containerd · AkihiroSuda · Sep 1, 2025 · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025
diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml
@@ -141,9 +141,9 @@ jobs:
       go-version: 1.25
       windows-cni-version: v0.3.1
       docker-version: 5:28.0.4-1~ubuntu.24.04~noble
-      containerd-version: 2.1.3
+      containerd-version: 2.1.4
       # Note: these as for amd64
-      containerd-sha: 436cc160c33b37ec25b89fb5c72fc879ab2b3416df5d7af240c3e9c2f4065d3c
+      containerd-sha: 316d510a0428276d931023f72c09fdff1a6ba81d6cc36f31805fea6a3c88f515
       containerd-service-sha: 1941362cbaa89dd591b99c32b050d82c583d3cd2e5fa63085d7017457ec5fca8
       linux-cni-version: v1.7.1
       linux-cni-sha: 1a28a0506bfe5bcdc981caf1a49eeab7e72da8321f1119b7be85f22621013098
diff --git a/Dockerfile b/Dockerfile
@@ -17,14 +17,14 @@
 
 # Basic deps
 # @BINARY: the binary checksums are verified via Dockerfile.d/SHA256SUMS.d/<COMPONENT>-<VERSION>
-ARG CONTAINERD_VERSION=v2.1.3@c787fb98911740dd3ff2d0e45ce88cdf01410486
+ARG CONTAINERD_VERSION=v2.1.4@75cb2b7193e4e490e9fbdc236c0e811ccaba3376
 ARG RUNC_VERSION=v1.3.0@4ca628d1d4c974f92d24daccb901aa078aad748e
 ARG CNI_PLUGINS_VERSION=v1.7.1@BINARY
 
 # Extra deps: Build
 ARG BUILDKIT_VERSION=v0.23.2@BINARY
 # Extra deps: Lazy-pulling
-ARG STARGZ_SNAPSHOTTER_VERSION=v0.16.3@BINARY
+ARG STARGZ_SNAPSHOTTER_VERSION=v0.17.0@BINARY
 # Extra deps: Encryption
 ARG IMGCRYPT_VERSION=v2.0.1@c377ec98ff79ec9205eabf555ebd2ea784738c6c
 # Extra deps: Rootless
@@ -48,14 +48,14 @@ ARG GO_VERSION=1.25
 ARG UBUNTU_VERSION=24.04
 ARG CONTAINERIZED_SYSTEMD_VERSION=v0.1.1
 ARG GOTESTSUM_VERSION=v1.12.3
-ARG NYDUS_VERSION=v2.3.2
+ARG NYDUS_VERSION=v2.3.5
 ARG SOCI_SNAPSHOTTER_VERSION=0.11.1
 ARG KUBO_VERSION=v0.37.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1@sha256:923441d7c25f1e2eb5789f82d987693c47b8ed987c4ab3b075d6ed2b5d6779a3 AS xx
 
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS build-base
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-trixie AS build-base
 COPY --from=xx / /
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \

diff --git a/Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.16.3 b/Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.16.3
diff --git a/Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.17.0 b/Dockerfile.d/SHA256SUMS.d/stargz-snapshotter-v0.17.0
@@ -0,0 +1,3 @@
+e3cd9aed03a0fc82adc2484a3fe94381d21f52d998419e15ca019744d27e18b7  stargz-snapshotter-v0.17.0-linux-amd64.tar.gz
+9b3e85729885d7b5c4a3b7b67a8c8048065f60b2098fec17251f256d49bb24bb  stargz-snapshotter-v0.17.0-linux-arm64.tar.gz
+f1cf855870af16a653d8acb9daa3edf84687c2c05323cb958f078fb148af3eec  stargz-snapshotter.service
diff --git a/docs/dev/auditing_dockerfile.md b/docs/dev/auditing_dockerfile.md
@@ -34,7 +34,7 @@ is the local ip of the Charles proxy (non-localhost)
 
 Add the following stages in the dockerfile:
 ```dockerfile
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS hack-build-base-debian
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-trixie AS hack-build-base-debian
 RUN apt-get update -qq; apt-get -qq install ca-certificates
 COPY charles-ssl-proxying-certificate.crt /usr/local/share/ca-certificates/
 RUN update-ca-certificates
@@ -52,7 +52,7 @@ RUN update-ca-certificates
 
 Then replace any later "FROM" with our modified bases:
 ```
-golang:${GO_VERSION}-bookworm => hack-build-base-debian
+golang:${GO_VERSION}-trixie => hack-build-base-debian
 golang:${GO_VERSION}-alpine => hack-build-base
 ubuntu:${UBUNTU_VERSION} => hack-base
 ```