containerd 2.1 is here! Delivering new features and improvements, this release also launches our new six-month cadence – just half a year after containerd 2.0.
Features and enhancements
The release notes have the complete rundown, but these are the standouts for me:
- Easier Large Dataset Management in Kubernetes with OCI Image Volumes: Now you can use OCI images directly as volumes for your pods. This simplifies distributing large datasets by keeping them separate from your application’s main image. Why this is a big deal:
  - Streamlined Credentials & Storage: Access data using the same registry and credentials you already use for your container images – no need for a separate storage solution.
  - Efficient Data Access (Lazy Loading): Built on containerd’s snapshotter extension point, this allows for “on-demand” data loading with lazy-loading implementations like stargz-snapshotter (and GKE image streaming, once containerd 2.1 becomes available in GKE), improving startup times. (Disclosure: I am a Google employee working on GKE.)
- Transfer Service Now Default for CRI Image Pulls: In containerd 2.1, the CRI plugin defaults to using the transfer service. This change integrates the streamlined image pull mechanisms introduced in containerd 2.0 directly into the Kubernetes runtime interface. This update also lays the groundwork for features like image verifier plugins to be used with Kubernetes. (Please note some limitations, detailed in the documentation.)
- Faster Image Downloads: containerd 2.1 speeds up the download of large container images using multiple simultaneous HTTP range requests to fetch different parts of an image layer at once.
- EROFS snapshotter - EROFS is a filesystem optimized for fast read-only operations and is a good fit for container images.
- Writable cgroups for unprivileged containers - Unprivileged containers can now manage cgroups and further divide their resources among internal child processes. This option is not enabled by default but can be enabled in the CRI plugin configuration.
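For the "Faster Image Downloads" item above, this added example (not containerd's own code) shows a blob fetched as several concurrent HTTP range requests and accepted only after the reassembled bytes match the expected sha256 digest, the way OCI layers are addressed. The names `fetchRange` and `fetchVerified` are hypothetical, and the caller is assumed to know the blob size and digest from the image manifest.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
)

// fetchRange (hypothetical helper) fills dst with the bytes of url that start at offset off.
func fetchRange(url string, dst []byte, off int64) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", off, off+int64(len(dst))-1))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusPartialContent { // a 200 means Range was ignored
		return fmt.Errorf("offset %d: status %d, want 206", off, resp.StatusCode)
	}
	_, err = io.ReadFull(resp.Body, dst) // a short body is an error
	return err
}

// fetchVerified (hypothetical helper) pulls a size-byte blob as `parts` concurrent
// range requests and accepts it only if the reassembled bytes hash to digest.
func fetchVerified(url string, size, parts int64, digest string) ([]byte, error) {
	if parts < 1 || parts > size {
		return nil, fmt.Errorf("parts must be between 1 and size")
	}
	buf, errs := make([]byte, size), make(chan error, parts)
	for i := int64(0); i < parts; i++ {
		lo, hi := i*size/parts, (i+1)*size/parts // disjoint slices of buf
		go func() { errs <- fetchRange(url, buf[lo:hi], lo) }()
	}
	for i := int64(0); i < parts; i++ { // every part must land before hashing
		if err := <-errs; err != nil {
			return nil, err
		}
	}
	if got := fmt.Sprintf("sha256:%x", sha256.Sum256(buf)); got != digest {
		return nil, fmt.Errorf("digest mismatch: got %s, want %s", got, digest)
	}
	return buf, nil
}
```

Rejecting a plain 200 response matters here: a server that ignores `Range` would otherwise send the full blob to every worker, and each worker would silently keep only its leading bytes.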
Feature removals
containerd 2.1 completes the deprecation of two features which were highlighted in our containerd 2.0 release. These are:
- Schema 1 images - This old format of Docker images was deprecated in containerd 1.7 and disabled by default in containerd 2.0. Schema 1 images are now fully unsupported in containerd 2.1; users should migrate to OCI images or Docker schema 2 images.
- Go-plugin library (.so) runtime plugins - This feature was added based on Go’s support for building .so libraries on Linux. Unfortunately, these were extremely difficult to build and run correctly, and the maintainers have had no evidence of community use. This feature was deprecated in containerd 2.0 and is now removed.
New release cadence
To better serve the wider container ecosystem, we’ve adopted a predictable, six-month release cadence for containerd. This shift is a direct result of our maintainer summit in January, where we reflected on the 2.0 release and discussed containerd’s crucial role. We concluded that our previous strategy of releasing based on feature completion created uncertainty around release timing, making it challenging for the community to plan and integrate with containerd. This new time-based approach directly addresses these concerns, promoting easier adoption and greater reliability for everyone using containerd.