Releases: opencontainers/runc
runc 1.0-rc93 -- "I never could get the hang of Thursdays."
This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.
- runc's cgroupv2 support is no longer considered experimental. It is now
  believed to be fully ready for production deployments. In addition, runc's
  cgroup code has been improved:
  - The systemd cgroup driver has been improved to be more resilient and
    handle more systemd properties correctly.
  - We now make use of openat2(2) when possible to improve the security of
    cgroup operations (in future runc will be wholesale ported to libpathrs to
    get this protection in all codepaths).
- runc's mountinfo parsing code has been reworked significantly, making
  container startup times significantly faster and less wasteful in general.
- runc now has special handling for seccomp profiles to avoid making new
  syscalls unusable for glibc. This is done by installing a custom prefix to
  all seccomp filters which returns -ENOSYS for syscalls that are newer than
  any syscall in the profile (meaning they have a larger syscall number).

  This should not cause any regressions (because previously users would simply
  get -EPERM rather than -ENOSYS, and the rule applied above is the most
  conservative rule possible) but please report any regressions you find as a
  result of this change -- in particular, programs which have special fallback
  code that is only run in the case of -EPERM.
- runc now supports the following new runtime-spec features:
  - The umask of a container can now be specified.
  - The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
    CAP_CHECKPOINT_RESTORE) are now supported.
  - The "unified" cgroup configuration option, which allows users to explicitly
    specify the limits based on the cgroup file names rather than abstracting
    them through OCI configuration. This is currently limited in scope to
    cgroupv2.
- Various rootless containers improvements:
  - runc will no longer cause conflicts if a user specifies a custom device
    which conflicts with a user-configured device -- the user device takes
    precedence.
  - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
- runc --root is now always treated as local to the current working directory.
- The --no-pivot-root hardening was improved to handle nested mounts properly
  (please note that we still strongly recommend that users do not use
  --no-pivot-root -- it is still an insecure option).
- A large number of code cleanliness and other various cleanups, including
  fairly large changes to our tests and CI to make them all run more
  efficiently.
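The seccomp change in the list above can be modelled in a few lines. This is an added example, not runc's own code: it is a simplified single-architecture model in which the syscall table is a constructed x86_64 subset and `Profile`, `EvalOld`, `EvalNew` and `TryWithFallback` are hypothetical names. It shows why a caller that falls back only on ENOSYS breaks under the old behaviour and works with the prefix.

```go
package main

import "fmt"

// Action is what the filter returns for a syscall.
type Action string

const (
	Allow  Action = "ALLOW"
	EPERM  Action = "ERRNO(EPERM)"
	ENOSYS Action = "ERRNO(ENOSYS)"
)

// sysNr holds x86_64 syscall numbers for the few syscalls used below
// (a constructed subset, not a complete table).
var sysNr = map[string]int{
	"read": 0, "write": 1, "close": 3, "ptrace": 101,
	"openat": 257, "faccessat": 269,
	"clone3": 435, "openat2": 437, "faccessat2": 439,
}

// Profile is a simplified seccomp profile: a default action plus named rules.
type Profile struct {
	Default Action
	Rules   map[string]Action
}

// Newest returns the largest syscall number named by any rule in the profile.
func (p Profile) Newest() int {
	newest := -1
	for name := range p.Rules {
		if nr, ok := sysNr[name]; ok && nr > newest {
			newest = nr
		}
	}
	return newest
}

// EvalOld models the earlier behaviour: a syscall without a rule gets the
// profile's default action, however new the syscall is.
func (p Profile) EvalOld(name string) Action {
	if a, ok := p.Rules[name]; ok {
		return a
	}
	return p.Default
}

// EvalNew models the added prefix: a syscall numbered above everything the
// profile mentions returns ENOSYS; all other syscalls are decided as before.
func (p Profile) EvalNew(name string) Action {
	if nr, ok := sysNr[name]; ok && nr > p.Newest() {
		return ENOSYS
	}
	return p.EvalOld(name)
}

// TryWithFallback models a caller that prefers a newer syscall and retries
// with the older one only when the newer one reports ENOSYS.
func TryWithFallback(eval func(string) Action, newer, older string) string {
	switch eval(newer) {
	case Allow:
		return newer
	case ENOSYS:
		if eval(older) == Allow {
			return older
		}
	}
	return "failed"
}

// SampleProfile is a constructed profile written before faccessat2 existed.
func SampleProfile() Profile {
	return Profile{Default: EPERM, Rules: map[string]Action{
		"read": Allow, "write": Allow, "close": Allow,
		"openat": Allow, "faccessat": Allow,
	}}
}

func main() {
	p := SampleProfile()
	for _, sc := range []string{"faccessat", "ptrace", "faccessat2"} {
		fmt.Printf("%-11s old=%-13s new=%s\n", sc, p.EvalOld(sc), p.EvalNew(sc))
	}
	fmt.Println("old filter:", TryWithFallback(p.EvalOld, "faccessat2", "faccessat"))
	fmt.Println("new filter:", TryWithFallback(p.EvalNew, "faccessat2", "faccessat"))
}
```
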
For packagers the following changes have been made which will have impact on
your packaging of runc:
- The "selinux" and "apparmor" buildtags have been removed, and now all runc
  builds will have SELinux and AppArmor support enabled. Note that "seccomp"
  is still optional (though we very highly recommend you enable it).
- make install DESTDIR= now functions correctly.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- acetang
- Adrian Reber
- Akihiro Suda
- Aleksa Sarai
- Amim Knabben
- An Long
- Aos Dabbagh
- Ashok Pon Kumar
- Cesar Talledo
- Chaitanya Bandi
- Cory Bennett
- Daniel J Walsh
- Eduardo Vega
- Feng Sun
- Giuseppe Scrivano
- Jeff Zvier
- Kenta Tada
- Kir Kolyshkin
- Manabu Sugimoto
- Mauricio Vásquez
- Michael Crosby
- Mrunal Patel
- Paweł Szulik
- Peter Hunt
- Piotr Wagner
- Sascha Grunert
- SataQiu
- Sebastiaan van Stijn
- Shengjing Zhu
- Shukui Yang
- wangtianxia
- Wei Fu
- Xiaochen Shen
- Xiaodong Liu
Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai
runc 1.0-rc92 -- "Almost, but not quite, entirely unlike tea."
This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):
- Fix helpers used by Docker to correctly handle symlinks in /dev (when running
with --privileged containers).
As well as some other improvements:
- Updates to CRIU support.
- Improvements to cgroupfs performance and correctness.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber
- Akihiro Suda
- Aleksa Sarai
- Daniel J Walsh
- Giuseppe Scrivano
- John Hwang
- Kir Kolyshkin
- Lokesh Mandvekar
- Mrunal Patel
- Sebastiaan van Stijn
- tjucoder
- Xiaodong Liu
- Xiaoyu Zhang
- zvier
Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai
runc 1.0-rc91 -- "Just Hook a Right Over Here"
This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
- The long-awaited hooks changes have been merged into runc. This was
  one of the few remaining spec-related issues which were blocking us
  from releasing runc 1.0. Existing hook users will not be affected by
  this change, but runc now supports additional hooks that we expect
  users to migrate to eventually. The new hooks are:
  - createRuntime (replacement for the now-deprecated prestart)
  - createContainer
  - startContainer
- A large amount of effort has been undertaken to support cgroupv2
  within runc. The support is still considered experimental, but it is
  mostly functional at this point. Please report any bugs you find when
  running under cgroupv2-only systems.
- A minor-severity security bug was fixed. The devices list would
  be in allow-by-default mode from the outset, meaning that users would
  have to explicitly specify they wish to deny all device access at the
  beginning of the configuration. While this would normally be
  considered a high-severity vulnerability, all known users of runc had
  worked around this issue several years ago (hence why this fairly
  obvious bug was masked).

  In addition, the devices list code has been massively improved such
  that it will attempt to avoid causing spurious errors in the
  container (such as while writing to /dev/null) when doing devices
  cgroup updates.
- A security audit of runc was conducted in 2019, and the report PDF is
  now included in the runc repository. The previous release of runc
  has already addressed the security issues found in that report.
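The workaround described in the devices item above (an explicit deny-all rule at the start of the devices list) can be checked in a container's config.json before it reaches the runtime. This is an added example, not code from runc: it reads the runtime-spec `linux.resources.devices` field, the sample configs are constructed, `StartsWithDenyAll` is a hypothetical helper, and treating a rule as deny-all only when its access string contains all of `r`, `w` and `m` is an assumption of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// deviceRule mirrors one entry of linux.resources.devices in config.json.
type deviceRule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type,omitempty"`
	Major  *int64 `json:"major,omitempty"`
	Minor  *int64 `json:"minor,omitempty"`
	Access string `json:"access,omitempty"`
}

// ociConfig keeps only the part of config.json this check needs.
type ociConfig struct {
	Linux struct {
		Resources struct {
			Devices []deviceRule `json:"devices"`
		} `json:"resources"`
	} `json:"linux"`
}

// isDenyAll reports whether a rule denies every device: not an allow rule,
// no specific type, wildcard major/minor, and read, write and mknod access.
func isDenyAll(r deviceRule) bool {
	wild := func(n *int64) bool { return n == nil || *n == -1 }
	return !r.Allow &&
		(r.Type == "" || r.Type == "a") &&
		wild(r.Major) && wild(r.Minor) &&
		strings.Contains(r.Access, "r") &&
		strings.Contains(r.Access, "w") &&
		strings.Contains(r.Access, "m")
}

// StartsWithDenyAll reports whether the devices list opens with a deny-all
// rule. A missing or empty list returns false, because such a config relies
// on the runtime's default rather than stating the policy itself.
func StartsWithDenyAll(config []byte) (bool, error) {
	var c ociConfig
	if err := json.Unmarshal(config, &c); err != nil {
		return false, fmt.Errorf("parse config.json: %w", err)
	}
	devs := c.Linux.Resources.Devices
	return len(devs) > 0 && isDenyAll(devs[0]), nil
}

// Constructed sample configs (not taken from any real deployment).
const (
	// Deny everything first, then allow /dev/null (char device 1:3).
	hardened = `{"linux":{"resources":{"devices":[
	  {"allow": false, "access": "rwm"},
	  {"allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm"}]}}}`
	// Only an allow rule: depends on the runtime starting from deny.
	allowOnly = `{"linux":{"resources":{"devices":[
	  {"allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm"}]}}}`
	// No devices list at all.
	noList = `{"linux":{"resources":{}}}`
)

func main() {
	for name, cfg := range map[string]string{
		"hardened": hardened, "allowOnly": allowOnly, "noList": noList,
	} {
		ok, err := StartsWithDenyAll([]byte(cfg))
		fmt.Printf("%-9s starts with deny-all: %v (err: %v)\n", name, ok, err)
	}
}
```
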
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber
- Akihiro Suda
- Alban Crequy
- Aleksa Sarai
- Alice Frosi
- Amye Scavarda Perrin
- Andrei Vagin
- Boris Popovschi
- Brian Goff
- Chris Aniszczyk
- Danail Branekov
- Giuseppe Scrivano
- iwankgb
- John Hwang
- Katarzyna Kujawa
- Kenta Tada
- Kir Kolyshkin
- Kohei Ota
- l00397676
- Lifubang
- Mario Nitchev
- Michael Crosby
- Mrunal Patel
- Odin Ugedal
- Paweł Szulik
- Peter Hunt
- Pradyumna Agrawal
- Qiang Huang
- Renaud Gaubert
- Sascha Grunert
- Sebastiaan van Stijn
- SiYu Zhao
- Ted Yu
- Tianjia Zhang
- Tianon Gravi
- Tobias Klauser
- wanghuaiqing
- W. Trevor King
- Yulia Nedyalkova
- zyu
NOTE: For those who are confused by the massive version jump (rc10 to rc91),
this was done to avoid issues with SemVer and lexical
comparisons -- there haven't been 90 other release candidates. Please
also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399
for more details.
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai
runc 1.0-rc90 -- "We Have To Go Back!"
This release is identical to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).
The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic sort -V order).
Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See #2399 for more details.
The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.
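The ordering problem described here, and in the version-jump note under rc91, follows from the SemVer 2.0.0 precedence rules for pre-release identifiers. This is an added example, not code from runc or from the Go module tooling: `Compare` and `Latest` are hypothetical helpers that implement those rules for well-formed `vMAJOR.MINOR.PATCH[-prerelease]` tags without build metadata, and the example goes slightly beyond the text by also showing that a dotted numeric identifier (`rc.10`) would have compared numerically.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// split breaks "v1.0.0-rc10" into its numeric core and pre-release string.
func split(v string) ([3]int, string) {
	var core [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)
	for i, f := range strings.SplitN(parts[0], ".", 3) {
		core[i], _ = strconv.Atoi(f)
	}
	if len(parts) == 2 {
		return core, parts[1]
	}
	return core, ""
}

// isDigits reports whether an identifier consists only of ASCII digits.
func isDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return s != ""
}

// comparePre orders two pre-release strings: a release without a pre-release
// ranks highest, numeric identifiers compare as numbers and rank below
// alphanumeric ones, and alphanumeric identifiers compare byte by byte.
func comparePre(a, b string) int {
	switch {
	case a == b:
		return 0
	case a == "":
		return 1
	case b == "":
		return -1
	}
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		xn, yn := isDigits(x), isDigits(y)
		switch {
		case xn && yn:
			xi, _ := strconv.Atoi(x)
			yi, _ := strconv.Atoi(y)
			if xi != yi {
				if xi < yi {
					return -1
				}
				return 1
			}
		case xn:
			return -1
		case yn:
			return 1
		default:
			if c := strings.Compare(x, y); c != 0 {
				return c // "rc10" < "rc9" because '1' < '9'
			}
		}
	}
	switch {
	case len(as) < len(bs):
		return -1
	case len(as) > len(bs):
		return 1
	}
	return 0
}

// Compare returns -1, 0 or 1 as tag a ranks below, equal to or above tag b.
func Compare(a, b string) int {
	ca, pa := split(a)
	cb, pb := split(b)
	for i := range ca {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	return comparePre(pa, pb)
}

// Latest returns the highest-ranked tag, or "" for an empty list.
func Latest(tags []string) string {
	if len(tags) == 0 {
		return ""
	}
	s := append([]string(nil), tags...)
	sort.Slice(s, func(i, j int) bool { return Compare(s[i], s[j]) < 0 })
	return s[len(s)-1]
}

func main() {
	tags := []string{"v1.0.0-rc9", "v1.0.0-rc10"}
	fmt.Println("latest before rc90:", Latest(tags))
	fmt.Println("latest after rc90: ", Latest(append(tags, "v1.0.0-rc90")))
}
```
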
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Signed-off-by: Aleksa Sarai
runc 1.0-rc10 -- "Procfs Strikes Back"
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged the next rc release of runc should be the last one before
1.0.0.
Other notable changes include:
- Fixing an exec-fifo race that could be triggered under Kubernetes (#2185).
- Partial cgroupv2 support (#2209 for remaining issues).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Akihiro Suda
- Aleksa Sarai
- James Peach
- Jordan Liggitt
- Julia Nedialkova
- Julio Montes
- Kevin Kelani
- Kurnia D Win
- Manuel Rüger
- Michael Crosby
- Mrunal Patel
- Qiang Huang
- Radostin Stoyanov
- Sascha Grunert
- tianye15
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai
runc 1.0-rc9 -- "Watch out for that first step, it's a doozy!"
This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber
- Akihiro Suda
- Aleksa Sarai
- Andreas Stocker
- blacktop
- Carlos de Paula
- Danail Branekov
- Daniel J Walsh
- Erik Sipsma
- Filipe Brandenburger
- Georgi Sabev
- Giuseppe Scrivano
- Howard Zhang
- Joe Burianek
- Jonathan Rudenberg
- Julien Durillon
- Kenta Tada
- Lifubang
- Marco Vedovati
- Michael Crosby
- Mrunal Patel
- Odin Ugedal
- Qiang Huang
- sashayakovtseva
- Sebastiaan van Stijn
- Xiaochen Shen
- Xiao YongBiao
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai
runc 1.0-rc8 -- "Oops, We Did It Again!"
This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels
(which don't support keycreate labeling). Users are strongly encouraged
to update, as this regression was introduced in 1.0.0-rc7 and has
blocked many users from updating to mitigate CVE-2019-5736.
At the moment the only outlying issue before we can release 1.0.0 is
some spec discussions we are having about OCI hooks and how to handle
the integration with existing NVIDIA hooks. We will do our best to
finish this work as soon as we can.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Aleksa Sarai
- Daniel J Walsh
- lifubang
- Michael Crosby
- Mrunal Patel
Signed-off-by: Aleksa Sarai
runc 1.0-rc7 -- "The Eleventh Hour"
WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.
Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Security:
- Mitigate CVE-2019-5736. This is an updated version of the patch series sent
  out on openwall and we encourage users to update. #1982 #1984

  NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
  host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a
  hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN
  privileged users).

  Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers
  without user namespaces to be fundamentally insecure, as such we do not
  consider this to be a security issue.

  If you want an additional host-level mitigation, use chattr +i on the
  host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to
  it -- even with CAP_SYS_ADMIN. But as above, if you give
  CAP_LINUX_IMMUTABLE to a container you will have problems.

  An alternative is to bind-mount a sealed memfd copy of the runc binary over
  the binary (runc will detect this and will not attempt further mitigation,
  because sealed memfds are fundamentally unmodifiable) but this requires
  more in-depth work by administrators.
- There appear to be production users of --no-pivot-root, which is something
  that we absolutely recommend against and do not consider to be a secure
  configuration -- since pivot_root(2) has many security properties that are
  not possible to provide with just chroot(2).

  However, a specific issue was discovered which we decided to mitigate in
  order to avoid production users being exploited by it. This security issue
  is not eligible for a CVE because it requires an insecure configuration
  (--no-pivot-root). #1962
Features:
- Add intelrdt support for MBA to runc (a new intelrdt feature available in
  Linux 4.18+). #1919
- Add support for specifying a CRIU configuration file for checkpoint/restore
  (which makes use of a new org.criu.config annotation). #1933 #1964
- Add support for "runc exec --preserve-fds". #1995
- Added support for SELinux labeling of keyrings. #2012
Fixes:
- Correct handling of "runc kill" when a container is stopped or paused.
  #1934 #1943
- Error out if built with nokmem and kmemcg limits were requested. #1939
- Update check-config.sh to be in line with Docker's. #1942
- Improve handling of kmem and the systemd cgroup driver. #1960
- Improve resilience of adding setns tasks to cgroups. #1950
- Remove (broken) detection of .scope for systemd. #1978
- Fix console hanging with preserve-fds, where not enough fds have actually
  been provided to runc (which is a very common mistake when using
  --preserve-fds). #2000
- Create bind-mounts when restoring. #1968
- Fix regression of zombie "runc init" processes. #2023
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Ace-Tang
- Adrian Reber
- Aleksa Sarai
- Alex Fang
- Christian Brauner
- Danail Branekov
- Daniel, Dao Quang Minh
- Daniel J Walsh
- Filipe Brandenburger
- Giuseppe Scrivano
- JoeWrightss
- John Howard
- Justin Cormack
- Kenta Tada
- Lifubang
- Michael Crosby
- Mrunal Patel
- Tom Godkin
- Vincent Batts
- Xiaochen Shen
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai
runc 1.0-rc6 -- "For Real This Time"
This is the final feature release of runc before 1.0, rather than 1.0
itself. The reason for this is that, during the preparations for this
release (which was originally meant to be 1.0) it was brought up that
there were several spec-compliance problems. One of these was related to
hook ordering, and upon trying to fix them it turns out that many users
(notably the NVIDIA OCI hooks) make use of our incorrect hook ordering.
Many of the proposed solutions to this problem all require a lot of time
and co-ordination, and thus would stall this release indefinitely.
So, the idea is to have an intermediate release which will mark a
freeze-on-everything-except-spec-compliance-bugs. No other changes will
be included pre-1.0 (aside from security patches obviously).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Features:
- Upgrade to using Go 1.10. #1711
- Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
- Allow for checkpoint-restore into a foreign network namespace. #1849
- The "type" field for bind-mounts is now ignored. This is important, because
  many users incorrectly assume that "type" defines a bind-mount and not
  "options". Previously you had to set both. #1753 #1845
- "setgroups=allow" is now possible in rootless mode, but requires the use of
  the privileged newgidmap helper (fully-rootless still requires
  "setgroups=deny"). #1693
- Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
- Several aspects of rootless mode are now used inside user namespaces. This
  is necessary for a bunch of useful things (such as running Docker inside a
  user namespace), but did cause some breakages. We think they've all been
  fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862
- Improve kernel.{domain,host}name sysctl handling, to allow the NIS
  domainname to be set from Docker or other callers without an OCI spec
  change. #1827
- Add documentation for one of the more confusing parts of runc, how terminals
  are handled (including an explanation of --console-socket). All the gory
  details and recommendations are available in docs/terminals.md. #1730
- Allow /proc to be bind-mounted over (useful for rootless containers). #1832
- Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker
  working with LXC under the default seccomp profile (which is what ChromeOS
  uses). #1893
- Add support for the Intel RDT/MBA resource control system. #1632 #1913
- Allow building with completely-disabled kmemcg support, to get around
  problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting
  enabled). #1921 #1922 #1930
- Add support for cgroup namespaces, which in turn fixes a few other issues we
  encountered with the previous code (which could be moving us to a cgroup
  during Go execution). #1916
Fixes:
- Namespace creation with user namespaces now plays a bit nicer with SELinux
and IPC (which had a bug where the in-kernel mqueue mount would have the
wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to
avoid future problems with broken kernel integration. #1562
- Mild refactor of libcontainer/user. #1749
- Fix null-pointer-exception when no cgroups were set. #1752
- Various DBus and systemd related changes for the systemd-cgroup driver.
#1754 #1772 #1776 #1781 #1805 #1917
- Apply SELinux label to masked directories. #1756
- Obey the XDG spec and set the sticky bit on runc's root when using
XDG_RUNTIME_DIR (in rootless mode). #1760
- Only configure network namespaces if we are creating them. #1777
- Fix race in runc-exec against a currently-exiting pid1. #1812
- Forward GOMAXPROCS to try to reduce the number of threads started by 'runc
init'. Unfortunately there's no way to stop Go from spawning new threads so
this is more of a recommendation. #1830
- Fix tmpcopyup in cases where /tmp is not a private mount. #1873
- Whitelist /proc/loadavg for bind-mounting. #1882
- Protect against deletion of runc state directory with a containerid of "..",
as well as the addition of other path hardening code. #1883
- Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work
on distributions that use-and-abuse shared subtrees. #1817
- Fix console hanging in several cases. #1895 #1897
- Lock-to-a-thread during 'runc init' to ensure that we don't switch
threads and run within a different SELinux label. #1814
- Respect cgroupPath when trying to find the cgroupfs mountpoint (which can
happen in cases where containers are given different cgroupfs mounts). #1872
- And many other minor changes, many from first-time contributors! #1746 #1748
#1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840
#1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908
#1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911
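The ".." container ID fix listed above (#1883) matters because a state directory built as root + id resolves to the parent of the state root when id is "..", so a delete would remove the wrong tree. The following is an added example of that kind of check, not runc's own code; stateDir, errInvalidID, the ID allowlist and the /run/runc root are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
)

// idRegex is an assumed ID allowlist: word characters, '+', '-' and '.'.
// Note that "." and ".." still match it, so the allowlist alone is not enough.
var idRegex = regexp.MustCompile(`^[\w+.-]+$`)

var errInvalidID = errors.New("invalid container id")

// stateDir returns the per-container state directory under root, or an
// error if id would resolve to root itself or to anything outside it.
func stateDir(root, id string) (string, error) {
	if !idRegex.MatchString(id) {
		return "", fmt.Errorf("%w: %q", errInvalidID, id)
	}
	// Cleaning "/"+id collapses "." and ".." components; an id that is a
	// single safe path component comes back unchanged.
	rooted := string(filepath.Separator) + id
	if filepath.Clean(rooted) != rooted {
		return "", fmt.Errorf("%w: %q", errInvalidID, id)
	}
	dir := filepath.Join(root, id)
	// Defence in depth: the result must be a direct child of root.
	if filepath.Dir(dir) != filepath.Clean(root) {
		return "", fmt.Errorf("%w: %q", errInvalidID, id)
	}
	return dir, nil
}

func main() {
	root := "/run/runc" // assumed state root for the demo
	// Constructed sample IDs: one ordinary, the rest edge cases.
	for _, id := range []string{"web-1", "..", ".", "a/../..", "..."} {
		dir, err := stateDir(root, id)
		if err != nil {
			fmt.Printf("%-10q rejected: %v\n", id, err)
			continue
		}
		fmt.Printf("%-10q -> %s\n", id, dir)
	}
}
```

An ID of "..." is accepted because it is an ordinary file name; only IDs that change under path cleaning are refused.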
Fixes (for spec violations):
- Don't set a container to "running" when exec-ing into it (because it might
be in the "created" state). #1771
- oom_score_adj is now no longer modified if it was unspecified in config.json
(this was a spec violation). #1759
- Set "status" in hook stdin, as well as switch to using *spec.State to avoid
JSON-representation drift. #1741
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Ace-Tang
- Adrian Reber
- Akihiro Suda
- Alban Crequy
- Aleksa Sarai
- Alex Glikson
- Andrei Vagin
- Antonio Murdaca
- Bin Chen
- ChangFeng
- Chris Aniszczyk
- Danail Branekov
- Daniel, Dao Quang Minh
- Daniel J Walsh
- Denys Smirnov
- Derek Carr
- dlorenc
- Dmitry Smirnov
- Dominik Süß
- Filipe Brandenburger
- Giuseppe Scrivano
- Harald Nordgren
- Jay Kamat
- Jonathan Marler
- Kenta Tada
- Kir Kolyshkin
- Lifubang
- Lin Yang
- Marco Vedovati
- Michael Crosby
- Mike Brown
- Mrunal Patel
- Nalin Dahyabhai
- Qiang Huang
- Sebastien Boeuf
- Sergio Lopez
- Tamal Saha
- Tibor Vass
- vikaschoudhary16
- Vincent Batts
- W. Trevor King
- Xiaochen Shen
- Yan Zhu
- Yuanhong Peng
Signed-off-by: Aleksa Sarai
runc 1.0-rc5 -- "The Final Stretch"
This is planned to be the final -rc release of runc. While we really
haven't followed the rules for release candidates (with huge features
introduced each release, and with massive gaps between releases) the
hope is that once we've released 1.0.0 we will be much more liberal with
releases in future. Let's see how that pans out. :P
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Features:
- Support cgroups in rootless containers. This is a continuation of the
previous work done, and allows for users that have specialised setups
(such as having the LXC pam_cg.so module set up) to use cgroups with
rootless containers. #1540
- Add support for newuidmap and newgidmap with rootless containers.
This is a continuation of some previous work, and allows users that
have /etc/sub{uid,gid} configured to use the shadow-utils setuid
helpers. Note that this support doesn't restrict users that don't want
to use setuid binaries at all. #1529
- runc will now use a chroot when mount namespaces aren't provided in
the config.json. While chroot does have its (many) downsides, this
does allow for specialised configurations to work properly. #1702
- Expose annotations to hooks, so that the hook can have more direct
information about the container it is being run against. #1687
- Add "runc exec --additional-gids" support. #1608
- Allow more signals to be sent with "runc kill" than are defined by
Go's syscall package. #1706
- Emit an error if users try to use MS_PRIVATE with --no-pivot, as that
is simply not safe. #1606
- Add support for "unbindable" and "runbindable" as rootfs propagation.
#1655
- Implement intelrdt support in runc. #1279 #1590
- Add support for lazy migration with CRIU. This includes the addition
of "runc checkpoint httpd" which acts as a remote pagefault request
server. #1541
- Add MIPS support. #1475
Fixes:
- Delay seccomp application as late as possible, to reduce the syscall
footprint of runc on profiles. #1569
- Fix --read-only containers with user namespaces, which would
previously fail under Docker because of privilege problems when trying
to do the read-only remount. #1572
- Switch away from stateDirFd entirely. This is an improvement over the
protections we added for CVE-2016-9962, and protects against many
other possible container escape bugs. #1570
- Handle races between "runc start" and "runc delete" over the exec FIFO
correctly, and avoid blocking "runc start" indefinitely. #1698
- Correctly generate seccomp profiles that place requirements on syscall
arguments, as well as multi-argument restrictions. #1616 #1424
- Prospective patch for remounting of old-root during pivot_root. This
is intended to solve one of the many "mount leak" bugs that have been
popping up recently -- caused by lots of container churn and host
mounts being pinned during container setup. #1500
- Fix "runc exec" on big-endian architectures. #1727
- Correct systemd slice expansion to work with cAdvisor. #1722
- Fix races against systemd cgroup scope creation. #1683
- Do not wait for signalled processes if libcontainer is running in a
process that is a subreaper. #1678
- Remove dependency on libapparmor entirely, and just use
/proc/$pid/attr directly. #1675
- Handle systemd's quirky CPUQuotaPerSecUSec handling in
fractions-of-a-percent edge-cases. #1651
- Remove docker/docker import in runc by moving the package to runc.
#1644
- Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622
- Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539).
#1641
- Add more extensive tests for terminal handling. #1357
- Always write freezer state during retry-loop, to avoid an indefinite
hang when new tasks are spawned in the container. #1610
- Create cwd when it doesn't exist in the container. #1604
- Set initial console size based on process spec, to avoid SIGWINCH
races where initial console size is completely wrong. #1275
- Use epoll for PTY IO, to avoid issues with systemd's SAK protections.
#1455
- Update state.json after a "runc update". #1558
- Switch to umoci's release scripts, to use a more "standardised" and
distribution-friendly release scheme. Several makefile-fixes included
as well. #1554 #1542 #1555
- Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506
- Use CRIU's RPC to check the version. #1535
- Always save own namespace paths rather than the path given during
start-up, to avoid issues where the path disappears afterwards. #1477
- Fix that we incorrectly set the owners of devices. This is still (subtly)
broken in user namespaces, but will be fixed in a future version. #1743
- Lots of other miscellaneous fixes and cleanups, many of which were
written by first-time contributors. Thanks for contributing, and
welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682
#1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206
#1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588
#1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553
#1548 #1544 #1545 #1537
Removals:
- Andrej Vagin stepped down as a maintainer. Thanks for all of your hard
work Andrej, and have fun working on your other projects! #1543
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Adrian Reber
- Akihiro Suda
- Aleksa Sarai
- Alex Fang
- Allen Sun
- Andrei Vagin
- Antonio Murdaca
- Bin Lu
- Danail Branekov
- Daniel, Dao Quang Minh
- Ed King
- Euan Kemp
- Giuseppe Scrivano
- Jianyong Wu
- Kenfe-Mickael Laventure
- Konstantinos Karampogias
- leitwolf7
- Lorenzo Fontana
- Ma Shimiao
- Matthew Heon
- Michael Crosby
- Mrunal Patel
- Nikolas Sepos
- Peter Morjan
- Petros Angelatos
- Qiang Huang
- ravisantoshgudimetla
- s7v7nislands
- Sebastien Boeuf
- Seth Jennings
- Steven Hartland
- Sumit Sanghrajka
- Taeung Song
- Thomas Hipp
- Tobias Klauser
- Tom Godkin
- Tycho Andersen
- Valentin Kulesh
- vikaschoudhary16
- Vincent Demeester
- Vladimir Stefanovic
- vsoch
- Will Martin
- W. Trevor King
- Xiaochen Shen
- ynirk
- Yong Tang
- Yuanhong Peng
- yupeng
Vote: +5 -0 #2
Signed-off-by: Aleksa Sarai