Upstream update available: containerd 2.1.4 → 2.3.0 #5

Open
opened 2026-05-20 02:10:59 +03:00 by sbelikov · 0 comments
Upstream update available: containerd 2.1.4 → 2.3.0

Package

  • Package: containerd
  • RPM name: containerd
  • Branch: niceos-5.2
  • Current EVR: 2.1.4-1
  • Update class: minor
  • Compare method: python_rpm
  • Update policy: leaf
  • Risk tags: github-upstream

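Upstream

  • Upstream type: github
  • Upstream project: containerd/containerd
  • Upstream URL: https://github.com/containerd/containerd
  • Detected version: 2.3.0
  • Tag/release: v2.3.0
  • Source: github_release_latest
  • Published: 2026-04-30T19:35:05Z
  • Release URL: https://github.com/containerd/containerd/releases/tag/v2.3.0
  • Source URL: https://api.github.com/repos/containerd/containerd/tarball/v2.3.0
  • Pre-release: False
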
Signals

  • Security-relevant keywords detected: False
  • Policy blocked: False
  • Policy reason: -
  • Labels: ai-summary, bot, needs-build, needs-triage, priority/medium, update/minor, upstream-update, upstream/github

NiceSOFT AI preliminary stability analysis

1. Summary

Upstream containerd was updated from 2.1.4 to 2.3.0; this is a minor update, but one with a substantial volume of changes and explicit compatibility-risk signals. For NiceOS, this update must not be treated as a blind autopush: it is suitable only as a manual review candidate with mandatory verification of packaging and runtime compatibility. Based on current data it is not a block, but not issue-only either, since upstream marks the release as LTS and it is signed/verified.

2. Risk for NiceOS

Risk: high

Reasons:

  • the upstream release v2.3.0 is not a targeted bugfix but a large minor update with a large number of changes;
  • there is an explicit Breaking signal: changes to OCI hook adjustment owners and a ban on commas in plugin names;
  • runtime/shim protocol changes and significant dependency churn are present;
  • for an enterprise/RHEL-like policy this means high risk for Kubernetes/node-runtime scenarios and local integration code.

3. What changed upstream

Verifiable facts about containerd v2.3.0:

  • release v2.3.0 has been published upstream and is marked as Latest;
  • tag signed/verified;
  • it is the third minor release of containerd 2.x;
  • upstream describes a new cadence, aligned with the Kubernetes release schedule, roughly once every 4 months;
  • 2.3 is designated the first annual LTS release, with planned support for at least 2 years;
  • the release notes list changes in:
    • core runtime,
    • CRI,
    • image distribution/storage,
    • NRI,
    • snapshotters,
    • ctr;
  • notable new features include:
    • transfer types for container filesystem copy,
    • trace ID injection into logs,
    • OpenTelemetry propagation in plugin-client RPCs,
    • plugin config migration on load,
    • sandbox API spec field,
    • host networking with user namespaces in CRI,
    • per-layer labels during image unpack,
    • EROFS/zstd support,
    • dm-verity support for the EROFS snapshotter,
    • new NRI capabilities exposing user IDs, seccomp, rlimits, sysctls, CDI devices;
  • runtime-facing changes include:
    • configured socket directory for shim bootstrap,
    • shim bootstrap protocol,
    • fix for binary logging driver startup behavior,
    • new filtered cgroups stats API,
    • updated OOMKilled event handling;
  • dependency churn is substantial: updates to containerd/api, containerd/cgroups/v3, containerd/nri, containernetworking/plugins, opencontainers/runtime-spec, k8s.io/*, grpc, wazero, otel and others;
  • the compare scope for v2.2.0...v2.3.0 is very large: 853 commits and 2,068 files changed.

4. Security/CVE

No confirmed CVEs tied to v2.3.0 were found.
In the available sources the release is presented as a feature/stability update, not a security-only update. If a security upgrade is needed, advisories should be checked separately, but at present we do not assert any CVE.

5. ABI/API/CLI/config risk

Risk: medium-high

What is known:

  • there are explicit changes in runtime/shim behavior;
  • new/changed elements:
    • shim bootstrap protocol,
    • configured socket directory,
    • sandbox API spec field,
    • OpenTelemetry propagation,
    • plugin config migration on load;
  • the release notes carry a Breaking signal:
    • OCI hook adjustment owners now accumulate,
    • commas are disallowed in plugin names;
  • the deprecation of shim.Command is also mentioned.

Conclusion:

  • the risk to CLI/config/runtime behavior is real;
  • ABI at the C/API level is not described in the sources, so low-level ABI is unknown/manual review;
  • for configs and integrations with plugins/NRI/CRI the risk is above average.

6. Risk for the RPM build and dist-git

What to check in SPECS, SOURCES, patches and build metadata:

  • whether SPECS/containerd.spec is up to date;
  • whether BuildRequires / Requires have changed;
  • whether patches have broken after upstream additions;
  • whether any of the following need updating:
    • version/release EVR,
    • source URLs,
    • checksums / source-lock,
    • license / documentation references;
  • check %check, if present, against new upstream tests/expectations;
  • check the source integrity manifests in SOURCES/ and whether they need to be regenerated;
  • check file ownership / subpackage layout / build flags;
  • assess whether additional vendor/deps sync work is required because of the significant dependency churn;
  • check SBOM / supply-chain manifests, if they are maintained in dist-git.

7. Risk for the system and dependent components

Risk: high

The update may affect:

  • Kubernetes/node runtime behavior;
  • CRI behavior;
  • shims and service startup;
  • NRI hooks and plugin naming conventions;
  • image unpack/storage path, including EROFS/zstd/dm-verity scenarios;
  • observability/logging, because of trace ID injection and OpenTelemetry propagation;
  • reverse dependencies that expect the old bootstrap/shim behavior or the old plugin conventions.

This does not look like a purely internal package refresh: there are noticeable changes in runtime behavior, potentially visible to users and automation.

8. Maintainer checks

Checklist before PR/merge:

  • compare containerd.spec against upstream 2.3.0;
  • check and, if necessary, update the Source/SOURCES manifests;
  • review BuildRequires and Requires;
  • make sure all downstream patches still apply;
  • check whether local config defaults and service unit integration are affected;
  • run %check / package tests;
  • separately check the CRI gateway, shim bootstrap, startup path;
  • check compatibility with NRI/plugin naming, especially because of the Breaking section;
  • test the Kubernetes-node scenario, if the package is used there;
  • check the image unpack path, EROFS/zstd, CDI devices, seccomp/rlimits/sysctls;
  • make sure the source lock/checksums/manifest are regenerated;
  • if present, update SBOM / provenance metadata;
  • record the manual review conclusion in the issue.

9. Recommendation

blocked manual review

Upstream release notes / description

Welcome to the v2.3.0 release of containerd!

The third minor release of containerd 2.x focuses on continued stability alongside
new features and improvements. This is the third time-based release for containerd.

Starting with containerd 2.3, the project has moved to release cadence aligned with
the Kubernetes release schedule, with new minor releases about every 4 months. The
containerd 2.3 release is also the first annual LTS (Long Term Stable) release under
this new schedule, with support planned for at least two years. Direct upgrades
between sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.

Highlights

  • Add transfer types for container filesystem copy (#13165)
  • Add option to inject trace ID to logs (#13117)
  • Propagate OpenTelemetry traces in outgoing RPCs from plugin clients (#13113)
  • Update plugin config migration to run on load (#12608)
  • Update sandbox API to include spec field (#12840)

Container Runtime Interface (CRI)

  • Allow containers to use user namespaces with host networking (#12518)
  • Wire UpdatePodSandboxResources to Sandbox API (#13118)
  • Unpack images with per-layer labels for specific runtime (#12835)
  • Populate ImageId field in container status (#12787)
  • Set annotations parameter in CreateSandbox request (#12566)
  • Add background stats collector to calculate UsageNanoCores for containers and pod sandboxes (#12629)

Image Distribution

  • Support zstd-wrapped EROFS layers (#13185)
  • Add os.features support for EROFS native container images (#13091)
  • Add EROFS layer media type (#12567)

Image Storage

  • Add dmverity support to the erofs snapshotter (#12502)
  • Use fsmount API to avoid PAGE_SIZE limit for erofs (#12783)

Node Resource Interface (NRI)

  • Pass container user (uid, gids) to plugins (#12769)
  • Pass seccomp policy to plugins (#12768)
  • Pass any POSIX rlimits to plugins (#12765)
  • Pass extended container status to NRI. (#12770)
  • Pass injected CDI devices to plugins (#12767)
  • Pass linux sysctl to plugins (#12766)
  • Use dedicated RPC calls for all pod and container life-cycle events via the NRI wire protocol (containerd/nri#274)
  • Add basic metrics collection for the NRI framework (containerd/nri#277)
  • Exchange NRI versions between plugins and the runtime during registration (containerd/nri#271)
  • Enable adjusting Linux memory policy from NRI plugins (containerd/nri#166)
  • Close plugins if initial synchronization fails to prevent unregistered connections (containerd/nri#279)
  • Accumulate owners for OCI hook adjustments, disallowing commas in plugin names (containerd/nri#264)
  • Add nri_no_wasm build tag to allow disabling WASM support at compile time (containerd/nri#253)
  • Support direct adjustment of the intelRdt container configuration (containerd/nri#215)
  • Allow setting kernel scheduling policy attributes via NRI (containerd/nri#160)
  • Allow adjusting Linux network devices via NRI (containerd/nri#157)
  • Add support for sysctl adjustment via NRI (containerd/nri#248)
  • Expose container user, group, and supplemental group IDs to plugins (containerd/nri#230)

Runtime

  • Add configured socket directory to shim bootstrap protocol (#12785)
  • Introduce shim bootstrap protocol (#12786)
  • Fix binary logging driver not blocking container start on failure (#12595)
  • Use new filtered cgroups stats API (#12901)
  • Update OOMKilled event handling (#12714)

Snapshotters

  • Propagate parent chain ID and diff ID via labels during snapshot preparation (#13071)

ctr development tool

  • Detect vendor in CDI specs to generate device IDs for --gpus in ctr (#12839)

Breaking

  • Accumulate owners for OCI hook adjustments, disallowing commas in plugin names (containerd/nri#264)

Deprecations

...[truncated 10173 chars]

NiceOS maintainer checklist

  • Confirm that the detected version is a stable upstream release.
  • Check upstream changelog for security fixes, ABI/API changes and build-system changes.
  • Check ABI/API compatibility and reverse dependencies.
  • Download source into NiceOS lookaside storage.
  • Update Version and related fields in SPECS/*.spec only if policy allows it.
  • Regenerate SOURCES/sources.lock.json, manifests, metadata and SBOM.
  • Build SRPM/RPM in a clean NiceOS buildroot.
  • Run package smoke tests.
  • Link PR/build logs and close this issue after update or triage.

Bot metadata

  • Tool: niceos_upstream_monitor.py 2.1.2-openai-deep
  • Generated at: 2026-05-19T23:10:54Z