chore(deps): update module github.com/containerd/containerd to v1.7.32

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.30 → v1.7.32

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.32: containerd 1.7.32

Compare Source

Welcome to the v1.7.32 release of containerd!

The thirty-second patch release for containerd 1.7 contains various fixes
and updates including a security patch.

• containerd

  • CVE-2026-46680

• Allow hosts.toml to contain only root-level fields without an explicit [host] section (#​10028)

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#​13450)

• Apply hardening to block AF_ALG in default socket policy (#​13406)

• Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#​13299)

• Set AppArmor abi conditionally to support versions < 3.0 (#​13273)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

• Maksym Pavlenko
• Chris Henzie
• Derek McGowan
• Paweł Gronowski
• Samuel Karp
• Wei Fu
• Brad Davidson
• Brian Goff
• LEI WANG
• Phil Estes

17 commits

• bc87d865c Prepare release notes for v1.7.32
• oci: return explicit error for out-of-range USER values (#​13450)
  • 503f47946 oci: return explicit error for out-of-range USER values
• seccomp: Block AF_ALG in default socket policy (#​13406)
  • e55b747d3 seccomp: Block AF_ALG in default socket policy
  • 4627a65f8 seccomp: Document socket rule scope and socketcall limitation
• Fix issue with empty host tree in hosts.toml (#​10028)
  • 24007441d Fix error parsing hosts.toml without any host tree
• Support both styles of volatile mount option (#​13299)
  • 940733149 Support both styles of volatile mount option
• apparmor: Set abi conditionally (#​13273)
  • 2b732c892 apparmor: Set abi conditionally
• Add GitHub Action for k8s node e2e tests (#​13258)
  • 0db1e143a Add GitHub Action for k8s node e2e tests
• Update release process after 1.7 (#​13236)
  • 3223a75c2 Update for latest updates to release tool
  • 1b30082eb Update release process after 1.7

This release has no dependency changes

Previous release can be found at v1.7.31

v1.7.31: containerd 1.7.31

Compare Source

Welcome to the v1.7.31 release of containerd!

The thirty-first patch release for containerd 1.7 contains various fixes
and updates including a security patch.

Security Updates

• spdystream
  • CVE-2026-35469

Highlights

Container Runtime Interface (CRI)

• Fix CNI issue where DEL is never executed after a restart (#​12931)
• Sanitize error before gRPC return to prevent possible credential leak in pod events (#​12805)
• Improve error message and add warning when concurrent container creation is detected (#​12744)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Maksym Pavlenko
• Akhil Mohan
• Phil Estes
• Sebastiaan van Stijn
• Wei Fu
• Akihiro Suda
• Alex Chernyakhovsky
• Chris Henzie
• Michael Zappa
• Ricardo Branco
• Shachar Tal
• ningmingxiao
• yashsingh74

Changes

37 commits

• Prepare release notes for v1.7.31 (#​13221)
  • 7d2662653 Prepare release notes for v1.7.31
• update github.com/moby/spdystream v0.5.1 (#​13220)
  • 3f795c02a update github.com/moby/spdystream v0.5.1
• update to Go 1.25.9, 1.26.2 (#​13200)
  • 7b1e1b17b update to Go 1.25.9, 1.26.2
  • b673f2d42 update golangci-lint to v2.9.0 with go1.26 support
  • d88d8513a remove windows/arm from cross build
  • a763407b5 Ignore warnings for golangci-lint bump
  • 03dcd8360 ci: bump golangci from 6.5.2 to 7.0.0
• Update github.com/moby/spdystream v0.2.0->v0.5.0 (#​13176)
  • c08711218 Update github.com/moby/spdystream v0.2.0->v0.5.0
• Skip TestExportAndImportMultiLayer on s390x (#​13152)
  • 043548f6d Skip TestExportAndImportMultiLayer on s390x
• update runc binary to v1.3.5 (#​13059)
  • e99bd6050 [release/1.7] update runc binary to v1.3.5
• CODEOWNERS: mark Sam and Chris as owners for 1.7 (#​13069)
  • 3a3103aaf CODEOWNERS: mark Sam and Chris as owners for 1.7
• Fix vagrant on CI (#​13064)
  • 9b4cfa271 Ignore NOCHANGE error
• ci: modprobe xt_comment on almalinux (#​12959)
  • 53e9e73f0 ci: modprobe xt_comment on almalinux
• Fix TOCTOU race bug in tar extraction (#​12970)
  • 61c2733fd Fix TOCTOU race bug in tar extraction
• Fix CNI issue where CNI DEL is never executed (#​12931)
  • f854c1890 fix issue where cni del is never executed
• apparmor: explicitly set abi/3.0 (#​12899)
  • 5c091d92e apparmor: explicitly set abi/3.0
• backport: integration: Fix TestImageLoad() failure on CI (#​12908)
  • 177ac10fe integration: Fix TestImageLoad() failure on CI
• update to go1.24.13, go1.25.7 (#​12873)
  • 56da43d0f update to go1.24.13, go1.25.7
  • 5cb3cb9ba ci: bump go 1.24.12, 1.25.6
• fix: sanitize error before gRPC return to prevent credential leak in pod events (#​12805)
  • b1fa03843 fix: sanitize error before gRPC return to prevent credential leak in pod events
• cri: emit warning for concurrent CreateContainer (#​12744)
  • e2c93a42c cri: emit warning for concurrent CreateContainer

Dependency Changes

• github.com/moby/spdystream v0.2.0 -> v0.5.1

Previous release can be found at v1.7.30

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign rhopp for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[konflux-ci-qe-bot]

Scenario: pr-e2e-tests
@red-hat-konflux[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name	Status	Rerun command	Build Log	Test Log
e2e-4.19-2gjkf	Failed	/retest	View Pipeline Log	View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

1. Install ORAS (see the ORAS installation guide).
2. Download artifacts with the following commands:

mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/rhtap-team/rhtap-cli:e2e-4.19-2gjkf

Test results analysis

<not enabled>

OCI Artifact Browser URL

<not enabled>