "#13010: [release/2.2] update to go1.25.8, test go1.26.1", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#13015: [release/2.2] fix(oci): handle absolute symlinks in rootfs user lookup", + "reason": "Contains 'regression'; Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12732: fix(oci): handle absolute symlinks in rootfs user lookup", + "reason": "Contains 'regression'; Performance related" + }, + { + "type": "PR", + "title": "#13019: [release/2.2] fix(oci): apply absolute symlink resolution to /etc/group", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#13066: [release/2.2] Fix vagrant on CI", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#13055: Fix vagrant on CI", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#13120: [release/2.2] Preserve cgroup mount options for privileged containers", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12952: Preserve cgroup mount options for privileged containers", + "reason": "Has label 'kind/bug'; Performance related" + }, + { + "type": "PR", + "title": "#13125: [release/2.2] Tweak mount info for overlayfs in case of parallel unpack", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#13115: Tweak mount info for overlayfs in case of parallel unpack", + 
"reason": "Has label 'kind/bug'; Performance related" + }, + { + "type": "PR", + "title": "#13154: [release/2.2] Skip TestExportAndImportMultiLayer on s390x", + "reason": "Cherry-pick or backport" + }, + { + "type": "Issue", + "title": "#12683: [Go 1.24] v2.2.0 fails to create containers from images having /etc/{passwd,group} symlinked to an absolute path", + "reason": "Has label 'kind/bug'" + }, + { + "type": "Issue", + "title": "#13030: whiteout files not honored by max_concurrent_unpacks > 1", + "reason": "Has label 'kind/bug'" + } + ], + "prs": { + "12971": { + "title": "[release/2.2] Fix TOCTOU race bug in tar extraction", + "url": "https://github.com/containerd/containerd/pull/12971", + "body": "This is an automated cherry-pick of #12961\n\n/assign AkihiroSuda\n\n```release-note\nApply hardening to prevent TOCTOU race during tar extraction\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-04T01:05:46Z", + "merged_at": "2026-03-13T16:22:25Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "size/XS", + "area/distribution" + ] + }, + "12961": { + "title": "Fix TOCTOU race bug in tar extraction", + "url": "https://github.com/containerd/containerd/pull/12961", + "body": "See https://github.com/containerd/containerd/security/advisories/GHSA-ww5g-h6rh-8wm3 for a conversation around this particular bug.", + "state": "closed", + "merged": true, + "created_at": "2026-03-02T20:02:21Z", + "merged_at": "2026-03-04T01:03:47Z", + "author": "shachartal", + "labels": [ + "kind/bug", + "size/XS" + ] + }, + "13011": { + "title": "[release/2.2 backport] update to go1.25.8, test go1.26.1", + "url": "https://github.com/containerd/containerd/pull/13011", + "body": "- backport https://github.com/containerd/containerd/pull/12985\r\n- replaces, closes https://github.com/containerd/containerd/pull/13010\r\n\r\ngo1.25.8 (released 2026-03-05) includes security fixes to the html/template, net/url, and os packages, as well as bug fixes 
to the go command, the compiler, and the os package. See the Go 1.25.8 milestone on our issue tracker for details.\r\n\r\n- 1.25.8 https://github.com/golang/go/issues?q=milestone%3AGo1.25.8+label%3ACherryPickApproved\r\n- diff: https://github.com/golang/go/compare/go1.25.7...go1.25.8\r\n- 1.26.1 https://github.com/golang/go/issues?q=milestone%3AGo1.26.1+label%3ACherryPickApproved\r\n- diff: https://github.com/golang/go/compare/go1.26.0...go1.26.1\r\n\r\n---\r\n\r\nWe have just released Go versions 1.26.1 and 1.25.8, minor point releases.\r\n\r\nThese releases include 5 security fixes following the security policy:\r\n\r\ncrypto/x509: incorrect enforcement of email constraints\r\n\r\n- When verifying a certificate chain which contains a certificate containing multiple email address constraints (composed of the full email address) which share common local portions (the portion of the address before the '@' character) but different domain portions (the portion of the address after the '@' character), these constraints will not be properly applied, and only the last constraint will be considered.\r\n\r\n This can allow certificates in the chain containing email addresses which are either not permitted or excluded by the relevant constraints to be returned by calls to Certificate.Verify. 
Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing either not permitted or excluded email addresses.\r\n\r\n This issue only affects Go 1.26.\r\n\r\n Thanks to Jakub Ciolek for reporting this issue.\r\n\r\n This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.\r\n\r\n- crypto/x509: panic in name constraint checking for malformed certificates\r\n\r\n Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.\r\n\r\n Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing malformed DNS names.\r\n\r\n This issue only affects Go 1.26.\r\n\r\n Thanks to Jakub Ciolek for reporting this issue.\r\n\r\n This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.\r\n\r\n- html/template: URLs in meta content attribute actions are not escaped\r\n\r\n Actions which insert URLs into the content attribute of HTML meta tags are not escaped. 
This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\".\r\n\r\n A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0.\r\n\r\n This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.\r\n\r\n- net/url: reject IPv6 literal not at start of host\r\n\r\n The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.\r\n\r\n To prevent this behavior, net/url.Parse now rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL.\r\n\r\n Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.\r\n\r\n This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.\r\n\r\n- os: FileInfo can escape from a Root\r\n\r\n On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.\r\n\r\n The contents of the FileInfo were populated using the lstat system call, which takes the path to the file as a parameter. If a component of the full path of the file described by the FileInfo is replaced with a symbolic link, the target of the lstat can be directed to another location on the filesystem.\r\n\r\n The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem. 
This could be used to probe for the presence or absence of files as well as gleaning metadata like file sizes, but does not permit reading or writing files outside the root.\r\n\r\n The FileInfo is now populated using fstatat.\r\n\r\n Thank you to Miloslav Trmač of Red Hat for reporting this issue.\r\n\r\n This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.\r\n\r\n\r\n(cherry picked from commit 38b3e4c4aa6b39518c7eb2e86376099fe195ea82)", + "state": "closed", + "merged": true, + "created_at": "2026-03-11T09:02:26Z", + "merged_at": "2026-03-11T14:19:24Z", + "author": "thaJeztah", + "labels": [ + "size/S", + "go", + "area/toolchain" + ] + }, + "12985": { + "title": "update to go1.25.8, test go1.26.1", + "url": "https://github.com/containerd/containerd/pull/12985", + "body": "go1.25.8 (released 2026-03-05) includes security fixes to the html/template, net/url, and os packages, as well as bug fixes to the go command, the compiler, and the os package. See the Go 1.25.8 milestone on our issue tracker for details.\r\n\r\n- 1.25.8 https://github.com/golang/go/issues?q=milestone%3AGo1.25.8+label%3ACherryPickApproved\r\n- diff: https://github.com/golang/go/compare/go1.25.7...go1.25.8\r\n- 1.26.1 https://github.com/golang/go/issues?q=milestone%3AGo1.26.1+label%3ACherryPickApproved\r\n- diff: https://github.com/golang/go/compare/go1.26.0...go1.26.1\r\n\r\n---\r\n\r\nWe have just released Go versions 1.26.1 and 1.25.8, minor point releases.\r\n\r\nThese releases include 5 security fixes following the security policy:\r\n\r\ncrypto/x509: incorrect enforcement of email constraints\r\n\r\n- When verifying a certificate chain which contains a certificate containing multiple email address constraints (composed of the full email address) which share common local portions (the portion of the address before the '@' character) but different domain portions (the portion of the address after the '@' character), these constraints will not be properly applied, and only the last 
constraint will be considered.\r\n\r\n This can allow certificates in the chain containing email addresses which are either not permitted or excluded by the relevant constraints to be returned by calls to Certificate.Verify. Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing either not permitted or excluded email addresses.\r\n\r\n This issue only affects Go 1.26.\r\n\r\n Thanks to Jakub Ciolek for reporting this issue.\r\n\r\n This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.\r\n\r\n- crypto/x509: panic in name constraint checking for malformed certificates\r\n\r\n Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.\r\n\r\n Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing malformed DNS names.\r\n\r\n This issue only affects Go 1.26.\r\n\r\n Thanks to Jakub Ciolek for reporting this issue.\r\n\r\n This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.\r\n\r\n- html/template: URLs in meta content attribute actions are not escaped\r\n\r\n Actions which insert URLs into the content attribute of HTML meta tags are not escaped. 
This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\".\r\n\r\n A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0.\r\n\r\n This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.\r\n\r\n- net/url: reject IPv6 literal not at start of host\r\n\r\n The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.\r\n\r\n To prevent this behavior, net/url.Parse now rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL.\r\n\r\n Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.\r\n\r\n This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.\r\n\r\n- os: FileInfo can escape from a Root\r\n\r\n On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.\r\n\r\n The contents of the FileInfo were populated using the lstat system call, which takes the path to the file as a parameter. If a component of the full path of the file described by the FileInfo is replaced with a symbolic link, the target of the lstat can be directed to another location on the filesystem.\r\n\r\n The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem. 
This could be used to probe for the presence or absence of files as well as gleaning metadata like file sizes, but does not permit reading or writing files outside the root.\r\n\r\n The FileInfo is now populated using fstatat.\r\n\r\n Thank you to Miloslav Trmač of Red Hat for reporting this issue.\r\n\r\n This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.", + "state": "closed", + "merged": true, + "created_at": "2026-03-06T13:48:16Z", + "merged_at": "2026-03-11T04:31:15Z", + "author": "thaJeztah", + "labels": [ + "cherry-pick/1.7.x", + "size/S", + "area/toolchain", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "13010": { + "title": "[release/2.2] update to go1.25.8, test go1.26.1", + "url": "https://github.com/containerd/containerd/pull/13010", + "body": "This is an automated cherry-pick of #12985\n\n/assign thaJeztah", + "state": "closed", + "merged": false, + "created_at": "2026-03-11T08:54:55Z", + "merged_at": null, + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "size/S", + "area/toolchain" + ] + }, + "13015": { + "title": "[release/2.2] fix(oci): handle absolute symlinks in rootfs user lookup", + "url": "https://github.com/containerd/containerd/pull/13015", + "body": "This is an automated cherry-pick of #12732\n\n/assign AkihiroSuda\n\n```release-note\nHandle absolute symlinks in rootfs user lookup to fix regressions when using Go 1.24\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-11T10:33:57Z", + "merged_at": "2026-03-12T06:22:16Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "area/runtime", + "size/L", + "go", + "area/client" + ] + }, + "12732": { + "title": "fix(oci): handle absolute symlinks in rootfs user lookup", + "url": "https://github.com/containerd/containerd/pull/12732", + "body": "### Analysis\r\nThis PR addresses a regression/behavior change introduced with Go 1.24 builds regarding strict path validation in `os.DirFS` (via `os.Root`).\r\n\r\nIn 
scenarios involving container images based on NixOS (or other distributions using absolute symlinks for configuration files), standard files like `/etc/passwd` or `/etc/group` are often symlinks pointing to absolute paths (e.g., `/nix/store/...`).\r\n\r\nIn Go 1.24, calling `root.Open(\"etc/passwd\")` fails with `path escapes from parent` if the symlink target is absolute, even if that target resolves to a valid path within the container's root filesystem context. This breaks container creation for these images.\r\n\r\n### Solution\r\nI introduced a helper function `openUserFile` in `pkg/oci/spec_opts.go` to wrap the file opening logic for `UserFromFS` and `GIDFromFS`.\r\n\r\nThe logic is as follows:\r\n1. Attempt to open the file normally.\r\n2. If `Open` fails, check if the filesystem supports `ReadLink` (using a local interface `readLinker` to maintain compatibility with Go versions prior to 1.23).\r\n3. If the file is an absolute symlink, re-anchor the path relative to the rootfs (stripping the leading `/`) and attempt to open it again.\r\n\r\nThis approach ensures compatibility with NixOS-style images while respecting the safety constraints of the standard library where possible.\r\n\r\n### Testing\r\n- [x] Ran unit tests `go test -v ./pkg/oci/...` (All passed).\r\n- [x] Verified locally with a reproduction test case that mimics the Go 1.24 behavior and the NixOS directory structure.\r\n\r\n**Fixes:** #12683", + "state": "closed", + "merged": true, + "created_at": "2025-12-27T17:50:41Z", + "merged_at": "2026-01-14T01:06:47Z", + "author": "pauloappbr", + "labels": [ + "size/L", + "go", + "area/client", + "cherry-picked/2.2.x" + ] + }, + "13019": { + "title": "[release/2.2] fix(oci): apply absolute symlink resolution to /etc/group", + "url": "https://github.com/containerd/containerd/pull/13019", + "body": "This is an automated cherry-pick of #12925\n\n/assign AkihiroSuda\n\n```release-note\nApply absolute symlink resolution to /etc/group in OCI spec to fix 
lookups on NixOS-style systems\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-12T08:38:16Z", + "merged_at": "2026-03-12T23:23:45Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "area/runtime", + "size/M", + "go" + ] + }, + "12925": { + "title": "fix(oci): apply absolute symlink resolution to /etc/group", + "url": "https://github.com/containerd/containerd/pull/12925", + "body": "This is a follow-up to PR #12732. \r\n\r\nAs noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for `/etc/passwd` during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when `/etc/group` was also an absolute symlink (e.g., in NixOS environments).\r\n\r\nThis patch updates `GIDFromFS`, `getSupplementalGroupsFromFS`, and `WithAppendAdditionalGroups` to use the `openUserFile` helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths.\r\n\r\nFixes #12683\r\n\r\nSigned-off-by: Paulo Oliveira ", + "state": "closed", + "merged": true, + "created_at": "2026-02-20T13:45:24Z", + "merged_at": "2026-03-12T08:37:38Z", + "author": "pauloappbr", + "labels": [ + "cherry-pick/1.7.x", + "size/M", + "go", + "area/client", + "cherry-pick/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "13023": { + "title": "[release/2.2] cri: UpdatePodSandbox should return Unimplemented", + "url": "https://github.com/containerd/containerd/pull/13023", + "body": "errgrpc will correctly translate ErrNotImplemented to GRPC's Unimplemented, but a plain error will be returned directly.\n\n```release-note\nEnsure UpdatePodSandbox returns Unimplemented instead of a generic error\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-12T20:29:09Z", + "merged_at": "2026-03-13T00:37:06Z", + "author": "samuelkarp", + "labels": [ + "impact/changelog", + "area/cri", + "size/XS" + ] + }, 
+ "13061": { + "title": "[release/2.2] update runc binary to v1.3.5", + "url": "https://github.com/containerd/containerd/pull/13061", + "body": "release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.5\r\nfull diff: https://github.com/opencontainers/runc/compare/v1.3.4...v1.3.5\n\n```release-note\nUpdate runc to v1.3.5\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-19T11:46:00Z", + "merged_at": "2026-03-20T13:14:39Z", + "author": "thaJeztah", + "labels": [ + "impact/changelog", + "area/runtime", + "size/XS" + ] + }, + "13066": { + "title": "[release/2.2] Fix vagrant on CI", + "url": "https://github.com/containerd/containerd/pull/13066", + "body": "This is an automated cherry-pick of #13055\n\n/assign estesp", + "state": "closed", + "merged": true, + "created_at": "2026-03-19T14:29:51Z", + "merged_at": "2026-03-19T16:17:37Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "size/XS" + ] + }, + "13055": { + "title": "Fix vagrant on CI", + "url": "https://github.com/containerd/containerd/pull/13055", + "body": "Recent jobs started to fail:\r\n\r\n```bash\r\n default: NOCHANGE: partition 4 is size 123318239. it cannot be grown\r\nThe SSH command responded with a non-zero exit status. Vagrant\r\nassumes that this means the command failed. The output for this command\r\nshould be in the log above. 
Please read the output to determine what\r\nwent wrong.\r\n```\r\n\r\n- https://github.com/containerd/containerd/actions/runs/23276654538/job/67681274802\r\n- https://github.com/containerd/containerd/actions/runs/23273699658/job/67672196780\r\n- https://github.com/containerd/containerd/actions/runs/23273684057/job/67683270990", + "state": "closed", + "merged": true, + "created_at": "2026-03-19T03:00:29Z", + "merged_at": "2026-03-19T06:07:43Z", + "author": "mxpv", + "labels": [ + "size/XS" + ] + }, + "13120": { + "title": "[release/2.2] Preserve cgroup mount options for privileged containers", + "url": "https://github.com/containerd/containerd/pull/13120", + "body": "This is an automated cherry-pick of #12952\n\n/assign chrishenzie\n\n```release-note\nPreserve cgroup mount options for privileged containers\n```\n\n```release-note\nPreserve cgroup mount options for privileged containers\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-25T02:21:57Z", + "merged_at": "2026-03-25T19:27:09Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "area/cri", + "size/L" + ] + }, + "12952": { + "title": "Preserve cgroup mount options for privileged containers", + "url": "https://github.com/containerd/containerd/pull/12952", + "body": "Privileged containers don't have a cgroup namespace, so by default they run in the host's cgroup namespace.\r\nhttps://github.com/containerd/containerd/blob/d1d9d07f1960f7f3648298e44963a263eac87fa5/internal/cri/server/container_create.go#L933-L939\r\n\r\nWhen mounting cgroup2 inside a privileged container, applying a different set of mount options can inadvertently alter the host's shared cgroup2 VFS superblock mount options. 
Because the container's mount options were previously hardcoded, any additional host mount options like `nsdelegate` or `memory_recursiveprot` would be accidentally stripped from the host.\r\n\r\nFixes this issue by reading the host's `/sys/fs/cgroup` mount options during container creation and explicitly including them if the container is privileged.\r\n\r\nAn integration test is also included to verify that the host's cgroup mount options remain unchanged before and after running a privileged container.\r\n\r\nAdditionally updates the Vagrantfile and cri-integration script to forward the `RUNC_FLAVOR` environment variable to conditionally skip the integration test for `crun` until support is added for `nsdelegate`.\r\n\r\nAssisted-by: gemini-cli\r\n\r\n@samuelkarp @Divya063 ", + "state": "closed", + "merged": true, + "created_at": "2026-02-28T09:01:24Z", + "merged_at": "2026-03-24T23:27:57Z", + "author": "chrishenzie", + "labels": [ + "kind/bug", + "area/cri", + "size/L", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "13125": { + "title": "[release/2.2] Tweak mount info for overlayfs in case of parallel unpack", + "url": "https://github.com/containerd/containerd/pull/13125", + "body": "This is an automated cherry-pick of #13115\r\n\r\n/assign samuelkarp\r\n\r\n```release-note\r\nFix bug that caused whiteouts to be ignored when parallel unpack was used\r\n```", + "state": "closed", + "merged": true, + "created_at": "2026-03-25T20:58:38Z", + "merged_at": "2026-03-26T00:45:14Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "area/snapshotters", + "size/L" + ] + }, + "13115": { + "title": "Tweak mount info for overlayfs in case of parallel unpack", + "url": "https://github.com/containerd/containerd/pull/13115", + "body": "Fixes: https://github.com/containerd/containerd/issues/13030\r\n\r\nAlternative to: https://github.com/containerd/containerd/pull/13044\r\n\r\nInstead of changing overlay snapshotter itself, this PR 
updates unpacker logic to tweak the mount info returned by overlay in the parallel case.\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-03-24T18:55:21Z", + "merged_at": "2026-03-25T20:55:43Z", + "author": "henry118", + "labels": [ + "kind/bug", + "size/L", + "cherry-pick/2.2.x" + ] + }, + "13154": { + "title": "[release/2.2] Skip TestExportAndImportMultiLayer on s390x", + "url": "https://github.com/containerd/containerd/pull/13154", + "body": "This is an automated cherry-pick of #13149\n\n/assign samuelkarp", + "state": "closed", + "merged": true, + "created_at": "2026-04-02T19:18:34Z", + "merged_at": "2026-04-02T21:53:48Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "kind/test", + "size/XS" + ] + }, + "13149": { + "title": "Skip TestExportAndImportMultiLayer on s390x", + "url": "https://github.com/containerd/containerd/pull/13149", + "body": "Skip TestExportAndImportMultiLayer on s390x\r\n\r\nThe test image `ghcr.io/containerd/volume-copy-up:2.`1 does not include a manifest for s390x, causing the test to fail with:\r\n\"no manifest found for platform: not found\".", + "state": "closed", + "merged": true, + "created_at": "2026-04-02T16:46:35Z", + "merged_at": "2026-04-02T18:39:42Z", + "author": "ricardobranco777", + "labels": [ + "kind/test", + "cherry-picked/1.7.x", + "size/XS", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + } + }, + "issues": { + "12683": { + "title": "[Go 1.24] v2.2.0 fails to create containers from images having /etc/{passwd,group} symlinked to an absolute path", + "url": "https://github.com/containerd/containerd/issues/12683", + "body": "### Description\n\nContainer creation with containerd 2.2.0 fails with `path escapes from parent` errors for images that contain `/etc/passwd` and `/etc/group` as absolute symlinks.\nPrevious versions of containerd, like 2.1.5 (and 1.7.28), are able to create containers from such images without errors.\nUsing relative symlinks instead of absolute ones for both 
files does not produce the error.\n\nApparently containerd tries to open `/etc/passwd` and `/etc/group` for user and group name resolution[^1] but misinterprets the absolute target path of those symlinks as being rooted in the host's file system rather than the container's file system.\n\n[^1]: https://github.com/containerd/containerd/blob/v2.2.0/vendor/github.com/moby/sys/user/user.go#L274\n\n### Steps to reproduce the issue\n\nTry to run `ctr containers create docker.io/nixos/nix:2.32.2 nixos-2-32-2` on Ubuntu 24.04 with containerd v2.2.0 installed.\nIn that container image `/etc/passwd` is a symlink into `/nix/store/`.\n\n```console\nroot@debug-containerd-220:~# uname -a\nLinux debug-containerd-220 6.8.0-45-generic #45-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 30 12:02:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux\nroot@debug-containerd-220:~# grep -E '^(NAME|VERSION)=' /etc/os-release \nNAME=\"Ubuntu\"\nVERSION=\"24.04.1 LTS (Noble Numbat)\"\nroot@debug-containerd-220:~# apt install containerd.io='2.2.0-*'\nroot@debug-containerd-220:~# containerd --version\ncontainerd containerd.io v2.2.0 1c4457e00facac03ce1d75f7b6777a7a851e5c41\nroot@debug-containerd-220:~# ctr image pull docker.io/nixos/nix:2.32.2\n.......\napplication/vnd.oci.image.index.v1+json sha256:04abdb9c74e0bd20913ca84e4704419af31e49e901cd57253ed8f9762def28fd\nCompleted pull from OCI Registry (docker.io/nixos/nix:2.32.2) elapsed: 24.6s total: 97.3 M (4.0 MiB/s)\nroot@debug-containerd-220:~# ctr containers create docker.io/nixos/nix:2.32.2 nixos-2-32-2\nctr: mount callback failed on /tmp/containerd-mount263707551: openat etc/passwd: path escapes from parent\n```\n\nTo narrow down the issue I've built 3 container images:\n1. one that matches the original\n2. one that has the absolute symlink at `/etc/passwd` replaced with a relative one\n3. 
one that has the absolute symlink at `/etc/passwd` as well as `/etc/group` replaced with relative ones\n\nI observed that container creation succeeds only with the third image.\n\n```console\nroot@debug-containerd-220:~# mkdir ./nix-2-32-2-containerfiles\nroot@debug-containerd-220:~# cat <<\"EOF\" > nix-2-32-2-containerfiles/original\nFROM docker.io/nixos/nix:2.32.2\nEOF\nroot@debug-containerd-220:~# cat <<\"EOF\" > nix-2-32-2-containerfiles/rel-passwd-symlink\nFROM docker.io/nixos/nix:2.32.2\nRUN ln --symbolic --force \"$(realpath --relative-to=/etc /etc/passwd)\" /etc/passwd\nEOF\nroot@debug-containerd-220:~# cat <<\"EOF\" > nix-2-32-2-containerfiles/rel-passwd-group-symlink\nFROM docker.io/nixos/nix:2.32.2\nRUN \\\n\tln --symbolic --force \"$(realpath --relative-to=/etc /etc/passwd)\" /etc/passwd; \\\n\tln --symbolic --force \"$(realpath --relative-to=/etc /etc/group)\" /etc/group\nEOF\nroot@debug-containerd-220:~# \nroot@debug-containerd-220:~# mkdir ./empty-dir\nroot@debug-containerd-220:~# for containerfile in nix-2-32-2-containerfiles/*; do podman build --tag localhost/nix-2-32-2:$(basename $containerfile) --file $containerfile ./empty-dir; podman image save localhost/nix-2-32-2:$(basename $containerfile) | ctr image import /dev/stdin; done\n.......\nSuccessfully tagged localhost/nix-2-32-2:original\nSuccessfully tagged docker.io/nixos/nix:2.32.2\nf9b3c7811e275e67142fd4cd66a4ae1bd90ae3dd7d50b5e839b1a000690800a1\nlocalhost/nix 2 32 2:original \tsaved\t\napplication/vnd.docker.distribution.manifest.v2+json sha256:e233d4e348d00873f4136271143e988790564d3f3eac13ac05ec8fda418755f7\n.......\nSuccessfully tagged localhost/nix-2-32-2:rel-passwd-group-symlink\n947f41d91c5c423efb85c089312579f3551a5defb9f7df3f1878fef85ffc77f9\nlocalhost/nix 2 32 2:rel passwd group sy\tsaved\t\napplication/vnd.docker.distribution.manifest.v2+json sha256:423394ddd5fb52ce13c9ee71f5326a3c9d25db0e32a1c506efe41515d4bbdc02\n.......\nSuccessfully tagged 
localhost/nix-2-32-2:rel-passwd-symlink\n8f6201eaf0ce9e89fc7aed5e9c4442349a7a46c36cf363f35c2f51f331ade829\nlocalhost/nix 2 32 2:rel passwd symlink \tsaved\t\napplication/vnd.docker.distribution.manifest.v2+json sha256:51a0a6acdcfb2d30b1db1d73804f5dd19d928f1269a9431a857929fc8ccf5c21\n.......\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:original nix-2-32-2-original\nctr: mount callback failed on /tmp/containerd-mount3757137550: openat etc/passwd: path escapes from parent\nroot@debug-containerd-220:~# echo $?\n1\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:rel-passwd-symlink nix-2-32-2-rel-passwd-symlink\nctr: mount callback failed on /tmp/containerd-mount2612271920: openat etc/group: path escapes from parent\nroot@debug-containerd-220:~# echo $?\n1\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:rel-passwd-group-symlink nix-2-32-2-rel-passwd-group-symlink\nroot@debug-containerd-220:~# echo $?\n0\nroot@debug-containerd-220:~# \n```\n\nI've also tested all 3 images against containerd 2.1.5 which yielded no errors.\n\n```console\nroot@debug-containerd-220:~# apt remove --purge containerd.io && apt install containerd.io='2.1.5-*'\n.......\nroot@debug-containerd-220:~# ctr container delete nix-2-32-2-original nix-2-32-2-rel-passwd-group-symlink nix-2-32-2-rel-passwd-symlink\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:original nix-2-32-2-original\nroot@debug-containerd-220:~# echo $?\n0\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:rel-passwd-symlink nix-2-32-2-rel-passwd-symlink\nroot@debug-containerd-220:~# echo $?\n0\nroot@debug-containerd-220:~# ctr container create localhost/nix-2-32-2:rel-passwd-group-symlink nix-2-32-2-rel-passwd-group-symlink\nroot@debug-containerd-220:~# echo $?\n0\n```\n\n### Describe the results you received and expected\n\nTrying to create a container from the `docker.io/nixos/nix:2.32.2` image with containerd 
2.2.0, fails with `ctr: mount callback failed on /tmp/containerd-mount3757137550: openat etc/passwd: path escapes from parent`.\n\nPrevious versions of containerd, like 2.1.5 (and 1.7.28), are able to create a container from said image without errors.\n\nModifying the image so that `/etc/passwd` and `/etc/group` are relative instead of absolute symlinks, makes containerd 2.2.0 succeed with creating a container.\n\nI expect containerd 2.2.0 to handle absolute symlinks for both files like in previous versions.\n\n### What version of containerd are you using?\n\n```console\nroot@debug-containerd-220:~# containerd --version\ncontainerd containerd.io v2.2.0 1c4457e00facac03ce1d75f7b6777a7a851e5c41\n```\n\n### Any other relevant information\n\ncontainerd 2.2.0 is built with go 1.24.3[^2] whereas containerd 1.7.28 is built with go 1.23.0[^3].\ngo 1.24 introduces a check[^4] that may produce the \"path escapes from parent\" error[^5] that I've experienced.\n\n[^2]: https://github.com/containerd/containerd/blob/v2.2.0/go.mod#L3\n[^3]: https://github.com/containerd/containerd/blob/v2.1.5/go.mod#L3\n[^4]: https://github.com/golang/go/commit/43d90c6a14e7b3fd1b3b8085b8071a09231c4b62#diff-47957b402486ac2a9d4182ae5fa01371df1eb7abab86e1c543b5d1af3fc4deccR15\n[^5]: https://github.com/golang/go/commit/43d90c6a14e7b3fd1b3b8085b8071a09231c4b62#diff-9104369aad12ebcc262dc47f26321742fe4b10d31e30bc53832e869f4a7b3bceR401\n\n### Show configuration if it is related to CRI plugin.\n\n```console\nroot@debug-containerd-220:~# cat /etc/containerd/config.toml \n# Copyright 2018-2022 Docker Inc.\n\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n\n# http://www.apache.org/licenses/LICENSE-2.0\n\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS 
OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\ndisabled_plugins = [\"cri\"]\n\n#root = \"/var/lib/containerd\"\n#state = \"/run/containerd\"\n#subreaper = true\n#oom_score = 0\n\n#[grpc]\n# address = \"/run/containerd/containerd.sock\"\n# uid = 0\n# gid = 0\n\n#[debug]\n# address = \"/run/containerd/debug.sock\"\n# uid = 0\n# gid = 0\n# level = \"info\"\n```", + "state": "closed", + "created_at": "2025-12-13T14:36:11Z", + "closed_at": "2026-03-12T08:37:40Z", + "author": "brunosc-cah", + "labels": [ + "kind/bug", + "area/runtime" + ] + }, + "13030": { + "title": "whiteout files not honored by max_concurrent_unpacks > 1", + "url": "https://github.com/containerd/containerd/issues/13030", + "body": "### Description\n\nWhen running with max_parallel_unpacks > 1, you will not honor whiteout files, meaning files deleted in later layers are present in the final overlayfs.\n\n### Steps to reproduce the issue\n\nKind of a wordy way of reproducing below, running the containerfile with the config makes it clear but I wanted to play around with the `ctr` commands :D \n\nHere's a simple containerfile:\n```\n$ cat Containerfile\nFROM fedora\n\nRUN touch /this-will-be-deleted\nRUN rm /this-will-be-deleted\n\nCMD [\"/bin/bash\", \"-c\", \"if [[ -e /this-will-be-deleted ]]; then exit 1; fi; exit 0\"]\n```\n\nHere's a config.toml\n```\n$ cat /tmp/containerd.toml\nroot = \"/tmp/containerd-test/root\"\nstate = \"/tmp/containerd-test/state\"\n\n[grpc]\n address = \"/tmp/containerd-test/containerd.sock\"\n\n[plugins]\n [plugins.'io.containerd.transfer.v1.local']\n max_concurrent_unpacks = 2\n```\n\nHere's the result pulling, running, and examining the outputs:\n```\n# sudo ctr -a /tmp/containerd-test/containerd.sock images pull docker.io/ajhalaney/whiteout:latest\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image 
content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest fetching image content\ndocker.io/ajhalaney/whiteout:latest saved\n└──manifest (0c0ddd905833) complete |++++++++++++++++++++++++++++++++++++++|\n ├──config (6b43f146ae7a) complete |++++++++++++++++++++++++++++++++++++++|\n ├──layer (6fedc8898b61) extracted |++++++++++++++++++++++++++++++++++++++|\n ├──layer (c08102457b12) extracted |++++++++++++++++++++++++++++++++++++++|\n └──layer (f81a0d9bcd09) extracted |++++++++++++++++++++++++++++++++++++++|\napplication/vnd.oci.image.manifest.v1+json sha256:0c0ddd90583366057cb127a7b2026299f8cadda06a2a025b11222946480e7d7b\nCompleted pull from OCI Registry (docker.io/ajhalaney/whiteout:latest) elapsed: 3.7 s total: 58.0 M (15.5 MiB/s)\n\n# sudo ctr -a /tmp/containerd-test/containerd.sock images ls\nREF TYPE DIGEST SIZE PLATFORMS LABELS\ndocker.io/ajhalaney/whiteout:latest application/vnd.oci.image.manifest.v1+json sha256:0c0ddd90583366057cb127a7b2026299f8cadda06a2a025b11222946480e7d7b 58.0 MiB linux/amd64 -\n\n# sudo ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs ls\nKEY PARENT KIND\nsha256:aa7b92b02603d4da7e30a20768f6e90f871f53c7d8fb008d2a98a35e12d25903 sha256:e95d9d0e6f87fd222a38defaf3ded0b7f009e2d2bed719ae89927a810ba25f75 Committed\nsha256:e95d9d0e6f87fd222a38defaf3ded0b7f009e2d2bed719ae89927a810ba25f75 sha256:fbf251198d865bcc0302539eac8fc14533bce6e70eaa008da56576c9bd2c73ac Committed\nsha256:fbf251198d865bcc0302539eac8fc14533bce6e70eaa008da56576c9bd2c73ac Committed\n\n# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs prepare test-active sha256:aa7b92b02603d4da7e30a20768f6e90f871f53c7d8fb008d2a98a35e12d25903\n\nsudo 
./bin/ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs mounts /tmp/pointless test-active\nmount -t overlay overlay /tmp/pointless -o workdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work,upperdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs,lowerdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs:/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs:/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/1/fs,index=off\n\n# find /tmp/containerd-test/ -name this-will-be-deleted\n/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\n# ls -lah /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\n-rw-r--r--. 1 root root 0 Mar 13 15:28 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\n\n# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock run --rm --snapshotter overlayfs docker.io/ajhalaney/whiteout:latest test\n# echo $?\n1\n```\nYou'd expect to find a character device in layer 3 there to delete the file in overlayfs.\n\n\n\n### Describe the results you received and expected\n\nRedoing the same thing (after cleanup), but with `max_concurrent_unpacks = 1`:\n```\n(skipping setup)\n# find /tmp/containerd-test/ -name this-will-be-deleted\n/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted\n/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\n\n# ls -lah /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\n-rw-r--r--. 
1 root root 0 Mar 13 15:28 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted\nc---------. 1 root root 0, 0 Mar 13 16:26 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted\n\n# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock run --rm --snapshotter overlayfs docker.io/ajhalaney/whiteout:latest test\n# echo $?\n0\n```\nThat works great! \n\n\n### What version of containerd are you using?\n\nv2.2.0-436-gb4848858e b4848858efde49fb53df4aa9023a67b3e98d43a3\n\n### Any other relevant information\n\n\n\n\n### Show configuration if it is related to CRI plugin.\n\n_No response_", + "state": "closed", + "created_at": "2026-03-13T21:30:33Z", + "closed_at": "2026-03-25T20:55:45Z", + "author": "halaney", + "labels": [ + "kind/bug", + "priority/P1", + "area/distribution", + "status/accepted" + ] + } + } +} \ No newline at end of file diff --git a/reports/containerd_release_v2.2.3_20260414_184052.md b/reports/containerd_release_v2.2.3_20260414_184052.md new file mode 100644 index 0000000..724c7dc --- /dev/null +++ b/reports/containerd_release_v2.2.3_20260414_184052.md 
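Review bot: the PR entries store each body verbatim, so the `13120` entry carries the same ```release-note``` block twice, the `13066`, `13120`, `13125` and `13154` cherry-pick bodies are mostly the bot's `/assign ...` command, and the `12683` issue entry embeds the reporter's entire `config.toml`, Apache license header included. Since the markdown summary is generated from these fields, suggest normalizing at collection time: deduplicate release-note blocks, strip `/assign` lines and `Assisted-by:` / `Signed-off-by:` trailers, and cap body length (or keep only the release-note block plus a bounded excerpt). The file also ends without a trailing newline (`\ No newline at end of file`), which will turn every regeneration into a spurious last-line diff.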
@@ -0,0 +1,223 @@ +# Containerd 版本发布分析报告 +## containerd 2.2.3 (v2.2.3) + +### 📋 版本信息 +- **版本标签:** v2.2.3 +- **版本名称:** containerd 2.2.3 +- **发布时间:** 2026-04-14T17:38:30Z +- **发布者:** github-actions[bot] +- **预发布版本:** 否 +- **草稿状态:** 否 +- **GitHub 链接:** https://github.com/containerd/containerd/releases/tag/v2.2.3 + +### 🔍 分析统计 +- **分析时间:** 2026-04-14 18:40:52 +- **分析的 PR 数量:** 19 +- **分析的 Issue 数量:** 2 +- **重要项目数量:** 17 + +## 📊 版本概述 +containerd 2.2.3 是一个重要的补丁版本,主要修复了多个影响容器创建、镜像解压和安全性的关键Bug,并包含一个安全更新。 + +## 🔒 安全问题修复 +1. ⚠️ 更新spdystream依赖以修复CVE-2026-35469 - [PR #13217](https://github.com/containerd/containerd/pull/13217) - **风险级别:** 中(具体细节需参考上游公告) +2. ⚠️ 修复tar提取中的TOCTOU竞争条件漏洞 - [PR #12971](https://github.com/containerd/containerd/pull/12971) - **风险级别:** 低(属于防御性加固) +3. ⚠️ 更新Go至1.25.8/1.26.2,包含多个Go运行时安全修复(如crypto/x509, html/template等) - [PR #13011](https://github.com/containerd/containerd/pull/13011) - **风险级别:** 中(修复了Go标准库中的安全漏洞) + +**🚨 安全建议:** 如果您的环境中使用了受影响的功能,建议优先升级到此版本。 + +## 🐛 重要问题修复 +1. 修复绝对符号链接处理:解决使用Go 1.24时,因/etc/passwd或/etc/group为绝对符号链接导致容器创建失败的问题 - [PR #13015](https://github.com/containerd/containerd/pull/13015) - **影响:** 使用NixOS风格镜像或类似配置的系统将无法创建容器 +2. 修复tar提取中的TOCTOU竞争条件:增强安全性,防止潜在的竞争条件攻击 - [PR #12971](https://github.com/containerd/containerd/pull/12971) - **影响:** 降低在镜像提取过程中因竞争条件导致的安全风险 +3. 修复并行解压时忽略whiteout文件的问题:确保在启用`max_concurrent_unpacks`时,被删除的文件正确隐藏 - [PR #13125](https://github.com/containerd/containerd/pull/13125) - **影响:** 已删除的文件可能错误地出现在容器文件系统中,导致应用行为异常 +4. 为/etc/group应用绝对符号链接解析:扩展修复范围,确保组信息查找也支持绝对符号链接 - [PR #13019](https://github.com/containerd/containerd/pull/13019) - **影响:** 与上述/etc/passwd问题类似,影响用户组解析和容器启动 + +## 💥 破坏性变更 +1. 🚨 无明显的破坏性变更。此版本主要为向后兼容的Bug修复和安全更新。 + +**⚠️ 升级警告:** 此版本包含破坏性变更,升级前请仔细评估对现有系统的影响。 + +## ✨ 主要变更 +1. 修复特权容器cgroup挂载选项,防止意外修改主机cgroup设置 - [PR #13120](https://github.com/containerd/containerd/pull/13120) +2. 确保UpdatePodSandbox返回正确的Unimplemented错误码,改善Kubernetes兼容性 - [PR #13023](https://github.com/containerd/containerd/pull/13023) +3. 
修复并行解压时忽略whiteout文件的问题,确保文件系统层正确性 - [PR #13125](https://github.com/containerd/containerd/pull/13125) +4. 更新runc至v1.3.5,包含上游修复和改进 - [PR #13061](https://github.com/containerd/containerd/pull/13061) + +## 🚀 性能优化 +1. 在差异计算中启用挂载管理器,修复使用某些快照程序(如EROFS)时的层提取错误 - [PR #13198](https://github.com/containerd/containerd/pull/13198) - **提升:** 提高与特定文件系统和快照程序的兼容性,减少提取失败 +2. 更新Go版本至1.25.9和1.26.2,通常包含性能改进和垃圾回收优化 - [PR #13190](https://github.com/containerd/containerd/pull/13190) - **提升:** 整体运行时性能和稳定性提升 + +## 🎯 风险评估 +整体风险评估:**低风险**。这是一个补丁版本,主要包含关键Bug修复和安全更新,未引入新功能或架构变更。建议在下一个维护窗口安排升级。需要特别关注的方面是:1) 特权容器的cgroup行为变化;2) 绝对符号链接处理的修复是否会影响现有基于NixOS或类似定制镜像的容器。升级后应监控容器创建成功率和运行时稳定性。 + +## 📋 升级建议 +1. **建议尽快安排升级**,特别是如果您使用NixOS风格镜像、启用了并行解压(`max_concurrent_unpacks > 1`),或运行特权容器。 +2. 升级前,请在测试环境中验证与您的工作负载的兼容性,重点关注容器创建和镜像拉取流程。 +3. 如果您的环境对安全性要求高,应优先考虑此版本,因为它包含了Go语言的安全修复和一个CVE修复。 +4. 升级时,建议同时将`runc`更新至v1.3.5,以获取完整的运行时修复。 +5. 对于使用Windows容器并采用进程隔离的场景,此版本修复了客户端挂载根目录的支持,相关用户应进行验证。 + +## 📋 Release 包含的变更 + +### PR #12971: [release/2.2] Fix TOCTOU race bug in tar extraction +- **链接:** https://github.com/containerd/containerd/pull/12971 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, size/XS, area/distribution +- **变更说明:** + **PR #12971:** [release/2.2] Fix TOCTOU race bug in tar extraction +**标签:** impact/changelog, size/XS, area/distribution + +**原始PR #12961:** Fix TOCTOU race bug in tar extraction +**原始PR标签:** kind/bug, size/XS +**原始PR内容:** See https://github.com/containerd/containerd/security/advisories/GHSA-ww5g-h6rh-8wm3 for a conversation around this particular bug. + +**Cherry-pick PR内容:** This is an automated che... 
+ +### PR #13011: [release/2.2 backport] update to go1.25.8, test go1.26.1 +- **链接:** https://github.com/containerd/containerd/pull/13011 +- **状态:** closed +- **已合并:** 是 +- **作者:** thaJeztah +- **标签:** size/S, go, area/toolchain +- **变更说明:** + **PR #13011:** [release/2.2 backport] update to go1.25.8, test go1.26.1 +**标签:** size/S, go, area/toolchain + +**原始PR #12985:** update to go1.25.8, test go1.26.1 +**原始PR标签:** cherry-pick/1.7.x, size/S, area/toolchain, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** go1.25.8 (released 2026-03-05) includes security fixes to the html/template, net/url, and os packages, as well as bug fixes to the... + +### PR #13015: [release/2.2] fix(oci): handle absolute symlinks in rootfs user lookup +- **链接:** https://github.com/containerd/containerd/pull/13015 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, area/runtime, size/L, go, area/client +- **变更说明:** + **PR #13015:** [release/2.2] fix(oci): handle absolute symlinks in rootfs user lookup +**标签:** impact/changelog, area/runtime, size/L, go, area/client + +**原始PR #12732:** fix(oci): handle absolute symlinks in rootfs user lookup +**原始PR标签:** size/L, go, area/client, cherry-picked/2.2.x +**原始PR内容:** ### Analysis +This PR addresses a regression/behavior change introduced with Go 1.24 builds regarding s... 
+ +### PR #13019: [release/2.2] fix(oci): apply absolute symlink resolution to /etc/group +- **链接:** https://github.com/containerd/containerd/pull/13019 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, area/runtime, size/M, go +- **变更说明:** + **PR #13019:** [release/2.2] fix(oci): apply absolute symlink resolution to /etc/group +**标签:** impact/changelog, area/runtime, size/M, go + +**原始PR #12925:** fix(oci): apply absolute symlink resolution to /etc/group +**原始PR标签:** cherry-pick/1.7.x, size/M, go, area/client, cherry-pick/2.1.x, cherry-picked/2.2.x +**原始PR内容:** This is a follow-up to PR #12732. + +As noted by @TheColorman, while the pr... + +### PR #13023: [release/2.2] cri: UpdatePodSandbox should return Unimplemented +- **链接:** https://github.com/containerd/containerd/pull/13023 +- **状态:** closed +- **已合并:** 是 +- **作者:** samuelkarp +- **标签:** impact/changelog, area/cri, size/XS +- **变更说明:** + **PR #13023:** [release/2.2] cri: UpdatePodSandbox should return Unimplemented +**标签:** impact/changelog, area/cri, size/XS + +**PR内容:** errgrpc will correctly translate ErrNotImplemented to GRPC's Unimplemented, but a plain error will be returned directly. + +```release-note +Ensure UpdatePodSandbox returns Unimplemented instead of a generic error +```... + +### PR #13061: [release/2.2] update runc binary to v1.3.5 +- **链接:** https://github.com/containerd/containerd/pull/13061 +- **状态:** closed +- **已合并:** 是 +- **作者:** thaJeztah +- **标签:** impact/changelog, area/runtime, size/XS +- **变更说明:** + **PR #13061:** [release/2.2] update runc binary to v1.3.5 +**标签:** impact/changelog, area/runtime, size/XS + +**PR内容:** release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.5 +full diff: https://github.com/opencontainers/runc/compare/v1.3.4...v1.3.5 + +```release-note +Update runc to v1.3.5 +```... 
+ +### PR #13066: [release/2.2] Fix vagrant on CI +- **链接:** https://github.com/containerd/containerd/pull/13066 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** size/XS +- **变更说明:** + **PR #13066:** [release/2.2] Fix vagrant on CI +**标签:** size/XS + +**原始PR #13055:** Fix vagrant on CI +**原始PR标签:** size/XS +**原始PR内容:** Recent jobs started to fail: + +```bash + default: NOCHANGE: partition 4 is size 123318239. it cannot be grown +The SSH command responded with a non-zero exit status. Vagrant +assumes that this means the command failed. The output for this command +should be in t... + +### PR #13120: [release/2.2] Preserve cgroup mount options for privileged containers +- **链接:** https://github.com/containerd/containerd/pull/13120 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, area/cri, size/L +- **变更说明:** + **PR #13120:** [release/2.2] Preserve cgroup mount options for privileged containers +**标签:** impact/changelog, area/cri, size/L + +**原始PR #12952:** Preserve cgroup mount options for privileged containers +**原始PR标签:** kind/bug, area/cri, size/L, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** Privileged containers don't have a cgroup namespace, so by default they run in the host's cgroup names... 
+ +### PR #13125: [release/2.2] Tweak mount info for overlayfs in case of parallel unpack +- **链接:** https://github.com/containerd/containerd/pull/13125 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, area/snapshotters, size/L +- **变更说明:** + **PR #13125:** [release/2.2] Tweak mount info for overlayfs in case of parallel unpack +**标签:** impact/changelog, area/snapshotters, size/L + +**原始PR #13115:** Tweak mount info for overlayfs in case of parallel unpack +**原始PR标签:** kind/bug, size/L, cherry-pick/2.2.x +**原始PR内容:** Fixes: https://github.com/containerd/containerd/issues/13030 + +Alternative to: https://github.com/containerd/containerd/p... + +### PR #13154: [release/2.2] Skip TestExportAndImportMultiLayer on s390x +- **链接:** https://github.com/containerd/containerd/pull/13154 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** kind/test, size/XS +- **变更说明:** + **PR #13154:** [release/2.2] Skip TestExportAndImportMultiLayer on s390x +**标签:** kind/test, size/XS + +**原始PR #13149:** Skip TestExportAndImportMultiLayer on s390x +**原始PR标签:** kind/test, cherry-picked/1.7.x, size/XS, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** Skip TestExportAndImportMultiLayer on s390x + +The test image `ghcr.io/containerd/volume-copy-up:2.`1 does not include a manifest... + +--- +*本报告由 Containerd Release Tracker 自动生成* \ No newline at end of file
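Review bot: the `破坏性变更` section contradicts the warning that follows it: the only item reads `无明显的破坏性变更` yet the next paragraph states `**⚠️ 升级警告:** 此版本包含破坏性变更`, so the warning is evidently emitted unconditionally and should be gated on the breaking-change list actually containing an entry. Two further consistency problems in the generated summary: the security section says PR #13011 updates Go to `1.25.8/1.26.2` and lists `crypto/x509`, while that PR's own title in the detail list is `update to go1.25.8, test go1.26.1` and its quoted body names html/template, net/url and os; and the summary cites PR #13217, #13198 and #13190, none of which appear under `Release 包含的变更` (the header reports 19 PRs analyzed, the detail list shows 10). Suggest validating every PR number and version string in the model-written sections against the collected PR set and titles before rendering. Style: the `变更说明` content is not indented under its bullet, so the `**PR #…:**` lines render as top-level paragraphs instead of nested items, and the file lacks a trailing newline.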