
Commit 2ee542e

containerd2: upgrade to 2.2.4 (#17444)
Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
1 parent 55956a5 commit 2ee542e

8 files changed

Lines changed: 160 additions & 1890 deletions

SPECS/containerd2/CVE-2026-34986.patch

Lines changed: 0 additions & 1046 deletions
This file was deleted.

SPECS/containerd2/CVE-2026-35469.patch

Lines changed: 0 additions & 658 deletions
This file was deleted.

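--- a/SPECS/containerd2/containerd2.signatures.json
+++ b/SPECS/containerd2/containerd2.signatures.json
@@ -2,6 +2,6 @@
 "Signatures": {
 "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8",
 "containerd.toml": "5b3821236f09b4c858e0e098bbe1400f4dbbb47d360e39d21c61858b088c2896",
-"containerd-2.1.6.tar.gz": "9b13537e5d61b9cf301295a807751447cc7c86fd79bb37ac5630455013d353a5"
+"containerd-2.2.4.tar.gz": "f73a4580a869426120bc99bcd812ac723701a8c934549f70c8a6067e30e1458d"
 }
 }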

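--- a/SPECS/containerd2/containerd2.spec
+++ b/SPECS/containerd2/containerd2.spec
@@ -1,11 +1,11 @@
 %global debug_package %{nil}
 %define upstream_name containerd
-%define commit_hash c74fd8780002eb26bd5940ae339d690d891221c2
+%define commit_hash 193637f7ee8ae5f5aa5248f49e7baa3e6164966e
 
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
-Version: 2.1.6
-Release: 4%{?dist}
+Version: 2.2.4
+Release: 1%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -18,11 +18,9 @@ Source2: containerd.toml
 
 Patch0: multi-snapshotters-support.patch
 Patch1: tardev-support.patch
-Patch2: fix-credential-leak-in-cri-errors.patch
-Patch3: CVE-2026-35469.patch
-Patch4: CVE-2026-34986.patch
-Patch5: CVE-2026-39882.patch
-Patch6: CVE-2026-33814.patch
+Patch2: CVE-2026-39882.patch
+Patch3: CVE-2026-33814.patch
+Patch4: fix-TestCgroupNamespace-cgroupv1.patch
 
 %{?systemd_requires}
 
@@ -99,6 +97,17 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Thu May 21 2026 Aadhar Agarwal <aadagarwal@microsoft.com> - 2.2.4-1
+- Upgrade to 2.2.4
+- Pulls in CVE-2026-46680 fix (PR #13448 / 0a8f65bef)
+- Remove CVE-2026-34986.patch (in v2.2.4: go-jose/v4 v4.1.4, PR #13292 / 4413816ce)
+- Remove CVE-2026-35469.patch (in v2.2.3: spdystream v0.5.1 / 31bd34a06)
+- Remove fix-credential-leak-in-cri-errors.patch (in v2.2.2: PR #12491 / cb3ae2119)
+- Retain CVE-2026-39882.patch (otel v1.35.0 lacks PR #8108)
+- Retain CVE-2026-33814.patch (x/net v0.47.0 lacks 1e71bd86e)
+- Add fix-TestCgroupNamespace-cgroupv1.patch (PR #13240; allows %check on cgroup-v1 build hosts)
+- Regenerate multi-snapshotters-support.patch against v2.2.4 (upstream absorbed runtimeHandler plumbing in v2.2.3)
+
 * Wed May 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.1.6-4
 - Patch for CVE-2026-33814
 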
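Review bot: The two retained CVE patches move from `Patch5`/`Patch6` to `Patch2`/`Patch3` with nothing beside them saying when they can be dropped; that condition is recorded only in the changelog entry. A comment above each line would keep it next to the patch, for example `# CVE-2026-39882: keep until vendored otel includes PR #8108` and `# CVE-2026-33814: keep until vendored x/net includes 1e71bd86e`. The %prep section is outside these hunks, so if it applies patches by number rather than with %autosetup, the renumbering has to be mirrored there, otherwise a CVE patch could be skipped without any build error.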

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
From 970b5d46bc30b5aafe16c4fbb245500f885cc9cd Mon Sep 17 00:00:00 2001
2+
From: Arjun Yogidas <arjunry@amazon.com>
3+
Date: Thu, 16 Apr 2026 18:24:24 +0000
4+
Subject: [PATCH] Fix TestCgroupNamespace failure on cgroups v1 hosts
5+
6+
Signed-off-by: Arjun Yogidas <arjunry@amazon.com>
7+
---
8+
.../cri/server/container_create_linux_test.go | 31 +++++++++++++++++--
9+
1 file changed, 28 insertions(+), 3 deletions(-)
10+
11+
diff --git a/internal/cri/server/container_create_linux_test.go b/internal/cri/server/container_create_linux_test.go
12+
index 8151be9a47c40..f376ee04535e2 100644
13+
--- a/internal/cri/server/container_create_linux_test.go
14+
+++ b/internal/cri/server/container_create_linux_test.go
15+
@@ -487,6 +487,8 @@ func TestPrivilegedBindMount(t *testing.T) {
16+
}
17+
}
18+
19+
+// TestCgroupNamespace verifies that a cgroup namespace is only assigned to
20+
+// non-privileged containers on cgroupv2 hosts.
21+
func TestCgroupNamespace(t *testing.T) {
22+
testPid := uint32(1234)
23+
c := newTestCRIService()
24+
@@ -498,27 +500,50 @@ func TestCgroupNamespace(t *testing.T) {
25+
tests := []struct {
26+
desc string
27+
privileged bool
28+
+ requireCgroupV2 bool
29+
expectCgroupNamespace bool
30+
}{
31+
{
32+
- desc: "non-privileged container should get cgroup namespace",
33+
+ desc: "cgroupv2: non-privileged container should get cgroup namespace",
34+
privileged: false,
35+
+ requireCgroupV2: true,
36+
expectCgroupNamespace: true,
37+
},
38+
{
39+
- desc: "privileged container should not get cgroup namespace",
40+
+ desc: "cgroupv2: privileged container should not get cgroup namespace",
41+
privileged: true,
42+
+ requireCgroupV2: true,
43+
+ expectCgroupNamespace: false,
44+
+ },
45+
+ {
46+
+ desc: "cgroupv1: non-privileged container should not get cgroup namespace",
47+
+ privileged: false,
48+
+ requireCgroupV2: false,
49+
+ expectCgroupNamespace: false,
50+
+ },
51+
+ {
52+
+ desc: "cgroupv1: privileged container should not get cgroup namespace",
53+
+ privileged: true,
54+
+ requireCgroupV2: false,
55+
expectCgroupNamespace: false,
56+
},
57+
}
58+
59+
for _, tt := range tests {
60+
t.Run(tt.desc, func(t *testing.T) {
61+
+ // Skip if the host's cgroup mode doesn't match what the test case requires.
62+
+ if tt.requireCgroupV2 && !isUnifiedCgroupsMode() {
63+
+ t.Skip("requires cgroups v2")
64+
+ }
65+
+ if !tt.requireCgroupV2 && isUnifiedCgroupsMode() {
66+
+ t.Skip("requires cgroups v1")
67+
+ }
68+
+
69+
containerConfig.Linux.SecurityContext.Privileged = tt.privileged
70+
sandboxConfig.Linux.SecurityContext.Privileged = tt.privileged
71+
72+
spec, err := c.buildContainerSpec(currentPlatform, t.Name(), testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime, nil)
73+
- assert.NoError(t, err)
74+
+ require.NoError(t, err)
75+
76+
hasCgroupNS := false
77+
for _, ns := range spec.Linux.Namespaces {
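Review bot: With the skip block added at the top of the subtest, a cgroup-v1 build host runs only the two `cgroupv1:` cases, so `%check` there passes without ever asserting that a non-privileged container receives its own cgroup namespace. That assertion is the isolation-relevant half of the table, so it should still be run on a cgroup-v2 host somewhere in the pipeline. The skip text could also record what was missed, e.g. `t.Skip("requires cgroups v2; cgroup namespace assignment not exercised on this host")`. The loop body of TestCgroupNamespace continues past the end of the hunk, and `require` is presumably already imported in the test file since no import hunk is shown.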

SPECS/containerd2/fix-credential-leak-in-cri-errors.patch

Lines changed: 0 additions & 109 deletions
This file was deleted.
