containerd v2.2.2 Patches CRI Issues and AppArmor Regression

containerd v2.2.2 is now available with fixes for several production issues affecting the Container Runtime Interface (CRI), runtime behavior, and AppArmor policies. This is a recommended upgrade for anyone running containerd 2.2.x in production, particularly for Kubernetes clusters where the CNI fix prevents resource leaks that could eventually cause node failures.

CRI Fixes

The CRI plugin received multiple important fixes addressing real-world issues reported by production users:

  • Registry mirror config migration: Fixed an issue where migrated CRI image configuration failed when using legacy registry mirrors. This affected clusters upgrading from older containerd versions with custom registry configurations, causing image pull failures in environments with strict registry requirements.
  • Per-layer labels for snapshotters: Images now unpack with per-layer labels for runtime-specific snapshotters, enabling better integration with alternative storage backends like zfs, btrfs, and overlayfs variants with specific optimization needs.
  • CNI DEL after restart: Fixed a critical bug where CNI DEL commands were never executed after a containerd restart. This could leave network resources dangling—IP addresses, network namespaces, and iptables rules—eventually exhausting IP pools and requiring node reboots.
  • Error handling hardening: Registry error messages now strip potentially sensitive parameters like authentication tokens, reducing the risk of leaking credentials in logs and error reports.

Runtime Fixes

The runtime layer fixed two notable issues affecting container isolation and security:

  • Mount flags in user namespaces: Fixed unintended dropping of mount flags for read-only bind-mounts when running in user namespaces. This affected rootless containers and hardened environments where read-only mounts are used for defense in depth.
  • AppArmor unix sockets: Fixed an AppArmor bug that disallowed unix domain sockets on newer kernels (6.8+). This regression was particularly problematic for applications using Unix sockets for inter-process communication, including many databases and message queues.

Additional Fixes

The ctr development tool received a fix for an issue where ctr image mount failed with "no such device" errors when working with certain filesystem types. Memory metrics collection was also hardened to handle cases where memory constraints are not fully configured, preventing nil pointer dereferences that could crash the metrics subsystem.

Image pull performance was improved for registries with high latency, and error messages were enhanced to provide clearer diagnostics when registry operations fail. These quality-of-life improvements make debugging container operations significantly easier.

Upgrade Notes

This is a patch release—upgrades from 2.2.0 or 2.2.1 should be straightforward with no breaking changes. The CNI DEL fix alone justifies the upgrade for production clusters, as it prevents the gradual resource exhaustion that could lead to node instability. No configuration changes are required.

Ubuntu 26.04 LTS has updated its containerd packages to 2.2.2, making this version available through standard distribution channels for users on the latest Ubuntu release. Other distributions are expected to follow with updates in their regular cadence.

Teams running containerd in production should prioritize this update, especially if they have experienced network resource issues or are using AppArmor policies with Unix socket workloads.
