This is the fourth patch release in the 1.1.z series of runc, primarily fixing a regression introduced in 1.1.3 related to device rules. It also fixes a few other bugs.

• Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd. (#3511)
• Switch kill() in libcontainer/nsenter to sane_kill(). (#3536)
• Fix "permission denied" error from runc run on noexec fs. (#3541)
• Fix failed exec after systemctl daemon-reload. Due to a regression in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. (#3554)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• guodong [email protected]
• Kir Kolyshkin [email protected]
• Mrunal Patel [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is the third release of the 1.1.z series of runc, and contains various minor improvements and bugfixes.

• Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing). (#3478)
• Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes. (#3476)
• Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang. (#3477)
• When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths. (#3504)
• Socket activation was failing when more than 3 sockets were used. (#3494)
• Various CI fixes. (#3472, #3479)
• Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. (#3493)
• runc static binaries are now linked against libseccomp v2.5.4. (#3481)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• CrazyMax [email protected]
• Erik Sjölund [email protected]
• Irwin D'Souza [email protected]
• Kang Chen [email protected]
• Kir Kolyshkin [email protected]
• Sebastiaan van Stijn [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769).

• A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
• runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

This is the first stable release in the 1.1 branch, fixing a few issues with runc 1.1.0.

Fixed:

• runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
• runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
• libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404)
• Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" error. (#3406)
• libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]
• lifubang [email protected]
• Markus Lehtonen [email protected]

Signed-off-by: Kir Kolyshkin [email protected]

This release only contains very minor changes from v1.1.0-rc.1 and is the first release of the 1.1.y release series of runc. We do not plan to make any new releases of the 1.0.y release series of runc, so users are strongly encouraged to update to 1.1.0.

Changed:

• libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This release is the first release candidate for the next minor release following runc 1.0. It contains all of the bugfixes included in runc 1.0 patch releases (up to and including 1.0.3).

A fair few new features have been added, and several features have been deprecated (with plans for removal in runc 1.2). At the moment we only plan to do a single release candidate for runc 1.1, and once 1.1.0 is released we will not continue updating the 1.0.z runc branch.

Deprecated:

• runc run/start now warns if a new container cgroup is non-empty or frozen; this warning will become an error in runc 1.2. (#3132, #3223)
• runc can only be built with Go 1.16 or later from this release onwards. (#3100, #3245)

Removed:

• cgroup.GetHugePageSizes has been removed entirely, and been replaced with cgroup.HugePageSizes which is more efficient. (#3234)
• intelrdt.GetIntelRdtPath has been removed. Users who were using this function to get the intelrdt root should use the new intelrdt.Root instead. (#2920, #3239)

Added:

• Add support for RDMA cgroup added in Linux 4.11. (#2883)
• runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed. (#3073)
• runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container has exited. (#2817, #2825)
• seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL). (#3204)
• seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host. (#2682)
• checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore. (#3068)
• runc releases are now cross-compiled for several architectures. Static builds for said architectures will be available for all future releases. (#3197)
• intelrdt: support ClosID parameter. (#2920)
• runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed. (#3040, #3059)
• cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it). (#2087, #3059)
• sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour. (#3254, #3257)
• mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users. (#2576)
• Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro). (#3272)
• Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130. (#3296)

Changed:

• system: improve performance of /proc/$pid/stat parsing. (#2696)
• cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process. (#3057)
• docs: series of improvements to man pages to make them easier to read and use. (#3032)

Libcontainer API:

• internal api: remove internal error types and handling system, switch to Go wrapped errors. (#3033)
• New configs.Cgroup structure fields (#3177):
  • Systemd (whether to use systemd cgroup manager); and
  • Rootless (whether to use rootless cgroups).
• New cgroups/manager package aiming to simplify cgroup manager instantiation. (#3177)
• All cgroup managers' instantiation methods now initialize cgroup paths and can return errors. This allows to use any cgroup manager method (e.g. Exists, Destroy, Set, GetStats) right after instantiation, which was not possible before (as paths were initialized in Apply only). (#3178)

Fixed:

• nsenter: do not try to close already-closed fds during container setup and bail on close(2) failures. (#3058)
• runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink. (#3047).
• cgroup: improve openat2 handling for cgroup directory handle hardening. (#3030)
• runc delete -f now succeeds (rather than timing out) on a paused container. (#3134)
• runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused. (#3132, #3223)
• config: do not permit null bytes in mount fields. (#3287)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Alban Crequy [email protected]
• Aleksa Sarai [email protected]
• Dave Chen [email protected]
• flouthoc [email protected]
• Fraser Tweedale [email protected]
• Itamar Holder [email protected]
• Kailun Qin [email protected]
• Kang Chen [email protected]
• Kir Kolyshkin [email protected]
• lifubang [email protected]
• Liu Hua [email protected]
• Maksim An [email protected]
• Markus Lehtonen [email protected]
• Mauricio Vásquez [email protected]
• Mengjiao Liu [email protected]
• Mrunal Patel [email protected]
• Neil Johnson [email protected]
• Odin Ugedal [email protected]
• Piotr Resztak [email protected]
• Qiang Huang [email protected]
• Rodrigo Campos [email protected]
• Sascha Grunert [email protected]
• Sebastiaan van Stijn [email protected]
• Shengjing Zhu [email protected]
• xiadanni [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is the third stable release in the 1.0 branch, fixing a handful of medium priority issues related to mounts and cgroups, as well as a potential security vulnerability.

This release is expected to be the last point release in the 1.0 branch, as we are planning to release runc 1.1 in the near future.

Security:

• A potential vulnerability was discovered in runc (related to an internal usage of netlink), however upon further investigation we discovered that while this bug was exploitable on the master branch of runc, no released version of runc could be exploited using this bug. The exploit required being able to create a netlink attribute with a length that would overflow a uint16 but this was not possible in any released version of runc. For more information, see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

  Due to an abundance of caution we decided to do an emergency release with this fix, but to reiterate we do not believe this vulnerability was possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability so quickly.

Bugfixes:

• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount (#3292)
• Fixed inability to start when read-only /dev in set in spec (#3277)
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd (#3297)
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes) (#3295)
• [CI only] Fixed criu 3.16 compatibility issue (#3282)
• [CI only] Add Go 1.17 to the testing matrix (#3299)

Enhancements:

• Improved an error message when dbus-user-session is not installed and rootless + cgroup2 + systemd are used (#3212)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kailun Qin [email protected]
• Kang Chen [email protected]
• Kir Kolyshkin [email protected]
• Odin Ugedal [email protected]
• Sebastiaan van Stijn [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is the second stable release in the 1.0 branch, fixing a few medium and high priority issues, including one that affect Kubernetes using runc's libcontainer.

Bugfixes:

• Fixed a failure to set CPU quota period in some cases on cgroup v1. (#3115)
• Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. (#3129)
• Made release builds reproducible from now on. (#3142)
• Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec. (#3130)
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. (#3167)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]
• Mrunal Patel [email protected]
• Odin Ugedal [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is the first stable release in the 1.0 branch, fixing a few medium and high priority issues with runc 1.0.0, including a few that affect Kubernetes' usage of libcontainer.

Bugfixes:

• Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. (#3074)
• Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. (#3079)
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). (#3085)
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. (#3087)
• cgroup/systemd/v2: don't freeze cgroup on Set. (#3092)
• cgroup/systemd/v1: avoid unnecessary freeze on Set. (#3093)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]
• Maksim An [email protected]
• Mrunal Patel [email protected]
• Odin Ugedal [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This release has quite a few last-minute bug-fixes and various correctness and performance improvements (almost all of which are related to cgroup handling), and is the first non-rc release of runc in 5 years (v1.0.0-rc1 was released in 2016). It's been a very long road, and we thank the many contributors and maintainers that helped us get to this point (approximately 422 people in total).

As runc follows Semantic Versioning, we will endeavor to not make any breaking changes without bumping the major version number of runc.

However, it should be noted that Go API usage of runc's internal implementation (libcontainer) is not covered by this policy -- for historical reasons, this code was not moved into an "internal" package (this feature did not exist in Go at the time) and because certain projects currently depend on this, we have not yet moved this code into an internal package. Despite this, we reserve the right to make breaking changes in our Go APIs (though we will note such changes in our changelog, and will try to avoid needless disruption if possible).

Breaking changes:

• Removed libcontainer/configs.Device* identifiers (deprecated since rc94, use libcontainer/devices) (#2999)
• Removed libcontainer/system.RunningInUserNS function (deprecated since rc94, use libcontainer/userns) (#2999)

Deprecations:

• The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). (#2917, #3004)

Bugfixes:

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). (#2951)
• cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. (#2955)
• cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
• cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) (#2997, #2996)

Improvements:

• cgroupv2: support SkipDevices with systemd driver (#2958, #3019)
• cgroup/systemd: return, not ignore, stop unit error from Destroy (#2946)
• Fix all golangci-lint failures. (#2781, #2962)
• Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. (#2962)
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). (#2994)
• cgroup1: blkio: support BFQ weights. (#3010)
• cgroupv2: set per-device io weights if BFQ IO scheduler is available. (#3022)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Antti Kervinen [email protected]
• Daniel, Dao Quang Minh [email protected]
• Enrico Weigelt [email protected]
• Kir Kolyshkin [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Peter Hunt [email protected]
• Qiang Huang [email protected]
• Sebastiaan van Stijn [email protected]
• Shiming Zhang [email protected]
• Yashpal Choudhary [email protected]

Vote: +5 -0 %2 Signed-off-by: Aleksa Sarai [email protected]

This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users).

Aside from this security fix, only a few other changes were made since v1.0.0-rc94 (the only user-visible change was the addition of support for defaultErrnoRet in seccomp profiles).

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Aleksa Sarai [email protected]
• Giuseppe Scrivano [email protected]
• Kir Kolyshkin [email protected]
• Mrunal Patel [email protected]

Due to the nature of this release, it didn't go through the normal public release procedure. However, this break from procedure was agreed upon on the security mailing list.

Signed-off-by: Aleksa Sarai [email protected]

This release fixes several regressions found in v1.0.0-rc93. We recommend users update as soon as possible. This release includes the following notable changes:

Potentially breaking changes:

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. (#2840)
• libcontainer/cgroups: cgroup managers' Set now accept configs.Resources rather than configs.Cgroups (#2906)
• libcontainer/cgroups/systemd: reconnect and retry in case dbus connection is closed (after dbus restart) (#2923)
• libcontainer/cgroups/systemd: don't set limits in Apply (#2814)

Bugfixes:

• seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
• cgroupv2: blkio weight value conversion fix (#2786)
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code (regression in rc93, #2871)
• runc start: fix "chdir to cwd: permission denied" for some setups (regression in rc93, #2894)
• s390: fix broken terminal (regression in rc93, #2898)

Improvements:

• runc start/exec: better diagnostics when container limits are too low (#2812)
• runc start/exec: better cleanup after failed runc init (#2855)
• cgroupv1: improve freezing chances (#2941, #2918, #2791)
• cgroupv2: multiple GetStats improvements (#2816, #2873)
• cgroupv2: fallback to setting io.weight if io.bfq.weight is not available (#2820)
• capabilities: WARN, not ERROR, for unknown / unavailable capabilities (#2854)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adam Korcz [email protected]
• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Ben Hutchings [email protected]
• Danail Branekov [email protected]
• Daniel Dao [email protected]
• Enrico Weigelt [email protected]
• Iceber Gu [email protected]
• Kenta Tada [email protected]
• Kieron Browne [email protected]
• Kir Kolyshkin [email protected]
• Liang Zhou [email protected]
• Liu Hua [email protected]
• Mauricio Vásquez [email protected]
• Mrunal Patel [email protected]
• Odin Ugedal [email protected]
• Peter Hunt [email protected]
• Qiang Huang [email protected]
• Ryosuke Hanatsuka [email protected]
• Sascha Grunert [email protected]
• Sebastiaan van Stijn [email protected]
• Shengjing Zhu [email protected]
• Shiming Zhang [email protected]
• Vasiliy Ulyanov [email protected]

Vote: +6 -0 !1 Signed-off-by: Aleksa Sarai [email protected]

This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.

• runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:

  • The systemd cgroup driver has been improved to be more resilient and handle more systemd properties correctly.
  • We now make use of openat2(2) when possible to improve the security of cgroup operations (in future runc will be wholesale ported to libpathrs to get this protection in all codepaths).

• runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.

• runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).

  This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.

• runc now supports the following new runtime-spec features:

  • The umask of a container can now be specified.
  • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE) are now supported.
  • The "unified" cgroup configuration option, which allows users to explicitly specify the limits based on the cgroup file names rather than abstracting them through OCI configuration. This is currently limited in scope to cgroupv2.

• Various rootless containers improvements:

  • runc will no longer cause conflicts if a user specifies a custom device which conflicts with a user-configured device -- the user device takes precedence.
  • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.

• runc --root is now always treated as local to the current working directory.

• The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).

• A large number of code cleanliness and other various cleanups, including fairly large changes to our tests and CI to make them all run more efficiently.

For packagers the following changes have been made which will have impact on your packaging of runc:

• The "selinux" and "apparmor" buildtags have been removed, and now all runc builds will have SELinux and AppArmor support enabled. Note that "seccomp" is still optional (though we very highly recommend you enable it).

• make install DESTDIR= now functions correctly.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• acetang [email protected]
• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Amim Knabben [email protected]
• An Long [email protected]
• Aos Dabbagh [email protected]
• Ashok Pon Kumar [email protected]
• Cesar Talledo [email protected]
• Chaitanya Bandi [email protected]
• Cory Bennett [email protected]
• Daniel J Walsh [email protected]
• Eduardo Vega [email protected]
• Feng Sun [email protected]
• Giuseppe Scrivano [email protected]
• Jeff Zvier [email protected]
• Kenta Tada [email protected]
• Kir Kolyshkin [email protected]
• Manabu Sugimoto [email protected]
• Mauricio Vásquez [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Paweł Szulik [email protected]
• Peter Hunt [email protected]
• Piotr Wagner [email protected]
• Sascha Grunert [email protected]
• SataQiu [email protected]
• Sebastiaan van Stijn [email protected]
• Shengjing Zhu [email protected]
• Shukui Yang [email protected]
• wangtianxia [email protected]
• Wei Fu [email protected]
• Xiaochen Shen [email protected]
• Xiaodong Liu [email protected]

Vote: +6 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

This release contains a hotfix to solve a regression in v1.0.0-rc91 that concerns Docker (this only affects Docker's vendoring of libcontainer, not the usage of runc as the runtime):

• Fix helpers used by Docker to correctly handle symlinks in /dev (when running with --privileged containers).

As well as some other improvements:

• Updates to CRIU support.
• Improvements to cgroupfs performance and correctness.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Daniel J Walsh [email protected]
• Giuseppe Scrivano [email protected]
• John Hwang [email protected]
• Kir Kolyshkin [email protected]
• Lokesh Mandvekar [email protected]
• Mrunal Patel [email protected]
• Sebastiaan van Stijn [email protected]
• tjucoder [email protected]
• Xiaodong Liu [email protected]
• Xiaoyu Zhang [email protected]
• zvier [email protected]

Vote: +4 -0 #3 Signed-off-by: Aleksa Sarai [email protected]

This is intended to be the second-last RC release, with -rc92 having very few large changes so that we can release runc 1.0 (at long last).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

• The long-awaited hooks changes have been merged into runc. This was one of the few remaining spec-related issues which were blocking us from releasing runc 1.0. Existing hook users will not be affected by this change, but runc now supports additional hooks that we expect users to migrate to eventually. The new hooks are:

  • createRuntime (replacement for the now-deprecated prestart)
  • createContainer
  • startContainer

• A large amount of effort has been undertaken to support cgroupv2 within runc. The support is still considered experimental, but it is mostly functional at this point. Please report any bugs you find when running under cgroupv2-only systems.

• A minor-severity security bug was fixed. The devices list would be in allow-by-default mode from the outset, meaning that users would have to explicitly specify they wish to deny all device access at the beginning of the configuration. While this would normally be considered a high-severity vulnerability, all known users of runc had worked around this issue several years ago (hence why this fairly obvious bug was masked).

  In addition, the devices list code has been massively improved such that it will attempt to avoid causing spurrious errors in the container (such as while writing to /dev/null) when doing devices cgroup updates.

• A security audit of runc was conducted in 2019, and the report PDF is now included in the runc repository. The previous release of runc has already addressed the security issues found in that report.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Alban Crequy [email protected]
• Aleksa Sarai [email protected]
• Alice Frosi [email protected]
• Amye Scavarda Perrin [email protected]
• Andrei Vagin [email protected]
• Boris Popovschi [email protected]
• Brian Goff [email protected]
• Chris Aniszczyk [email protected]
• Danail Branekov [email protected]
• Giuseppe Scrivano [email protected]
• iwankgb [email protected]
• John Hwang [email protected]
• Katarzyna Kujawa [email protected]
• Kenta Tada [email protected]
• Kir Kolyshkin [email protected]
• Kir Kolyshkin [email protected]
• Kohei Ota [email protected]
• l00397676 [email protected]
• Lifubang [email protected]
• Mario Nitchev [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Odin Ugedal [email protected]
• Paweł Szulik [email protected]
• Peter Hunt [email protected]
• Pradyumna Agrawal [email protected]
• Qiang Huang [email protected]
• Renaud Gaubert [email protected]
• Sascha Grunert [email protected]
• Sebastiaan van Stijn [email protected]
• SiYu Zhao [email protected]
• Ted Yu [email protected]
• Tianjia Zhang [email protected]
• Tianon Gravi [email protected]
• Tobias Klauser [email protected]
• wanghuaiqing [email protected]
• W. Trevor King [email protected]
• Yulia Nedyalkova [email protected]
• zyu [email protected]

NOTE: For those who are confused by the massive version jump (rc10 to rc91), this was done to avoid issues with SemVer and lexical comparisons -- there haven't been 90 other release candidates. Please also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399 for more details.

Vote: +7 -0 #0 Signed-off-by: Aleksa Sarai [email protected]

This release is identical to v1.0.0-rc10 (and thus the version string in the binary will be v1.0.0-rc10).

The purpose of this release is to resolve an issue with our versioning scheme (in particular, the format we've used under SemVer means that the "-rcNN" string suffix is sorted lexicographically rather than in the classic sort -V order).

Because we cannot do a post-1.0 release yet, this is a workaround to make sure that systems such as Go modules correctly update to the latest runc release. See #2399 for more details.

The next release (which would've originally been called -rc11) will be 1.0.0-rc91. I'm sorry.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Signed-off-by: Aleksa Sarai [email protected]

This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given that the relevant runtime-spec PR which was considered a blocker has been merged the next rc release of runc should be the last one before 1.0.0.

Other notable changes include:

• Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).
• Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• James Peach [email protected]
• Jordan Liggitt [email protected]
• Julia Nedialkova [email protected]
• Julio Montes [email protected]
• Kevin Kelani [email protected]
• Kurnia D Win [email protected]
• Manuel Rüger [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Qiang Huang [email protected]
• Radostin Stoyanov [email protected]
• Sascha Grunert [email protected]
• tianye15 [email protected]

Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Andreas Stocker [email protected]
• blacktop [email protected]
• Carlos de Paula [email protected]
• Danail Branekov [email protected]
• Daniel J Walsh [email protected]
• Erik Sipsma [email protected]
• Filipe Brandenburger [email protected]
• Georgi Sabev [email protected]
• Giuseppe Scrivano [email protected]
• Howard Zhang [email protected]
• Joe Burianek [email protected]
• Jonathan Rudenberg [email protected]
• Julien Durillon [email protected]
• Kenta Tada [email protected]
• Lifubang [email protected]
• Marco Vedovati [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Odin Ugedal [email protected]
• Qiang Huang [email protected]
• sashayakovtseva [email protected]
• Sebastiaan van Stijn [email protected]
• Xiaochen Shen [email protected]
• Xiao YongBiao [email protected]

Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736.

Bugs: #2032 #2031 #2043

At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to the following people who made this release possible:

• Aleksa Sarai [email protected]
• Daniel J Walsh [email protected]
• lifubang [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]

Signed-off-by: Aleksa Sarai [email protected]

WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.

Due to CVE-2019-5736, we had to do another -rc release so users can update. We hope to be able to release 1.0.0 in the near future (there is still an outstanding spec-compliance issue with OCI hooks which we need to resolve first).

This also updates runc to a vendored commit of the runtime-spec rather than a full release, which will hopefully be rectified with runc 1.0.0.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Security:

• Mitigate CVE-2019-5736. This is an updated version of the patch series sent out on openwall and we encourage users to update. #1982 #1984

  NOTE: This mitigation WILL NOT WORK if you run untrusted containers with host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN privileged users).

  Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers without user namespaces to be fundamentally insecure, as such we do not consider this to be a security issue.

  If you want an additional host-level mitigation, use chattr +i on the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to it -- even with CAP_SYS_ADMIN. But as above, if you give CAP_LINUX_IMMUTABLE to a container you will have problems.

  An alternative is to bind-mount a sealed memfd copy of the runc binary over the binary (runc will detect this and will not attempt further mitigation, because sealed memfds are fundamentally unmodifiable) but this requires more in-depth work by administrators.

• There appear to be production users of --no-pivot-root, which is something that we absolutely recommend against and do not consider to be a secure configuration -- since pivot_root(2) has many security properties that are not possible to provide with just chroot(2).

  However, a specific issue was discovered which we decided to mitigate in order to avoid production users being exploited by it. This security issue is not elligible for a CVE because it requires an insecure configuration (--no-pivot-root). #1962

Features:

• Add intelrdt support for MBA to runc (a new intelrdt feature available in Linux 4.18+). #1919
• Add support for specifying a CRIU configuration file for checkpoint/restore (which makes use of a new org.criu.config annotation). #1933 #1964
• Add support for "runc exec --preserve-fds". #1995

• Added support for SELinux labeling of keyrings. #2012

Fixes:

• Correct handling of "runc kill" when a container is stopped or paused. #1934 #1943
• Error out if built with nokmem and kmemcg limits were requested. #1939
• Update check-config.sh to be in line with Docker's. #1942
• Improve handling of kmem and the systemd cgroup driver. #1960
• Improve resilience of adding setns tasks to cgroups. #1950

• Remove (broken) detection of .scope for systemd. #1978

• Fix console hanging with preserve-fds, where not enough fds have actually been provided to runc (which is a very common mistake when using --preserve-fds). #2000
• Create bind-mounts when restoring. #1968
• Fix regression of zombie "runc init" processes. #2023

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors that made this release possible:

• Ace-Tang [email protected]
• Adrian Reber [email protected]
• Aleksa Sarai [email protected]
• Alex Fang [email protected]
• Christian Brauner [email protected]
• Danail Branekov [email protected]
• Daniel, Dao Quang Minh [email protected]
• Daniel J Walsh [email protected]
• Filipe Brandenburger [email protected]
• Giuseppe Scrivano [email protected]
• JoeWrightss [email protected]
• John Howard [email protected]
• Justin Cormack [email protected]
• Kenta Tada [email protected]
• Lifubang [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Tom Godkin [email protected]
• Vincent Batts [email protected]
• Xiaochen Shen [email protected]

With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have both decided to give up their maintainership. Thanks for all of your contributions over the years, and good luck with your future endeavours!

Signed-off-by: Aleksa Sarai [email protected]

This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0) it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turns out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem all require a lot of time and co-ordination, and thus would stall this release indefinitely.

So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features:

• Upgrade to using Go 1.10. #1711
• Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
• Allow for checkpoint-restore into a foreign network namespace. #1849
• The "type" field for bind-mounts is now ignored. This is important, because many users incorrectly assume that "type" defines a bind-mount and not "options". Previously you had to set both. #1753 #1845
• "setgroups=allow" is now possible in rootless mode, but requires the use of the privileged newgidmap helper (fully-rootless still requires "setgroups=deny"). #1693
• Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
• Several aspects of rootless mode are now used inside user namespaces. This is necessary for a bunch of useful things (such as running Docker inside an user namespace), but did cause some breakages. We think they've all been fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862
• Improve kernel.{domain,host}name sysctl handling, to allow the NIS domainname to be set from Docker or other callers without an OCI spec change. #1827
• Add documentation for one of the more confusion parts of runc, how terminals are handled (including an explanation of --console-socket). All the gory details and recommendations are available in docs/terminals.md. #1730
• Allow /proc to be bind-mounted over (useful for rootless containers). #1832
• Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker working with LXC under the default seccomp profile (which is what ChromeOS uses). #1893
• Add support for the Intel RDT/MBA resource control system. #1632 #1913
• Allow building with completely-disabled kmemcg support, to get around problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting enabled). #1921 #1922 #1930
• Add support for cgroup namespaces, which in turn fixes a few other issues we encountered with the previous code (which could be moving us to a cgroup during Go execution). #1916

Fixes:

• Namespace creation with user namespaces now plays a bit nicer with SELinux and IPC (which had a bug where the in-kernel mqueue mount would have the wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to avoid future problems with broken kernel integration. #1562
• Mild refactor of libcontainer/user. #1749
• Fix null-pointer-exception when no cgroups were set. #1752
• Various DBus and systemd related changes for the systemd-cgroup driver. #1754 #1772 #1776 #1781 #1805 #1917
• Apply SELinux label to masked directories. #1756
• Obey the XDG spec and set the sticky bit on runc's root when using XDG_RUNTIME_DIR (in rootless mode). #1760
• Only configure network namespaces if we are creating them. #1777
• Fix race in runc-exec against a currently-exiting pid1. #1812
• Forward GOMAXPROCS to try to reduce the number of threads started by 'runc init'. Unforunately there's no way to stop Go from spawning new threads so this is more of a recommendation. #1830
• Fix tmpcopyup in cases where /tmp is not a private mount. #1873
• Whitelist /proc/loadavg for bind-mounting. #1882
• Protect against deletion of runc state directory with a containerid of "..", as well as the addition of other path hardening code. #1883
• Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work on distributions that use-and-abuse shared subtrees. #1817
• Fix console hanging in several cases. #1895 #1897
• Lock-to-a-thread during 'runc init' to ensure that that we don't switch threads and run within a different SELinux label. #1814
• Respect cgroupPath when trying to find the cgroupfs mountpoint (which can happen in cases where containers are given different cgroupfs mounts). #1872
• And many other minor changes, many from first-time contributors! #1746 #1748 #1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840 #1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908 #1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911

Fixes (for spec violations):

• Don't set a container to "running" when exec-ing into it (because it might be in the "created" state). #1771
• oom_score_adj is now no longer modified if it was unspecified in config.json (this was a spec violation). #1759
• Set "status" in hook stdin, as well as switch to using *spec.State to avoid JSON-representation drift. #1741

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors that made this release possible:

• Ace-Tang [email protected]
• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Alban Crequy [email protected]
• Aleksa Sarai [email protected]
• Alex Glikson [email protected]
• Andrei Vagin [email protected]
• Antonio Murdaca [email protected]
• Bin Chen [email protected]
• ChangFeng [email protected]
• Chris Aniszczyk [email protected]
• Danail Branekov [email protected]
• Daniel, Dao Quang Minh [email protected]
• Daniel J Walsh [email protected]
• Denys Smirnov [email protected]
• Derek Carr [email protected]
• dlorenc [email protected]
• Dmitry Smirnov [email protected]
• Dominik Süß [email protected]
• Filipe Brandenburger [email protected]
• Giuseppe Scrivano [email protected]
• Harald Nordgren [email protected]
• Jay Kamat [email protected]
• Jonathan Marler [email protected]
• Kenta Tada [email protected]
• Kir Kolyshkin [email protected]
• Lifubang [email protected]
• Lin Yang [email protected]
• Marco Vedovati [email protected]
• Michael Crosby [email protected]
• Mike Brown [email protected]
• Mrunal Patel [email protected]
• Nalin Dahyabhai [email protected]
• Qiang Huang [email protected]
• Sebastien Boeuf [email protected]
• Sergio Lopez [email protected]
• Tamal Saha [email protected]
• Tibor Vass [email protected]
• vikaschoudhary16 [email protected]
• Vincent Batts [email protected]
• W. Trevor King [email protected]
• Xiaochen Shen [email protected]
• Yan Zhu [email protected]
• Yuanhong Peng [email protected]

Signed-off-by: Aleksa Sarai [email protected]

This is planned to be the final -rc release of runc. While we really haven't followed the rules for release candidates (with huge features introduced each release, and with massive gaps between releases) the hope is that once we've release 1.0.0 we will be much more liberal with releases in future. Let's see how that pans out. :P

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features:

• Support cgroups in rootless containers. This is a continuation of the previous work done, and allows for users that have specialised setups (such as having the LXC pam_cg.so module set up) to use cgroups with rootless containers. #1540
• Add support for newuidmap and newgidmap with rootless containers. This is a continuation of some previous work, and allows users that have /etc/sub{uid,gid} configured to use the shadow-utils setuid helpers. Note that this support doesn't restrict users that don't want to use setuid binaries at all. #1529
• runc will now use a chroot when mount namespaces aren't provided in the config.json. While chroot does have its (many) downsides, this does allow for specialised configurations to work properly. #1702
• Expose annotations to hooks, so that the hook can have more direct information about the container it is being run against. #1687
• Add "runc exec --additional-gids" support. #1608
• Allow more signals to be sent with "runc kill" than are defined by Go's syscall package. #1706
• Emit an error if users try to use MS_PRIVATE with --no-pivot, as that is simply not safe. #1606
• Add support for "unbindable" and "runbindable" as rootfs propagation. #1655
• Implement intelrdt support in runc. #1279 #1590
• Add support for lazy migration with CRIU. This includes the addition of "runc checkpoint httpd" which acts as a remote pagefault request server. #1541
• Add MIPS support. #1475

Fixes:

• Delay seccomp application as late as possible, to reduce the syscall footprint of runc on profiles. #1569

• Fix --read-only containers with user namespaces, which would previously fail under Docker because of privilege problems when trying to do the read-only remount. #1572

• Switch away from stateDirFd entirely. This is an improvement over the protections we added for CVE-2016-9962, and protects against many other possible container escape bugs. #1570

• Handle races between "runc start" and "runc delete" over the exec FIFO correctly, and avoid blocking "runc start" indefinitely. #1698

• Correctly generate seccomp profiles that place requirements on syscall arguments, as well as multi-argument restrictions. #1616 #1424

• Prospective patch for remounting of old-root during pivot_root. This is intended to solve one of the many "mount leak" bugs that have been popping up recently -- caused by lots of container churn and host mounts being pinned during container setup. #1500

• Fix "runc exec" on big-endian architectures. #1727

• Correct systemd slice expansion to work with cAdvisor. #1722

• Fix races against systemd cgroup scope creation. #1683

• Do not wait for signalled processes if libcontainer is running in a process that is a subreaper. #1678

• Remove dependency on libapparmor entirely, and just use /proc/$pid/attr directly. #1675

• Improvements to our integration tests. #1661 #1629 #1528

• Handle systemd's quirky CPUQuotaPerSecUSec handling in fractions-of-a-percent edge-cases. #1651

• Remove docker/docker import in runc by moving the package to runc. #1644

• Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622

• Enable integration and unit tests on arm64. #1642 #1640

• Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539). #1641

• Add several tests for specconv. #1626 #1619

• Add more extensive tests for terminal handling. #1357

• Always write freezer state during retry-loop, to avoid an indefinite hang when new tasks are spawned in the container. #1610

• Create cwd when it doesn't exist in the container. #1604

• Set initial console size based on process spec, to avoid SIGWINCH races where initial console size is completely wrong. #1275

• Small fixes for static builds. #1579 #1577

• Use epoll for PTY IO, to avoid issues with systemd's SAK protections. #1455

• Update state.json after a "runc update". #1558

• Switch to umoci's release scripts, to use a more "standardised" and distribution-friendly release scheme. Several makefile-fixes included as well. #1554 #1542 #1555

• Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506

• Use CRIU's RPC to check the version. #1535

• Always save own namespace paths rather than the path given during start-up, to avoid issues where the path disappears afterwards. #1477

• Fix that we incorrectly set the owners of devices. This is still (subtly) broken in user namespaces, but will be fixed in a future version. #1743

• Lots of other miscellaneous fixes and cleanups, many of which were written by first-time contributors. Thanks for contributing, and welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682 #1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206 #1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588 #1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553 #1548 #1544 #1545 #1537

Removals:

• Andrej Vagin stepped down as a maintainer. Thanks for all of your hard work Andrej, and have fun working on your other projects! #1543

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors that made this release possible:

• Adrian Reber [email protected]
• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Alex Fang [email protected]
• Allen Sun [email protected]
• Andrei Vagin [email protected]
• Antonio Murdaca [email protected]
• Bin Lu [email protected]
• Danail Branekov [email protected]
• Daniel, Dao Quang Minh [email protected]
• Ed King [email protected]
• Euan Kemp [email protected]
• Giuseppe Scrivano [email protected]
• Jianyong Wu [email protected]
• Kenfe-Mickael Laventure [email protected]
• Konstantinos Karampogias [email protected]
• leitwolf7 [email protected]
• Lorenzo Fontana [email protected]
• Ma Shimiao [email protected]
• Matthew Heon [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Nikolas Sepos [email protected]
• Peter Morjan [email protected]
• Petros Angelatos [email protected]
• Qiang Huang [email protected]
• ravisantoshgudimetla [email protected]
• s7v7nislands [email protected]
• Sebastien Boeuf [email protected]
• Seth Jennings [email protected]
• Steven Hartland [email protected]
• Sumit Sanghrajka [email protected]
• Taeung Song [email protected]
• Thomas Hipp [email protected]
• Tobias Klauser [email protected]
• Tom Godkin [email protected]
• Tycho Andersen [email protected]
• Valentin Kulesh [email protected]
• vikaschoudhary16 [email protected]
• Vincent Demeester [email protected]
• Vladimir Stefanovic [email protected]
• vsoch [email protected]
• Will Martin [email protected]
• W. Trevor King [email protected]
• Xiaochen Shen [email protected]
• ynirk [email protected]
• Yong Tang [email protected]
• Yuanhong Peng [email protected]
• yupeng [email protected]

Vote: +5 -0 #2 Signed-off-by: Aleksa Sarai [email protected]

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features:

• runc now supports v1.0.0 of the OCI runtime specification. #1527
• Rootless containers support has been released. The current state of this feature is that it only supports single-{uid,gid} mappings as an unprivileged user, and cgroups are completely unsupported. Work is being done to improve this. #774
• Rather than relying on CRIU version nnumbers, actually check if the system supports pre-dumping. #1371
• Allow the PIDs cgroup limit to be updated. #1423
• Add support for checkpoint/restore of containers with orphaned PTYs (which is effectively all containers with terminal=true). #1355
• Permit prestart hooks to modify the cgroup configuration of a container. #1239
• Add support for a wide variety of mount options. #1460
• Expose memory.use_hierarchy in MemoryStats. #1378

Fixes:

• Fix incorrect handling of systems without the freezer cgroup. #1387
• Many, many changes to switch away from Go's "syscall" stdlib to "golang.org/x/sys/unix". #1394 #1398 #1442 #1464 #1467 #1470 #1474 #1478 #1491 #1482 #1504 #1519 #1530
• Set cgroup resources when restoring a container. #1399
• Switch back to using /sbin as the installation directory. #1406
• Remove the arbitrary container ID length restriction. #1435
• Make container force deletion ignore non-existent containers. #1451
• Improve handling of arbitrary cgroup mount locations when populating cpuset. #1372
• Make the SaneTerminal interface public. #1479
• Fix cases where runc would report a container to be in a "Running" state if the init was a zombie or dead. #1489
• Do not set supplementary groups for numeric users. #1450
• Fix various issues with the "owner" field in runc-list. #1516
• Many other miscellaneous fixes, some of which were made by first-time contributors. Thanks, and welcome to the project! #1406 #1400 #1365 #1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438 #1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533

Removals:

• Remove any semblance of non-Linux support. #1502
• We no longer use shfmt for testing. #1510

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp
• libapparmor

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

• Adrian Reber [email protected]
• Aleksa Sarai [email protected]
• Andrei Vagin [email protected]
• Antonio Murdaca [email protected]
• chchliang [email protected]
• Christy Perez [email protected]
• Craig Furman [email protected]
• CuiHaozhi [email protected]
• Daniel, Dao Quang Minh [email protected]
• Derek Carr [email protected]
• Harshal Patil [email protected]
• Jonh Wendell [email protected]
• Justin Cormack [email protected]
• Kang Liang [email protected]
• Kenfe-Mickael Laventure [email protected]
• Konstantinos Karampogias [email protected]
• Ma Shimiao [email protected]
• Michael Crosby [email protected]
• Mrunal Patel [email protected]
• Qiang Huang [email protected]
• Steven Hartland [email protected]
• Tim Potter [email protected]
• Tobias Klauser [email protected]
• Valentin Rothberg [email protected]
• Vincent Batts [email protected]
• Wentao Zhang [email protected]
• Will Martin [email protected]
• W. Trevor King [email protected]
• yangshukui [email protected]
• Zhang Wei [email protected]

Vote-Closed: [Wed Aug 9 05:28:38 UTC 2017] Vote-Results: [+5 -0 /2]

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features:

• Add slice management support to the systemd cgroup driver. Checks are done to make sure that systemd supports the feature. #1084
• Support for readonly mount labels. #1112
• Add a tmpcopyup mount extension for tmpfs mounts that are mounted over already existing directories, allowing for the contents of a volume to be copied up transparently. #845

• Switch our pivot_root usage to no longer require temporary directories, improving the state of containters running in entirely readonly contexts. #1125 #1148

• Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
• Reimplement console handling to use AF_UNIX sockets such that the console is created inside the container's (namespaced) devpts instance, solving a wide variety of historical pty bugs with runC. #1018 #1356

• Support overlayfs in mounts. #1314

• Support creating devices with types 'p' and 'u'. #1321
• Add --preserve-fds=N to create and run commands. #1320
• Add pre-dump and parent-path to checkpoint. #1001
• Update to runtime-spec v1.0.0-rc5. #1370

Fixes:

• Remove check for binding to /. #1090
• Ensure we log to logrus on command errors. #1089
• Don't enable kmem limits if they're not specified in the config. #1095
• Handle cases where specs.Resources.* members would cause null dereferences. #1111 #1116
• Fix bugs in the GetProcessStartTime implementation. #1136
• Make sysctl config validation checks handle network namespaces more gracefully. #1138 #1149
• Guarantee correct namespace creation ordering. This is part of the rootless container patchset, and is also required in certain SELinux setups. #977
• Stop screwing around with '\n' in console output. #1146
• Fix cpuset.cpu_exclusive handling. #1194
• Sync HookState with the OCI specification. #1201
• Split remounting mountpoints and bindmounts, resolving issues with mount options being dropped in certain cases. #1222
• Fix leftover cgroup directory issue. #1196
• Handle config.Devices and config.MaskPaths in checkpoint. #1110.
• Don't create combined cgroup subsystem names. #1268
• Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
• Race condition when synchronising with children and grandchildren in nsexec.c. #1237
• Fix state checks to no longer depend on _LIBCONTAINER being present in the environment, fixing both bugs as well as being part of the rootless container patchset. #1317
• Fix systemd-notify when using different PID namespaces, and allow detach+notify socket. #1308
• Don't fchown when inheriting stdio, which is necessary for rootless containers in certain scenarios. #1354
• Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
• Add devices to whitelist for LXD, to make runC under LXC/LXD work better. #1327
• Many improvements to testing. #1121 #1131 #1132 #1147

Security:

• Several fixes for CVE-2016-9962. 5d93fed3d27f #1274

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp
• libapparmor

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors that made this release possible:

• Qiang Huang [email protected]
• Aleksa Sarai [email protected]
• Mrunal Patel [email protected]
• Michael Crosby [email protected]
• Wang Long [email protected]
• Daniel, Dao Quang Minh [email protected]
• rajasec [email protected]
• Zhang Wei [email protected]
• Steven Hartland [email protected]
• Giuseppe Scrivano [email protected]
• Shukui Yang [email protected]
• Ma Shimiao [email protected]
• Daniel Dao [email protected]
• CuiHaozhi [email protected]
• Antonio Murdaca [email protected]
• Xianglin Gao [email protected]
• Lei Jitang [email protected]
• Justin Cormack [email protected]
• Dan Walsh [email protected]
• Daniel Martí [email protected]
• Ce Gao [email protected]
• allencloud [email protected]
• Alexander Morozov [email protected]
• yupeng [email protected]
• Yuanhong Peng [email protected]
• Yong Tang [email protected]
• xuxinkun [email protected]
• Xianlu Bird [email protected]
• William Martin [email protected]
• Wentao Zhang [email protected]
• Vivek Goyal [email protected]
• Samuel Ortiz [email protected]
• rainrambler [email protected]
• Mohammad Arab [email protected]
• Michal Rostecki [email protected]
• Máximo Cuadros [email protected]
• Kenfe-Mickael Laventure [email protected]
• Ian Campbell [email protected]
• Harry Zhang [email protected]
• Fengtu Wang [email protected]
• Eric Paris [email protected]
• Derek Carr [email protected]
• Deng Guangxing [email protected]
• CuiHaozhi [email protected]
• Crazykev [email protected]
• Chris Aniszczyk [email protected]
• Casey Callendrello [email protected]
• Carlton-Semple [email protected]
• Brian Goff [email protected]
• Andrew Vagin [email protected]

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features

• {create,run}: add --no-new-keyring flag so that a new session keyring is not created for the container and the calling process's keyring is inherited.
• restore: add --empty-ns flag to tell CRIU to only create a network namespace for a container and not populate it (allowing higher levels to correctly handle re-creating the network namespace).
• {create,start}: use a FIFO rather than signals to signal the starting of a container. This removes the Go version restriction, and also avoids potential issues with Go's signal handling.
• exec: allow additional groups to be overridden.
• delete: add --force flag.
• exec: disable the subreaper option entirely, because the option causes many issues with reparenting in the context of containers. This is not a complete fix, which is intended to land for -rc3. Using the removed option will be silently ignored by runC.
• {create,run}: add support for masking directories with MaskPaths.
• delete: allow for the deletion of multiple containers in one cmdline.
• build: add make release for distributions.

Fixes

• Major improvements and fixes to CLI handling. Now commands like runc ps and runc exec will act sanely when you're trying to use flags that are not meant to be parsed by runC.
• Set the cp.rt_* cgroup options correctly so that runC running in SCHED_RR (realtime) mode can operate properly.
• Massive improvements to kmem limit detection to ensure that we only attempt to change memory.kmem.* if it is safe to do so.
• Part of a major cleanup of the nsenter code, with more intended to land before -rc3.
• Restored containers now have a start time, which is the time that the new container was started (not when the original container was started).
• Fix the default cgroupPath behaviour, so that we actually attach to subcgroups of all of the caller's current cgroups (rather than using the devices cgroup path for all other cgroups)
• Support 32bit UIDs on i386 with the setuid32(2) syscall.
• Add /proc/timer_list to the set of default masked paths.
• Do not create /dev/fuse by default.
• Parse cgroupPath correctly if it contains ':'.
• Add some more debugging information for the test suite, along with fixes for race conditions and other issues. In addition, add more integration tests for edge conditions.
• Improve check-config.sh script to handle more cases.
• Fix incorrect type when setting of net_cls classid.
• Lots of fixes to help pages and man pages.
• *: append -dirty to the version if the git repo is unclean.
• Fix the JSON tags for CpuRt* options.
• Cleanups to the rootfs setup code.
• Improve error messages related to SELinux.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp
• libapparmor

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors that made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Alexander Morozov [email protected]
• Andrew Vagin [email protected]
• Ben [email protected]
• Buddha Prakash [email protected]
• Carl Henrik Lunde [email protected]
• Christian Brauner [email protected]
• Dam Thomason [email protected]
• Dan Walsh [email protected]
• Daniel, Dao Quang Minh [email protected]
• Davanum Srinivas [email protected]
• Euan Kemp [email protected]
• Guilherme Rezende [email protected]
• Haiyan Meng [email protected]
• Hushan Jia [email protected]
• Jiuyue Ma [email protected]
• Johnny Bieren [email protected]
• Jonathan Boulle [email protected]
• Justin Cormack [email protected]
• Kenfe-Mickael Laventure [email protected]
• Michael Crosby [email protected]
• Mike Brown [email protected]
• Mrunal Patel [email protected]
• Peng Gao [email protected]
• Petar Petrov [email protected]
• Phil Estes [email protected]
• Qiang Huang [email protected]
• Serge Hallyn [email protected]
• Seth Jennings [email protected]
• Shukui Yang [email protected]
• Tristan Cacqueray [email protected]
• Vishnu kannan [email protected]
• Wang Long [email protected]
• Yang Hongyang [email protected]
• Yen-Lin Chen [email protected]
• Yuanhong Peng [email protected]
• Zhang Wei [email protected]
• Zhao Lei [email protected]
• rajasec [email protected]
• xiekeyang [email protected]

runc 1.0 Release Candidate 1

This is the first of the release candidates for OCI's runtime specification and runc version 1.0. Runc is now using the runtime-spec 1.0.0-rc1 release.

Breaking Changes

The large breaking change from the previous versions of runc to 1.0 is the create and start command changes. The previous start command functionality has been moved to the run command. runc run mycontainer. runc start does not perform the operations that it did before this release.

Create -> Start -> Delete

By splitting the create and start phase for a container it allows higher level systems to modify the container before the user defined process is started.

A simple example of using this new workflow would look something like this from the command line:

# create the container with the specified configuration 
runc create mycontainer

# at the point that create returns the container's environment is fully setup but the user's specified process has not run

# you can place network interfaces inside the container 
# you can exec into the container
# you can modify the mount namespaces
runc exec mycontainer ps aux

# after your setup is complete you can start the user defined process
runc start mycontainer

# after start returns the user defied process inside your OCI config is running

# whenever the container exits you must delete the container removing any existing resources it still has
runc delete mycontainer

If you want the previous functionality where runc did this for you, use the runc run command.

Container State

You can get the container state and status by using the runc state command:

runc state mycontainer

{
  "ociVersion": "1.0.0-rc1",
  "id": "mycontainer",
  "pid": 18917,
  "bundlePath": "/containers/mycontainer",
  "rootfsPath": "/containers/mycontainer/rootfs",
  "status": "running",
  "created": "2016-06-03T21:23:42.401668933Z",
  "annotations": {
    "something": "else"
  }
}

ps command

A ps command was added to show the processes inside the container:

runc ps influxdb
UID        PID  PPID  C STIME TTY          TIME CMD
1000  18936 18917  0 14:23 ?        00:00:06 influxd -config /home/influxdb/influxdb.conf

Other Updates

• Added seccomp support for more architectures
• Stable stats output
• Added update command for dynamically updating container resources
• bash completion and man pages

Please help in testing and please report any issues to the issue tracker on github. Thanks!

• OCI Maintainers

Usage

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   1.0.0-rc1
commit: 04f275d4601ca7e5ff9460cec7f65e8dd15443ec
spec: 1.0.0-rc1

COMMANDS:
     checkpoint checkpoint a running container
     create create a container
     delete delete any resources held by the container often used with detached containers
     events display container events such as OOM notifications, cpu, memory, and IO usage statistics
     exec   execute new process inside the container
     init   initialize the namespaces and launch the process (do not call it outside of runc)
     kill   kill sends the specified signal (default: SIGTERM) to the container's init process
     list   lists containers started by runc with the given root
     pause  pause suspends all processes inside the container
     ps     ps displays the processes running inside a container
     restore    restore a container from a previous checkpoint
     resume resumes all processes that have been previously paused
     run    create and run a container
     spec   create a new specification file
     start  start signals a created container to execute the user defined process
     state  output the state of a container
     update update container resource constraints

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log value      set the log file path where internal debug information is written (default: "/dev/null")
   --log-format value   set the format used by logs ('text' (default), or 'json') (default: "text")
   --root value     root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
   --criu value     path to the criu binary used for checkpoint and restore (default: "criu")
   --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
   --help, -h       show help
   --version, -v    print the version

runc 0.1.1

This release includes a bug fix for adding the selinux mount label in the specification.

This release updates runc to the OCI runtime specification v0.5.0 and includes various fixes and features.

Features:

• cgroups: pid limits and stats
• cgroups: kmem stats
• systemd cgroup support
• libcontainer specconv package
• no pivot root option
• numeric ids are treated as uid/gid
• hook improvements

Bug Fixes:

• log flushing
• atomic pid file creation
• init error recovery
• seccomp logging removed
• delete container on aborted start
• /dev bind mount handling

runc 0.0.9

This new release of runc includes the specification v0.4 changes. The backwards incompatible changes includes moving process specific settings like capabilities, rlimits, apparmor, and selinux process label from the container configuration to the process configuration. Be sure to update your config.json files for these changes or they will not be applied to the container. You can always use the runc spec command to generate a compatible config.json based on the specification version that runc is currently using.

Updates:

• In this release runc has better support for errors and logging for use with the --log flag.
• Improved namespace sharing for joining PID namespaces.
• Allow all mount types inside the container's mount namespace.
• Updated masked and readonly paths for container's /proc.
• Better IO handling for container's STDIO.
• Unique session keyring support for containers.
• Container label support.
• No new privileges support.
• Various bug fixes and performance improvements.

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Format (OCF) and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container. 

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   0.0.9
spec version 0.4.0

COMMANDS:
   checkpoint   checkpoint a running container
   delete   delete any resources held by the container often used with detached containers
   events   display container events such as OOM notifications, cpu, memory, IO and network stats
   exec     execute new process inside the container
   init     init is used to initialize the containers namespaces and launch the users process.
    This command should not be called outside of runc.

   kill     kill sends the specified signal (default: SIGTERM) to the container's init process
   list     lists containers started by runc with the given root
   pause    pause suspends all processes inside the container
   restore  restore a container from a previous checkpoint
   resume   resumes all processes that have been previously paused
   spec     create a new specification file
   start    create and run a container
   state    output the state of a container
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log "/dev/null"    set the log file path where internal debug information is written
   --log-format "text"  set the format used by logs ('text' (default), or 'json')
   --root "/run/runc"   root directory for storage of container state (this should be located in tmpfs)
   --criu "criu"    path to the criu binary used for checkpoint and restore
   --help, -h       show help
   --version, -v    print the version

runc 0.0.8

This new release of runc supports the OCI runtime specification version 0.3.0. It includes changes such as the unified configuration file, separation of device creation and access, and many other usability updates.

New features

Detach

The detach flag allows runc to exit after it spawns the container and reparents the process to system init. You no longer have a long running runc process as the parent of the container.

runc start -d test

Pid file

The pid-file flag allows runc to write the pid of the process run inside the container to a file so that existing init systems can wait on it and allows runc to exit.

runc start -d --pid-file test.pid test

Delete command

The delete command allows runc to delete the container's state after it has exited for use with the detach flag.

runc delete test

List command

The list command will list all containers running on a system that were spawned by runc.

> runc list
ID          PID         STATUS      CREATED
test        15278       running     2016-02-10T22:21:09.415768192Z

Exec command updates

The exec command now allows you to use a json file for the process configuration or pass the arguments and settings via flags and args.

> runc exec --tty --env TEST=1 -- test ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4476   900 ?        Ss+  22:23   0:00 sh
root        13  0.0  0.0  15600  2116 ?        Rs+  22:23   0:00 ps aux

Container ids

Container ids are required for every command in runc. You pass the container id as argument 1 to the commands to specify which container you want to interact with. This was always the case before in runc but hidden behind a --id flag.

> runc start test
> runc events test
> runc kill test

Update to spec 0.3.0

Be sure to use the runc spec command to generate a new base template for your containers based on the specification and the unified configuration file.

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Format (OCF) and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

After creating config files for your root filesystem with runc, you can execute 
a container in your shell by running:

    # cd /mycontainer
    # runc start [ -b bundle ] <container-id>

If not specified, the default value for the 'bundle' is the current directory.
'Bundle' is the directory where 'config.json' must be located.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   0.0.8
spec version 0.3.0

COMMANDS:
   checkpoint   checkpoint a running container
   delete       delete any resources held by the container often used with detached containers
   events       display container events such as OOM notifications, cpu, memory, IO and network stats
   exec         execute new process inside the container
   kill         kill sends the specified signal (default: SIGTERM) to the container's init process
   list         lists containers started by runc with the given root
   pause        pause suspends all processes inside the container
   restore      restore a container from a previous checkpoint
   resume       resumes all processes that have been previously paused
   spec         create a new specification file
   start        create and run a container
   help, h      Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                                      enable debug output for logging
   --log                                        set the log file path where internal debug information is written
   --log-format "text"                          set the format used by logs ('text' (default), or 'json')
   --root "/run/opencontainer/containers"       root directory for storage of container state (this should be located in tmpfs)
   --criu "criu"                                path to the criu binary used for checkpoint and restore
   --help, -h                                   show help
   --version, -v                                print the version

MD5 hases for the downloadable runc binaries in this release are:

• runc-amd64: 966cf271c2923b64d2d7ad0be9ffdc6e