diff --git a/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.json b/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.json new file mode 100644 index 0000000..09ea774 --- /dev/null +++ b/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.json @@ -0,0 +1,265 @@ +{ + "metadata": { + "generated_at": "2026-04-15T15:42:57.718868", + "tool": "containerd-release-tracker", + "version": "1.0.0" + }, + "release": { + "tag_name": "api/v1.11.0-beta.2", + "name": "containerd API 1.11.0-beta.2", + "body": "Welcome to the api/v1.11.0-beta.2 release of containerd!\n*This is a pre-release of containerd*\n\nThe 12th release for the containerd 1.x API aligns with the containerd 2.3 release.\n\n### Highlights\n\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))\n\n#### Runtime\n\n* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Maksym Pavlenko\n* Derek McGowan\n* Wei Fu\n* Akihiro Suda\n* Gao Xiang\n* Sebastiaan van Stijn\n\n### Changes\n
43 commits\n

\n\n* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))\n * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state\n* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))\n * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions\n * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level\n * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json\n * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path\n * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api\n * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests\n * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag\n * 
[`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim\n * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files\n * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file\n * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin\n * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension\n * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor\n * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol\n* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))\n * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto\n* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))\n * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api\n* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))\n * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0\n* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))\n * 
[`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos\n* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))\n * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field\n* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))\n * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files\n * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files\n* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))\n * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt\n * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API\n* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))\n * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files\n * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files\n * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/\n * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports\n * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files\n

\n
\n\n### Dependency Changes\n\n* **golang.org/x/net** v0.38.0 -> v0.48.0\n* **golang.org/x/sys** v0.31.0 -> v0.39.0\n* **golang.org/x/text** v0.23.0 -> v0.32.0\n* **google.golang.org/genproto/googleapis/rpc** c3f982113cda -> ff82c1b0f217\n* **google.golang.org/grpc** v1.59.0 -> v1.79.3\n* **google.golang.org/protobuf** v1.33.0 -> v1.36.10\n\nPrevious release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)\n", + "published_at": "2026-04-15T14:30:08Z", + "prerelease": true, + "draft": false, + "html_url": "https://github.com/containerd/containerd/releases/tag/api/v1.11.0-beta.2", + "author": "github-actions[bot]" + }, + "analysis": { + "summary": "这是 containerd API v1.11.0 的第二个 Beta 版本,主要为即将到来的 containerd 2.3 版本提供 API 支持,核心变更包括引入新的 shim 引导协议、更新沙箱 API 以及添加容器文件系统复制功能。", + "key_changes": [ + "引入 shim 引导协议,统一并标准化 containerd 向 shim 传递参数的方式,取代原有的混合传递机制(CLI参数、环境变量、stdin) - [PR #12786](https://github.com/containerd/containerd/pull/12786)", + "更新沙箱 API,移除对 pause 容器的直接依赖,为未来支持更多沙箱实现(如基于 VM 的沙箱)铺平道路 - [PR #12840](https://github.com/containerd/containerd/pull/12840)", + "为容器文件系统复制操作添加传输类型定义,为容器迁移、备份等高级功能提供底层 API 支持 - [PR #13165](https://github.com/containerd/containerd/pull/13165)", + "Shim 套接字目录现在使用 containerd 配置的目录,解决了 rootless 模式下默认目录不可写的问题 - [PR #12785](https://github.com/containerd/containerd/pull/12785)", + "为 EROFS 原生容器镜像添加 `os.features` 支持,改善使用 EROFS 快照器时的用户体验 - [PR #13091](https://github.com/containerd/containerd/pull/13091)" + ], + "important_bugfixes": [ + "Shim 套接字目录配置修复:解决了 rootless 模式下因硬编码路径导致 shim 无法创建套接字的问题 - [PR #12785](https://github.com/containerd/containerd/pull/12785) - **影响:** 此修复直接影响 rootless containerd 部署的稳定性和可用性,之前可能导致容器启动失败。", + "更新引导 API 日志级别定义,确保日志配置能正确传递到 shim - [PR #13208](https://github.com/containerd/containerd/pull/13208) - **影响:** 影响 shim 进程的日志输出级别,有助于生产环境调试。" + ], + "security_issues": [ + "升级 gRPC 依赖至 1.79.3,修复了路径头畸形时可能绕过 `grpc/authz` 等拦截器中基于路径的“拒绝”规则的授权绕过漏洞 - [PR 
#13099](https://github.com/containerd/containerd/pull/13099) - **风险级别:** 中高。该漏洞允许攻击者通过构造特定的非规范路径绕过授权检查,建议关注并计划升级。" + ], + "performance_improvements": [ + "将 Protobuf 工具链从 protobuild 迁移至 buf,提升了构建的可重复性和开发效率,并集成了格式化和 lint 功能 - [PR #12762](https://github.com/containerd/containerd/pull/12762) - **提升:** 主要提升开发体验和 CI 一致性,对运行时性能无直接影响。", + "使用 buf 格式化所有 proto 文件,确保 API 定义文件的风格统一 - [PR #12841](https://github.com/containerd/containerd/pull/12841) - **提升:** 提升代码可维护性,减少因格式不一致导致的合并冲突。" + ], + "breaking_changes": [ + "沙箱 API 变更:从沙箱元数据中移除了 `Container` 字段,依赖此字段直接访问 pause 容器信息的客户端(如某些 NRI 插件)需要调整代码,改为从沙箱存储中获取信息 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响:** 直接使用沙箱 API 的客户端需要适配。", + "Shim 启动协议变更:引入了新的 `BootstrapParams` 协议(通过 stdin 传递),并计划逐步弃用旧的参数传递方式(CLI 参数、部分环境变量)。虽然当前是增量式引入,但 shim 实现者需要关注此变化以确保未来兼容性 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响:** 自定义或第三方 shim 需要评估对新协议的支持。" + ], + "recommendations": [ + "**当前为 Beta 版本,不建议直接用于生产环境。** 建议在测试环境中部署此版本,重点验证与现有 shim(如 runc、gVisor)的兼容性,以及 rootless 模式下的功能。", + "如果开发了直接调用 containerd 沙箱 API 或管理 shim 的插件/工具,请立即基于此 Beta 版本开始兼容性测试和代码适配。", + "关注 gRPC 安全更新(PR #13099),虽然本次是 API 模块更新,但预示着 containerd 主项目也将升级。建议将此漏洞纳入安全风险评估。", + "计划升级至 containerd 2.3 的用户,应利用此 API 版本提前验证客户端(如 Kubernetes CRI 实现、自定义控制器)的兼容性。" + ], + "risk_assessment": "整体风险评估:中等。这是一个预发布(Beta)的 API 版本,主要风险在于与现有客户端和 shim 实现的兼容性。虽然包含重要的安全修复(gRPC),但破坏性变更(沙箱 API)要求下游进行适配。建议的升级时机是在 containerd 2.3 正式发布并经过充分测试后。需要特别关注的方面包括:1) 自定义 shim 对新引导协议的兼容性;2) 任何直接使用沙箱 API 的代码;3) rootless 部署模式下 shim 套接字路径的配置和行为。" + }, + "statistics": { + "analyzed_prs": 12, + "analyzed_issues": 0, + "important_items": 7 + }, + "important_items": [ + { + "type": "PR", + "title": "#12762: Migrate from protobuild to buf", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12785: Make shim socket directory use configured directory", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12786: Introduce shim bootstrap protocol", + 
"reason": "Performance related" + }, + { + "type": "PR", + "title": "#7061: [CRI] Remove image store", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#12815: Generate api/next.txtpb and name module", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#13045: Prepare release notes for api/v1.11.0-beta.0", + "reason": "Performance related" + }, + { + "type": "PR", + "title": "#13099: build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api", + "reason": "Contains 'security'; Contains 'performance'; Cherry-pick or backport; Performance related" + } + ], + "prs": { + "12762": { + "title": "Migrate from protobuild to buf", + "url": "https://github.com/containerd/containerd/pull/12762", + "body": "This PR migrates from `Protobuild` (which we all love and use for quite some time) to [`buf`](https://github.com/bufbuild/buf) to manage our proto files.\r\n\r\nImmediate benefits:\r\n- No need to install `protoc` dependency. Mush simpler [CI setup](https://github.com/containerd/containerd/pull/12762/changes/edb3e0869706fa0d058f8530f7b563af9310eec3).\r\n- Much better local/CI reproducibility - all generators and dependencies are pinned in `buf.yaml` and `buf.lock`, so same output is expected everywhere. 
Only the `buf` binary need to be installed on the system to get things going.\r\n- No longer needs `containerd` to be in `GOPATH` (not strictly buf’s feature, but implemented in this PR)\r\n\r\nThere are also some longer term nice-to-have features that we could benefit from, which we don't have in protobuild:\r\n- Breaking change detector (we can run this on CI to guaranty API compatibility)\r\n- Linter\r\n- Formatter.\r\n\r\nI was able to generate exactly the same code with buf as it was before.\r\nThe only annoying thing is\r\n\r\n`// \tprotoc (unknown)`\r\n\r\nwhich seems to be expected when buf is not using external protoc binary (which we don't):\r\n\r\n> The protoc (unknown) line is being inserted by protoc-gen-go which we do not control. Part of the CodeGeneratorRequest passed to protoc-gen-go specifies the version of protoc being used, but buf is not, and doesn't use, protoc, so there is no appropriate answer here.\r\n\r\nMade a few follow up changes based on feedback:\r\n- Switched to relative imports (which `buf` supports natively), so workarounds in the `Makefile` no longer necessary.\r\n- Moved `buf` configuration files under `api/` directory", + "state": "closed", + "merged": true, + "created_at": "2026-01-08T23:33:25Z", + "merged_at": "2026-01-09T20:20:51Z", + "author": "mxpv", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12785": { + "title": "Make shim socket directory use configured directory", + "url": "https://github.com/containerd/containerd/pull/12785", + "body": "Pass the socket directory from containerd to the shim via bootstrapparameters. The shim still decides the socket filename but now places it in the directory configured by containerd, ensuring proper ownership and permissions.\r\n\r\n**Why:** In rootless setups the default state directory (`/run/containerd/s`) may not be writable by the user. With the socket path hardcoded in the shim there was no way to override it. 
This change makes it configurable through the shim manager, with sensible defaults: root users keep the existing path under the state directory; non-root users fall back to a temp directory when the state directory is not owned by them.\r\n\r\n**Note:** The socket directory path should be kept short (≤ 32 characters) because the socket filename is a 64-character SHA256 hash and unix socket paths are limited to 104 bytes on macOS / 108 on Linux.\r\n\r\nChanges across three commits:\r\n - Pass configured socket directory to the shim via `BootstrapParams.socket_dir`\r\n - Remove unnecessary `mkdir` on the default state directory\r\n - Add `socket_dir` configuration to the shim manager with platform-aware defaults\r\n\r\n\r\n```release-note\r\nAdd configured socket directory to shim bootstrap protocol\r\n```\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-01-14T07:30:46Z", + "merged_at": "2026-04-15T11:05:22Z", + "author": "dmcgowan", + "labels": [ + "impact/changelog", + "area/runtime", + "size/XL" + ] + }, + "12786": { + "title": "Introduce shim bootstrap protocol", + "url": "https://github.com/containerd/containerd/pull/12786", + "body": " Containerd needs to pass a bunch of parameters from the daemon down to the shim. 
Historically, we introduced several mechanisms to do it:\r\n- CLI arguments (-namespace, -id, -address, -publish-binary, -debug)\r\n- Env variables (TTRPC_ADDRESS, GRPC_ADDRESS, NAMESPACE, MAX_SHIM_VERSION, GOMAXPROCS, SCHED_CORE)\r\n- Some are passed via stdin (runtime options as protobuf)\r\n- spec.json file to read annotations from disk\r\n\r\nWe have a few cases where we need to introduce more parameters:\r\n- https://github.com/containerd/containerd/pull/12785\r\n- https://github.com/containerd/containerd/pull/12849\r\n- Further podsandbox/ work will require more configuration to be passed\r\n\r\nThis PR is a proposal to address the issues with 2 new structs:\r\n- `BootstrapParams` is passed via stdin with all configurations (at `shim -start`).\r\n- `BootstrapResult` is written by the shim to stdout.\r\n\r\nAnd deprecate everything else.\r\n\r\nThe structs are defined in protobuf, we can version it and detect breaking changes.\r\nAnd we'll use json to serialize/deserialize when launching a new shim instances.\r\n\r\nThe structs are also extensible enough to support more use cases in future.\r\n\r\nCompatibility:\r\n- `pkg/shim` is backward compatible. It uses the new bootstrap protocol by default and fallbacks to CLI/env/stdin.\r\n- containerd still provides CLI/env for backward compatibility. We should deprecate this approach in 2.3 and probably remove in 2.4?\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-01-15T02:12:18Z", + "merged_at": "2026-04-08T22:07:51Z", + "author": "mxpv", + "labels": [ + "impact/changelog", + "size/XXL" + ] + }, + "12849": { + "title": "Remove image service dependency from podsandbox controller", + "url": "https://github.com/containerd/containerd/pull/12849", + "body": "This PR removes the last significant dependency on internal CRI APIs, opening the path for migration down to the shim. 
\r\n \r\nI've made several attempts to decouple the `Controller` from the rest of the CRI APIs, but it's challenging without major refactoring (see previous attempts: https://github.com/containerd/containerd/pull/7061). As a result, I've moved pause container pulling back to the CRI layer. Since almost every runtime today assumes pause containers anyway, this should not be a significant issue.\r\n \r\nIf/when we come up with a different solution, we can deprecate and remove this. Additionally, we can make this conditional once https://github.com/containerd/containerd/pull/12786 lands.", + "state": "closed", + "merged": true, + "created_at": "2026-02-03T03:21:37Z", + "merged_at": "2026-02-20T22:03:14Z", + "author": "mxpv", + "labels": [ + "area/cri", + "size/L" + ] + }, + "7061": { + "title": "[CRI] Remove image store", + "url": "https://github.com/containerd/containerd/pull/7061", + "body": "This PR refactors CRI and removes in-memory image store in favor of containerd's metadata image store. The goal is to simplify CRI code and rely more on containerd APIs instead of maintaining custom layers.\r\n\r\nSo instead of in-memory cache, this PR relies on containerd’s metadata store (and labels) to keep additional image information needed by CRI. It preserves existing logic with creating a separate image per reference, but now appends appropriate labels, so we can just use boltdb.\r\n\r\nLabels can be appended on demand, on event, or at daemon start - some of these may be removed in 2.0. Currently labels that we add - config digest (that CRI uses for image ID), image size, chain ID, etc.\r\n\r\nIn the new implementation search for image references narrows down to querying metadata store with all records that contain same image ID label. Queries are slower comparing to the original implementation, but boltdb still reasonably fast (also there is room for optimization if that will be a bottleneck). 
", + "state": "closed", + "merged": false, + "created_at": "2022-06-14T23:17:51Z", + "merged_at": null, + "author": "mxpv", + "labels": [ + "area/cri", + "kind/refactor" + ] + }, + "12815": { + "title": "Generate api/next.txtpb and name module", + "url": "https://github.com/containerd/containerd/pull/12815", + "body": "`buf` will generate the protobuf text file which can be used for viewing all protobuf changes in one file and quickly diffing changes.\r\n\r\nAdd a module name to the buf.yaml to allow pushing. With the switch the buf and relative paths, without publishing the containerd protos are not importable without copying locally. Using the buf registy makes this easier for importers. There is no requirement to use the buf registry though.\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-01-24T01:26:54Z", + "merged_at": "2026-01-24T06:49:33Z", + "author": "dmcgowan", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12840": { + "title": "Remove Container field from sandbox metadata", + "url": "https://github.com/containerd/containerd/pull/12840", + "body": "There are multiple places in CRI which assume the use of pause containers and the podsandbox package. Since the goal of the Sandbox API is to abstract away the use of pause containers, we should not make such assumptions. \r\n\r\nThis PR removes the Container object for the pause container from Sandbox metadata. This was primarily used in NRI, so this PR refactors the code to fetch the necessary data from the metadata store instead.\r\n\r\n@chrishenzie could PTAL? 
This updates `nriPodSandbox` to fetch spec from sandbox store instead of task instance (we don't want to access pause container directly), so this, technically, amends lifecycle test, because the spec will remain available after stopping pod sandbox.\r\n\r\n\r\n```release-note\r\nUpdate sandbox API to include spec field\r\n```", + "state": "closed", + "merged": true, + "created_at": "2026-01-31T02:07:50Z", + "merged_at": "2026-02-18T05:33:05Z", + "author": "mxpv", + "labels": [ + "impact/changelog", + "size/XXL" + ] + }, + "12841": { + "title": "Use buf to format proto files", + "url": "https://github.com/containerd/containerd/pull/12841", + "body": "We've integrated `buf` in https://github.com/containerd/containerd/pull/12762 \r\n`buf` comes with an integrated linter and formatter. \r\n \r\nThis PR updates `Makefile` targets to use `buf format` to format proto files. \r\n \r\nOur current proto formatter is pretty rudimentary. It only requires tabs instead of spaces. But would happily pass everything else (like double tabs). \r\n \r\n`buf` is much more sophisticated and can handle pretty complex cases, which is nice.\r\nIt also comes with github actions integration out of the box. \r\n \r\nThe only downside is that `buf` accepts no configuration leaving no way to amend how proto files are formatted. \r\nAnd by default, they use 2 spaces instead of tabs. 
I'm not sure is this is going to be a deal breaker for us", + "state": "closed", + "merged": true, + "created_at": "2026-01-31T02:30:28Z", + "merged_at": "2026-02-07T08:33:02Z", + "author": "mxpv", + "labels": [ + "size/XXL", + "area/toolchain" + ] + }, + "12913": { + "title": "api: regenerate and re-vendor protos", + "url": "https://github.com/containerd/containerd/pull/12913", + "body": "Probably related to https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63 (https://github.com/containerd/containerd/pull/12841).\r\n\r\nI got this diff when running `make protos`; let's see if CI agrees it's OK 😅 ", + "state": "closed", + "merged": true, + "created_at": "2026-02-17T13:06:25Z", + "merged_at": "2026-02-24T20:23:18Z", + "author": "thaJeztah", + "labels": [ + "size/XXL", + "go", + "area/toolchain" + ] + }, + "13045": { + "title": "Prepare release notes for api/v1.11.0-beta.0", + "url": "https://github.com/containerd/containerd/pull/13045", + "body": "First step in v2.3 beta process\r\n\r\n----\r\ncontainerd api/v1.11.0-beta.0\r\n\r\nWelcome to the api/v1.11.0-beta.0 release of containerd! \r\n*This is a pre-release of containerd*\r\n\r\nThe 12th release for the containerd 1.x API aligns with the containerd 2.3 release.\r\n\r\n### Highlights\r\n\r\n* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))\r\n\r\nPlease try out the release binaries and report any issues at\r\nhttps://github.com/containerd/containerd/issues.\r\n\r\n### Contributors\r\n\r\n* Maksym Pavlenko\r\n* Derek McGowan\r\n* Sebastiaan van Stijn\r\n* Wei Fu\r\n\r\n### Changes\r\n
17 commits\r\n

\r\n\r\n * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0\r\n* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))\r\n * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos\r\n* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))\r\n * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field\r\n* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))\r\n * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files\r\n * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files\r\n* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))\r\n * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt\r\n * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API\r\n* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))\r\n * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files\r\n * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files\r\n * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/\r\n * 
[`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports\r\n * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files\r\n

\r\n
\r\n\r\n### Dependency Changes\r\n\r\nThis release has no dependency changes\r\n\r\nPrevious release can be found at [api/v1.10.0](https://github.com/containerd/containerd/releases/tag/api/v1.10.0)\r\n\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-03-17T01:35:52Z", + "merged_at": "2026-03-17T17:01:49Z", + "author": "dmcgowan", + "labels": [ + "size/S" + ] + }, + "13091": { + "title": "Add `os.features` support for EROFS native container images", + "url": "https://github.com/containerd/containerd/pull/13091", + "body": "~depends on #13080~ \r\nsupercedes #12784 \r\n\r\n**Note that users still need to explicitly specify the EROFS snapshotter in order to run the EROFS native images by design; it only improves the user experence of the unpacking process**\r\n\r\nFirst, it enhances the transfer service: If no snapshotter is specified and `os.features` contains \"erofs\", unpacking should use the EROFS snapshotter and differ.\r\n\r\nSecond, if no snapshotter is specified, _container run_ selects the default snapshotter. 
However, if `os.features` is set, we should always call `checkSnapshotterSupport()` so that containerd clients can report a clear error instead of the confusing layer extraction error out of overlayfs snapshotter.\r\n\r\nTested by the ubuntu-22.04 multi-manifest image (\"linux/amd64\" and \"linux(+erofs)/amd64\"):\r\n`ctr i pull --platform=\"linux(+erofs)\" docker.io/hsiangkao/ubuntu:22.04-platforms`\r\nand\r\n`ctr run --platform=\"linux(+erofs)/amd64\" --tty docker.io/hsiangkao/ubuntu:22.04-platforms test`\r\nand\r\n`ctr run --platform=\"linux(+erofs)/amd64\" --snapshotter erofs --tty docker.io/hsiangkao/ubuntu:22.04-platforms test`\r\n\r\nScreenshot (`docker.1ms.run` is a connectable mirror of `docker.io`):\r\n\"image\"\r\n", + "state": "closed", + "merged": true, + "created_at": "2026-03-23T02:55:10Z", + "merged_at": "2026-04-01T23:54:55Z", + "author": "hsiangkao", + "labels": [ + "kind/feature", + "size/XL", + "area/distribution" + ] + }, + "13099": { + "title": "build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api", + "url": "https://github.com/containerd/containerd/pull/13099", + "body": "Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.59.0 to 1.79.3.\n
\nRelease notes\n

Sourced from google.golang.org/grpc's releases.

\n
\n

Release 1.79.3

\n

Security

\n\n

Release 1.79.2

\n

Bug Fixes

\n\n

Release 1.79.1

\n

Bug Fixes

\n\n

Release 1.79.0

\n

API Changes

\n\n

Behavior Changes

\n\n

New Features

\n\n

Bug Fixes

\n\n

Performance Improvements

\n\n\n
\n

... (truncated)

\n
\n
\nCommits\n\n
\n
\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google.golang.org/grpc&package-manager=go_modules&previous-version=1.59.0&new-version=1.79.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\nDependabot commands and options\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/containerd/containerd/network/alerts).\n\n
", + "state": "closed", + "merged": true, + "created_at": "2026-03-23T17:02:32Z", + "merged_at": "2026-03-23T19:23:32Z", + "author": "dependabot[bot]", + "labels": [ + "dependencies", + "size/M", + "go" + ] + } + }, + "issues": {} +} \ No newline at end of file diff --git a/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.md b/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.md new file mode 100644 index 0000000..ec12ba9 --- /dev/null +++ b/reports/containerd_release_api_v1.11.0-beta.2_20260415_154122.md 
@@ -0,0 +1,214 @@ +# Containerd 版本发布分析报告 +## containerd API 1.11.0-beta.2 (api/v1.11.0-beta.2) + +### 📋 版本信息 +- **版本标签:** api/v1.11.0-beta.2 +- **版本名称:** containerd API 1.11.0-beta.2 +- **发布时间:** 2026-04-15T14:30:08Z +- **发布者:** github-actions[bot] +- **预发布版本:** 是 +- **草稿状态:** 否 +- **GitHub 链接:** https://github.com/containerd/containerd/releases/tag/api/v1.11.0-beta.2 + +### 🔍 分析统计 +- **分析时间:** 2026-04-15 15:41:22 +- **分析的 PR 数量:** 12 +- **分析的 Issue 数量:** 0 +- **重要项目数量:** 7 + +## 📊 版本概述 +这是 containerd API v1.11.0 的第二个 Beta 版本,主要为即将到来的 containerd 2.3 版本提供 API 支持,核心变更包括引入新的 shim 引导协议、更新沙箱 API 以及添加容器文件系统复制功能。 + +## 🔒 安全问题修复 +1. ⚠️ 升级 gRPC 依赖至 1.79.3,修复了路径头畸形时可能绕过 `grpc/authz` 等拦截器中基于路径的“拒绝”规则的授权绕过漏洞 - [PR #13099](https://github.com/containerd/containerd/pull/13099) - **风险级别:** 中高。该漏洞允许攻击者通过构造特定的非规范路径绕过授权检查,建议关注并计划升级。 + +**🚨 安全建议:** 如果您的环境中使用了受影响的功能,建议优先升级到此版本。 + +## 🐛 重要问题修复 +1. Shim 套接字目录配置修复:解决了 rootless 模式下因硬编码路径导致 shim 无法创建套接字的问题 - [PR #12785](https://github.com/containerd/containerd/pull/12785) - **影响:** 此修复直接影响 rootless containerd 部署的稳定性和可用性,之前可能导致容器启动失败。 +2. 更新引导 API 日志级别定义,确保日志配置能正确传递到 shim - [PR #13208](https://github.com/containerd/containerd/pull/13208) - **影响:** 影响 shim 进程的日志输出级别,有助于生产环境调试。 + +## 💥 破坏性变更 +1. 🚨 沙箱 API 变更:从沙箱元数据中移除了 `Container` 字段,依赖此字段直接访问 pause 容器信息的客户端(如某些 NRI 插件)需要调整代码,改为从沙箱存储中获取信息 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响:** 直接使用沙箱 API 的客户端需要适配。 +2. 🚨 Shim 启动协议变更:引入了新的 `BootstrapParams` 协议(通过 stdin 传递),并计划逐步弃用旧的参数传递方式(CLI 参数、部分环境变量)。虽然当前是增量式引入,但 shim 实现者需要关注此变化以确保未来兼容性 - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响:** 自定义或第三方 shim 需要评估对新协议的支持。 + +**⚠️ 升级警告:** 此版本包含破坏性变更,升级前请仔细评估对现有系统的影响。 + +## ✨ 主要变更 +1. 引入 shim 引导协议,统一并标准化 containerd 向 shim 传递参数的方式,取代原有的混合传递机制(CLI参数、环境变量、stdin) - [PR #12786](https://github.com/containerd/containerd/pull/12786) +2. 更新沙箱 API,移除对 pause 容器的直接依赖,为未来支持更多沙箱实现(如基于 VM 的沙箱)铺平道路 - [PR #12840](https://github.com/containerd/containerd/pull/12840) +3. 
为容器文件系统复制操作添加传输类型定义,为容器迁移、备份等高级功能提供底层 API 支持 - [PR #13165](https://github.com/containerd/containerd/pull/13165) +4. Shim 套接字目录现在使用 containerd 配置的目录,解决了 rootless 模式下默认目录不可写的问题 - [PR #12785](https://github.com/containerd/containerd/pull/12785) +5. 为 EROFS 原生容器镜像添加 `os.features` 支持,改善使用 EROFS 快照器时的用户体验 - [PR #13091](https://github.com/containerd/containerd/pull/13091) + +## 🚀 性能优化 +1. 将 Protobuf 工具链从 protobuild 迁移至 buf,提升了构建的可重复性和开发效率,并集成了格式化和 lint 功能 - [PR #12762](https://github.com/containerd/containerd/pull/12762) - **提升:** 主要提升开发体验和 CI 一致性,对运行时性能无直接影响。 +2. 使用 buf 格式化所有 proto 文件,确保 API 定义文件的风格统一 - [PR #12841](https://github.com/containerd/containerd/pull/12841) - **提升:** 提升代码可维护性,减少因格式不一致导致的合并冲突。 + +## 🎯 风险评估 +整体风险评估:中等。这是一个预发布(Beta)的 API 版本,主要风险在于与现有客户端和 shim 实现的兼容性。虽然包含重要的安全修复(gRPC),但破坏性变更(沙箱 API)要求下游进行适配。建议的升级时机是在 containerd 2.3 正式发布并经过充分测试后。需要特别关注的方面包括:1) 自定义 shim 对新引导协议的兼容性;2) 任何直接使用沙箱 API 的代码;3) rootless 部署模式下 shim 套接字路径的配置和行为。 + +## 📋 升级建议 +1. **当前为 Beta 版本,不建议直接用于生产环境。** 建议在测试环境中部署此版本,重点验证与现有 shim(如 runc、gVisor)的兼容性,以及 rootless 模式下的功能。 +2. 如果开发了直接调用 containerd 沙箱 API 或管理 shim 的插件/工具,请立即基于此 Beta 版本开始兼容性测试和代码适配。 +3. 关注 gRPC 安全更新(PR #13099),虽然本次是 API 模块更新,但预示着 containerd 主项目也将升级。建议将此漏洞纳入安全风险评估。 +4. 计划升级至 containerd 2.3 的用户,应利用此 API 版本提前验证客户端(如 Kubernetes CRI 实现、自定义控制器)的兼容性。 + +## 📋 Release 包含的变更 + +### PR #12762: Migrate from protobuild to buf +- **链接:** https://github.com/containerd/containerd/pull/12762 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12762:** Migrate from protobuild to buf +**标签:** size/XXL, area/toolchain + +**PR内容:** This PR migrates from `Protobuild` (which we all love and use for quite some time) to [`buf`](https://github.com/bufbuild/buf) to manage our proto files. + +Immediate benefits: +- No need to install `protoc` dependency. Mush simpler [CI setup](https://github.com/containerd/containerd/pull/12762/changes/edb... 
+ +### PR #12785: Make shim socket directory use configured directory +- **链接:** https://github.com/containerd/containerd/pull/12785 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** impact/changelog, area/runtime, size/XL +- **变更说明:** + **PR #12785:** Make shim socket directory use configured directory +**标签:** impact/changelog, area/runtime, size/XL + +**PR内容:** Pass the socket directory from containerd to the shim via bootstrapparameters. The shim still decides the socket filename but now places it in the directory configured by containerd, ensuring proper ownership and permissions. + +**Why:** In rootless setups the default st... + +### PR #12786: Introduce shim bootstrap protocol +- **链接:** https://github.com/containerd/containerd/pull/12786 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** impact/changelog, size/XXL +- **变更说明:** + **PR #12786:** Introduce shim bootstrap protocol +**标签:** impact/changelog, size/XXL + +**PR内容:** Containerd needs to pass a bunch of parameters from the daemon down to the shim. Historically, we introduced several mechanisms to do it: +- CLI arguments (-namespace, -id, -address, -publish-binary, -debug) +- Env variables (TTRPC_ADDRESS, GRPC_ADDRESS, NAMESPACE, MAX_SHIM_VERSION, GOMAXPROCS, SCHED... + +### PR #12815: Generate api/next.txtpb and name module +- **链接:** https://github.com/containerd/containerd/pull/12815 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12815:** Generate api/next.txtpb and name module +**标签:** size/XXL, area/toolchain + +**PR内容:** `buf` will generate the protobuf text file which can be used for viewing all protobuf changes in one file and quickly diffing changes. + +Add a module name to the buf.yaml to allow pushing. With the switch the buf and relative paths, without publishing the containerd protos are not importable with... 
+ +### PR #12840: Remove Container field from sandbox metadata +- **链接:** https://github.com/containerd/containerd/pull/12840 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** impact/changelog, size/XXL +- **变更说明:** + **PR #12840:** Remove Container field from sandbox metadata +**标签:** impact/changelog, size/XXL + +**PR内容:** There are multiple places in CRI which assume the use of pause containers and the podsandbox package. Since the goal of the Sandbox API is to abstract away the use of pause containers, we should not make such assumptions. ... + +### PR #12841: Use buf to format proto files +- **链接:** https://github.com/containerd/containerd/pull/12841 +- **状态:** closed +- **已合并:** 是 +- **作者:** mxpv +- **标签:** size/XXL, area/toolchain +- **变更说明:** + **PR #12841:** Use buf to format proto files +**标签:** size/XXL, area/toolchain + +**PR内容:** We've integrated `buf` in https://github.com/containerd/containerd/pull/12762 +`buf` comes with an integrated linter and formatter. ... + +### PR #12913: api: regenerate and re-vendor protos +- **链接:** https://github.com/containerd/containerd/pull/12913 +- **状态:** closed +- **已合并:** 是 +- **作者:** thaJeztah +- **标签:** size/XXL, go, area/toolchain +- **变更说明:** + **PR #12913:** api: regenerate and re-vendor protos +**标签:** size/XXL, go, area/toolchain + +**PR内容:** Probably related to https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63 (https://github.com/containerd/containerd/pull/12841). + +I got this diff when running `make protos`; let's see if CI agrees it's OK 😅 ... 
+ +### PR #13045: Prepare release notes for api/v1.11.0-beta.0 +- **链接:** https://github.com/containerd/containerd/pull/13045 +- **状态:** closed +- **已合并:** 是 +- **作者:** dmcgowan +- **标签:** size/S +- **变更说明:** + **PR #13045:** Prepare release notes for api/v1.11.0-beta.0 +**标签:** size/S + +**PR内容:** First step in v2.3 beta process + +---- +containerd api/v1.11.0-beta.0 + +Welcome to the api/v1.11.0-beta.0 release of containerd! +*This is a pre-release of containerd* + +The 12th release for the containerd 1.x API aligns with the containerd 2.3 release. + +### Highlights + +* Update sandbox API to include... + +### PR #13091: Add `os.features` support for EROFS native container images +- **链接:** https://github.com/containerd/containerd/pull/13091 +- **状态:** closed +- **已合并:** 是 +- **作者:** hsiangkao +- **标签:** kind/feature, size/XL, area/distribution +- **变更说明:** + **PR #13091:** Add `os.features` support for EROFS native container images +**标签:** kind/feature, size/XL, area/distribution + +**PR内容:** ~depends on #13080~ +supercedes #12784 + +**Note that users still need to explicitly specify the EROFS snapshotter in order to run the EROFS native images by design; it only improves the user experence of the unpacking process** + +First, it enhances the trans... + +### PR #13099: build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api +- **链接:** https://github.com/containerd/containerd/pull/13099 +- **状态:** closed +- **已合并:** 是 +- **作者:** dependabot[bot] +- **标签:** dependencies, size/M, go +- **变更说明:** + **PR #13099:** build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api +**标签:** dependencies, size/M, go + +**PR内容:** Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.59.0 to 1.79.3. +
+Release notes +

Sourced from google.golang.org/grpc's releases.

+
+

R... + +--- +*本报告由 Containerd Release Tracker 自动生成* \ No newline at end of file
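Review bot: In the json hunk, the closing `}` of the report is followed by `\ No newline at end of file`, and the md hunk ends the same way after the `*本报告由 Containerd Release Tracker 自动生成*` footer, so every regenerated report will show a spurious last-line change in diffs and trip tools that expect POSIX text files. Have the report writer append a trailing newline when it serializes both files.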
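Review bot: The 安全问题修复 entry for PR #13099 asserts a path-header authorization bypass in `grpc/authz`-style interceptors and rates it 中高, but the only material the report carries for that PR is the dependabot body, which is cut off at `R...` inside the release-notes block, so nothing on the page names the advisory or the gRPC version that fixed it; either cite the advisory the summarizer drew on or reduce the entry to a plain dependency bump. The PR title also says the bump is `in /api`, that is, the api module's go.mod, while 安全建议 and item 3 of 升级建议 treat it as a daemon fix and as a signal that the main project will follow, which the visible text does not support. Three smaller points in the same file: 分析统计 says 12 PRs were analyzed, yet 包含的变更 lists ten (#12762 through #13099) and #13165 and #13208, cited under 主要变更 and 重要问题修复, have no entry there; the PR bodies are truncated at a fixed character count, which for the dependabot PR cuts mid-word inside an HTML details block and leaves the dangling `Release notes` / `Sourced from google.golang.org/grpc's releases.` / `R...` lines, so strip HTML and truncate at a paragraph boundary instead; and the two buf PRs sit under 性能优化 although each entry states 对运行时性能无直接影响, so a toolchain heading would describe them honestly.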