Add containerd2 package and upgrade runc version to 1.2.1 and libseccomp to 2.5.5

[liunan-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
As containerd 2.0 GA recently, we want to provide containerd 2.0 in azure linux 3.0 to enhance our distro. Before fully validating it, we wanted to keep the current containerd version in the existing package and offer container 2.0 in a new package so that users can try and test as their needs.

Change Log

• Created a standalone containerd 2.0.0 package
• Upgrade libseccomp to 2.5.5 as other older version is no longer supported upstream
• Bump runc version to 1.2.1 required by containerd 2.0.0

Does this affect the toolchain?

NO

Test Methodology

• Pipeline build id: 673740

[hbeberman]

changelog should be updated to mention that the 2.5.5 version bump is for libseccomp, if its necessary.

[hbeberman]

Was this version bump required to build containerd/runc?

[liunan-ms]

Yes, runc requires libseccomp 2.5.5, and libseccomp v2.5.4 is no longer supported upstream, a more recent release is suggested to use. I will add the version bump of libseccomp and runc into the containerd changelog as well.

[hbeberman]

I would get rid of these moby-containerd provides/obsoletes. Users still calling containerd "moby-containerd" in their install scripts could unknowingly get this 2.0 package because of this.

[hbeberman]

Is there a reason we need to pin to a lower version of golang?

[liunan-ms]

Great point. containerd 2.0 requires golang1.22 or above (doc) and runc is also built with both golang 1.22 and1.23 in its CI workflow. so I think we can remove this golang version restriction. @mfrw could you please confirm we could remove it?

[liunan-ms]

Confirmed by Falak and removed the golang version restriction.

[mfrw]

Ack on removal on golang version constraint.

[reubeno]

Have we reviewed the changelog to see what's changed between 1.1.12 and 1.2.1? Were there breaking changes that would affect containerd v1 and/or other container hosting scenarios? What other risks might there be of this upgrade?

Also, I see that runc 1.2.2 has already been released and claims to have fixes for some regressions introduced in 1.2.0. Should we be picking that up instead?

[reubeno]

I see a number of "breaking changes" listed in the 1.2.0 series in the release notes for runc, but don't have the right domain knowledge to know how likely they are to be impactful to any of our customers. Is this something that's been previously evaluated?