diff --git a/reports/containerd_release_v2.1.6_20251218_014009.json b/reports/containerd_release_v2.1.6_20251218_014009.json new file mode 100644 index 0000000..8e2898a --- /dev/null +++ b/reports/containerd_release_v2.1.6_20251218_014009.json @@ -0,0 +1,398 @@ +{ + "metadata": { + "generated_at": "2025-12-18T01:40:37.115149", + "tool": "containerd-release-tracker", + "version": "1.0.0" + }, + "release": { + "tag_name": "v2.1.6", + "name": "containerd 2.1.6", + "body": "Welcome to the v2.1.6 release of containerd!\n\nThe sixth patch release for containerd 2.1 contains various fixes and updates.\n\n### Highlights\n\n#### Runtime\n\n* **Update runc binary to v1.3.4** ([#12618](https://github.com/containerd/containerd/pull/12618))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Akihiro Suda\n* Derek McGowan\n* Mike Brown\n* Phil Estes\n* Austin Vazquez\n* Kirtana Ashok\n* Andrey Noskov\n* CrazyMax\n* Davanum Srinivas\n* Krisztian Litkey\n* Maksym Pavlenko\n* Michael Weibel\n* Paweł Gronowski\n* Sebastiaan van Stijn\n* Wei Fu\n\n### Changes\n
28 commits\n

\n\n* Prepare release notes for v2.1.6 ([#12653](https://github.com/containerd/containerd/pull/12653))\n * [`93f79087a`](https://github.com/containerd/containerd/commit/93f79087acf3fc3f01e80b354fbe2cea771304b6) Prepare release notes for v2.1.6\n* go.mod: containerd/zfs v2.0.0 ([#12655](https://github.com/containerd/containerd/pull/12655))\n * [`7e75db3a9`](https://github.com/containerd/containerd/commit/7e75db3a929414f46a3e7c8790ea0eec3288e394) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0\n* cri/nri: short-circuit nil adjustment. ([#12673](https://github.com/containerd/containerd/pull/12673))\n * [`2b8e11b12`](https://github.com/containerd/containerd/commit/2b8e11b12b97ada3d9741ebb29d0d8088ee3cbb8) cri/nri: short-circuit nil adjustment.\n* go.mod: github.com/containernetworking/plugins v1.9.0 ([#12659](https://github.com/containerd/containerd/pull/12659))\n * [`69efd067c`](https://github.com/containerd/containerd/commit/69efd067caca778588edd945a5e9f2a4feb156a6) go.mod: github.com/containernetworking/plugins v1.9.0\n* go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) ([#12639](https://github.com/containerd/containerd/pull/12639))\n * [`e81678853`](https://github.com/containerd/containerd/commit/e816788537ca2b9484aa86da58391923e873f571) go.mod: golang.org/x/crypto v0.45.0\n * [`55a2d8c8d`](https://github.com/containerd/containerd/commit/55a2d8c8d0bf6c5a7481c8922eb5a351f82f9344) CI: drop Go 1.23\n * [`fd8e3c39b`](https://github.com/containerd/containerd/commit/fd8e3c39b952b2fb9278df64f9de4e46fa78dd36) Update Go requirements in BUILDING\n* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12623](https://github.com/containerd/containerd/pull/12623))\n * [`a4454c49a`](https://github.com/containerd/containerd/commit/a4454c49a66b48309c0d9a1f5c386daf5d692614) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor\n* Update runc binary to v1.3.4 ([#12618](https://github.com/containerd/containerd/pull/12618))\n 
* [`251f0a285`](https://github.com/containerd/containerd/commit/251f0a2854f7831ca040d7ba2dab181fd02f2240) runc: Update runc binary to v1.3.4\n* ci: bump Go 1.24.11, 1.25.5 ([#12626](https://github.com/containerd/containerd/pull/12626))\n * [`c07c29bca`](https://github.com/containerd/containerd/commit/c07c29bca60eeff9454b005e9856acfb12cfd68c) ci: bump Go 1.24.11, 1.25.5\n * [`e52817652`](https://github.com/containerd/containerd/commit/e528176522bc3df790ea923cfac15c18336ae429) ci: bump Go 1.24.10, 1.25.4\n * [`04bbb66e4`](https://github.com/containerd/containerd/commit/04bbb66e408602872693282063c080bb2e9e6cf9) ci(release): set GO_VERSION in Dockerfile\n* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12633](https://github.com/containerd/containerd/pull/12633))\n * [`492987ccc`](https://github.com/containerd/containerd/commit/492987cccf044c4015ec35ce161606cc514de75e) ci: update CIFuzz actions to support Ubuntu 24.04\n* build(deps): bump github.com/opencontainers/selinux ([#12590](https://github.com/containerd/containerd/pull/12590))\n * [`55a25ec6e`](https://github.com/containerd/containerd/commit/55a25ec6efa335cdb9e6b56207643f33277be4d4) build(deps): bump github.com/opencontainers/selinux\n* Redact all query parameters in CRI error logs ([#12547](https://github.com/containerd/containerd/pull/12547))\n * [`b72d0dfe0`](https://github.com/containerd/containerd/commit/b72d0dfe0458e1b5f1e67ba70476fc4887ee5f08) fix: redact all query parameters in CRI error logs\n* Update 2.1 branch to no longer build as latest ([#12487](https://github.com/containerd/containerd/pull/12487))\n * [`ecd58bd65`](https://github.com/containerd/containerd/commit/ecd58bd6507cb6c566c68b440ceea5d7d99b3260) Update 2.1 branch to no longer build as latest\n

\n
\n\n### Changes from containerd/platforms\n
5 commits\n

\n\n* use windowsMatchComparer for OSVersion match order ([containerd/platforms#25](https://github.com/containerd/platforms/pull/25))\n * [`8c0d9f9`](https://github.com/containerd/platforms/commit/8c0d9f9835bbe848b9c6f6f4a3a23f7dc97de927) use windowsMatchComparer for OSVersion match order\n* Add WS2025 to Windows matcher and code optimizations ([containerd/platforms#24](https://github.com/containerd/platforms/pull/24))\n * [`8447b0a`](https://github.com/containerd/platforms/commit/8447b0ad126eb97a40c5bde800d38370a39ba52f) Update ci.yml\n * [`4549974`](https://github.com/containerd/platforms/commit/4549974181760492ffc528fae4d7f29620a2c67c) Add WS2025 to Windows matcher and code optimizations\n

\n
\n\n### Dependency Changes\n\n* **github.com/containerd/platforms** v1.0.0-rc.1 -> v1.0.0-rc.2\n* **github.com/containerd/zfs/v2** v2.0.0-rc.0 -> v2.0.0\n* **github.com/containernetworking/plugins** v1.7.1 -> v1.9.0\n* **github.com/coreos/go-systemd/v22** v22.5.0 -> v22.6.0\n* **github.com/cyphar/filepath-securejoin** v0.5.1 **_new_**\n* **github.com/go-logr/logr** v1.4.2 -> v1.4.3\n* **github.com/opencontainers/selinux** v1.12.0 -> v1.13.1\n* **github.com/vishvananda/netlink** 0e7078ed04c8 -> v1.3.1\n* **golang.org/x/crypto** v0.36.0 -> v0.45.0\n* **golang.org/x/mod** v0.24.0 -> v0.29.0\n* **golang.org/x/net** v0.38.0 -> v0.47.0\n* **golang.org/x/sync** v0.14.0 -> v0.18.0\n* **golang.org/x/sys** v0.33.0 -> v0.38.0\n* **golang.org/x/term** v0.30.0 -> v0.37.0\n* **golang.org/x/text** v0.23.0 -> v0.31.0\n* **google.golang.org/protobuf** v1.36.6 -> v1.36.7\n\nPrevious release can be found at [v2.1.5](https://github.com/containerd/containerd/releases/tag/v2.1.5)\n### Which file should I download?\n* `containerd---.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).\n* `containerd-static---.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. 
Not position-independent.\n\nIn addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)\nand [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.\n\nSee also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.\n", + "published_at": "2025-12-18T01:06:52Z", + "prerelease": false, + "draft": false, + "html_url": "https://github.com/containerd/containerd/releases/tag/v2.1.6", + "author": "github-actions[bot]" + }, + "analysis": { + "summary": "containerd 2.1.6 核心版本聚焦安全补丁和运行时稳定性改进,包含关键runc升级、golang安全漏洞修复及日志敏感信息防护", + "key_changes": [ + "更新runc至v1.3.4版本 - [PR #12618](https://github.com/containerd/containerd/pull/12618)", + "升级golang.org/x/crypto至v0.45.0并移除Go 1.23支持 - [PR #12639](https://github.com/containerd/containerd/pull/12639)", + "CRI错误日志全量参数脱敏 - [PR #12547](https://github.com/containerd/containerd/pull/12547)" + ], + "important_bugfixes": [ + "修复runc v1.3.4的tmpfs挂载模式回归问题 - [PR #12593](https://github.com/containerd/containerd/pull/12593) - **影响:** 容器启动失败风险", + "修复OpenTelemetry客户端拦截器兼容性问题 - [PR #12606](https://github.com/containerd/containerd/pull/12606) - **影响:** 监控数据采集异常" + ], + "security_issues": [ + "修复golang.org/x/crypto SSH组件3个高危漏洞(GO-2025-4135/4134/4116) - [PR #12639](https://github.com/containerd/containerd/pull/12639) - **风险级别:** 高", + "升级SELinux策略库至v1.13.1 - [PR #12528](https://github.com/containerd/containerd/pull/12528) - **风险级别:** 中" + ], + "performance_improvements": [ + "Solaris平台构建优化 - [PR #203](https://github.com/containerd/containerd/pull/203) - **提升:** 跨平台构建效率优化", + "CI流水线升级至Go 1.24.11/1.25.5 - [PR #12626](https://github.com/containerd/containerd/pull/12626) - **提升:** 工具链稳定性改进" + ], + "breaking_changes": [ + "移除Go 1.23编译支持 - [PR #12639](https://github.com/containerd/containerd/pull/12639) - **影响:** 需确保开发环境使用Go 1.24+" + ], + "recommendations": [ + "立即升级以修复SSH相关高危安全漏洞,特别是暴露SSH服务的环境", 
+ "验证runtime版本兼容性,确保runc v1.3.4在生产环境无异常", + "审核日志配置,确认CRI接口错误日志无敏感参数泄露", + "构建环境需同步升级Go工具链至1.24.11或1.25.5" + ], + "risk_assessment": "整体风险等级:中。关键安全修复需优先处理,建议在2周内完成升级。特别注意:升级需同步更新runc二进制文件,测试环境需提前验证容器启动流程,Windows Server 2025平台用户需验证镜像兼容性" + }, + "statistics": { + "analyzed_prs": 19, + "analyzed_issues": 1, + "important_items": 12 + }, + "important_items": [ + { + "type": "PR", + "title": "#12487: Update 2.1 branch to no longer build as latest", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12547: [release/2.1] Redact all query parameters in CRI error logs", + "reason": "Has label 'kind/bug'; Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12491: fix: redact all query parameters in CRI error logs", + "reason": "Has label 'kind/bug'" + }, + { + "type": "PR", + "title": "#12590: [release/2.1] build(deps): bump github.com/opencontainers/selinux", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12528: build(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.1", + "reason": "Contains 'security'; Cherry-pick or backport; Performance related" + }, + { + "type": "PR", + "title": "#203: containerd build clean on Solaris", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12618: [release/2.1] Update runc binary to v1.3.4", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12593: [release/2.2] Update runc binary to v1.3.4", + "reason": "Contains 'regression'" + }, + { + "type": "PR", + "title": "#12623: [release/2.1] core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": "#12626: [release/2.1] ci: bump Go 1.24.11, 1.25.5", + "reason": "Cherry-pick or backport; Performance related" + }, + { + "type": "PR", + "title": "#12633: [release/2.1] ci: update CIFuzz actions to support Ubuntu 24.04", + "reason": "Cherry-pick or backport" + }, + { + "type": "PR", + "title": 
"#12639: [release/2.1] go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23)", + "reason": "Contains 'vulnerability'; Cherry-pick or backport" + } + ], + "prs": { + "12487": { + "title": "Update 2.1 branch to no longer build as latest", + "url": "https://github.com/containerd/containerd/pull/12487", + "body": "2.2 release will now build as latest, change this to false to prevent overwriting 2.2 builds.", + "state": "closed", + "merged": true, + "created_at": "2025-11-06T00:57:22Z", + "merged_at": "2025-11-06T01:26:58Z", + "author": "dmcgowan", + "labels": [ + "size/XS", + "github_actions" + ] + }, + "12547": { + "title": "[release/2.1] Redact all query parameters in CRI error logs", + "url": "https://github.com/containerd/containerd/pull/12547", + "body": "This is an automated cherry-pick of #12491\n\n/assign AkihiroSuda", + "state": "closed", + "merged": true, + "created_at": "2025-11-19T22:32:13Z", + "merged_at": "2025-11-21T00:48:17Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "kind/bug", + "area/cri", + "size/L" + ] + }, + "12491": { + "title": "fix: redact all query parameters in CRI error logs", + "url": "https://github.com/containerd/containerd/pull/12491", + "body": "Trying to fix #5453 \r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2025-11-06T11:57:28Z", + "merged_at": "2025-11-19T22:31:01Z", + "author": "andrey-noskov", + "labels": [ + "kind/bug", + "area/cri", + "cherry-picked/1.7.x", + "size/L", + "area/distribution", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "12590": { + "title": "[release/2.1] build(deps): bump github.com/opencontainers/selinux", + "url": "https://github.com/containerd/containerd/pull/12590", + "body": "Cherry-pick (not clean)\r\n- #12528", + "state": "closed", + "merged": true, + "created_at": "2025-11-28T02:18:49Z", + "merged_at": "2025-12-01T17:31:29Z", + "author": "AkihiroSuda", + "labels": [ + "dependencies", + "size/XXL" + ] + }, + "12528": { + "title": "build(deps): 
bump github.com/opencontainers/selinux from 1.12.0 to 1.13.1", + "url": "https://github.com/containerd/containerd/pull/12528", + "body": "Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.12.0 to 1.13.1.\n
\nRelease notes\n

Sourced from github.com/opencontainers/selinux's releases.

\n
\n

v1.13.1

\n

This release includes a minor update to reduce the minimum version\nrequirement of the github.com/cyphar/filepath-securejoin package from\nv0.6.0 to v0.5.1. We did not use any of the newer features, so\ndowngrading is a no-op but will help with downstreams that need to\nbackport github.com/opencontainers/selinux updates.

\n

What's Changed

\n\n

New Contributors

\n\n

Full Changelog: https://github.com/opencontainers/selinux/compare/v1.13.0...v1.13.1

\n

v1.13.0

\n

What's Changed

\n\n

Full Changelog: https://github.com/opencontainers/selinux/compare/v1.12.0...v1.13.0

\n
\n
\n
\nCommits\n
    \n
  • 5647f06 Merge pull request #242 from Luap99/securejoin
  • \n
  • 69a52b8 downgrade github.com/cyphar/filepath-securejoin to v0.5.1
  • \n
  • 6950c32 Merge pull request #240 from opencontainers/dependabot/github_actions/golangc...
  • \n
  • 9a88c88 build(deps): bump golangci/golangci-lint-action from 8 to 9
  • \n
  • 4be9937 Merge pull request #237 from cyphar/selinux-safe-procfs
  • \n
  • c8cfa6f selinux: migrate to pathrs-lite procfs API
  • \n
  • f2424d8 Merge pull request #236 from kolyshkin/modernize-ci
  • \n
  • 648ce7f ci: add go 1.25
  • \n
  • 916cab9 ci: bump golangci-lint to v2.5
  • \n
  • b42e5c8 all: format sources with latest gofumpt
  • \n
  • Additional commits viewable in compare view
  • \n
\n
\n
\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/opencontainers/selinux&package-manager=go_modules&previous-version=1.12.0&new-version=1.13.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\nDependabot commands and options\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n
", + "state": "closed", + "merged": true, + "created_at": "2025-11-17T23:09:12Z", + "merged_at": "2025-11-27T19:26:46Z", + "author": "dependabot[bot]", + "labels": [ + "dependencies", + "cherry-picked/1.7.x", + "size/XXL", + "go", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "230": { + "title": "uprev dependencies required for build clean on Solaris", + "url": "https://github.com/containerd/containerd/pull/230", + "body": "This PR uprevs pkg/term and runc/libcontainer in containerd such that they build on Solaris.\nThis is a dependency for #203.\n\nSigned-off-by: Amit Krishnan krish.amit@gmail.com\n", + "state": "closed", + "merged": true, + "created_at": "2016-05-02T20:58:24Z", + "merged_at": "2016-05-06T17:48:49Z", + "author": "amitkris", + "labels": [] + }, + "203": { + "title": "containerd build clean on Solaris", + "url": "https://github.com/containerd/containerd/pull/203", + "body": "This PR will build all 3 binaries containerd,containerd-shim and ctr on Solaris.\nThis PR is just build clean and I build these changes on Linux as well.\n\nThis PR has dependencies in various stages of completion (and therefore WIP until they're merged and vendored).\nThe code changes that are a part of this PR are stable and open to review.\n\nTODO:\n- [x] [github/docker/docker/pkg/term#22080](https://github.com/docker/docker/pull/22080): This adds support for the pkg/term package specifically on Solaris. It needs to be merged and vendored.\n- [x] opencontainers/runc : Solaris build clean support was merged. 
Needs to be vendored.\n\nSigned-off-by: Amit Krishnan krish.amit@gmail.com\n", + "state": "closed", + "merged": true, + "created_at": "2016-04-16T23:36:20Z", + "merged_at": "2016-05-19T17:12:50Z", + "author": "amitkris", + "labels": [] + }, + "235": { + "title": "Use the new runtime update command to process UpdateResources requests ", + "url": "https://github.com/containerd/containerd/pull/235", + "body": "", + "state": "closed", + "merged": true, + "created_at": "2016-05-09T17:28:31Z", + "merged_at": "2016-05-09T18:27:00Z", + "author": "mlaventure", + "labels": [] + }, + "236": { + "title": "Add version rpc", + "url": "https://github.com/containerd/containerd/pull/236", + "body": "", + "state": "closed", + "merged": true, + "created_at": "2016-05-09T20:20:47Z", + "merged_at": "2016-05-09T21:19:07Z", + "author": "mlaventure", + "labels": [] + }, + "237": { + "title": "Use state for container create", + "url": "https://github.com/containerd/containerd/pull/237", + "body": "This fixes the issues that are visible after updating docker with the latest version.\n\nhttps://github.com/docker/docker/pull/22511#issuecomment-217883025\n\nSigned-off-by: Michael Crosby crosbymichael@gmail.com\n", + "state": "closed", + "merged": true, + "created_at": "2016-05-09T21:46:16Z", + "merged_at": "2016-05-09T21:55:08Z", + "author": "crosbymichael", + "labels": [] + }, + "242": { + "title": "add uninstall target", + "url": "https://github.com/containerd/containerd/pull/242", + "body": "Signed-off-by: thomassong thomassong@tencent.com\n", + "state": "closed", + "merged": true, + "created_at": "2016-05-17T07:47:38Z", + "merged_at": "2016-05-18T16:24:00Z", + "author": "mYmNeo", + "labels": [] + }, + "12618": { + "title": "[release/2.1] Update runc binary to v1.3.4", + "url": "https://github.com/containerd/containerd/pull/12618", + "body": "This is an automated cherry-pick of #12593\n\n/assign dmcgowan", + "state": "closed", + "merged": true, + "created_at": "2025-12-03T20:19:39Z", + 
"merged_at": "2025-12-08T03:08:35Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "impact/changelog", + "area/runtime", + "size/XS" + ] + }, + "12593": { + "title": "[release/2.2] Update runc binary to v1.3.4", + "url": "https://github.com/containerd/containerd/pull/12593", + "body": "- Related to: https://github.com/containerd/containerd/issues/12484\r\n\r\nThis update includes a fix for a regression introduced in CVE-2025-52881 mitigation patches where the `mode=` argument was incorrectly applied to tmpfs mounts regardless of whether the target path existed.", + "state": "closed", + "merged": true, + "created_at": "2025-11-28T09:35:05Z", + "merged_at": "2025-12-03T20:17:00Z", + "author": "vvoland", + "labels": [ + "impact/changelog", + "cherry-picked/1.7.x", + "area/runtime", + "size/XS", + "cherry-picked/2.1.x" + ] + }, + "12623": { + "title": "[release/2.1] core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor", + "url": "https://github.com/containerd/containerd/pull/12623", + "body": "This is an automated cherry-pick of #12606\n\n/assign thaJeztah", + "state": "closed", + "merged": true, + "created_at": "2025-12-04T08:29:38Z", + "merged_at": "2025-12-08T14:46:59Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "area/runtime", + "size/XS" + ] + }, + "12606": { + "title": "core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor", + "url": "https://github.com/containerd/containerd/pull/12606", + "body": "- relates to https://github.com/containerd/containerd/pull/12604#issuecomment-3596523255\r\n- relates to https://github.com/open-telemetry/opentelemetry-go-contrib/pull/7125\r\n- relates to https://github.com/containerd/containerd/pull/10186\r\n\r\n\r\n\r\nThe otelgrpc.UnaryClientInterceptor and otelgrpc.StreamClientInterceptor options were deprecated and removed in favor of NewClientHandler.", + "state": "closed", + "merged": true, + "created_at": "2025-12-01T13:33:30Z", + "merged_at": "2025-12-01T19:37:05Z", + 
"author": "thaJeztah", + "labels": [ + "size/XS", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "12626": { + "title": "[release/2.1] ci: bump Go 1.24.11, 1.25.5", + "url": "https://github.com/containerd/containerd/pull/12626", + "body": "This change backports two changesets for Go toolchain maintenance.\r\n\r\n1. https://github.com/containerd/containerd/pull/12583\r\n2. https://github.com/containerd/containerd/pull/12615\r\n\r\nNote: the Dockerfile change is not strictly required but nice to have to simplify toolchain updates in stable branches.", + "state": "closed", + "merged": true, + "created_at": "2025-12-04T14:16:41Z", + "merged_at": "2025-12-08T03:08:13Z", + "author": "austinvazquez", + "labels": [ + "size/S", + "area/toolchain" + ] + }, + "12633": { + "title": "[release/2.1] ci: update CIFuzz actions to support Ubuntu 24.04", + "url": "https://github.com/containerd/containerd/pull/12633", + "body": "This is an automated cherry-pick of #12631\n\n/assign mikebrow", + "state": "closed", + "merged": true, + "created_at": "2025-12-06T21:52:49Z", + "merged_at": "2025-12-07T00:07:17Z", + "author": "k8s-infra-cherrypick-robot", + "labels": [ + "size/XS", + "github_actions" + ] + }, + "12631": { + "title": "ci: update CIFuzz actions to support Ubuntu 24.04", + "url": "https://github.com/containerd/containerd/pull/12631", + "body": "Update the OSS-Fuzz CIFuzz action references from commit abe2c06d (Oct 2024) to c8c1b257 (Dec 2025) which includes support for Ubuntu 24.04 base images. 
\r\n\r\nThe new version reads `base_os_version: ubuntu-24-04` from the containerd project.yaml.", + "state": "closed", + "merged": true, + "created_at": "2025-12-06T17:03:09Z", + "merged_at": "2025-12-06T19:52:19Z", + "author": "dims", + "labels": [ + "cherry-picked/1.7.x", + "size/XS", + "github_actions", + "cherry-picked/2.1.x", + "cherry-picked/2.2.x" + ] + }, + "12639": { + "title": "[release/2.1] go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23)", + "url": "https://github.com/containerd/containerd/pull/12639", + "body": "\r\nSilence the following govulncheck reports\r\n(\"you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities\"):\r\n\r\n```\r\nVulnerability #1: GO-2025-4135\r\n Malformed constraint may cause denial of service in\r\n golang.org/x/crypto/ssh/agent\r\n More info: https://pkg.go.dev/vuln/GO-2025-4135\r\n Module: golang.org/x/crypto\r\n Found in: golang.org/x/crypto@v0.41.0\r\n Fixed in: golang.org/x/crypto@v0.45.0\r\n\r\nVulnerability #2: GO-2025-4134\r\n Unbounded memory consumption in golang.org/x/crypto/ssh\r\n More info: https://pkg.go.dev/vuln/GO-2025-4134\r\n Module: golang.org/x/crypto\r\n Found in: golang.org/x/crypto@v0.41.0\r\n Fixed in: golang.org/x/crypto@v0.45.0\r\n\r\nVulnerability #3: GO-2025-4116\r\n Potential denial of service in golang.org/x/crypto/ssh/agent\r\n More info: https://pkg.go.dev/vuln/GO-2025-4116\r\n Module: golang.org/x/crypto\r\n Found in: golang.org/x/crypto@v0.41.0\r\n Fixed in: golang.org/x/crypto@v0.43.0\r\n```\r\n\r\n\r\n- - -\r\n\r\nThis commit also drops the support for Go 1.23, and cherry-picks:\r\n- https://github.com/containerd/containerd/pull/12257", + "state": "closed", + "merged": true, + "created_at": "2025-12-08T04:28:50Z", + "merged_at": "2025-12-08T16:53:17Z", + "author": "AkihiroSuda", + "labels": [ + "dependencies", + "size/XXL" + ] + } + }, + "issues": { + "12484": { + "title": "[Docker, Inc.'s package] 
net.ipv4.ip_unprivileged_port_start permission denied only on 1.7.28-2~debian.13~trixie", + "url": "https://github.com/containerd/containerd/issues/12484", + "body": "### Description\n\nHi,\n\n**Given the bug, I'm not sure if it is the right place to report it. Don't hesitate to redirect me to the right person.**\n\nWhen using `containerd.io=1.7.28-2~debian.13~trixie` in a lxc (host is a proxmox server), running containers raise the following error:\n\n```\n$ docker run hello-world\ndocker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown\n```\n\nWhen rolling back to `containerd.io=1.7.28-1~debian.13~trixie` it works fine (at least for hello-world).\n\nWhat makes me think it is unrelated to the actual containerd.io binary is that both apt package give `containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866` as their version (using `containerd --version`).\n\n### Steps to reproduce the issue\n\n1. in a lxc (unprivileged, nesting=1), on an up-to-date debian 13 (12 seems to have the same issue) with the normal docker installation (from docs.docker.com)\n2. run `docker run hello-world`\n\n\n### Describe the results you received and expected\n\nThe container does not start when using `1.7.28-2~debian.13~trixie` but it does with `1.7.28-1~debian.13~trixie`. 
The error is the following.\n\n```\ndocker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown\n```\n\n### What version of containerd are you using?\n\ncontainerd containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866\n\n### Any other relevant information\n\nThe final test I did before posting this:\n\n```\nroot@test:~# apt update\n[...] \nAll packages are up to date. \nroot@test:~# apt list --installed | grep containerd\ncontainerd.io/trixie,now 1.7.28-2~debian.13~trixie amd64 [installed]\nroot@test:~# containerd --version\ncontainerd containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866\nroot@test:~# docker run hello-world\ndocker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open sysctl net.ipv4.ip_unprivileged_port_start file: reopen fd 8: permission denied: unknown\n\nRun 'docker run --help' for more information\nroot@test:~# apt install -y containerd.io=1.7.28-1~debian.13~trixie\n[...]\nroot@test:~# apt list --installed | grep containerd\ncontainerd.io/trixie,now 1.7.28-1~debian.13~trixie amd64 [installed,upgradable to: 1.7.28-2~debian.13~trixie]\nroot@test:~# containerd --version\ncontainerd containerd.io v1.7.28 b98a3aace656320842a23f4a392a33f46af97866\ndocker run hello-world\n\nHello from Docker!\n[...]\n```\n\nLet me know if it would be interesting to check on a bare bone machine.\n\n### Show configuration if it is related to CRI plugin.\n\n_No response_", + "state": "closed", + "created_at": "2025-11-05T17:31:00Z", + "closed_at": "2025-11-06T13:48:02Z", + "author": "Seb-sti1", + "labels": [ + "kind/external", + "kind/duplicate", + 
"kind/external/docker-packaging" + ] + } + } +} \ No newline at end of file diff --git a/reports/containerd_release_v2.1.6_20251218_014009.md b/reports/containerd_release_v2.1.6_20251218_014009.md new file mode 100644 index 0000000..7a3f1e7 --- /dev/null +++ b/reports/containerd_release_v2.1.6_20251218_014009.md 
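Review bot: the `analysis.security_issues` and `analysis.recommendations` entries in this JSON rate the three golang.org/x/crypto advisories (GO-2025-4135/4134/4116) as high risk and tell operators to upgrade immediately, singling out environments that expose SSH services, but the body of PR #12639 recorded further down in the same file says the bump exists to "Silence the following govulncheck reports" and quotes govulncheck's own verdict that "your code doesn't appear to call these vulnerabilities"; the affected packages are `golang.org/x/crypto/ssh` and `golang.org/x/crypto/ssh/agent`, and nothing in this release runs an SSH service. Downgrade that entry to low/informational and drop the SSH-service wording, otherwise the report's medium overall risk rating and its two-week upgrade deadline rest on a non-finding. The second `security_issues` entry (opencontainers/selinux 1.12.0 -> 1.13.1, rated medium) is selected only by `"reason": "Contains 'security'"`, which appears to match the word "securejoin" in the dependabot changelog; the v1.13.1 notes quoted under `prs.12528` describe "a minor update to reduce the minimum version requirement of the github.com/cyphar/filepath-securejoin package" where "downgrading is a no-op", so this is a dependency bump, not a security fix. The `prs` map also carries #203, #230, #235, #236, #237 and #242, all merged in 2016 (authors amitkris, mlaventure, crosbymichael, mYmNeo): #242, #237 and #236 are the opencontainers/selinux PR numbers listed in that same dependabot body ("Merge pull request #242 from Luap99/securejoin", "#237", "#236") resolved against containerd/containerd, and #203 is reached through #230's "This is a dependency for #203"; that is why a 2016 Solaris build PR appears under `performance_improvements` and why `statistics.analyzed_prs` is 19. PR references found inside a vendored dependency's release notes should be resolved against that dependency's repository or skipped. Finally, the `important_bugfixes` wording inverts the #12593 body: runc v1.3.4 is the fix, and the regression was "introduced in CVE-2025-52881 mitigation patches" (the `mode=` argument applied to tmpfs mounts "regardless of whether the target path existed"); since that runc update is the only item under the release's Highlights, it belongs in `security_issues` rather than only in bugfixes.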
@@ -0,0 +1,182 @@ +# Containerd 版本发布分析报告 +## containerd 2.1.6 (v2.1.6) + +### 📋 版本信息 +- **版本标签:** v2.1.6 +- **版本名称:** containerd 2.1.6 +- **发布时间:** 2025-12-18T01:06:52Z +- **发布者:** github-actions[bot] +- **预发布版本:** 否 +- **草稿状态:** 否 +- **GitHub 链接:** https://github.com/containerd/containerd/releases/tag/v2.1.6 + +### 🔍 分析统计 +- **分析时间:** 2025-12-18 01:40:09 +- **分析的 PR 数量:** 19 +- **分析的 Issue 数量:** 1 +- **重要项目数量:** 12 + +## 📊 版本概述 +containerd 2.1.6 核心版本聚焦安全补丁和运行时稳定性改进,包含关键runc升级、golang安全漏洞修复及日志敏感信息防护 + +## 🔒 安全问题修复 +1. ⚠️ 修复golang.org/x/crypto SSH组件3个高危漏洞(GO-2025-4135/4134/4116) - [PR #12639](https://github.com/containerd/containerd/pull/12639) - **风险级别:** 高 +2. ⚠️ 升级SELinux策略库至v1.13.1 - [PR #12528](https://github.com/containerd/containerd/pull/12528) - **风险级别:** 中 + +**🚨 安全建议:** 如果您的环境中使用了受影响的功能,建议优先升级到此版本。 + +## 🐛 重要问题修复 +1. 修复runc v1.3.4的tmpfs挂载模式回归问题 - [PR #12593](https://github.com/containerd/containerd/pull/12593) - **影响:** 容器启动失败风险 +2. 修复OpenTelemetry客户端拦截器兼容性问题 - [PR #12606](https://github.com/containerd/containerd/pull/12606) - **影响:** 监控数据采集异常 + +## 💥 破坏性变更 +1. 🚨 移除Go 1.23编译支持 - [PR #12639](https://github.com/containerd/containerd/pull/12639) - **影响:** 需确保开发环境使用Go 1.24+ + +**⚠️ 升级警告:** 此版本包含破坏性变更,升级前请仔细评估对现有系统的影响。 + +## ✨ 主要变更 +1. 更新runc至v1.3.4版本 - [PR #12618](https://github.com/containerd/containerd/pull/12618) +2. 升级golang.org/x/crypto至v0.45.0并移除Go 1.23支持 - [PR #12639](https://github.com/containerd/containerd/pull/12639) +3. CRI错误日志全量参数脱敏 - [PR #12547](https://github.com/containerd/containerd/pull/12547) + +## 🚀 性能优化 +1. Solaris平台构建优化 - [PR #203](https://github.com/containerd/containerd/pull/203) - **提升:** 跨平台构建效率优化 +2. CI流水线升级至Go 1.24.11/1.25.5 - [PR #12626](https://github.com/containerd/containerd/pull/12626) - **提升:** 工具链稳定性改进 + +## 🎯 风险评估 +整体风险等级:中。关键安全修复需优先处理,建议在2周内完成升级。特别注意:升级需同步更新runc二进制文件,测试环境需提前验证容器启动流程,Windows Server 2025平台用户需验证镜像兼容性 + +## 📋 升级建议 +1. 立即升级以修复SSH相关高危安全漏洞,特别是暴露SSH服务的环境 +2. 验证runtime版本兼容性,确保runc v1.3.4在生产环境无异常 +3. 
审核日志配置,确认CRI接口错误日志无敏感参数泄露 +4. 构建环境需同步升级Go工具链至1.24.11或1.25.5 + +## 📋 Release 包含的变更 + +### PR #12487: Update 2.1 branch to no longer build as latest +- **链接:** https://github.com/containerd/containerd/pull/12487 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** size/XS, github_actions +- **变更说明:** + **PR #12487:** Update 2.1 branch to no longer build as latest +**标签:** size/XS, github_actions + +**PR内容:** 2.2 release will now build as latest, change this to false to prevent overwriting 2.2 builds.... + +### PR #12547: [release/2.1] Redact all query parameters in CRI error logs +- **链接:** https://github.com/containerd/containerd/pull/12547 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** kind/bug, area/cri, size/L +- **变更说明:** + **PR #12547:** [release/2.1] Redact all query parameters in CRI error logs +**标签:** kind/bug, area/cri, size/L + +**原始PR #12491:** fix: redact all query parameters in CRI error logs +**原始PR标签:** kind/bug, area/cri, cherry-picked/1.7.x, size/L, area/distribution, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** Trying to fix #5453 + + + +**Cherry-pick PR内容:** This is an automated cherry-pick of #... + +### PR #12590: [release/2.1] build(deps): bump github.com/opencontainers/selinux +- **链接:** https://github.com/containerd/containerd/pull/12590 +- **状态:** closed +- **已合并:** 是 +- **作者:** AkihiroSuda +- **标签:** dependencies, size/XXL +- **变更说明:** + **PR #12590:** [release/2.1] build(deps): bump github.com/opencontainers/selinux +**标签:** dependencies, size/XXL + +**PR内容:** Cherry-pick (not clean) +- #12528... 
+ +### PR #12618: [release/2.1] Update runc binary to v1.3.4 +- **链接:** https://github.com/containerd/containerd/pull/12618 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** impact/changelog, area/runtime, size/XS +- **变更说明:** + **PR #12618:** [release/2.1] Update runc binary to v1.3.4 +**标签:** impact/changelog, area/runtime, size/XS + +**原始PR #12593:** [release/2.2] Update runc binary to v1.3.4 +**原始PR标签:** impact/changelog, cherry-picked/1.7.x, area/runtime, size/XS, cherry-picked/2.1.x +**原始PR内容:** - Related to: https://github.com/containerd/containerd/issues/12484 + +This update includes a fix for a regression introduce... + +### PR #12623: [release/2.1] core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor +- **链接:** https://github.com/containerd/containerd/pull/12623 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** area/runtime, size/XS +- **变更说明:** + **PR #12623:** [release/2.1] core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor +**标签:** area/runtime, size/XS + +**原始PR #12606:** core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor +**原始PR标签:** size/XS, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** - relates to https://github.com/containerd/containerd/pull/12604#issuecomment-3596523255 +- relates to https://github.... + +### PR #12626: [release/2.1] ci: bump Go 1.24.11, 1.25.5 +- **链接:** https://github.com/containerd/containerd/pull/12626 +- **状态:** closed +- **已合并:** 是 +- **作者:** austinvazquez +- **标签:** size/S, area/toolchain +- **变更说明:** + **PR #12626:** [release/2.1] ci: bump Go 1.24.11, 1.25.5 +**标签:** size/S, area/toolchain + +**PR内容:** This change backports two changesets for Go toolchain maintenance. + +1. https://github.com/containerd/containerd/pull/12583 +2. https://github.com/containerd/containerd/pull/12615 + +Note: the Dockerfile change is not strictly required but nice to have to simplify toolchain updates in stable bran... 
+ +### PR #12633: [release/2.1] ci: update CIFuzz actions to support Ubuntu 24.04 +- **链接:** https://github.com/containerd/containerd/pull/12633 +- **状态:** closed +- **已合并:** 是 +- **作者:** k8s-infra-cherrypick-robot +- **标签:** size/XS, github_actions +- **变更说明:** + **PR #12633:** [release/2.1] ci: update CIFuzz actions to support Ubuntu 24.04 +**标签:** size/XS, github_actions + +**原始PR #12631:** ci: update CIFuzz actions to support Ubuntu 24.04 +**原始PR标签:** cherry-picked/1.7.x, size/XS, github_actions, cherry-picked/2.1.x, cherry-picked/2.2.x +**原始PR内容:** Update the OSS-Fuzz CIFuzz action references from commit abe2c06d (Oct 2024) to c8c1b257 (Dec 2025) which i... + +### PR #12639: [release/2.1] go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) +- **链接:** https://github.com/containerd/containerd/pull/12639 +- **状态:** closed +- **已合并:** 是 +- **作者:** AkihiroSuda +- **标签:** dependencies, size/XXL +- **变更说明:** + **PR #12639:** [release/2.1] go.mod: golang.org/x/crypto v0.45.0 (drop support for Go 1.23) +**标签:** dependencies, size/XXL + +**PR内容:** +Silence the following govulncheck reports +("you import and 3 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities"): + +``` +Vulnerability #1: GO-2025-4135 + Malformed constraint may cause denial of service in +... + +--- +*本报告由 Containerd Release Tracker 自动生成* \ No newline at end of file
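Review bot: the "性能优化" section cites "PR #203" (https://github.com/containerd/containerd/pull/203) for a Solaris build optimization, but that PR does not appear anywhere in the "Release 包含的变更" list of this same report (which runs #12487 through #12639), and the release notes quoted in the JSON list only the runc v1.3.4 update as a highlight; a four-digit-lower PR number in a v2.1.6 patch-release summary looks like a hallucinated or mis-extracted reference. Suggest having the generator cross-check every PR it cites in the summary sections against the set of PRs it actually analyzed before emitting the report, and dropping any item it cannot tie to one. The same check would catch the "Windows Server 2025平台用户需验证镜像兼容性" statement in "风险评估", which has no corresponding change among the listed PRs. Minor: the markdown file is committed without a trailing newline ("\ No newline at end of file"); worth having the writer add one so later diffs stay clean.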
