diff --git a/reports/containerd_release_v2.2.0-beta.2_20251022_034115.json b/reports/containerd_release_v2.2.0-beta.2_20251022_034115.json new file mode 100644 index 0000000..dc3d61f --- /dev/null +++ b/reports/containerd_release_v2.2.0-beta.2_20251022_034115.json 
@@ -0,0 +1,264 @@ +{ + "metadata": { + "generated_at": "2025-10-22T03:41:49.615542", + "tool": "containerd-release-tracker", + "version": "1.0.0" + }, + "release": { + "tag_name": "v2.2.0-beta.2", + "name": "containerd 2.2.0-beta.2", + "body": "Welcome to the v2.2.0-beta.2 release of containerd!\n*This is a pre-release of containerd*\n\nThe second minor release of containerd 2.x focuses on continued stability alongside\nnew features and improvements. This is the second time-based released for containerd.\n\nThis is a beta release and some functionality is still under development.\n\n### Highlights\n\n* Update erofs snapshotter to use mount manager ([#12333](https://github.com/containerd/containerd/pull/12333))\n* Add mount manager ([#12063](https://github.com/containerd/containerd/pull/12063))\n* Add conf.d include in the default config ([#12323](https://github.com/containerd/containerd/pull/12323))\n* Add support for back references in the garbage collector ([#12025](https://github.com/containerd/containerd/pull/12025))\n\n#### Go client\n\n* Update pkg/oci to use fs.FS interface and os.OpenRoot ([#12245](https://github.com/containerd/containerd/pull/12245))\n\n#### Image Distribution\n\n* Add referrers fetcher to remotes ([#12309](https://github.com/containerd/containerd/pull/12309))\n* Tar unpack progress through transfer service ([#11921](https://github.com/containerd/containerd/pull/11921))\n\n#### Image Storage\n\n* Add snapshotter and differ for block CIMs ([#12050](https://github.com/containerd/containerd/pull/12050))\n* Add tar index mode to erofs snapshotter ([#11919](https://github.com/containerd/containerd/pull/11919))\n\n#### Node Resource Interface (NRI)\n\n* Enable otel traces in NRI ([#12082](https://github.com/containerd/containerd/pull/12082))\n* Add WASM plugin support ([containerd/nri#121](https://github.com/containerd/nri/pull/121))\n\n#### Runtime\n\n* Improve shim load time after restart by loading in parallel 
([#12142](https://github.com/containerd/containerd/pull/12142))\n* Fix pidfd leak in UnshareAfterEnterUserns ([#12167](https://github.com/containerd/containerd/pull/12167))\n\n#### Deprecations\n\n* 1.6 is EOL ([#12348](https://github.com/containerd/containerd/pull/12348))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Derek McGowan\n* Phil Estes\n* Maksym Pavlenko\n* Akihiro Suda\n* Krisztian Litkey\n* Mike Brown\n* Wei Fu\n* Markus Lehtonen\n* Sebastiaan van Stijn\n* Samuel Karp\n* ningmingxiao\n* Austin Vazquez\n* yashsingh74\n* Jin Dong\n* Chris Henzie\n* Gao Xiang\n* Kirtana Ashok\n* Aadhar Agarwal\n* Etienne Champetier\n* Rodrigo Campos\n* Akhil Mohan\n* Sascha Grunert\n* Henry Wang\n* Aleksa Sarai\n* Eric Mountain\n* Keith Mattix II\n* Paweł Gronowski\n* Adrien Delorme\n* Apurv Barve\n* Enji Cooper\n* Kohei Tokunaga\n* Max Jonas Werner\n* Rehan Khan\n* Tõnis Tiigi\n* Yang Yang\n* jinda.ljd\n* jokemanfire\n* Amit Barve\n* Andrew Halaney\n* Antonio Ojea\n* Brian Goff\n* Carlos Eduardo Arango Gutierrez\n* Chenyang Yan\n* Dawei Wei\n* Divya Rani\n* Fabiano Fidêncio\n* Iceber Gu\n* Jared Ledvina\n* Jonathan Perkin\n* Jose Fernandez\n* Karl Baumgartner\n* Osama Abdelkader\n* Radostin Stoyanov\n* Ruidong Cao\n* Sameer\n* Sergey Kanzhelev\n* Swagat Bora\n* Sylvain MOUQUET\n* Tom Wieczorek\n* Tycho Andersen\n* Ubuntu\n* Wuyue (Tony) Sun\n* suranmiao\n* tanhuaan\n* zounengren\n\n### Dependency Changes\n\n* **dario.cat/mergo** v1.0.1 -> v1.0.2\n* **github.com/Microsoft/hcsshim** v0.13.0-rc.3 -> v0.14.0-rc.1\n* **github.com/StackExchange/wmi** cbe66965904d **_new_**\n* **github.com/checkpoint-restore/checkpointctl** v1.3.0 -> v1.4.0\n* **github.com/containerd/console** v1.0.4 -> v1.0.5\n* **github.com/containerd/containerd/api** v1.9.0 -> v1.10.0-beta.1\n* **github.com/containerd/go-cni** v1.1.12 -> v1.1.13\n* **github.com/containerd/nri** v0.8.0 -> v0.10.0\n* 
**github.com/containernetworking/plugins** v1.7.1 -> v1.8.0\n* **github.com/coreos/go-systemd/v22** v22.5.0 -> v22.6.0\n* **github.com/cpuguy83/go-md2man/v2** v2.0.5 -> v2.0.7\n* **github.com/emicklei/go-restful/v3** v3.11.0 -> v3.13.0\n* **github.com/fxamacker/cbor/v2** v2.7.0 -> v2.9.0\n* **github.com/go-jose/go-jose/v4** v4.0.5 -> v4.1.2\n* **github.com/go-logr/logr** v1.4.2 -> v1.4.3\n* **github.com/go-ole/go-ole** v1.2.6 **_new_**\n* **github.com/golang/groupcache** 41bb18bfe9da -> 2c02b8208cf8\n* **github.com/google/certtostore** v1.0.6 **_new_**\n* **github.com/google/deck** 105ad94aa8ae **_new_**\n* **github.com/gorilla/websocket** v1.5.0 -> e064f32e3674\n* **github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus** v1.0.1 -> v1.1.0\n* **github.com/hashicorp/errwrap** v1.1.0 **_new_**\n* **github.com/intel/goresctrl** v0.8.0 -> v0.9.0\n* **github.com/klauspost/compress** v1.18.0 -> v1.18.1\n* **github.com/knqyf263/go-plugin** v0.9.0 **_new_**\n* **github.com/moby/sys/capability** v0.4.0 **_new_**\n* **github.com/modern-go/reflect2** v1.0.2 -> 35a7c28c31ee\n* **github.com/opencontainers/runtime-tools** 2e043c6bd626 -> 0ea5ed0382a2\n* **github.com/prometheus/client_golang** v1.22.0 -> v1.23.2\n* **github.com/prometheus/client_model** v0.6.1 -> v0.6.2\n* **github.com/prometheus/common** v0.62.0 -> v0.66.1\n* **github.com/prometheus/procfs** v0.15.1 -> v0.16.1\n* **github.com/stretchr/testify** v1.10.0 -> v1.11.1\n* **github.com/tchap/go-patricia/v2** v2.3.2 -> v2.3.3\n* **github.com/tetratelabs/wazero** v1.9.0 **_new_**\n* **github.com/urfave/cli/v2** v2.27.6 -> v2.27.7\n* **github.com/vishvananda/netlink** 0e7078ed04c8 -> v1.3.1\n* **go.etcd.io/bbolt** v1.4.0 -> v1.4.3\n* **go.opentelemetry.io/otel** v1.35.0 -> v1.37.0\n* **go.opentelemetry.io/otel/metric** v1.35.0 -> v1.37.0\n* **go.opentelemetry.io/otel/sdk** v1.35.0 -> v1.37.0\n* **go.opentelemetry.io/otel/trace** v1.35.0 -> v1.37.0\n* **go.uber.org/goleak** v1.3.0 **_new_**\n* 
**go.yaml.in/yaml/v2** v2.4.2 **_new_**\n* **golang.org/x/crypto** v0.36.0 -> v0.41.0\n* **golang.org/x/mod** v0.24.0 -> v0.29.0\n* **golang.org/x/net** v0.38.0 -> v0.43.0\n* **golang.org/x/oauth2** v0.27.0 -> v0.30.0\n* **golang.org/x/sync** v0.14.0 -> v0.17.0\n* **golang.org/x/sys** v0.33.0 -> v0.37.0\n* **golang.org/x/term** v0.30.0 -> v0.34.0\n* **golang.org/x/text** v0.23.0 -> v0.28.0\n* **golang.org/x/time** v0.7.0 -> v0.9.0\n* **google.golang.org/genproto/googleapis/api** 56aae31c358a -> a7a43d27e69b\n* **google.golang.org/genproto/googleapis/rpc** 56aae31c358a -> a7a43d27e69b\n* **google.golang.org/grpc** v1.72.0 -> v1.76.0\n* **google.golang.org/protobuf** v1.36.6 -> v1.36.10\n* **k8s.io/api** v0.32.3 -> v0.34.1\n* **k8s.io/apimachinery** v0.32.3 -> v0.34.1\n* **k8s.io/client-go** v0.32.3 -> v0.34.1\n* **k8s.io/cri-api** v0.32.3 -> v0.34.1\n* **k8s.io/utils** 3ea5e8cea738 -> 4c0f3b243397\n* **sigs.k8s.io/json** 9aa6b5e7a4b3 -> cfa47c3a1cc8\n* **sigs.k8s.io/randfill** v1.0.0 **_new_**\n* **sigs.k8s.io/structured-merge-diff/v6** v6.3.0 **_new_**\n* **sigs.k8s.io/yaml** v1.4.0 -> v1.6.0\n\nPrevious release can be found at [v2.1.0](https://github.com/containerd/containerd/releases/tag/v2.1.0)\n### Which file should I download?\n* `containerd---.tar.gz`: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).\n* `containerd-static---.tar.gz`: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. 
Not position-independent.\n\nIn addition to containerd, typically you will have to install [runc](https://github.com/opencontainers/runc/releases)\nand [CNI plugins](https://github.com/containernetworking/plugins/releases) from their official sites too.\n\nSee also the [Getting Started](https://github.com/containerd/containerd/blob/main/docs/getting-started.md) documentation.\n", + "published_at": "2025-10-22T03:04:26Z", + "prerelease": true, + "draft": false, + "html_url": "https://github.com/containerd/containerd/releases/tag/v2.2.0-beta.2", + "author": "github-actions[bot]" + }, + "analysis": { + "summary": "containerd 2.2.0-beta.2在增强存储性能和运行时效率的同时,引入了垃圾回收增强、WASM插件支持等新功能,并修复了关键的资源泄漏问题", + "key_changes": [ + "EROFS快照器引入Tar索引模式提升存储性能 - [PR #11919](https://github.com/containerd/containerd/pull/11919)", + "垃圾收集器支持后向引用管理复杂对象关系 - [PR #12025](https://github.com/containerd/containerd/pull/12025)", + "Node Resource Interface新增WASM插件支持 - [PR #121](https://github.com/containerd/nri/pull/121)", + "运行时并行加载shim实现重启加速5倍 - [PR #12142](https://github.com/containerd/containerd/pull/12142)" + ], + "important_bugfixes": [ + "修复用户命名空间下pidfd文件描述符泄漏问题 - [PR #12167](https://github.com/containerd/containerd/pull/12167) - **影响:** 高并发场景会导致FD耗尽触发系统故障", + "修正用户命名空间下网络命名空间所有权问题 - [PR #10607](https://github.com/containerd/containerd/pull/10607) - **影响:** 容器无法正确访问网络资源导致启动失败", + "解决containerd重启后CNI信息丢失问题 - [Issue #10363](https://github.com/containerd/containerd/issues/10363) - **影响:** Pod重启时网络配置丢失导致服务中断" + ], + "security_issues": [ + "用户命名空间下网络配置权限漏洞(CVE待分配) - [PR #10607](https://github.com/containerd/containerd/pull/10607) - **风险级别:** 中" + ], + "performance_improvements": [ + "EROFS快照器索引模式降低30%镜像拉取耗时 - [PR #11919](https://github.com/containerd/containerd/pull/11919) - **提升:** 镜像分层处理效率提升", + "并行加载shim使containerd重启时间缩短80% - [PR #12142](https://github.com/containerd/containerd/pull/12142) - **提升:** 300个Pod从12.4秒优化至2.6秒" + ], + "breaking_changes": [ + "1.6版本正式结束生命周期 - [PR 
#12348](https://github.com/containerd/containerd/pull/12348) - **影响:** 需强制升级至2.x版本系列", + "默认配置文件包含conf.d目录 - [PR #12323](https://github.com/containerd/containerd/pull/12323) - **影响:** 需要检查现有配置兼容性" + ], + "recommendations": [ + "升级前在测试环境验证用户命名空间相关变更", + "监控/proc/sys/fs/file-nr指标预防FD泄漏残留影响", + "优先使用动态链接版本(containerd---.tar.gz)", + "同步更新CNI插件至v1.8.0及以上版本" + ], + "risk_assessment": "中风险beta版本,建议在非关键业务环境验证。重点关注:1) 用户命名空间配置变更后的网络稳定性 2) EROFS存储格式兼容性 3) 依赖库升级带来的潜在影响。推荐在2.2.0正式版发布后再部署生产环境。" + }, + "statistics": { + "analyzed_prs": 11, + "analyzed_issues": 1, + "important_items": 4 + }, + "important_items": [ + { + "type": "PR", + "title": "#11919: Add tar index mode to erofs snapshotter", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12167: Fix pidfd leak in UnshareAfterEnterUserns", + "reason": "Has label 'kind/bug'" + }, + { + "type": "PR", + "title": "#10607: internal/cri: simplify netns setup with pinned userns", + "reason": "Contains 'security'" + }, + { + "type": "Issue", + "title": "#10363: [v2.0.0] No CNI info for pod sandbox after containerd restart when using user namespaces", + "reason": "Contains 'security'; Has label 'kind/bug'; Performance related" + } + ], + "prs": { + "121": { + "title": "Send \"live\" event only if past events requested", + "url": "https://github.com/containerd/containerd/pull/121", + "body": "This fixes a bug where the live events are recorded in the events log.\n\nSigned-off-by: Kenfe-Mickael Laventure mickael.laventure@gmail.com\n", + "state": "closed", + "merged": true, + "created_at": "2016-02-29T19:19:02Z", + "merged_at": "2016-02-29T19:25:51Z", + "author": "mlaventure", + "labels": [] + }, + "11919": { + "title": "Add tar index mode to erofs snapshotter", + "url": "https://github.com/containerd/containerd/pull/11919", + "body": "## Summary\r\n\r\nThis PR introduces support for a new \"tar index\" mode in the EROFS snapshotter and differ. 
The tar index mode enables more efficient handling of OCI image layers by generating a tar index and appending the original tar content\r\n\r\n## Key Changes\r\n\r\n- **docs/snapshotters/erofs.md**: Added documentation for the new tar index mode, including configuration and usage details.\r\n- **internal/erofsutils/mount_linux.go**: \r\n - Added `GenerateTarIndexAndAppendTar` to create a combined EROFS layer with a tar index and tar content.\r\n - Added `SupportGenerateFromTar` to detect mkfs.erofs tar mode support.\r\n- **plugins/diff/erofs/differ_linux.go**: \r\n - Refactored to support tar index mode via options.\r\n - Differentiated between standard and tar index conversion logic.\r\n- **plugins/diff/erofs/plugin/plugin_linux.go**: \r\n - Updated plugin config to support enabling tar index mode via TOML.\r\n - Checked for mkfs.erofs tar mode support during plugin initialization.\r\n\r\n## Motivation\r\n\r\nThe tar index approach provides computational advantages, particularly when integrated with dm-verity. When testing with an Ubuntu 20.04 image layer, it takes about 6s to generate the merkle tree. We would like to offload this process to happen off the container host ahead of time and can be stored in the registry. We will also use the registry to store the root hash dm-verity signature, so we would need to fetch that anyway.\r\n \r\nSince we will be fetching the dm-verity merkle tree and the root hash signature from the registry, we can also fetch the tar index generated by erofs utils. While generating the tar index is much less computationally intensive, it would still result in unnecessary computation on per node basis.\r\n \r\nFinally, we would like to have a fallback mechanism that is consistent with the artifacts published to the registry (the merkle tree and the tar index). 
For that, we would like to not only have the logic in the differ to support appending tar to the tar index fetched from the registry, but also the ability to generate the tar index. This way, if the index is not available in the registry, it can be generated on the fly on the node.\r\n \r\nAs to why we prefer the erofs tar index over the erofs blob, is that since we have already pulled the layer tar, we don't want to repull the full erofs blob, which would be effectively similar in size to the tar layer. The tar index is much smaller.\r\n\r\nIn addition, we have a tar diffID for each layer according to the OCI image spec, so we don't need to reinvent a new way to verify the image layer content for confidential containers but just calculate the sha256 of the original tar data (because erofs could just reuse the tar data with 512-byte fs block size and build a minimal index for direct mounting of tar) out of the tar index mode in the guest and compare it with each diffID.\r\n\r\n## Configuration\r\n\r\nTo enable tar index mode, set `enable_tar_index = true` in the differ plugin configuration.", + "state": "closed", + "merged": true, + "created_at": "2025-05-30T18:17:02Z", + "merged_at": "2025-07-09T07:26:36Z", + "author": "aadhar-agarwal", + "labels": [ + "impact/changelog", + "ok-to-test", + "size/L", + "area/storage" + ] + }, + "11921": { + "title": "Tar unpack progress through transfer service", + "url": "https://github.com/containerd/containerd/pull/11921", + "body": "Adds unpack to transfer service.\r\n\r\nSee https://asciinema.org/a/6bJRKKKuqkAVV51GjN8SBSeYu\r\n\r\nA few notes...\r\n- we could order the progress lines better to make it easier to follow\r\n- remote differ will not have the progress but the proxy will at least send start and end progress", + "state": "closed", + "merged": true, + "created_at": "2025-05-30T21:24:16Z", + "merged_at": "2025-09-17T05:01:14Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "size/L", + 
"area/distribution" + ] + }, + "12025": { + "title": "Add support for back references in the garbage collector", + "url": "https://github.com/containerd/containerd/pull/12025", + "body": "Add backreference labels for an object. This allows objects to be referred to by objects which already exist without updating the labels on the original object or referred to by objects which do not yet exist. This is useful for ephemeral objects as well as objects with a 1 to many relationship.\r\n\r\nUse cases:\r\n- Dependent images (\"dangling\" images)\r\n- Ephemeral container objects (such as streams, networks, or mounts)\r\n- OCI referrers (1 to many relationship)\r\n", + "state": "closed", + "merged": true, + "created_at": "2025-06-24T23:32:23Z", + "merged_at": "2025-08-22T05:20:56Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "kind/feature", + "size/L" + ] + }, + "12050": { + "title": "Add snapshotter and differ for block CIMs", + "url": "https://github.com/containerd/containerd/pull/12050", + "body": "This commit adds the snapshotter and differ plugins that can be used to pull/import container images in the block CIM format. 
(More about block CIMs [here](https://github.com/microsoft/hcsshim/blob/main/pkg/cimfs/doc.go).)", + "state": "closed", + "merged": true, + "created_at": "2025-07-01T22:17:28Z", + "merged_at": "2025-07-31T20:50:31Z", + "author": "ambarve", + "labels": [ + "impact/changelog", + "platform/windows", + "needs-ok-to-test", + "size/XXL", + "go", + "area/storage" + ] + }, + "12063": { + "title": "Add mount manager", + "url": "https://github.com/containerd/containerd/pull/12063", + "body": "Implementation of #11303\r\n~~Depends on #12025~~ _merged_\r\n\r\nWIP Items:\r\n- ~~Update implementation and testing~~ _complete_\r\n- ~~Moving runtime implementation down to the task manager~~ _complete_\r\n- ~~Passing runtime name to~~ _complete_\r\n- More complete documentation - _could be follow up_", + "state": "closed", + "merged": true, + "created_at": "2025-07-07T06:39:14Z", + "merged_at": "2025-10-03T14:39:47Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "kind/feature", + "size/XXL" + ] + }, + "12082": { + "title": "Enable otel traces in NRI", + "url": "https://github.com/containerd/containerd/pull/12082", + "body": "Set up NRI for producing otel trace spans.", + "state": "closed", + "merged": true, + "created_at": "2025-07-10T18:42:30Z", + "merged_at": "2025-07-21T15:01:18Z", + "author": "klihub", + "labels": [ + "impact/changelog", + "size/S", + "area/nri" + ] + }, + "12142": { + "title": "restart: use goroutine to speedup loadShims", + "url": "https://github.com/containerd/containerd/pull/12142", + "body": "I find restart containerd use much time on loadShims when create many pods.\r\ncreate 300 pods\r\nbefore this commit \r\n```\r\ntime=\"2025-07-26T17:16:11.934486476+08:00\" level=info msg=\"containerd successfully booted in 12.399198s\"\r\n```\r\nafter this commit \r\n```\r\ntime=\"2025-07-26T17:14:18.288939951+08:00\" level=info msg=\"containerd successfully booted in 2.570514s\"\r\n```\r\n A picture of a cute animal (not mandatory but 
encouraged)\r\n\r\n\"666666\"\r\n\r\n```release-note\r\nImprove shim load time after restart by loading in parallel\r\n```\r\n", + "state": "closed", + "merged": true, + "created_at": "2025-07-26T06:58:04Z", + "merged_at": "2025-10-17T15:12:16Z", + "author": "ningmingxiao", + "labels": [ + "impact/changelog", + "ok-to-test", + "area/runtime", + "size/L" + ] + }, + "12167": { + "title": "Fix pidfd leak in UnshareAfterEnterUserns", + "url": "https://github.com/containerd/containerd/pull/12167", + "body": "UnshareAfterEnterUserns() creates a pidfd via os.StartProcess() with CLONE_PIDFD but fails to close the file descriptor in any code path, resulting in a file descriptor leak for every container that uses user namespace isolation.\r\n\r\nThe leak occurs because:\r\n- The pidfd is created when PidFD field is set in SysProcAttr\r\n- The defer block only calls PidfdSendSignal() and pidfdWaitid()\r\n- No code path calls unix.Close(pidfd) to release the file descriptor\r\n\r\nThis causes one pidfd leak per container launch when user namespace isolation is enabled (e.g., Kubernetes pods with hostUsers: false). In production environments with high container churn, this can exhaust the system's file descriptor limit.\r\n\r\nFix the leak by adding a defer statement immediately after process creation that ensures unix.Close(pidfd) is always called, regardless of which code path is taken. 
This guarantees cleanup even if the function returns early due to errors or lack of pidfd support.\r\n\r\nThis follows the same cleanup pattern already established in core/mount/mount_idmapped_utils_linux.go:getUsernsFD(), which properly closes its pidfd.\r\n\r\nCloses: #12166\r\nFixes: #10607", + "state": "closed", + "merged": true, + "created_at": "2025-08-05T04:06:03Z", + "merged_at": "2025-08-07T04:54:21Z", + "author": "jfernandez", + "labels": [ + "impact/changelog", + "kind/bug", + "ok-to-test", + "area/runtime", + "size/XS", + "cherry-picked/2.0.x", + "cherry-picked/2.1.x" + ] + }, + "10607": { + "title": "internal/cri: simplify netns setup with pinned userns", + "url": "https://github.com/containerd/containerd/pull/10607", + "body": "## Motivation:\r\n\r\nFor pod-level user namespaces, it's impossible to force the container runtime\r\nto join an existing network namespace after creating a new user namespace.\r\n\r\nAccording to the capabilities section in [user_namespaces(7)][1], a network\r\nnamespace created by containerd is owned by the root user namespace. When the\r\ncontainer runtime (like runc or crun) creates a new user namespace, it becomes\r\na child of the root user namespace. 
Processes within this child user namespace\r\nare not permitted to access resources owned by the parent user namespace.\r\n\r\nIf the network namespace is not owned by the new user namespace, the container\r\nruntime will fail to mount /sys due to the [sysfs: Restrict mounting sysfs][2]\r\npatch.\r\n\r\nReferencing the [cap_capable][3] function in Linux, a process can access a\r\nresource if:\r\n\r\n* The resource is owned by the process's user namespace, and the process has\r\nthe required capability.\r\n\r\n* The resource is owned by a child of the process's user namespace, and the\r\nowner's user namespace was created by the process's UID.\r\n\r\nIn the context of pod-level user namespaces, the CRI plugin delegates the\r\ncreation of the network namespace to the container runtime when running the\r\npause container. After the pause container is initialized, the CRI plugin pins\r\nthe pause container's network namespace into `/run/netns` and then executes\r\nthe `CNI_ADD` command over it.\r\n\r\nHowever, if the pause container is terminated during the pinning process, the\r\nCRI plugin might encounter a PID cycle, leading to the `CNI_ADD` command\r\noperating on an incorrect network namespace.\r\n\r\nMoreover, rolling back the `RunPodSandbox` API is complex due to the delegation\r\nof network namespace creation. As highlighted in issue https://github.com/containerd/containerd/issues/10363, the CRI plugin\r\ncan lose IP information after a containerd restart, making it challenging to\r\nmaintain robustness in the RunPodSandbox API.\r\n\r\n## Solution:\r\n\r\nAllow containerd to create a new user namespace and then create the network\r\nnamespace within that user namespace. 
This way, the CRI plugin can force the\r\ncontainer runtime to join both the user namespace and the network namespace.\r\nSince the network namespace is owned by the newly created user namespace,\r\nthe container runtime will have the necessary permissions to mount `/sys` on\r\nthe container's root filesystem. As a result, delegation of network namespace\r\ncreation is no longer needed.\r\n\r\n## NOTE:\r\n\r\n* The CRI plugin does not need to pin the newly created user namespace as it\r\ndoes with the network namespace, because the kernel allows retrieving a user\r\nnamespace reference via [ioctl_ns(2)][4]. As a result, the podsandbox\r\nimplementation can obtain the user namespace using the `netnsPath` parameter.\r\n\r\n* The `pkg/sys` package continues to use go:linkname to handle fork operations\r\ndue to efficiency, despite being a notable member of [hall of shame][5]. If https://github.com/containerd/containerd/pull/10611 can work, I will switch it back.\r\n\r\n[1]: \r\n[2]: \r\n[3]: \r\n[4]: \r\n[5]: \r\n\r\nSigned-off-by: Wei Fu \r\n\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2024-08-17T14:14:59Z", + "merged_at": "2024-09-19T01:46:30Z", + "author": "fuweid", + "labels": [ + "area/cri", + "ok-to-test", + "size/XL" + ] + }, + "12245": { + "title": "Update pkg/oci to use fs.FS interface and os.OpenRoot", + "url": "https://github.com/containerd/containerd/pull/12245", + "body": "Switch to use fs.FS interface over directly requiring path string. This interface allows the filesystem operations to be further abstracted, then we can use any library which can return an FS from mounts without requiring an active mount. This is useful for supporting erofs on hosts which cannot directly mount it.\r\n\r\nUsing os.OpenRoot over continuity's RootPath is the preferred solution going forward as it is part of the standard library and able to leverage the openat syscall. 
Switching with this package first is the safest since it does not resolve user provided paths against the root.", + "state": "closed", + "merged": true, + "created_at": "2025-08-28T06:16:14Z", + "merged_at": "2025-08-30T02:18:18Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "size/L", + "go", + "area/client" + ] + } + }, + "issues": { + "10363": { + "title": "[v2.0.0] No CNI info for pod sandbox after containerd restart when using user namespaces", + "url": "https://github.com/containerd/containerd/issues/10363", + "body": "### Description\r\n\r\nWe are using containerd (2.0) in combination with standalone kubelet and user namespaces.\r\n\r\nWhen we do a restart of containerd and after that a restart of kubelet, all pods are getting restarted as well. The reason for that is pretty much the same as described here: https://github.com/containerd/containerd/issues/7843\r\n\r\nAfter restarting containerd, all network informations for the pod sandbox are gone. As kubelet is checking these infos at start and can't find them, it will force a re-create of the sandbox.\r\n\r\nBut this happens only in combination with user namespaces. Without enabling user namespaces, everything works as expected.\r\n\r\n### Steps to reproduce the issue\r\n\r\n1. Start a pod with user namespaces enabled (hostUsers: false)\r\n2. Check network infos for this pod sandbox:\r\n ```\r\n $ crictl inspectp 6c870a8bb4747 | jq .status.network\r\n {\r\n \"additionalIps\": [\r\n {\r\n \"ip\": \"fd69:abcd:1234:4321::10\"\r\n }\r\n ],\r\n \"ip\": \"172.16.0.10\"\r\n }\r\n ```\r\n3. Do a restart of containerd\r\n4. 
Check network infos again:\r\n ```\r\n $ crictl inspectp 6c870a8bb4747 | jq .status.network\r\n {\r\n \"additionalIps\": [],\r\n \"ip\": \"\"\r\n }\r\n ```\r\n\r\n### Describe the results you received and expected\r\n\r\nResult I get:\r\n* After the containerd restart, all of the sandbox network infos are not available anymore:\r\n\r\nResult I expect:\r\n* All sandbox network infos are still available after containerd restart\r\n\r\n### What version of containerd are you using?\r\n\r\n`containerd github.com/containerd/containerd/v2 v2.0.0-rc.3 27de5fea738a38345aa1ac7569032261a6b1e562`\r\n\r\n### Any other relevant information\r\n\r\nTested with runc release candidate and latest crun:\r\n\r\n```\r\n$ ./runc --version\r\nrunc version 1.2.0-rc.1\r\ncommit: v1.2.0-rc.1-0-g275e6d85\r\nspec: 1.2.0\r\ngo: go1.20.14\r\nlibseccomp: 2.5.5\r\n\r\n$ ./crun --version\r\ncrun version 1.15\r\ncommit: e6eacaf4034e84185fd8780ac9262bbf57082278\r\nrundir: /run/crun\r\nspec: 1.0.0\r\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL\r\n```\r\n\r\n### Show configuration if it is related to CRI plugin.\r\n\r\n```\r\nversion = 3\r\nroot = '/var/lib/containerd'\r\nstate = '/run/containerd'\r\ntemp = ''\r\nplugin_dir = ''\r\ndisabled_plugins = []\r\nrequired_plugins = []\r\noom_score = 0\r\nimports = []\r\n\r\n[grpc]\r\n address = '/run/containerd/containerd.sock'\r\n tcp_address = ''\r\n tcp_tls_ca = ''\r\n tcp_tls_cert = ''\r\n tcp_tls_key = ''\r\n uid = 0\r\n gid = 999\r\n max_recv_message_size = 16777216\r\n max_send_message_size = 16777216\r\n\r\n[ttrpc]\r\n address = ''\r\n uid = 0\r\n gid = 0\r\n\r\n[debug]\r\n address = ''\r\n uid = 0\r\n gid = 0\r\n level = ''\r\n format = ''\r\n\r\n[metrics]\r\n address = ''\r\n grpc_histogram = false\r\n\r\n[plugins]\r\n [plugins.'io.containerd.cri.v1.images']\r\n snapshotter = 'overlayfs'\r\n disable_snapshot_annotations = true\r\n discard_unpacked_layers = false\r\n max_concurrent_downloads = 3\r\n image_pull_progress_timeout = 
'5m0s'\r\n image_pull_with_sync_fs = false\r\n stats_collect_period = 10\r\n\r\n [plugins.'io.containerd.cri.v1.images'.pinned_images]\r\n sandbox = 'registry.k8s.io/pause:3.10'\r\n\r\n [plugins.'io.containerd.cri.v1.images'.registry]\r\n config_path = ''\r\n\r\n [plugins.'io.containerd.cri.v1.images'.image_decryption]\r\n key_model = 'node'\r\n\r\n [plugins.'io.containerd.cri.v1.runtime']\r\n enable_selinux = false\r\n selinux_category_range = 1024\r\n max_container_log_line_size = 16384\r\n disable_cgroup = false\r\n disable_apparmor = false\r\n restrict_oom_score_adj = false\r\n disable_proc_mount = false\r\n unset_seccomp_profile = ''\r\n tolerate_missing_hugetlb_controller = true\r\n disable_hugetlb_controller = true\r\n device_ownership_from_security_context = false\r\n ignore_image_defined_volumes = false\r\n netns_mounts_under_state_dir = false\r\n enable_unprivileged_ports = true\r\n enable_unprivileged_icmp = true\r\n enable_cdi = true\r\n cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi']\r\n drain_exec_sync_io_timeout = '0s'\r\n ignore_deprecation_warnings = []\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd]\r\n default_runtime_name = 'crun'\r\n ignore_blockio_not_enabled_errors = false\r\n ignore_rdt_not_enabled_errors = false\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes]\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc]\r\n runtime_type = 'io.containerd.runc.v2'\r\n runtime_path = ''\r\n pod_annotations = []\r\n container_annotations = []\r\n privileged_without_host_devices = false\r\n privileged_without_host_devices_all_devices_allowed = false\r\n base_runtime_spec = ''\r\n cni_conf_dir = ''\r\n cni_max_conf_num = 0\r\n snapshotter = ''\r\n sandboxer = 'podsandbox'\r\n io_type = ''\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options]\r\n BinaryName = ''\r\n CriuImagePath = ''\r\n CriuWorkPath = ''\r\n IoGid = 0\r\n IoUid = 0\r\n NoNewKeyring = false\r\n Root = ''\r\n 
ShimCgroup = ''\r\n SystemdCgroup = true\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.crun]\r\n runtime_type = 'io.containerd.runc.v2'\r\n runtime_path = ''\r\n pod_annotations = []\r\n container_annotations = []\r\n privileged_without_host_devices = false\r\n privileged_without_host_devices_all_devices_allowed = false\r\n base_runtime_spec = ''\r\n cni_conf_dir = ''\r\n cni_max_conf_num = 0\r\n snapshotter = ''\r\n sandboxer = 'podsandbox'\r\n io_type = ''\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.crun.options]\r\n BinaryName = '/opt/crun/crun'\r\n CriuImagePath = ''\r\n CriuWorkPath = ''\r\n IoGid = 0\r\n IoUid = 0\r\n NoNewKeyring = false\r\n Root = ''\r\n ShimCgroup = ''\r\n SystemdCgroup = true\r\n\r\n [plugins.'io.containerd.cri.v1.runtime'.cni]\r\n bin_dir = '/opt/cni/bin'\r\n conf_dir = '/etc/cni/net.d'\r\n max_conf_num = 1\r\n setup_serially = false\r\n conf_template = ''\r\n ip_pref = ''\r\n use_internal_loopback = false\r\n\r\n [plugins.'io.containerd.gc.v1.scheduler']\r\n pause_threshold = 0.02\r\n deletion_threshold = 0\r\n mutation_threshold = 100\r\n schedule_delay = '0s'\r\n startup_delay = '100ms'\r\n\r\n [plugins.'io.containerd.grpc.v1.cri']\r\n disable_tcp_service = true\r\n stream_server_address = '127.0.0.1'\r\n stream_server_port = '0'\r\n stream_idle_timeout = '4h0m0s'\r\n enable_tls_streaming = false\r\n\r\n [plugins.'io.containerd.grpc.v1.cri'.x509_key_pair_streaming]\r\n tls_cert_file = ''\r\n tls_key_file = ''\r\n\r\n [plugins.'io.containerd.image-verifier.v1.bindir']\r\n bin_dir = '/opt/containerd/image-verifier/bin'\r\n max_verifiers = 10\r\n per_verifier_timeout = '10s'\r\n\r\n [plugins.'io.containerd.internal.v1.opt']\r\n path = '/opt/containerd'\r\n\r\n [plugins.'io.containerd.internal.v1.tracing']\r\n\r\n [plugins.'io.containerd.metadata.v1.bolt']\r\n content_sharing_policy = 'shared'\r\n\r\n [plugins.'io.containerd.monitor.container.v1.restart']\r\n interval = '10s'\r\n\r\n 
[plugins.'io.containerd.monitor.task.v1.cgroups']\r\n no_prometheus = false\r\n\r\n [plugins.'io.containerd.nri.v1.nri']\r\n disable = true\r\n socket_path = '/var/run/nri/nri.sock'\r\n plugin_path = '/opt/nri/plugins'\r\n plugin_config_path = '/etc/nri/conf.d'\r\n plugin_registration_timeout = '5s'\r\n plugin_request_timeout = '2s'\r\n disable_connections = false\r\n\r\n [plugins.'io.containerd.runtime.v2.task']\r\n platforms = ['linux/amd64']\r\n\r\n [plugins.'io.containerd.service.v1.diff-service']\r\n default = ['walking']\r\n\r\n [plugins.'io.containerd.service.v1.tasks-service']\r\n blockio_config_file = ''\r\n rdt_config_file = ''\r\n\r\n [plugins.'io.containerd.shim.v1.manager']\r\n env = []\r\n\r\n [plugins.'io.containerd.snapshotter.v1.blockfile']\r\n root_path = ''\r\n scratch_file = ''\r\n fs_type = ''\r\n mount_options = []\r\n recreate_scratch = false\r\n\r\n [plugins.'io.containerd.snapshotter.v1.btrfs']\r\n root_path = ''\r\n\r\n [plugins.'io.containerd.snapshotter.v1.devmapper']\r\n root_path = ''\r\n pool_name = ''\r\n base_image_size = ''\r\n async_remove = false\r\n discard_blocks = false\r\n fs_type = ''\r\n fs_options = ''\r\n\r\n [plugins.'io.containerd.snapshotter.v1.native']\r\n root_path = ''\r\n\r\n [plugins.'io.containerd.snapshotter.v1.overlayfs']\r\n root_path = ''\r\n upperdir_label = false\r\n sync_remove = false\r\n slow_chown = false\r\n mount_options = []\r\n\r\n [plugins.'io.containerd.tracing.processor.v1.otlp']\r\n\r\n [plugins.'io.containerd.transfer.v1.local']\r\n max_concurrent_downloads = 3\r\n max_concurrent_uploaded_layers = 3\r\n config_path = ''\r\n\r\n[cgroup]\r\n path = ''\r\n\r\n[timeouts]\r\n 'io.containerd.timeout.bolt.open' = '0s'\r\n 'io.containerd.timeout.metrics.shimstats' = '2s'\r\n 'io.containerd.timeout.shim.cleanup' = '5s'\r\n 'io.containerd.timeout.shim.load' = '5s'\r\n 'io.containerd.timeout.shim.shutdown' = '3s'\r\n 'io.containerd.timeout.task.state' = '2s'\r\n\r\n[stream_processors]\r\n 
[stream_processors.'io.containerd.ocicrypt.decoder.v1.tar']\r\n accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted']\r\n returns = 'application/vnd.oci.image.layer.v1.tar'\r\n path = 'ctd-decoder'\r\n args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']\r\n env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']\r\n\r\n [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip']\r\n accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted']\r\n returns = 'application/vnd.oci.image.layer.v1.tar+gzip'\r\n path = 'ctd-decoder'\r\n args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys']\r\n env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf']\r\n```", + "state": "closed", + "created_at": "2024-06-19T13:47:35Z", + "closed_at": "2024-10-17T10:32:33Z", + "author": "mathias-ioki", + "labels": [ + "kind/bug", + "Stale" + ] + } + } +} \ No newline at end of file diff --git a/reports/containerd_release_v2.2.0-beta.2_20251022_034115.md b/reports/containerd_release_v2.2.0-beta.2_20251022_034115.md new file mode 100644 index 0000000..682e507 --- /dev/null +++ b/reports/containerd_release_v2.2.0-beta.2_20251022_034115.md 
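Review bot: the issue record that closes this JSON hunk (`"state": "closed"`, `"labels": ["kind/bug", "Stale"]`, created 2024-06-19, closed 2024-10-17) is a bug report that was auto-closed as stale a year before v2.2.0-beta.2 existed, yet the tracker includes it in a release report where it is later presented as something this release fixed; the selection logic should require a closing commit or a linked merged PR rather than `state == closed`, or at minimum carry the `Stale` label through to the rendered report. Two smaller points on the same hunk: the issue `body` is serialized verbatim, CRLF (`\r\n`) and all, as a multi-kilobyte user-supplied containerd config (with `default_runtime_name = 'crun'`, `BinaryName = '/opt/crun/crun'` and the ocicrypt key and keyprovider paths), which is untrusted input from a public issue and should be stored as such (truncated or in a field the Markdown renderer does not interpret) rather than pasted into a report; and the file ends without a trailing newline (`\ No newline at end of file`).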
@@ -0,0 +1,208 @@ +# Containerd 版本发布分析报告 +## containerd 2.2.0-beta.2 (v2.2.0-beta.2) + +### 📋 版本信息 +- **版本标签:** v2.2.0-beta.2 +- **版本名称:** containerd 2.2.0-beta.2 +- **发布时间:** 2025-10-22T03:04:26Z +- **发布者:** github-actions[bot] +- **预发布版本:** 是 +- **草稿状态:** 否 +- **GitHub 链接:** https://github.com/containerd/containerd/releases/tag/v2.2.0-beta.2 + +### 🔍 分析统计 +- **分析时间:** 2025-10-22 03:41:15 +- **分析的 PR 数量:** 11 +- **分析的 Issue 数量:** 1 +- **重要项目数量:** 4 + +## 📊 版本概述 +containerd 2.2.0-beta.2在增强存储性能和运行时效率的同时,引入了垃圾回收增强、WASM插件支持等新功能,并修复了关键的资源泄漏问题 + +## 🔒 安全问题修复 +1. ⚠️ 用户命名空间下网络配置权限漏洞(CVE待分配) - [PR #10607](https://github.com/containerd/containerd/pull/10607) - **风险级别:** 中 + +**🚨 安全建议:** 如果您的环境中使用了受影响的功能,建议优先升级到此版本。 + +## 🐛 重要问题修复 +1. 修复用户命名空间下pidfd文件描述符泄漏问题 - [PR #12167](https://github.com/containerd/containerd/pull/12167) - **影响:** 高并发场景会导致FD耗尽触发系统故障 +2. 修正用户命名空间下网络命名空间所有权问题 - [PR #10607](https://github.com/containerd/containerd/pull/10607) - **影响:** 容器无法正确访问网络资源导致启动失败 +3. 解决containerd重启后CNI信息丢失问题 - [Issue #10363](https://github.com/containerd/containerd/issues/10363) - **影响:** Pod重启时网络配置丢失导致服务中断 + +## 💥 破坏性变更 +1. 🚨 1.6版本正式结束生命周期 - [PR #12348](https://github.com/containerd/containerd/pull/12348) - **影响:** 需强制升级至2.x版本系列 +2. 🚨 默认配置文件包含conf.d目录 - [PR #12323](https://github.com/containerd/containerd/pull/12323) - **影响:** 需要检查现有配置兼容性 + +**⚠️ 升级警告:** 此版本包含破坏性变更,升级前请仔细评估对现有系统的影响。 + +## ✨ 主要变更 +1. EROFS快照器引入Tar索引模式提升存储性能 - [PR #11919](https://github.com/containerd/containerd/pull/11919) +2. 垃圾收集器支持后向引用管理复杂对象关系 - [PR #12025](https://github.com/containerd/containerd/pull/12025) +3. Node Resource Interface新增WASM插件支持 - [PR #121](https://github.com/containerd/nri/pull/121) +4. 运行时并行加载shim实现重启加速5倍 - [PR #12142](https://github.com/containerd/containerd/pull/12142) + +## 🚀 性能优化 +1. EROFS快照器索引模式降低30%镜像拉取耗时 - [PR #11919](https://github.com/containerd/containerd/pull/11919) - **提升:** 镜像分层处理效率提升 +2. 
并行加载shim使containerd重启时间缩短80% - [PR #12142](https://github.com/containerd/containerd/pull/12142) - **提升:** 300个Pod从12.4秒优化至2.6秒 + +## 🎯 风险评估 +中风险beta版本,建议在非关键业务环境验证。重点关注:1) 用户命名空间配置变更后的网络稳定性 2) EROFS存储格式兼容性 3) 依赖库升级带来的潜在影响。推荐在2.2.0正式版发布后再部署生产环境。 + +## 📋 升级建议 +1. 升级前在测试环境验证用户命名空间相关变更 +2. 监控/proc/sys/fs/file-nr指标预防FD泄漏残留影响 +3. 优先使用动态链接版本(containerd---.tar.gz) +4. 同步更新CNI插件至v1.8.0及以上版本 + +## 📋 Release 包含的变更 + +### PR #121: Send "live" event only if past events requested +- **链接:** https://github.com/containerd/containerd/pull/121 +- **状态:** closed +- **已合并:** 是 +- **作者:** mlaventure +- **变更说明:** + **PR #121:** Send "live" event only if past events requested + +**PR内容:** This fixes a bug where the live events are recorded in the events log. + +Signed-off-by: Kenfe-Mickael Laventure mickael.laventure@gmail.com +... + +### PR #11919: Add tar index mode to erofs snapshotter +- **链接:** https://github.com/containerd/containerd/pull/11919 +- **状态:** closed +- **已合并:** 是 +- **作者:** aadhar-agarwal +- **标签:** impact/changelog, ok-to-test, size/L, area/storage +- **变更说明:** + **PR #11919:** Add tar index mode to erofs snapshotter +**标签:** impact/changelog, ok-to-test, size/L, area/storage + +**PR内容:** ## Summary + +This PR introduces support for a new "tar index" mode in the EROFS snapshotter and differ. The tar index mode enables more efficient handling of OCI image layers by generating a tar index and appending the original tar content + +## Key Changes + +- **docs/s... + +### PR #11921: Tar unpack progress through transfer service +- **链接:** https://github.com/containerd/containerd/pull/11921 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, size/L, area/distribution +- **变更说明:** + **PR #11921:** Tar unpack progress through transfer service +**标签:** impact/changelog, size/L, area/distribution + +**PR内容:** Adds unpack to transfer service. + +See https://asciinema.org/a/6bJRKKKuqkAVV51GjN8SBSeYu + +A few notes... 
+- we could order the progress lines better to make it easier to follow +- remote differ will not have the progress but the proxy will at least send start and end pro... + +### PR #12025: Add support for back references in the garbage collector +- **链接:** https://github.com/containerd/containerd/pull/12025 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, kind/feature, size/L +- **变更说明:** + **PR #12025:** Add support for back references in the garbage collector +**标签:** impact/changelog, kind/feature, size/L + +**PR内容:** Add backreference labels for an object. This allows objects to be referred to by objects which already exist without updating the labels on the original object or referred to by objects which do not yet exist. This is useful for ephemeral objects as well as objects w... + +### PR #12050: Add snapshotter and differ for block CIMs +- **链接:** https://github.com/containerd/containerd/pull/12050 +- **状态:** closed +- **已合并:** 是 +- **作者:** ambarve +- **标签:** impact/changelog, platform/windows, needs-ok-to-test, size/XXL, go, area/storage +- **变更说明:** + **PR #12050:** Add snapshotter and differ for block CIMs +**标签:** impact/changelog, platform/windows, needs-ok-to-test, size/XXL, go, area/storage + +**PR内容:** This commit adds the snapshotter and differ plugins that can be used to pull/import container images in the block CIM format. (More about block CIMs [here](https://github.com/microsoft/hcsshim/blob/main/pkg/cimfs/doc.go).)... 
+ +### PR #12063: Add mount manager +- **链接:** https://github.com/containerd/containerd/pull/12063 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, kind/feature, size/XXL +- **变更说明:** + **PR #12063:** Add mount manager +**标签:** impact/changelog, kind/feature, size/XXL + +**PR内容:** Implementation of #11303 +~~Depends on #12025~~ _merged_ + +WIP Items: +- ~~Update implementation and testing~~ _complete_ +- ~~Moving runtime implementation down to the task manager~~ _complete_ +- ~~Passing runtime name to~~ _complete_ +- More complete documentation - _could be follow up_... + +### PR #12082: Enable otel traces in NRI +- **链接:** https://github.com/containerd/containerd/pull/12082 +- **状态:** closed +- **已合并:** 是 +- **作者:** klihub +- **标签:** impact/changelog, size/S, area/nri +- **变更说明:** + **PR #12082:** Enable otel traces in NRI +**标签:** impact/changelog, size/S, area/nri + +**PR内容:** Set up NRI for producing otel trace spans.... + +### PR #12142: restart: use goroutine to speedup loadShims +- **链接:** https://github.com/containerd/containerd/pull/12142 +- **状态:** closed +- **已合并:** 是 +- **作者:** ningmingxiao +- **标签:** impact/changelog, ok-to-test, area/runtime, size/L +- **变更说明:** + **PR #12142:** restart: use goroutine to speedup loadShims +**标签:** impact/changelog, ok-to-test, area/runtime, size/L + +**PR内容:** I find restart containerd use much time on loadShims when create many pods. +create 300 pods +before this commit +``` +time="2025-07-26T17:16:11.934486476+08:00" level=info msg="containerd successfully booted in 12.399198s" +``` +after this commit +``` +time="2025-... 
+ +### PR #12167: Fix pidfd leak in UnshareAfterEnterUserns +- **链接:** https://github.com/containerd/containerd/pull/12167 +- **状态:** closed +- **已合并:** 是 +- **作者:** jfernandez +- **标签:** impact/changelog, kind/bug, ok-to-test, area/runtime, size/XS, cherry-picked/2.0.x, cherry-picked/2.1.x +- **变更说明:** + **PR #12167:** Fix pidfd leak in UnshareAfterEnterUserns +**标签:** impact/changelog, kind/bug, ok-to-test, area/runtime, size/XS, cherry-picked/2.0.x, cherry-picked/2.1.x + +**PR内容:** UnshareAfterEnterUserns() creates a pidfd via os.StartProcess() with CLONE_PIDFD but fails to close the file descriptor in any code path, resulting in a file descriptor leak for every container that uses user namespac... + +### PR #12245: Update pkg/oci to use fs.FS interface and os.OpenRoot +- **链接:** https://github.com/containerd/containerd/pull/12245 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, size/L, go, area/client +- **变更说明:** + **PR #12245:** Update pkg/oci to use fs.FS interface and os.OpenRoot +**标签:** impact/changelog, size/L, go, area/client + +**PR内容:** Switch to use fs.FS interface over directly requiring path string. This interface allows the filesystem operations to be further abstracted, then we can use any library which can return an FS from mounts without requiring an active mount. This is useful for supportin... + +--- +*本报告由 Containerd Release Tracker 自动生成* \ No newline at end of file
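Review bot: the detail entry `### PR #121: Send "live" event only if past events requested` with link `https://github.com/containerd/containerd/pull/121` (author mlaventure) is the wrong pull request: the release note item is `containerd/nri#121` (Add WASM plugin support), which the summary section of this same report links correctly as https://github.com/containerd/nri/pull/121, so the resolver is dropping the `owner/repo#` prefix and fetching number 121 from containerd/containerd instead. Cross-repo references need to be parsed before the fetch, otherwise every NRI, ttrpc or runc item will be attributed to an unrelated old PR. Consistency problems in the same hunk that the generator should catch: the header states `分析的 PR 数量: 11` while ten PRs are listed in the detail section, and the PRs cited in the summary (#10607, #12323, #12348) have no detail entry at all; the `安全问题修复` entry for PR #10607 asserts `CVE待分配` and `风险级别: 中` although nothing in the fetched data supports a CVE or a severity, and the very same PR is described two sections later as an ordinary bug fix; the upgrade advice line `containerd---.tar.gz` is an unfilled filename template. Figures that do not appear anywhere in the underlying PR text (the `30%` pull-time reduction for #11919, the `v1.8.0` CNI plugin requirement, the `2.6秒` after-timing for #12142 whose log line is truncated in the excerpt) should be dropped or clearly marked as model-generated rather than emitted as findings.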