build(deps): bump github.com/containerd/containerd/v2 from 2.0.7 to 2.0.9 in /cmd

[dependabot]

Bumps github.com/containerd/containerd/v2 from 2.0.7 to 2.0.9.

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.0.9

Welcome to the v2.0.9 release of containerd!

The ninth patch release for containerd 2.0 includes various bug fixes and updates, including a security fix.

• containerd

  • CVE-2026-46680

• Ensure container exit events are not lost during containerd restart (#11633)

• Apply hardening to avoid TOCTOU race in tar extraction (#13237)

• Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13449)

• Apply hardening to block AF_ALG in default socket policy (#13407)

• Support both "volatile" and "fsync=volatile" mount options for volatile snapshotter (#13298)

• Fix bugs in sandbox service affecting sandbox creation configuration and event publishing (#13271)

• Set AppArmor abi conditionally to support versions < 3.0 (#13277)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

• Samuel Karp
• Chris Henzie
• Maksym Pavlenko
• Paweł Gronowski
• Wei Fu
• Brian Goff
• LEI WANG
• Shachar Tal
• William Myers
• ningmingxiao

• 2da65b8bd Prepare release notes for v2.0.9
• oci: return explicit error for out-of-range USER values (#13449)
  • 1a3d1c85e oci: return explicit error for out-of-range USER values
• seccomp: Block AF_ALG in default socket policy (#13407)
  • fa2a97505 seccomp: Block AF_ALG in default socket policy
  • 4b2b07879 seccomp: Document socket rule scope and socketcall limitation
• Support both styles of volatile mount option (#13298)
  • ea56c9605 Support both styles of volatile mount option
• backport: sandbox: forward Create fields, fix event topics (#13271)
  • 3d34dc820 sandbox: forward Create fields, fix event topics
• apparmor: Set abi conditionally (#13277)
  • 4b260843e apparmor: Set abi conditionally
• Add GitHub Action for k8s node e2e tests (#13257)
  • 3e9c4d1e0 Add GitHub Action for k8s node e2e tests
• Fix TOCTOU race bug in tar extraction (#13237)

... (truncated)

Commits

• afde7ca Merge pull request #13456 from samuelkarp/prepare-release-2.0.9
• 2da65b8 Prepare release notes for v2.0.9
• ccc69f9 Merge pull request #13449 from samuelkarp/oci-withuser-errrange-2.0
• 820aaf5 Merge pull request #13407 from k8s-infra-cherrypick-robot/cherry-pick-13327-t...
• fa2a975 seccomp: Block AF_ALG in default socket policy
• 4b2b078 seccomp: Document socket rule scope and socketcall limitation
• 1a3d1c8 oci: return explicit error for out-of-range USER values
• 414a5e2 Merge pull request #13298 from chrishenzie/release/2.0-volatile
• ea56c96 Support both styles of volatile mount option
• 3afbec4 Merge pull request #13271 from estesp/backport-13260-2.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.