chore(deps): update containerd (main)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
github.com/containerd/containerd/v2	indirect	patch	v2.2.1 -> v2.2.2
github.com/containerd/platforms	indirect	patch	v1.0.0-rc.2 -> v1.0.0-rc.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

containerd/containerd (github.com/containerd/containerd/v2)

v2.2.2: containerd 2.2.2

Compare Source

Welcome to the v2.2.2 release of containerd!

The second patch release for containerd 2.2 contains various fixes and improvements.

Highlights

Container Runtime Interface (CRI)

• Fix migrated CRI image config when using legacy registry mirrors (#​12987)
• Unpack images with per-layer labels for runtime-specific snapshotters (#​12936)
• Fix CNI issue where DEL is never executed after a restart (#​12926)
• Harden error handling to strip potentially-sensitive registry parameters (#​12804)
• Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured (#​12731)
• Use the specified runtime handler when pulling images (#​12721)
• Reduce noisy CDI logs (#​12717)
• Fix regression for pulling encrypted images (#​12712)

Runtime

• Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces (#​12944)
• Fix AppArmor bug disallowing unix domain sockets on newer kernels (#​12897)

ctr development tool

• Fix ctr image mount failing with "no such device" (#​12831)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Maksym Pavlenko
• Akhil Mohan
• Samuel Karp
• Wei Fu
• Michael Zappa
• Phil Estes
• Fabiano Fidêncio
• Jérôme Poulin
• Luke Hinds
• Aadhar Agarwal
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Adeniyi-Jones
• Kazuyoshi Kato
• Rodrigo Campos
• Sebastiaan van Stijn
• You Binhao
• ningmingxiao
• qiuxue

Changes

48 commits

• Prepare release notes for v2.2.2 (#​12998)
  • 7e6ecf434 Prepare release notes for v2.2.2
• Fix migrated CRI image config when using legacy registry mirrors (#​12987)
  • a20dead7c set default config_path in plugin init
• Unpack images with per-layer labels for runtime-specific snapshotters (#​12936)
  • a5f83d8c2 cri: unpack images with per-layer labels for runtime-specific snapshotters
• ci: modprobe xt_comment on almalinux (#​12957)
  • 68855cb0b ci: modprobe xt_comment on almalinux
• Fix unintended dropping of mount flags for read-only bind-mounts in user namespaces (#​12944)
  • ef7a8beb3 core/mount: add test for getUnprivilegedMountFlags
  • 07b2cc07e core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values
• Fix CNI issue where DEL is never executed after a restart (#​12926)
  • 54101116f add integration test for cni result nil
  • d44c4384e address comment
  • f1835270b fix issue where cni del is never executed
• Fix AppArmor bug disallowing unix domain sockets on newer kernels (#​12897)
  • 6c05047b4 apparmor: explicitly set abi/3.0
• ci: add build/test go1.26.0, drop go1.24 (#​12917)
  • 5dbf1b915 update golangci-lint to v2.9.0 with go1.26 support
  • 8ec695ebe remove windows/arm from cross build
  • b9c22a6e3 ci: build/test go1.26.0
• integration: Fix TestImageLoad() failure on CI (#​12906)
  • 09b876a81 integration: Fix TestImageLoad() failure on CI
• cri: Fix image volumes with user namespaces (#​12885)
  • 172ba65b6 cri: Fix image volumes with user namespaces
• update to go1.24.13, go1.25.7 (#​12871)
  • b4240ef87 update to go1.24.13, go1.25.7
  • 94dbfaea7 ci: bump go 1.24.12, 1.25.6
• ci: set fetch-depth for containerd to 0 for version parsing (#​12875)
  • e46a7a286 set fetch-depth for containerd to 0 for version parsing
• Fix ctr image mount failing with "no such device" (#​12831)
  • 1d7908273 core/mount/manager: fix bind mount missing rbind option
  • 3d509bcd3 core/mount/manager: add tests for WithTemporary option
• Harden error handling to strip potentially-sensitive registry parameters (#​12804)
  • cb3ae2119 fix: sanitize error before gRPC return to prevent credential leak in pod events
• bump google.golang.org/grpc from 1.76.0 to 1.78.0 (#​12739)
  • 533a2552e build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0
  • b120237fb build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0
• Fix nil pointer dereference in container spec memory metrics when memory constraints are not fully configured (#​12731)
  • 4be4e5156 Fix nil pointer dereference in container spec memory metrics
• cri: emit warning for concurrent CreateContainer (#​12735)
  • a76eb698a cri: emit warning for concurrent CreateContainer
• Use the specified runtime handler when pulling images (#​12721)
  • 3d2e188b1 cri: Use the runtimeHandler parameter in PullImage
• Reduce noisy CDI logs (#​12717)
  • 633057382 cri: move noisy CDI logs to debug level
• Fix regression for pulling encrypted images (#​12712)
  • 8a7409e2e Reinstate image decryption

Dependency Changes

• github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.3
• go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
• go.opentelemetry.io/otel v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/metric v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/sdk v1.37.0 -> v1.38.0
• go.opentelemetry.io/otel/trace v1.37.0 -> v1.38.0
• golang.org/x/oauth2 v0.30.0 -> v0.32.0
• google.golang.org/genproto/googleapis/api a7a43d2 -> ab9386a
• google.golang.org/genproto/googleapis/rpc a7a43d2 -> ab9386a
• google.golang.org/grpc v1.76.0 -> v1.78.0

Previous release can be found at v2.2.1

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

containerd/platforms (github.com/containerd/platforms)

v1.0.0-rc.3

Compare Source

What's Changed

• Update GitHub actions by @​dmcgowan in https://github.com/containerd/platforms/pull/27
• Add support for OS Features in the format by @​dmcgowan in https://github.com/containerd/platforms/pull/16
• Match and Compare platforms with OSFeatures by @​dmcgowan in https://github.com/containerd/platforms/pull/20
• Add encoding to os version and features by @​dmcgowan in https://github.com/containerd/platforms/pull/28

Full Changelog: containerd/platforms@v1.0.0-rc.2...v1.0.0-rc.3

---

Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.