Runc - CLI tool for spawning and running containers according to the OCI specification

Overview

runc

Go Report Card GoDoc CII Best Practices gha/validate gha/ci

Introduction

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

Releases

You can find official releases of runc on the release page.

Security

The reporting process and disclosure communications are outlined here.

Security Audit

A third party security audit was performed by Cure53, you can see the full report here.

Building

runc only supports Linux. It must be built with Go version 1.16 or higher.

In order to enable seccomp support you will need to install libseccomp on your platform.

e.g. libseccomp-devel for CentOS, or libseccomp-dev for Ubuntu

# create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers
git clone https://github.com/opencontainers/runc
cd runc

make
sudo make install

You can also use go get to install to your GOPATH, assuming that you have a github.com parent folder already created under src:

go get github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
make
sudo make install

runc will be installed to /usr/local/sbin/runc on your system.

Build Tags

runc supports optional build tags for compiling support of various features, with some of them enabled by default (see BUILDTAGS in top-level Makefile).

To change build tags from the default, set the BUILDTAGS variable for make, e.g. to disable seccomp:

make BUILDTAGS=""
Build Tag Feature Enabled by default Dependency
seccomp Syscall filtering yes libseccomp

The following build tags were used earlier, but are now obsoleted:

  • nokmem (since runc v1.0.0-rc94 kernel memory settings are ignored)
  • apparmor (since runc v1.0.0-rc93 the feature is always enabled)
  • selinux (since runc v1.0.0-rc93 the feature is always enabled)

Running the test suite

runc currently supports running its test suite via Docker. To run the suite just type make test.

make test

There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.

You can run a specific test case by setting the TESTFLAGS variable.

# make test TESTFLAGS="-run=SomeTestFunction"

You can run a specific integration test by setting the TESTPATH variable.

# make test TESTPATH="/checkpoint.bats"

You can run a specific rootless integration test by setting the ROOTLESS_TESTPATH variable.

# make test ROOTLESS_TESTPATH="/checkpoint.bats"

You can run a test using your container engine's flags by setting CONTAINER_ENGINE_BUILD_FLAGS and CONTAINER_ENGINE_RUN_FLAGS variables.

# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"

Dependencies Management

runc uses Go Modules for dependencies management. Please refer to Go Modules for how to add or update new dependencies.

# Update vendored dependencies
make vendor
# Verify all dependencies
make verify-dependencies

Using runc

Please note that runc is a low level tool not designed with an end user in mind. It is mostly employed by other higher level container software.

Therefore, unless there is some specific use case that prevents the use of tools like Docker or Podman, it is not recommended to use runc directly.

If you still want to use runc, here's how.

Creating an OCI Bundle

In order to use runc you must have your container in the format of an OCI bundle. If you have Docker installed you can use its export method to acquire a root filesystem from an existing Docker container.

# create the top most bundle directory
mkdir /mycontainer
cd /mycontainer

# create the rootfs directory
mkdir rootfs

# export busybox via Docker into the rootfs directory
docker export $(docker create busybox) | tar -C rootfs -xvf -

After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. runc provides a spec command to generate a base template spec that you are then able to edit. To find features and documentation for fields in the spec please refer to the specs repository.

runc spec

Running Containers

Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.

The first way is to use the convenience command run that will handle creating, starting, and deleting the container after it exits.

# run as root
cd /mycontainer
runc run mycontainerid

If you used the unmodified runc spec template this should give you a sh session inside the container.

The second way to start a container is using the specs lifecycle operations. This gives you more power over how the container is created and managed while it is running. This will also launch the container in the background so you will have to edit the config.json to remove the terminal setting for the simple examples below (see more details about runc terminal handling). Your process field in the config.json should look like this below with "terminal": false and "args": ["sleep", "5"].

        "process": {
                "terminal": false,
                "user": {
                        "uid": 0,
                        "gid": 0
                },
                "args": [
                        "sleep", "5"
                ],
                "env": [
                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                        "TERM=xterm"
                ],
                "cwd": "/",
                "capabilities": {
                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "inheritable": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ]
                },
                "rlimits": [
                        {
                                "type": "RLIMIT_NOFILE",
                                "hard": 1024,
                                "soft": 1024
                        }
                ],
                "noNewPrivileges": true
        },

Now we can go through the lifecycle operations in your shell.

# run as root
cd /mycontainer
runc create mycontainerid

# view the container is created and in the "created" state
runc list

# start the process inside the container
runc start mycontainerid

# after 5 seconds view that the container has exited and is now in the stopped state
runc list

# now delete the container
runc delete mycontainerid

This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after create but before start.

Rootless containers

runc has the ability to run containers without root privileges. This is called rootless. You need to pass some parameters to runc in order to run rootless containers. See below and compare with the previous version.

Note: In order to use this feature, "User Namespaces" must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:

  • Confirm CONFIG_USER_NS=y is set in your kernel configuration (normally found in /proc/config.gz)
  • Arch/Debian: echo 1 > /proc/sys/kernel/unprivileged_userns_clone
  • RHEL/CentOS 7: echo 28633 > /proc/sys/user/max_user_namespaces

Run the following commands as an ordinary user:

# Same as the first example
mkdir ~/mycontainer
cd ~/mycontainer
mkdir rootfs
docker export $(docker create busybox) | tar -C rootfs -xvf -

# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
runc spec --rootless

# The --root parameter tells runc where to store the container state. It must be writable by the user.
runc --root /tmp/runc run mycontainerid

Supervisors

runc can be used with process supervisors and init systems to ensure that containers are restarted when they exit. An example systemd unit file looks something like this.

[Unit]
Description=Start My Container

[Service]
Type=forking
ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid
ExecStopPost=/usr/local/sbin/runc delete mycontainerid
WorkingDirectory=/mycontainer
PIDFile=/run/mycontainerid.pid

[Install]
WantedBy=multi-user.target

More documentation

License

The code and docs are released under the Apache 2.0 license.

Comments
  • Consoles, consoles, consoles.

    Consoles, consoles, consoles.

    This is the big console rewrite. For some design information, see this. TODO list:

    • [x] Implement the console masterfd passing.
    • [x] Rewrite parts of tty.go to work with the new setup.
    • [x] Remove --console and add --console-socket.
      • [x] Need to figure out a sane protocol for sending things to --console-socket.
      • [x] Write a small implementation of a --console-socket consumer as a sanity check [can be done in a separate PR].
    • [x] Figure out how to make the test suite behave.
      • [x] TestExecInTTY.
      • [x] bats integration.
    • [x] Need to figure out why runC is blocking on recvfd().

    Fixes #814, #910, docker/docker#11462, docker/docker#8755 and countless other issues. ~~Depends on #975, #977.~~ docker/docker#9212 and similar issues are not fixed by this patchset, as we still need to consider how to handle /dev/console in certain cases.

    Signed-off-by: Aleksa Sarai [email protected]

    status/0-triage 
    opened by cyphar 133
  • Rootless Containers

    Rootless Containers

    This enables the support for "rootless container mode". There are certain restrictions on what non-root users can do, resulting in several runC features not being available. ~~There are no checks in place at the moment to make this clear to users.~~ I've implemented the config validation.

    • All cgroup operations require having write access to your current cgroup directory. By default, the directories are owned by root and have the mode 0755. This means that we cannot set up any cgroups, or join cgroups. Therefore new cgroup namespace doesn't fix this for us either, but hopefully we can get a patch upstream to fix this. But we should still improve cgroup handling so that we apply any cgroups we can if we have write access to the directory.
    • setgroups(2) cannot be used in a non-privileged user namespace setup. We also have to set /proc/self/setgroups to "deny".
    • We cannot map any user other than ourselves in a rootless container, which means that any user-related directives won't work. You can only be "root".

    If you want to use this, you have to make sure you remove the gid=5 entry from the /dev/pts mount, and only map your own user in the namespace.

    Here's runc start working in both root and rootless setup: it works

    And here's runc exec working in both root and rootless setup: it also works

    TODO

    • [x] Provide a meaningful error message if the user specifies a configuration which maps more than one user (or doesn't map the effective user).
    • [x] Provide a meaningful error message (don't just ignore it) if the user tries to use the user directive to run as a different user.
    • [x] Provide a meaningful error message (don't just ignore it) if the user tries to specify any cgroup settings. Currently we can't provide cgroup settings (though it should be possible if the user just so happens to own the cgroup they currently reside in).
    • [x] runc exec doesn't work, and we should be able to implement it. This actually complicates the code in nsenter.c which checks whether the container is unprivileged. setgroup needs special treatment.
    • [x] runc exec doesnt' work with root running the exec and a rootless container (ironically). This is because we autodetect the rootless parameter on run, which isn't accurate. This can be fixed by storing the rootless flag in the state.json.
    • [x] rootless should be passed to the init through netlink. Currently we are doing the rootless check in two places and it doesn't make sense to do the check in nsenter.c -- we might actually have to do it with capability checks in the future.
    • [x] runc events doesn't work because the rootless.Manager doesn't appear to manage the paths properly, so it can't get any data from the cgroups.
    • [x] Add runc spec --rootless.
    • [x] loadContainer doesn't properly load the cgroup manager for the container, because the API forces that to happen (libcontainer.New() takes the cgroup manager as an argument). We can probably fix this by making it load the cgroup manager from the container state (but it might be ugly). Without this, we can't even hope to have runc pause and runc resume working.
    • :x: Currently the cgroup setup is binary (either we use cgroups or we don't). But since cgroupv1 lets you have different permissions on different hierarchies, we should check for each subsystem that we have access to create a subtree in that cgroup. Then we can support several setups (as well as the kernel patch I've proposed). This would require many changes in config validation. In addition, we would have to store what cgroups we are using in a bitmask (like in the kernel).
      • :x: This would require adding a bunch of tests to libcontainer/cgroup/rootless. Luckily we already all of the mock stuff we need in cgroupfs.
    • [x] Add unit tests to:
      • [x] libcontainer/config/validate/rootless
      • [x] libcontainer/specconv/spec_linux.go with Rootless == true.
      • :x: ~~libcontainer/cgroup/rootless~~ (not necessary at the moment)
    • [x] ~~Detaching doesn't work due to a bug in runC with --console and user namespaces. #814 and #883~~
    • [x] Add a setup for testing the rootless containers so we can make sure there's no regressions in this set up. We can try running the whole test suite (minus cgroups and a few other things). ~~All of the sniff tests should work.~~ The sniff tests are no more. ~~THIS IS CURRENTLY BLOCKED ON FIXING THE --console BUG.~~ The console bug has been fixed as part of #1018.
      • [x] We have to refactor all of the tests to use a wrapper around runc (so we can mess around with arguments in rootless mode).
      • [x] Also, we need to skip certain tests in rootless mode, since they are not supported.
    • [x] We currently cannot use network namespaces in a rootless container setup (and still connect to the network). A fix for this is to use the host network, but that currently doesn't work in runC (#799). It should also be noted that things like ping don't work in rootless containers (user namespace issues). #807 fixes the validation issue.
      • [x] Figure out why we still can't talk to the internet.
    • :x: Switch container.Processes() to join the container PID namespace, enumerate the list of PIDs and then send them over a UNIX socket (this causes the PIDs to be translated). The end result is to not require cgroups to enumerate PIDs (which actually isn't a good idea since processes may join sub-cgroups). This is necessary for runc ps and similar things to work properly.
      • :x: There are some unanswered questions about sending the PIDs though, because you need CAP_SYS_ADMIN in order to send a different PID. And there's also a valid question about atomicity (enumeration is not atomic, reading from cgroup.procs is).

    Open Questions

    What works?

    • As unprivileged user:
      • :x: ~~runc checkpoint~~ (while potentially possible, not implemented)
      • [x] runc create (#814)
      • [x] runc create --console (#814)
      • [x] runc delete
      • :x: ~~runc events~~ (not really useful -- cgroups)
      • [x] runc exec
      • [x] runc exec --console (#814)
      • [x] runc kill
      • [x] runc list
        • [x] with containers not readable by us.
      • :x: ~~runc pause~~ (cgroups)
      • :x: ~~runc ps~~ (cgroups)
      • :x: ~~runc restore~~ (while potentially possible, not implemented)
      • :x: ~~runc resume~~ (cgroups)
      • [x] runc run
      • [x] runc run -d --console (#814)
      • [x] runc spec
      • [x] runc start (create doesn't work -- #814)
      • [x] runc state
      • :x: ~~runc update~~ (cgroups)
    • As root:
      • :x: ~~runc checkpoint~~ (while potentially possible, not implemented)
      • [x] runc delete
      • :x: ~~runc events~~ (not really useful -- cgroups)
      • [x] runc exec
      • [x] runc exec --console (#814)
      • [x] runc kill
      • [x] runc list
      • :x: ~~runc pause~~ (cgroups)
      • :x: runc ps (cgroups)
      • :x: ~~runc restore~~ (while potentially possible, not implemented)
      • :x: ~~runc resume~~ (cgroups)
      • [x] runc run
      • [x] runc run -d --console (#814)
      • [x] runc spec
      • [x] runc start (create doesn't work -- #814)
      • [x] runc state
      • :x: ~~runc update~~ (cgroups)

    Kernel Patches

    • CLONE_NEWCGROUP fix to allow unprivileged processes to allow us to create subtrees.
      • [x] v1: https://lkml.org/lkml/2016/5/1/77
      • [x] v2: https://lkml.org/lkml/2016/5/1/87
      • [x] v3: https://lkml.org/lkml/2016/5/2/280
      • :x: v4: https://lkml.org/lkml/2016/5/13/576

    Implements #38.

    Signed-off-by: Aleksa Sarai [email protected]

    status/0-triage 
    opened by cyphar 76
  • cgroups: add pids controller support

    cgroups: add pids controller support

    Add support for the pids cgroup controller, a recent feature that is (see: will be) available in Linux 4.3.

    Closes #382

    Signed-off-by: Aleksa Sarai [email protected]

    opened by cyphar 75
  • Adjust runc to new opencontainers/specs version

    Adjust runc to new opencontainers/specs version

    I deleted possibility to specify config file from commands for now. Until we decide how it'll be done. Also I changed runc spec interface to write config files instead of output them.

    status/0-triage 
    opened by LK4D4 72
  • seccomp filter should return ENOSYS for unknown syscalls

    seccomp filter should return ENOSYS for unknown syscalls

    Currently, the seccomp filter installed on Linux returns EPERM even for system calls that are unknown. This is problematic when new system calls are added by Linux. Programs wishing to use the new system call will try to call it, and will implement a fallback mechanism when ENOSYS is returned (indicating the kernel doesn't support the call). However, when using containers, it will likely receive EPERM instead, failing instead of trying the fallback path.

    In addition to the list of acceptable syscalls, the container definition should include a maximum known syscall number. The seccomp filter should be configured such that calls above the maximum return ENOSYS. When new syscalls are added, the maximum can be increased after the seccomp policy is updated.

    opened by jethrogb 66
  • Open bind mount sources from the host userns

    Open bind mount sources from the host userns

    The source of the bind mount might not be accessible in a different usernamespace because a component of the source path might not be traversed under the users and groups mapped inside the user namespace. This caused errors such as the following:

      # time="2020-06-22T13:48:26Z" level=error msg="container_linux.go:367:
      starting container process caused: process_linux.go:459:
      container init caused: rootfs_linux.go:58:
      mounting \"/tmp/busyboxtest/source-inaccessible/dir\"
      to rootfs at \"/tmp/inaccessible\" caused:
      stat /tmp/busyboxtest/source-inaccessible/dir: permission denied"
    

    To solve this problem, this patch performs the following:

    1. in nsexec.c, it opens the source path in the host userns (so we have the right permissions to open it) but in the container mntns (so the kernel cross mntns mount check let us mount it later: https://github.com/torvalds/linux/blob/v5.8/fs/namespace.c#L2312).
    2. in nsexec.c, it passes the file descriptors of the source to the child process with SCM_RIGHTS.
    3. In runc-init in Golang, it finishes the mounts while inside the userns even without access to the some components of the source paths.

    Passing the fds with SCM_RIGHTS is necessary because once the child process is in the container mntns, it is already in the container userns so it cannot temporarily join the host mntns.

    This patch uses the existing mechanism with LIBCONTAINER* environment variables to pass the file descriptors from runc to runc init.

    This patch uses the existing mechanism with the Netlink-style bootstrap to pass information about the list of source mounts to nsexec.c.


    Fixes: https://github.com/opencontainers/runc/issues/2484

    TODO:

    • [x] It does not work yet when the bind mount is configured as read-only in config.json.
    • [x] Unit tests fail.
    • [x] a single env var to pass on all the mount fds
    impact/changelog 
    opened by alban 64
  • Support running runc as non/less privileged user

    Support running runc as non/less privileged user

    Right now runc requires to be run as root where technically it should be possible to run containers as unprivileged user (at least if user namespaces are used)

    opened by discordianfish 54
  • libcontainer: add support for Intel RDT/CAT in runc

    libcontainer: add support for Intel RDT/CAT in runc

    v5 commits: 4d2756c116315cd30b7ded82dfbb4bca78ceb627 libcontainer: add test cases for Intel RDT/CAT 692f6e1e27b2e4d38e1c9e0b463f7d1bfe3f7492 libcontainer: add support for Intel RDT/CAT in runc af3b0d9dce34fb0e91c58d823d0ad48268b0f988 libcontainer/SPEC.md: add documentation for Intel RDT/CAT

    Changes in v5: Reworked code according to @crosbymichael and @hqhq's comments:

    1. https://github.com/opencontainers/runc/pull/1279#issuecomment-319085278
    2. https://github.com/opencontainers/runc/pull/1279#issuecomment-320008325
    3. https://github.com/opencontainers/runc/pull/1279#issuecomment-319917615
    • Obsoleted the design of "refactor resource manager interface": removed generic resourceManagers, isolated IntelRdt functions without touching cgroups code, removed the static map with static keys on resourceManagers set.
    • Simplified IntelRdtManager implementation, removed "dead and empty" methods - GetPids(), GetAllPids(), Freeze(). Kept the required methods set - Apply(), GetStats(), Destroy(), GetPath(), and Set().
    • Re-implemented GetStats(), isolated cgroups.Stats and intelrdt.Stats and kept type safety on the Stats.
    • Changed test stuffs according to the functional rework.
    • Added read-only L3 cache info (CbmMask, MinCbmBits, and NumClosids) into Intelrdt.Stats. Runc users could run "runc events" to fetch the information, which helps know more about L3 cache capabilities and how to set correct L3 cache schema in different Intel Xeon platforms.

    v4 commits: b1c836632b1d426a66b0e39abbac3df176177bd2 libcontainer: add support for Intel RDT/CAT in runc 48d8ffe6b84a8d647cf1622a0b02a544752ac791 libcontainer/SPEC.md: add documentation for Intel RDT/CAT 8851a0db77a65b42f72e6711356dd401204ad436 libcontainer: refactor resource manager interface 80648193d0add2b155844e558634b41eabb9116f vendor: specs-go: update specs for Intel RDT/CAT

    Changes in v4: Rebased to latest master branch.


    v3 commits: be25a2030bec8113434e53e0ee1b99a6e0bfc7ed libcontainer: add support for Intel RDT/CAT in runc 96fd05fc7ab0bcca414efc3e9e4894dbe1df0e5d libcontainer/SPEC.md: add documentation for Intel RDT/CAT d5ac70d5ae68b514421a7c7f60475189191c70f1 libcontainer: refactor resource manager interface c302b704bedd62e7655a401697f1a4a79085bcc0 vendor: specs-go: update specs for Intel RDT/CAT

    Changes in v3: Addressed comment https://github.com/opencontainers/runc/pull/1279#discussion_r116414850 from @yummypeng :

    • Add parameter path to record IntelRdtPath in NewIntelRdtManager.

    v2 commits (for keeping records in code review): ab32d21313aa82dd6c88b24c1bfcbaf8a970dcea libcontainer: add support for Intel RDT/CAT in runc 5972fd56b5f59444a1a7260c84f915515622e297 libcontainer/SPEC.md: add documentation for Intel RDT/CAT 7f8b32107131150a581b62ad0f2665c8a03abbf1 libcontainer: refactor resource manager interface 9b03a51cbfaad7d0a2afe7c9667ac21d1799dcb0 vendor: specs-go: update specs for Intel RDT/CAT

    Changes in v2: Addressed the comments from @hqhq and @yummypeng :

    • Added intelrdt config validator.
    • Removed resctrl filesystem re-mount logic in isIntelRdtMounted().
    • Optimized IsIntelRdtEnabled() to avoid unnecessary time-consuming mount points parsing.
    • Changed Intel RDT related json items to snake_case style.
    • Fixed some redundant codes with regard to intelRdtPath.
    • Fixed potential null pointer issue in IntelRdtManager.Set().
    • Fixed some typos (Sets, num_closids and etc.)
    • Improved libcontainer/SPEC.md: added minimal supported kernel version, provided a more sophisticated config example.

    v1 commits (for keeping records in code review): 4752fd2f639a38eb6ef6c2e030252098cd11d9f0 libcontainer: add support for Intel RDT/CAT in runc c8486a7a8866b5ce4264ee0a17e54292a0f56fbf libcontainer/SPEC.md: add documentation for Intel RDT/CAT aefd02ae210105573dabbb90ace3ab70943504ce libcontainer: refactor resource manager interface 8e8e5d96e6ad7dfefcd0f7d49a8d8c0b5cba0ef6 vendor: specs-go: update specs for Intel RDT/CAT


    This PR fixes issue #433

    About Intel RDT/CAT feature: Intel platforms with new Xeon CPU support Intel Resource Director Technology (RDT). Cache Allocation Technology (CAT) is a sub-feature of RDT, which currently supports L3 cache resource allocation.

    This feature provides a way for the software to restrict cache allocation to a defined 'subset' of L3 cache which may be overlapping with other 'subsets'. The different subsets are identified by class of service (CLOS) and each CLOS has a capacity bitmask (CBM).

    For more information about Intel RDT/CAT can be found in the section 17.17 of Intel Software Developer Manual.

    About Intel RDT/CAT kernel interface: In Linux 4.10 kernel or newer, the interface is defined and exposed via "resource control" filesystem, which is a "cgroup-like" interface.

    Comparing with cgroups, it has similar process management lifecycle and interfaces in a container. But unlike cgroups' hierarchy, it has single level filesystem layout.

    Intel RDT "resource control" filesystem hierarchy:

    mount -t resctrl resctrl /sys/fs/resctrl
    tree /sys/fs/resctrl
    /sys/fs/resctrl/
    |-- info
    |   |-- L3
    |       |-- cbm_mask
    |       |-- min_cbm_bits
    |       |-- num_closids
    |-- cpus
    |-- schemata
    |-- tasks
    |-- <container_id>
        |-- cpus
        |-- schemata
        |-- tasks
    

    For runc, we can make use of tasks and schemata configuration for L3 cache resource constraints.

    The file tasks has a list of tasks that belongs to this group (e.g., <container_id>" group). Tasks can be added to a group by writing the task ID to the "tasks" file (which will automatically remove them from the previous group to which they belonged). New tasks created by fork(2) and clone(2) are added to the same group as their parent. If a pid is not in any sub group, it Is in root group.

    The file schemata has allocation bitmasks/values for L3 cache on each socket, which contains L3 cache id and capacity bitmask (CBM).

    	Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
    

    For example, on a two-socket machine, L3's schema line could be L3:0=ff;1=c0 which means L3 cache id 0's CBM is 0xff, and L3 cache id 1's CBM is 0xc0.

    The valid L3 cache CBM is a contiguous bits set and number of bits that can be set is less than the max bit. The max bits in the CBM is varied among supported Intel Xeon platforms. In Intel RDT "resource control" filesystem layout, the CBM in a group should be a subset of the CBM in root. Kernel will check if it is valid when writing. e.g., 0xfffff in root indicates the max bits of CBM is 20 bits, which mapping to entire L3 cache capacity. Some valid CBM values to set in a group: 0xf, 0xf0, 0x3ff, 0x1f00 and etc.

    For more information about Intel RDT/CAT kernel interface:
    https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt

    An example for runc:

    Consider a two-socket machine with two L3 caches where the default CBM is
    0xfffff and the max CBM length is 20 bits. With this configuration, tasks
    inside the container only have access to the "upper" 80% of L3 cache id 0 and
    the "lower" 50% L3 cache id 1:
    
    "linux": {
    	"intelRdt": {
    		"l3CacheSchema": "L3:0=ffff0;1=3ff"
    	}
    }
    

    Signed-off-by: Xiaochen Shen [email protected]

    opened by xiaochenshen 45
  • provides a new flag to make rootfs all sharable|slave|private propagation settable

    provides a new flag to make rootfs all sharable|slave|private propagation settable

    This is a port of https://github.com/docker/libcontainer/pull/632

    Current a container has to nsenter the host's mount namespace to mount filesystem and share with other containers. This approach doesn't work if the filesystem mount calls helper utility (/sbin/mount.XXX). This limitation makes containerized kubelet unable to mount certain filesystems.

    This commit provides a new flag to make rootfs sharable. Since moving a shared rootfs is semantically confusing for pivot_root(2) and MS_MOVE. A new function changeRoot() is provided to switch rootfs to new destination.

    opened by rootfs 44
  • libcontainer: call Prestart, Poststart hooks from correct places

    libcontainer: call Prestart, Poststart hooks from correct places

    So far Prestart, Poststart hooks have been called from the context of create, which does not satisfy the runtime spec. That's why the runtime-tools validation tests like hooks_stdin.t have failed. Let's move call sites of Prestart, Poststart to correct places.

    Unfortunately as for the Poststart hook, in practice it's not possible to tell whether a specific call site is from create context or run context. That's why we needed to allow Create and Run methods to accept another parameter action (of type CtAct). Doing that, it's possible to set a variable initProcess.IsCreate that allows us distinguish Create from Run. That's why the first commit libcontainer: move CtAct to libcontainer is needed.

    I tested runtime-tools' validation/hooks_stdin.t with this PR of runc, and it worked fine. Though if there would be unexpected breakage from changing like this, please let me know.

    It depends on a pending PR https://github.com/opencontainers/runc/pull/1741. See also https://github.com/opencontainers/runc/issues/1710.

    /cc @wking @liangchenye

    opened by dongsupark 43
  • chown cgroup to process uid in container namespace

    chown cgroup to process uid in container namespace

    Delegating cgroups to the container enables more complex workloads, including systemd-based workloads. The OCI runtime-spec was recently updated to explicitly admit such delegation, through specification of cgroup ownership semantics:

    https://github.com/opencontainers/runtime-spec/pull/1123

    Pursuant to the updated OCI runtime-spec, change the ownership of the container's cgroup directory and particular files therein, when using cgroups v2 and when the cgroupfs is to be mounted read/write.

    As a result of this change, systemd workloads can run in isolated user namespaces on OpenShift when the sandbox's cgroupfs is mounted read/write.

    It might be possible to implement this feature in other cgroup managers, but that work is deferred.

    enhancement area/cgroupv2 area/systemd impact/changelog 
    opened by frasertweedale 42
  • build(deps): bump golang.org/x/sys from 0.3.0 to 0.4.0

    build(deps): bump golang.org/x/sys from 0.3.0 to 0.4.0

    Bumps golang.org/x/sys from 0.3.0 to 0.4.0.

    Commits
    • b60007c unix: add Uvmexp and SysctlUvmexp for NetBSD
    • b751db5 unix: gofmt hurd files after CL 459895
    • b360406 unix: support TIOCGETA on GNU/Hurd
    • 3086868 unix: regen on OpenBSD 7.2
    • 2b11e6b unix: remove Mclpool from openbsd types
    • 7c6badc unix: convert openbsd/mips64 to direct libc calls
    • 3b1fc93 unix: avoid allocations for common uses of Readv, Writev, etc.
    • 2204b66 cpu: parse /proc/cpuinfo on linux/arm64 on old kernels when needed
    • 72f772c unix: offs2lohi should shift by bits, not bytes
    • cffae8e unix: add ClockGettime on *bsd and solaris
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 0
  • build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0

    build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0

    Bumps golang.org/x/net from 0.4.0 to 0.5.0.

    Commits
    • 8e0e7d8 go.mod: update golang.org/x dependencies
    • 7805fdc http2: rewrite inbound flow control tracking
    • 2aa8215 nettest: use RoutedInterface for probing network stack capability
    • ad92d3d websocket: don't recommend Gorilla
    • e1ec361 http2: fix race in TestCanonicalHeaderCacheGrowth
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 0
  • Runc reports an error after upgrading the patch (from runc 1.0.0-rc3): `two checks on same syscall argument`

    Runc reports an error after upgrading the patch (from runc 1.0.0-rc3): `two checks on same syscall argument`

    I am based on the 1.0.0-rc3 version and want to incorporate the patch https://github.com/opencontainers/runc/commit/7a8d7162f9d72f20d83eaa36aeb5426deecd58f2,After integration, the error message "libcontainer: container start initialization failed: two checks on same syscall argument container_linux.go:330: starting container process caused "two checks on same syscall argument"" was reported.

    wontfix 
    opened by kamizjw 2
  • Cgroup manager: Add a MakeThreaded() method

    Cgroup manager: Add a MakeThreaded() method

    Currently, there's no way to make a cgroup threaded via cgroup manager. Therefore, in Kubevirt, I had to implement it myself [1][2].

    As I think this will be helpful to many, not just Kubevirt, this PR adds a MakeThreaded() method to cgroups manager. Obviously it is relevant to v2 only, for v1 it acts as a no-op.

    Fixes #3690

    [1] PR that implements this in Kubevirt: https://github.com/kubevirt/kubevirt/pull/8869 [2] Implemented in commit: https://github.com/kubevirt/kubevirt/pull/8869/commits/868ca2138355206bc0836dba11104dcadfe4b507

    opened by iholder101 7
  • RunC issue with Docker on CentOS 9 (`mount /var/run/docker.sock (via /proc/self/fd/6), flags: 0x44000: permission denied: unknown`)

    RunC issue with Docker on CentOS 9 (`mount /var/run/docker.sock (via /proc/self/fd/6), flags: 0x44000: permission denied: unknown`)

    I want to mention this issue here: https://github.com/docker/cli/issues/3914

    Description

    Issue im having right now is: Command: docker start portainer Error: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/var/run/docker.sock" to rootfs at "/var/run/docker.sock": change mount propagation through procfd: mount /var/run/docker.sock (via /proc/self/fd/6), flags: 0x44000: permission denied: unknown Error: failed to start containers: portainer

    I checked the permissions on /var/run.docker.sock and also the permissions and groups. All seems allright. It was working before the update this morning.

    And when trying run hello_world

    docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting cgroup config for procHooks process: load program: permission denied: unknown. ERRO[0000] error waiting for container: context canceled Reproduce

    dnf update && upgrade on CentOS machine Expected behavior

    I want to start the docker container, but cant. docker version

    Client: Docker Engine - Community Version: 20.10.21 API version: 1.41 Go version: go1.18.7 Git commit: baeda1f Built: Tue Oct 25 18:02:16 2022 OS/Arch: linux/amd64 Context: default Experimental: true

    Server: Docker Engine - Community Engine: Version: 20.10.21 API version: 1.41 (minimum version 1.12) Go version: go1.18.7 Git commit: 3056208 Built: Tue Oct 25 18:00:01 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.12 GitCommit: a05d175400b1145e5e6a735a6710579d181e7fb0 runc: Version: 1.1.4 GitCommit: v1.1.4-0-g5fd4c4d docker-init: Version: 0.19.0 GitCommit: de40ad0

    docker info

    Client: Context: default Debug Mode: false Plugins: app: Docker App (Docker Inc., v0.9.1-beta3) buildx: Docker Buildx (Docker Inc., v0.9.1-docker) compose: Docker Compose (Docker Inc., v2.12.2) scan: Docker Scan (Docker Inc., v0.21.0)

    Server: Containers: 7 Running: 0 Paused: 0 Stopped: 7 Images: 5 Server Version: 20.10.21 Storage Driver: overlay2 Backing Filesystem: xfs Supports d_type: true Native Overlay Diff: true userxattr: false Logging Driver: json-file Cgroup Driver: systemd Cgroup Version: 2 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version: a05d175400b1145e5e6a735a6710579d181e7fb0 runc version: v1.1.4-0-g5fd4c4d init version: de40ad0 Security Options: seccomp Profile: default cgroupns Kernel Version: 5.14.0-205.el9.x86_64 Operating System: CentOS Stream 9 OSType: linux Architecture: x86_64 CPUs: 2 Total Memory: 7.507GiB Name: Docker-01 ID: OPR3:RGC3:5JUT:UJBU:IDMO:S5UG:O2JP:KSV7:Q3XI:MA26:QKUJ:WR3A Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false

    opened by Samsonait 3
Releases(v1.1.4)
  • v1.1.4(Aug 25, 2022)

    This is the fourth patch release in the 1.1.z series of runc, primarily fixing a regression introduced in 1.1.3 related to device rules. It also fixes a few other bugs.

    • Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd. (#3511)
    • Switch kill() in libcontainer/nsenter to sane_kill(). (#3536)
    • Fix "permission denied" error from runc run on noexec fs. (#3541)
    • Fix failed exec after systemctl daemon-reload. Due to a regression in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. (#3554)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.4.tar.gz(622.29 KB)
    libseccomp-2.5.4.tar.gz.asc(833 bytes)
    runc.amd64(8.99 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.64 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.79 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.64 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.12 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.1.3(Jun 9, 2022)

    This is the third release of the 1.1.z series of runc, and contains various minor improvements and bugfixes.

    • Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing). (#3478)
    • Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes. (#3476)
    • Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang. (#3477)
    • When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths. (#3504)
    • Socket activation was failing when more than 3 sockets were used. (#3494)
    • Various CI fixes. (#3472, #3479)
    • Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. (#3493)
    • runc static binaries are now linked against libseccomp v2.5.4. (#3481)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.4.tar.gz(622.29 KB)
    libseccomp-2.5.4.tar.gz.asc(833 bytes)
    runc.amd64(8.98 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.63 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.78 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.64 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.11 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.1.2(May 11, 2022)

    This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities.

    This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769).

    • A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
    • runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.3.tar.gz(622.62 KB)
    libseccomp-2.5.3.tar.gz.asc(833 bytes)
    runc.amd64(8.98 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.63 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.78 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.63 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.11 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.1.1(Mar 29, 2022)

    This is the first stable release in the 1.1 branch, fixing a few issues with runc 1.1.0.

    Fixed:

    • runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
    • runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
    • libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404)
    • Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" error. (#3406)
    • libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Kir Kolyshkin [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.3.tar.gz(622.62 KB)
    libseccomp-2.5.3.tar.gz.asc(833 bytes)
    runc.amd64(8.97 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.63 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.78 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.63 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.10 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.1.0(Jan 17, 2022)

    This release only contains very minor changes from v1.1.0-rc.1 and is the first release of the 1.1.y release series of runc. We do not plan to make any new releases of the 1.0.y release series of runc, so users are strongly encouraged to update to 1.1.0.

    Changed:

    • libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.3.tar.gz(622.62 KB)
    libseccomp-2.5.3.tar.gz.asc(833 bytes)
    runc.amd64(8.97 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.63 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.78 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.63 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.10 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.1.0-rc.1(Dec 14, 2021)

    This release is the first release candidate for the next minor release following runc 1.0. It contains all of the bugfixes included in runc 1.0 patch releases (up to and including 1.0.3).

    A fair few new features have been added, and several features have been deprecated (with plans for removal in runc 1.2). At the moment we only plan to do a single release candidate for runc 1.1, and once 1.1.0 is released we will not continue updating the 1.0.z runc branch.

    Deprecated:

    • runc run/start now warns if a new container cgroup is non-empty or frozen; this warning will become an error in runc 1.2. (#3132, #3223)
    • runc can only be built with Go 1.16 or later from this release onwards. (#3100, #3245)

    Removed:

    • cgroup.GetHugePageSizes has been removed entirely, and been replaced with cgroup.HugePageSizes which is more efficient. (#3234)
    • intelrdt.GetIntelRdtPath has been removed. Users who were using this function to get the intelrdt root should use the new intelrdt.Root instead. (#2920, #3239)

    Added:

    • Add support for RDMA cgroup added in Linux 4.11. (#2883)
    • runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed. (#3073)
    • runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container has exited. (#2817, #2825)
    • seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL). (#3204)
    • seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host. (#2682)
    • checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore. (#3068)
    • runc releases are now cross-compiled for several architectures. Static builds for said architectures will be available for all future releases. (#3197)
    • intelrdt: support ClosID parameter. (#2920)
    • runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed. (#3040, #3059)
    • cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it). (#2087, #3059)
    • sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour. (#3254, #3257)
    • mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users. (#2576)
    • Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro). (#3272)
    • Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130. (#3296)

    Changed:

    • system: improve performance of /proc/$pid/stat parsing. (#2696)
    • cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process. (#3057)
    • docs: series of improvements to man pages to make them easier to read and use. (#3032)

    Libcontainer API:

    • internal api: remove internal error types and handling system, switch to Go wrapped errors. (#3033)
    • New configs.Cgroup structure fields (#3177):
      • Systemd (whether to use systemd cgroup manager); and
      • Rootless (whether to use rootless cgroups).
    • New cgroups/manager package aiming to simplify cgroup manager instantiation. (#3177)
    • All cgroup managers' instantiation methods now initialize cgroup paths and can return errors. This allows to use any cgroup manager method (e.g. Exists, Destroy, Set, GetStats) right after instantiation, which was not possible before (as paths were initialized in Apply only). (#3178)

    Fixed:

    • nsenter: do not try to close already-closed fds during container setup and bail on close(2) failures. (#3058)
    • runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink. (#3047).
    • cgroup: improve openat2 handling for cgroup directory handle hardening. (#3030)
    • runc delete -f now succeeds (rather than timing out) on a paused container. (#3134)
    • runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused. (#3132, #3223)
    • config: do not permit null bytes in mount fields. (#3287)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.3.tar.gz(622.62 KB)
    libseccomp-2.5.3.tar.gz.asc(833 bytes)
    runc.amd64(8.97 MB)
    runc.amd64.asc(854 bytes)
    runc.arm64(8.63 MB)
    runc.arm64.asc(854 bytes)
    runc.armel(7.78 MB)
    runc.armel.asc(854 bytes)
    runc.armhf(7.63 MB)
    runc.armhf.asc(854 bytes)
    runc.ppc64le(9.12 MB)
    runc.ppc64le.asc(854 bytes)
    runc.s390x(9.10 MB)
    runc.s390x.asc(854 bytes)
    runc.sha256sum(1.41 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.3(Dec 6, 2021)

    This is the third stable release in the 1.0 branch, fixing a handful of medium priority issues related to mounts and cgroups, as well as a potential security vulnerability.

    This release is expected to be the last point release in the 1.0 branch, as we are planning to release runc 1.1 in the near future.

    Security:

    • A potential vulnerability was discovered in runc (related to an internal usage of netlink), however upon further investigation we discovered that while this bug was exploitable on the master branch of runc, no released version of runc could be exploited using this bug. The exploit required being able to create a netlink attribute with a length that would overflow a uint16 but this was not possible in any released version of runc. For more information, see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

      Due to an abundance of caution we decided to do an emergency release with this fix, but to reiterate we do not believe this vulnerability was possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability so quickly.

    Bugfixes:

    • Fixed inability to start a container with read-write bind mount of a read-only fuse host mount (#3292)
    • Fixed inability to start when read-only /dev in set in spec (#3277)
    • Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd (#3297)
    • Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes) (#3295)
    • [CI only] Fixed criu 3.16 compatibility issue (#3282)
    • [CI only] Add Go 1.17 to the testing matrix (#3299)

    Enhancements:

    • Improved an error message when dbus-user-session is not installed and rootless + cgroup2 + systemd are used (#3212)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.16 MB)
    runc.amd64.asc(854 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.35 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.2(Aug 23, 2021)

    This is the second stable release in the 1.0 branch, fixing a few medium and high priority issues, including one that affect Kubernetes using runc's libcontainer.

    Bugfixes:

    • Fixed a failure to set CPU quota period in some cases on cgroup v1. (#3115)
    • Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. (#3129)
    • Made release builds reproducible from now on. (#3142)
    • Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec. (#3130)
    • Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. (#3167)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.58 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.1(Jul 16, 2021)

    This is the first stable release in the 1.0 branch, fixing a few medium and high priority issues with runc 1.0.0, including a few that affect Kubernetes' usage of libcontainer.

    Bugfixes:

    • Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. (#3074)
    • Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. (#3079)
    • cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). (#3085)
    • cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. (#3087)
    • cgroup/systemd/v2: don't freeze cgroup on Set. (#3092)
    • cgroup/systemd/v1: avoid unnecessary freeze on Set. (#3093)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(12.17 MB)
    runc.amd64.asc(854 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.0(Jun 22, 2021)

    This release has quite a few last-minute bug-fixes and various correctness and performance improvements (almost all of which are related to cgroup handling), and is the first non-rc release of runc in 5 years (v1.0.0-rc1 was released in 2016). It's been a very long road, and we thank the many contributors and maintainers that helped us get to this point (approximately 422 people in total).

    As runc follows Semantic Versioning, we will endeavor to not make any breaking changes without bumping the major version number of runc.

    However, it should be noted that Go API usage of runc's internal implementation (libcontainer) is not covered by this policy -- for historical reasons, this code was not moved into an "internal" package (this feature did not exist in Go at the time) and because certain projects currently depend on this, we have not yet moved this code into an internal package. Despite this, we reserve the right to make breaking changes in our Go APIs (though we will note such changes in our changelog, and will try to avoid needless disruption if possible).

    Breaking changes:

    • Removed libcontainer/configs.Device* identifiers (deprecated since rc94, use libcontainer/devices) (#2999)
    • Removed libcontainer/system.RunningInUserNS function (deprecated since rc94, use libcontainer/userns) (#2999)

    Deprecations:

    • The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). (#2917, #3004)

    Bugfixes:

    • cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). (#2951)
    • cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
    • cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
    • cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. (#2955)
    • cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
    • cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) (#2997, #2996)

    Improvements:

    • cgroupv2: support SkipDevices with systemd driver (#2958, #3019)
    • cgroup/systemd: return, not ignore, stop unit error from Destroy (#2946)
    • Fix all golangci-lint failures. (#2781, #2962)
    • Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. (#2962)
    • cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). (#2994)
    • cgroup1: blkio: support BFQ weights. (#3010)
    • cgroupv2: set per-device io weights if BFQ IO scheduler is available. (#3022)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +5 -0 %2 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(12.14 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.34 MB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc95(May 19, 2021)

    This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users).

    Aside from this security fix, only a few other changes were made since v1.0.0-rc94 (the only user-visible change was the addition of support for defaultErrnoRet in seccomp profiles).

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Due to the nature of this release, it didn't go through the normal public release procedure. However, this break from procedure was agreed upon on the security mailing list.

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(14.37 MB)
    runc.amd64.asc(854 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.30 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.0-rc94(May 10, 2021)

    This release fixes several regressions found in v1.0.0-rc93. We recommend users update as soon as possible. This release includes the following notable changes:

    Potentially breaking changes:

    • cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. (#2840)
    • libcontainer/cgroups: cgroup managers' Set now accept configs.Resources rather than configs.Cgroups (#2906)
    • libcontainer/cgroups/systemd: reconnect and retry in case dbus connection is closed (after dbus restart) (#2923)
    • libcontainer/cgroups/systemd: don't set limits in Apply (#2814)

    Bugfixes:

    • seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
    • cgroupv2: blkio weight value conversion fix (#2786)
    • runc init: fix a hang caused by deadlock in seccomp/ebpf loading code (regression in rc93, #2871)
    • runc start: fix "chdir to cwd: permission denied" for some setups (regression in rc93, #2894)
    • s390: fix broken terminal (regression in rc93, #2898)

    Improvements:

    • runc start/exec: better diagnostics when container limits are too low (#2812)
    • runc start/exec: better cleanup after failed runc init (#2855)
    • cgroupv1: improve freezing chances (#2941, #2918, #2791)
    • cgroupv2: multiple GetStats improvements (#2816, #2873)
    • cgroupv2: fallback to setting io.weight if io.bfq.weight is not available (#2820)
    • capabilities: WARN, not ERROR, for unknown / unavailable capabilities (#2854)

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +6 -0 !1 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(14.36 MB)
    runc.amd64.asc(854 bytes)
    runc.sha256sum(1.03 KB)
    runc.tar.xz(1.30 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.0-rc93(Feb 4, 2021)

    This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.

    • runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:

      • The systemd cgroup driver has been improved to be more resilient and handle more systemd properties correctly.
      • We now make use of openat2(2) when possible to improve the security of cgroup operations (in future runc will be wholesale ported to libpathrs to get this protection in all codepaths).
    • runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.

    • runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).

      This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.

    • runc now supports the following new runtime-spec features:

      • The umask of a container can now be specified.
      • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE) are now supported.
      • The "unified" cgroup configuration option, which allows users to explicitly specify the limits based on the cgroup file names rather than abstracting them through OCI configuration. This is currently limited in scope to cgroupv2.
    • Various rootless containers improvements:

      • runc will no longer cause conflicts if a user specifies a custom device which conflicts with a user-configured device -- the user device takes precedence.
      • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
    • runc --root is now always treated as local to the current working directory.

    • The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).

    • A large number of code cleanliness and other various cleanups, including fairly large changes to our tests and CI to make them all run more efficiently.

    For packagers the following changes have been made which will have impact on your packaging of runc:

    • The "selinux" and "apparmor" buildtags have been removed, and now all runc builds will have SELinux and AppArmor support enabled. Note that "seccomp" is still optional (though we very highly recommend you enable it).

    • make install DESTDIR= now functions correctly.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +6 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(14.07 MB)
    runc.amd64.asc(833 bytes)
    runc.sha256sum(1.01 KB)
    runc.tar.xz(1.20 MB)
    runc.tar.xz.asc(833 bytes)
  • v1.0.0-rc92(Aug 6, 2020)

    This release contains a hotfix to solve a regression in v1.0.0-rc91 that concerns Docker (this only affects Docker's vendoring of libcontainer, not the usage of runc as the runtime):

    • Fix helpers used by Docker to correctly handle symlinks in /dev (when running with --privileged containers).

    As well as some other improvements:

    • Updates to CRIU support.
    • Improvements to cgroupfs performance and correctness.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +4 -0 #3 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.4.3.tar.gz(584.12 KB)
    libseccomp-2.4.3.tar.gz.asc(833 bytes)
    runc.amd64(13.45 MB)
    runc.amd64.asc(854 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(1.16 MB)
    runc.tar.xz.asc(854 bytes)
  • v1.0.0-rc91(Jul 2, 2020)

    This is intended to be the second-last RC release, with -rc92 having very few large changes so that we can release runc 1.0 (at long last).

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    • The long-awaited hooks changes have been merged into runc. This was one of the few remaining spec-related issues which were blocking us from releasing runc 1.0. Existing hook users will not be affected by this change, but runc now supports additional hooks that we expect users to migrate to eventually. The new hooks are:

      • createRuntime (replacement for the now-deprecated prestart)
      • createContainer
      • startContainer
    • A large amount of effort has been undertaken to support cgroupv2 within runc. The support is still considered experimental, but it is mostly functional at this point. Please report any bugs you find when running under cgroupv2-only systems.

    • A minor-severity security bug was fixed. The devices list would be in allow-by-default mode from the outset, meaning that users would have to explicitly specify they wish to deny all device access at the beginning of the configuration. While this would normally be considered a high-severity vulnerability, all known users of runc had worked around this issue several years ago (hence why this fairly obvious bug was masked).

      In addition, the devices list code has been massively improved such that it will attempt to avoid causing spurrious errors in the container (such as while writing to /dev/null) when doing devices cgroup updates.

    • A security audit of runc was conducted in 2019, and the report PDF is now included in the runc repository. The previous release of runc has already addressed the security issues found in that report.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    NOTE: For those who are confused by the massive version jump (rc10 to rc91), this was done to avoid issues with SemVer and lexical comparisons -- there haven't been 90 other release candidates. Please also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399 for more details.

    Vote: +7 -0 #0 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(12.23 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(1.07 MB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc90(Jun 2, 2020)

    This release is identical to v1.0.0-rc10 (and thus the version string in the binary will be v1.0.0-rc10).

    The purpose of this release is to resolve an issue with our versioning scheme (in particular, the format we've used under SemVer means that the "-rcNN" string suffix is sorted lexicographically rather than in the classic sort -V order).

    Because we cannot do a post-1.0 release yet, this is a workaround to make sure that systems such as Go modules correctly update to the latest runc release. See #2399 for more details.

    The next release (which would've originally been called -rc11) will be 1.0.0-rc91. I'm sorry.

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(10.34 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(726.05 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc10(Jan 24, 2020)

    This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given that the relevant runtime-spec PR which was considered a blocker has been merged the next rc release of runc should be the last one before 1.0.0.

    Other notable changes include:

    • Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).
    • Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(10.34 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(726.05 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc9(Oct 5, 2019)

    This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.44 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(694.51 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc8(Apr 26, 2019)

    This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736.

    Bugs: #2032 #2031 #2043

    At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can.

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to the following people who made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.32 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(591.62 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc7(Mar 28, 2019)

    WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.

    Due to CVE-2019-5736, we had to do another -rc release so users can update. We hope to be able to release 1.0.0 in the near future (there is still an outstanding spec-compliance issue with OCI hooks which we need to resolve first).

    This also updates runc to a vendored commit of the runtime-spec rather than a full release, which will hopefully be rectified with runc 1.0.0.

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Security:

    • Mitigate CVE-2019-5736. This is an updated version of the patch series sent out on openwall and we encourage users to update. #1982 #1984

      NOTE: This mitigation WILL NOT WORK if you run untrusted containers with host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN privileged users).

      Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers without user namespaces to be fundamentally insecure, as such we do not consider this to be a security issue.

      If you want an additional host-level mitigation, use chattr +i on the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to it -- even with CAP_SYS_ADMIN. But as above, if you give CAP_LINUX_IMMUTABLE to a container you will have problems.

      An alternative is to bind-mount a sealed memfd copy of the runc binary over the binary (runc will detect this and will not attempt further mitigation, because sealed memfds are fundamentally unmodifiable) but this requires more in-depth work by administrators.

    • There appear to be production users of --no-pivot-root, which is something that we absolutely recommend against and do not consider to be a secure configuration -- since pivot_root(2) has many security properties that are not possible to provide with just chroot(2).

      However, a specific issue was discovered which we decided to mitigate in order to avoid production users being exploited by it. This security issue is not elligible for a CVE because it requires an insecure configuration (--no-pivot-root). #1962

    Features:

    • Add intelrdt support for MBA to runc (a new intelrdt feature available in Linux 4.18+). #1919
    • Add support for specifying a CRIU configuration file for checkpoint/restore (which makes use of a new org.criu.config annotation). #1933 #1964
    • Add support for "runc exec --preserve-fds". #1995
    • Added support for SELinux labeling of keyrings. #2012

    Fixes:

    • Correct handling of "runc kill" when a container is stopped or paused. #1934 #1943
    • Error out if built with nokmem and kmemcg limits were requested. #1939
    • Update check-config.sh to be in line with Docker's. #1942
    • Improve handling of kmem and the systemd cgroup driver. #1960
    • Improve resilience of adding setns tasks to cgroups. #1950
    • Remove (broken) detection of .scope for systemd. #1978
    • Fix console hanging with preserve-fds, where not enough fds have actually been provided to runc (which is a very common mistake when using --preserve-fds). #2000
    • Create bind-mounts when restoring. #1968
    • Fix regression of zombie "runc init" processes. #2023

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have both decided to give up their maintainership. Thanks for all of your contributions over the years, and good luck with your future endeavours!

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.32 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(591.85 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc6(Nov 22, 2018)

    This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0) it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turns out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem all require a lot of time and co-ordination, and thus would stall this release indefinitely.

    So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Features:

    • Upgrade to using Go 1.10. #1711
    • Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
    • Allow for checkpoint-restore into a foreign network namespace. #1849
    • The "type" field for bind-mounts is now ignored. This is important, because many users incorrectly assume that "type" defines a bind-mount and not "options". Previously you had to set both. #1753 #1845
    • "setgroups=allow" is now possible in rootless mode, but requires the use of the privileged newgidmap helper (fully-rootless still requires "setgroups=deny"). #1693
    • Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
    • Several aspects of rootless mode are now used inside user namespaces. This is necessary for a bunch of useful things (such as running Docker inside an user namespace), but did cause some breakages. We think they've all been fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862
    • Improve kernel.{domain,host}name sysctl handling, to allow the NIS domainname to be set from Docker or other callers without an OCI spec change. #1827
    • Add documentation for one of the more confusion parts of runc, how terminals are handled (including an explanation of --console-socket). All the gory details and recommendations are available in docs/terminals.md. #1730
    • Allow /proc to be bind-mounted over (useful for rootless containers). #1832
    • Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker working with LXC under the default seccomp profile (which is what ChromeOS uses). #1893
    • Add support for the Intel RDT/MBA resource control system. #1632 #1913
    • Allow building with completely-disabled kmemcg support, to get around problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting enabled). #1921 #1922 #1930
    • Add support for cgroup namespaces, which in turn fixes a few other issues we encountered with the previous code (which could be moving us to a cgroup during Go execution). #1916

    Fixes:

    • Namespace creation with user namespaces now plays a bit nicer with SELinux and IPC (which had a bug where the in-kernel mqueue mount would have the wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to avoid future problems with broken kernel integration. #1562
    • Mild refactor of libcontainer/user. #1749
    • Fix null-pointer-exception when no cgroups were set. #1752
    • Various DBus and systemd related changes for the systemd-cgroup driver. #1754 #1772 #1776 #1781 #1805 #1917
    • Apply SELinux label to masked directories. #1756
    • Obey the XDG spec and set the sticky bit on runc's root when using XDG_RUNTIME_DIR (in rootless mode). #1760
    • Only configure network namespaces if we are creating them. #1777
    • Fix race in runc-exec against a currently-exiting pid1. #1812
    • Forward GOMAXPROCS to try to reduce the number of threads started by 'runc init'. Unforunately there's no way to stop Go from spawning new threads so this is more of a recommendation. #1830
    • Fix tmpcopyup in cases where /tmp is not a private mount. #1873
    • Whitelist /proc/loadavg for bind-mounting. #1882
    • Protect against deletion of runc state directory with a containerid of "..", as well as the addition of other path hardening code. #1883
    • Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work on distributions that use-and-abuse shared subtrees. #1817
    • Fix console hanging in several cases. #1895 #1897
    • Lock-to-a-thread during 'runc init' to ensure that that we don't switch threads and run within a different SELinux label. #1814
    • Respect cgroupPath when trying to find the cgroupfs mountpoint (which can happen in cases where containers are given different cgroupfs mounts). #1872
    • And many other minor changes, many from first-time contributors! #1746 #1748 #1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840 #1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908 #1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911

    Fixes (for spec violations):

    • Don't set a container to "running" when exec-ing into it (because it might be in the "created" state). #1771
    • oom_score_adj is now no longer modified if it was unspecified in config.json (this was a spec violation). #1759
    • Set "status" in hook stdin, as well as switch to using *spec.State to avoid JSON-representation drift. #1741

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.23 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(527.53 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc5(Feb 27, 2018)

    This is planned to be the final -rc release of runc. While we really haven't followed the rules for release candidates (with huge features introduced each release, and with massive gaps between releases) the hope is that once we've release 1.0.0 we will be much more liberal with releases in future. Let's see how that pans out. :P

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Features:

    • Support cgroups in rootless containers. This is a continuation of the previous work done, and allows for users that have specialised setups (such as having the LXC pam_cg.so module set up) to use cgroups with rootless containers. #1540
    • Add support for newuidmap and newgidmap with rootless containers. This is a continuation of some previous work, and allows users that have /etc/sub{uid,gid} configured to use the shadow-utils setuid helpers. Note that this support doesn't restrict users that don't want to use setuid binaries at all. #1529
    • runc will now use a chroot when mount namespaces aren't provided in the config.json. While chroot does have its (many) downsides, this does allow for specialised configurations to work properly. #1702
    • Expose annotations to hooks, so that the hook can have more direct information about the container it is being run against. #1687
    • Add "runc exec --additional-gids" support. #1608
    • Allow more signals to be sent with "runc kill" than are defined by Go's syscall package. #1706
    • Emit an error if users try to use MS_PRIVATE with --no-pivot, as that is simply not safe. #1606
    • Add support for "unbindable" and "runbindable" as rootfs propagation. #1655
    • Implement intelrdt support in runc. #1279 #1590
    • Add support for lazy migration with CRIU. This includes the addition of "runc checkpoint httpd" which acts as a remote pagefault request server. #1541
    • Add MIPS support. #1475

    Fixes:

    • Delay seccomp application as late as possible, to reduce the syscall footprint of runc on profiles. #1569

    • Fix --read-only containers with user namespaces, which would previously fail under Docker because of privilege problems when trying to do the read-only remount. #1572

    • Switch away from stateDirFd entirely. This is an improvement over the protections we added for CVE-2016-9962, and protects against many other possible container escape bugs. #1570

    • Handle races between "runc start" and "runc delete" over the exec FIFO correctly, and avoid blocking "runc start" indefinitely. #1698

    • Correctly generate seccomp profiles that place requirements on syscall arguments, as well as multi-argument restrictions. #1616 #1424

    • Prospective patch for remounting of old-root during pivot_root. This is intended to solve one of the many "mount leak" bugs that have been popping up recently -- caused by lots of container churn and host mounts being pinned during container setup. #1500

    • Fix "runc exec" on big-endian architectures. #1727

    • Correct systemd slice expansion to work with cAdvisor. #1722

    • Fix races against systemd cgroup scope creation. #1683

    • Do not wait for signalled processes if libcontainer is running in a process that is a subreaper. #1678

    • Remove dependency on libapparmor entirely, and just use /proc/$pid/attr directly. #1675

    • Improvements to our integration tests. #1661 #1629 #1528

    • Handle systemd's quirky CPUQuotaPerSecUSec handling in fractions-of-a-percent edge-cases. #1651

    • Remove docker/docker import in runc by moving the package to runc. #1644

    • Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622

    • Enable integration and unit tests on arm64. #1642 #1640

    • Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539). #1641

    • Add several tests for specconv. #1626 #1619

    • Add more extensive tests for terminal handling. #1357

    • Always write freezer state during retry-loop, to avoid an indefinite hang when new tasks are spawned in the container. #1610

    • Create cwd when it doesn't exist in the container. #1604

    • Set initial console size based on process spec, to avoid SIGWINCH races where initial console size is completely wrong. #1275

    • Small fixes for static builds. #1579 #1577

    • Use epoll for PTY IO, to avoid issues with systemd's SAK protections. #1455

    • Update state.json after a "runc update". #1558

    • Switch to umoci's release scripts, to use a more "standardised" and distribution-friendly release scheme. Several makefile-fixes included as well. #1554 #1542 #1555

    • Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506

    • Use CRIU's RPC to check the version. #1535

    • Always save own namespace paths rather than the path given during start-up, to avoid issues where the path disappears afterwards. #1477

    • Fix that we incorrectly set the owners of devices. This is still (subtly) broken in user namespaces, but will be fixed in a future version. #1743

    • Lots of other miscellaneous fixes and cleanups, many of which were written by first-time contributors. Thanks for contributing, and welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682 #1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206 #1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588 #1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553 #1548 #1544 #1545 #1537

    Removals:

    • Andrej Vagin stepped down as a maintainer. Thanks for all of your hard work Andrej, and have fun working on your other projects! #1543

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    Vote: +5 -0 #2 Signed-off-by: Aleksa Sarai [email protected]

    Source code(tar.gz)
    Source code(zip)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.23 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.21 KB)
    runc.tar.xz(515.60 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc4(Aug 10, 2017)

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Features:

    • runc now supports v1.0.0 of the OCI runtime specification. #1527
    • Rootless containers support has been released. The current state of this feature is that it only supports single-{uid,gid} mappings as an unprivileged user, and cgroups are completely unsupported. Work is being done to improve this. #774
    • Rather than relying on CRIU version nnumbers, actually check if the system supports pre-dumping. #1371
    • Allow the PIDs cgroup limit to be updated. #1423
    • Add support for checkpoint/restore of containers with orphaned PTYs (which is effectively all containers with terminal=true). #1355
    • Permit prestart hooks to modify the cgroup configuration of a container. #1239
    • Add support for a wide variety of mount options. #1460
    • Expose memory.use_hierarchy in MemoryStats. #1378

    Fixes:

    • Fix incorrect handling of systems without the freezer cgroup. #1387
    • Many, many changes to switch away from Go's "syscall" stdlib to "golang.org/x/sys/unix". #1394 #1398 #1442 #1464 #1467 #1470 #1474 #1478 #1491 #1482 #1504 #1519 #1530
    • Set cgroup resources when restoring a container. #1399
    • Switch back to using /sbin as the installation directory. #1406
    • Remove the arbitrary container ID length restriction. #1435
    • Make container force deletion ignore non-existent containers. #1451
    • Improve handling of arbitrary cgroup mount locations when populating cpuset. #1372
    • Make the SaneTerminal interface public. #1479
    • Fix cases where runc would report a container to be in a "Running" state if the init was a zombie or dead. #1489
    • Do not set supplementary groups for numeric users. #1450
    • Fix various issues with the "owner" field in runc-list. #1516
    • Many other miscellaneous fixes, some of which were made by first-time contributors. Thanks, and welcome to the project! #1406 #1400 #1365 #1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438 #1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533

    Removals:

    • Remove any semblance of non-Linux support. #1502
    • We no longer use shfmt for testing. #1510

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    Vote-Closed: [Wed Aug 9 05:28:38 UTC 2017] Vote-Results: [+5 -0 /2]

    Source code(tar.gz)
    Source code(zip)
    apparmor-2.13.6.tar.gz(7.05 MB)
    apparmor-2.13.6.tar.gz.asc(870 bytes)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(10.04 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.39 KB)
    runc.tar.xz(474.82 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc3(Mar 21, 2017)

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Features:

    • Add slice management support to the systemd cgroup driver. Checks are done to make sure that systemd supports the feature. #1084
    • Support for readonly mount labels. #1112
    • Add a tmpcopyup mount extension for tmpfs mounts that are mounted over already existing directories, allowing for the contents of a volume to be copied up transparently. #845
    • Switch our pivot_root usage to no longer require temporary directories, improving the state of containters running in entirely readonly contexts. #1125 #1148
    • Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
    • Reimplement console handling to use AF_UNIX sockets such that the console is created inside the container's (namespaced) devpts instance, solving a wide variety of historical pty bugs with runC. #1018 #1356
    • Support overlayfs in mounts. #1314
    • Support creating devices with types 'p' and 'u'. #1321
    • Add --preserve-fds=N to create and run commands. #1320
    • Add pre-dump and parent-path to checkpoint. #1001
    • Update to runtime-spec v1.0.0-rc5. #1370

    Fixes:

    • Remove check for binding to /. #1090
    • Ensure we log to logrus on command errors. #1089
    • Don't enable kmem limits if they're not specified in the config. #1095
    • Handle cases where specs.Resources.* members would cause null dereferences. #1111 #1116
    • Fix bugs in the GetProcessStartTime implementation. #1136
    • Make sysctl config validation checks handle network namespaces more gracefully. #1138 #1149
    • Guarantee correct namespace creation ordering. This is part of the rootless container patchset, and is also required in certain SELinux setups. #977
    • Stop screwing around with '\n' in console output. #1146
    • Fix cpuset.cpu_exclusive handling. #1194
    • Sync HookState with the OCI specification. #1201
    • Split remounting mountpoints and bindmounts, resolving issues with mount options being dropped in certain cases. #1222
    • Fix leftover cgroup directory issue. #1196
    • Handle config.Devices and config.MaskPaths in checkpoint. #1110.
    • Don't create combined cgroup subsystem names. #1268
    • Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
    • Race condition when synchronising with children and grandchildren in nsexec.c. #1237
    • Fix state checks to no longer depend on _LIBCONTAINER being present in the environment, fixing both bugs as well as being part of the rootless container patchset. #1317
    • Fix systemd-notify when using different PID namespaces, and allow detach+notify socket. #1308
    • Don't fchown when inheriting stdio, which is necessary for rootless containers in certain scenarios. #1354
    • Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
    • Add devices to whitelist for LXD, to make runC under LXC/LXD work better. #1327
    • Many improvements to testing. #1121 #1131 #1132 #1147

    Security:

    • Several fixes for CVE-2016-9962. 5d93fed3d27f #1274

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    Source code(tar.gz)
    Source code(zip)
    apparmor-2.13.6.tar.gz(7.05 MB)
    apparmor-2.13.6.tar.gz.asc(870 bytes)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.86 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(1.39 KB)
    runc.tar.xz(329.28 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc2(Oct 1, 2016)

    NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp or libapparmor with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp and libapparmor. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

    Features

    • {create,run}: add --no-new-keyring flag so that a new session keyring is not created for the container and the calling process's keyring is inherited.
    • restore: add --empty-ns flag to tell CRIU to only create a network namespace for a container and not populate it (allowing higher levels to correctly handle re-creating the network namespace).
    • {create,start}: use a FIFO rather than signals to signal the starting of a container. This removes the Go version restriction, and also avoids potential issues with Go's signal handling.
    • exec: allow additional groups to be overridden.
    • delete: add --force flag.
    • exec: disable the subreaper option entirely, because the option causes many issues with reparenting in the context of containers. This is not a complete fix, which is intended to land for -rc3. Using the removed option will be silently ignored by runC.
    • {create,run}: add support for masking directories with MaskPaths.
    • delete: allow for the deletion of multiple containers in one cmdline.
    • build: add make release for distributions.

    Fixes

    • Major improvements and fixes to CLI handling. Now commands like runc ps and runc exec will act sanely when you're trying to use flags that are not meant to be parsed by runC.
    • Set the cp.rt_* cgroup options correctly so that runC running in SCHED_RR (realtime) mode can operate properly.
    • Massive improvements to kmem limit detection to ensure that we only attempt to change memory.kmem.* if it is safe to do so.
    • Part of a major cleanup of the nsenter code, with more intended to land before -rc3.
    • Restored containers now have a start time, which is the time that the new container was started (not when the original container was started).
    • Fix the default cgroupPath behaviour, so that we actually attach to subcgroups of all of the caller's current cgroups (rather than using the devices cgroup path for all other cgroups)
    • Support 32bit UIDs on i386 with the setuid32(2) syscall.
    • Add /proc/timer_list to the set of default masked paths.
    • Do not create /dev/fuse by default.
    • Parse cgroupPath correctly if it contains ':'.
    • Add some more debugging information for the test suite, along with fixes for race conditions and other issues. In addition, add more integration tests for edge conditions.
    • Improve check-config.sh script to handle more cases.
    • Fix incorrect type when setting of net_cls classid.
    • Lots of fixes to help pages and man pages.
    • *: append -dirty to the version if the git repo is unclean.
    • Fix the JSON tags for CpuRt* options.
    • Cleanups to the rootfs setup code.
    • Improve error messages related to SELinux.

    Static Linking Notices

    The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

    The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

    However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


    Thanks to all of the contributors that made this release possible:

    Source code(tar.gz)
    Source code(zip)
    apparmor-2.13.6.tar.gz(7.05 MB)
    apparmor-2.13.6.tar.gz.asc(870 bytes)
    libseccomp-2.5.1.tar.gz(623.83 KB)
    libseccomp-2.5.1.tar.gz.asc(833 bytes)
    runc.amd64(9.61 MB)
    runc.amd64.asc(858 bytes)
    runc.sha256sum(521 bytes)
    runc.tar.xz(396.42 KB)
    runc.tar.xz.asc(858 bytes)
  • v1.0.0-rc1(Jun 3, 2016)

    runc 1.0 Release Candidate 1

    This is the first of the release candidates for OCI's runtime specification and runc version 1.0. Runc is now using the runtime-spec 1.0.0-rc1 release.

    Breaking Changes

    The large breaking change from the previous versions of runc to 1.0 is the create and start command changes. The previous start command functionality has been moved to the run command. runc run mycontainer. runc start does not perform the operations that it did before this release.

    Create -> Start -> Delete

    By splitting the create and start phase for a container it allows higher level systems to modify the container before the user defined process is started.

    A simple example of using this new workflow would look something like this from the command line:

    # create the container with the specified configuration 
    runc create mycontainer
    
    # at the point that create returns the container's environment is fully setup but the user's specified process has not run
    
    # you can place network interfaces inside the container 
    # you can exec into the container
    # you can modify the mount namespaces
    runc exec mycontainer ps aux
    
    # after your setup is complete you can start the user defined process
    runc start mycontainer
    
    # after start returns the user defied process inside your OCI config is running
    
    # whenever the container exits you must delete the container removing any existing resources it still has
    runc delete mycontainer
    

    If you want the previous functionality where runc did this for you, use the runc run command.

    Container State

    You can get the container state and status by using the runc state command:

    runc state mycontainer

    {
      "ociVersion": "1.0.0-rc1",
      "id": "mycontainer",
      "pid": 18917,
      "bundlePath": "/containers/mycontainer",
      "rootfsPath": "/containers/mycontainer/rootfs",
      "status": "running",
      "created": "2016-06-03T21:23:42.401668933Z",
      "annotations": {
        "something": "else"
      }
    }
    

    ps command

    A ps command was added to show the processes inside the container:

    runc ps influxdb
    UID        PID  PPID  C STIME TTY          TIME CMD
    1000  18936 18917  0 14:23 ?        00:00:06 influxd -config /home/influxdb/influxdb.conf
    

    Other Updates

    • Added seccomp support for more architectures
    • Stable stats output
    • Added update command for dynamically updating container resources
    • bash completion and man pages

    Please help in testing and please report any issues to the issue tracker on github. Thanks!

    • OCI Maintainers

    Usage

    NAME:
       runc - Open Container Initiative runtime
    
    runc is a command line client for running applications packaged according to
    the Open Container Initiative (OCI) format and is a compliant implementation of the
    Open Container Initiative specification.
    
    runc integrates well with existing process supervisors to provide a production
    container runtime environment for applications. It can be used with your
    existing process monitoring tools and the container will be spawned as a
    direct child of the process supervisor.
    
    Containers are configured using bundles. A bundle for a container is a directory
    that includes a specification file named "config.json" and a root filesystem.
    The root filesystem contains the contents of the container.
    
    To start a new instance of a container:
    
        # runc start [ -b bundle ] <container-id>
    
    Where "<container-id>" is your name for the instance of the container that you
    are starting. The name you provide for the container instance must be unique on
    your host. Providing the bundle directory using "-b" is optional. The default
    value for "bundle" is the current directory.
    
    USAGE:
       runc [global options] command [command options] [arguments...]
    
    VERSION:
       1.0.0-rc1
    commit: 04f275d4601ca7e5ff9460cec7f65e8dd15443ec
    spec: 1.0.0-rc1
    
    COMMANDS:
         checkpoint checkpoint a running container
         create create a container
         delete delete any resources held by the container often used with detached containers
         events display container events such as OOM notifications, cpu, memory, and IO usage statistics
         exec   execute new process inside the container
         init   initialize the namespaces and launch the process (do not call it outside of runc)
         kill   kill sends the specified signal (default: SIGTERM) to the container's init process
         list   lists containers started by runc with the given root
         pause  pause suspends all processes inside the container
         ps     ps displays the processes running inside a container
         restore    restore a container from a previous checkpoint
         resume resumes all processes that have been previously paused
         run    create and run a container
         spec   create a new specification file
         start  start signals a created container to execute the user defined process
         state  output the state of a container
         update update container resource constraints
    
    GLOBAL OPTIONS:
       --debug      enable debug output for logging
       --log value      set the log file path where internal debug information is written (default: "/dev/null")
       --log-format value   set the format used by logs ('text' (default), or 'json') (default: "text")
       --root value     root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
       --criu value     path to the criu binary used for checkpoint and restore (default: "criu")
       --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
       --help, -h       show help
       --version, -v    print the version
    
    
    Source code(tar.gz)
    Source code(zip)
  • v0.1.1(Apr 25, 2016)

  • v0.1.0(Apr 12, 2016)

    This release updates runc to the OCI runtime specification v0.5.0 and includes various fixes and features.

    Features:

    • cgroups: pid limits and stats
    • cgroups: kmem stats
    • systemd cgroup support
    • libcontainer specconv package
    • no pivot root option
    • numeric ids are treated as uid/gid
    • hook improvements

    Bug Fixes:

    • log flushing
    • atomic pid file creation
    • init error recovery
    • seccomp logging removed
    • delete container on aborted start
    • /dev bind mount handling
    Source code(tar.gz)
    Source code(zip)
  • v0.0.9(Mar 11, 2016)

    runc 0.0.9

    This new release of runc includes the specification v0.4 changes. The backwards incompatible changes includes moving process specific settings like capabilities, rlimits, apparmor, and selinux process label from the container configuration to the process configuration. Be sure to update your config.json files for these changes or they will not be applied to the container. You can always use the runc spec command to generate a compatible config.json based on the specification version that runc is currently using.

    Updates:

    • In this release runc has better support for errors and logging for use with the --log flag.
    • Improved namespace sharing for joining PID namespaces.
    • Allow all mount types inside the container's mount namespace.
    • Updated masked and readonly paths for container's /proc.
    • Better IO handling for container's STDIO.
    • Unique session keyring support for containers.
    • Container label support.
    • No new privileges support.
    • Various bug fixes and performance improvements.
    NAME:
       runc - Open Container Initiative runtime
    
    runc is a command line client for running applications packaged according to
    the Open Container Format (OCF) and is a compliant implementation of the
    Open Container Initiative specification.
    
    runc integrates well with existing process supervisors to provide a production
    container runtime environment for applications. It can be used with your
    existing process monitoring tools and the container will be spawned as a
    direct child of the process supervisor.
    
    Containers are configured using bundles. A bundle for a container is a directory
    that includes a specification file named "config.json" and a root filesystem.
    The root filesystem contains the contents of the container. 
    
    To start a new instance of a container:
    
        # runc start [ -b bundle ] <container-id>
    
    Where "<container-id>" is your name for the instance of the container that you
    are starting. The name you provide for the container instance must be unique on
    your host. Providing the bundle directory using "-b" is optional. The default
    value for "bundle" is the current directory.
    
    USAGE:
       runc [global options] command [command options] [arguments...]
    
    VERSION:
       0.0.9
    spec version 0.4.0
    
    COMMANDS:
       checkpoint   checkpoint a running container
       delete   delete any resources held by the container often used with detached containers
       events   display container events such as OOM notifications, cpu, memory, IO and network stats
       exec     execute new process inside the container
       init     init is used to initialize the containers namespaces and launch the users process.
        This command should not be called outside of runc.
    
       kill     kill sends the specified signal (default: SIGTERM) to the container's init process
       list     lists containers started by runc with the given root
       pause    pause suspends all processes inside the container
       restore  restore a container from a previous checkpoint
       resume   resumes all processes that have been previously paused
       spec     create a new specification file
       start    create and run a container
       state    output the state of a container
       help, h  Shows a list of commands or help for one command
    
    GLOBAL OPTIONS:
       --debug      enable debug output for logging
       --log "/dev/null"    set the log file path where internal debug information is written
       --log-format "text"  set the format used by logs ('text' (default), or 'json')
       --root "/run/runc"   root directory for storage of container state (this should be located in tmpfs)
       --criu "criu"    path to the criu binary used for checkpoint and restore
       --help, -h       show help
       --version, -v    print the version
    
    
    Source code(tar.gz)
    Source code(zip)
  • v0.0.8(Feb 10, 2016)

    runc 0.0.8

    This new release of runc supports the OCI runtime specification version 0.3.0. It includes changes such as the unified configuration file, separation of device creation and access, and many other usability updates.

    New features

    Detach

    The detach flag allows runc to exit after it spawns the container and reparents the process to system init. You no longer have a long running runc process as the parent of the container.

    runc start -d test
    

    Pid file

    The pid-file flag allows runc to write the pid of the process run inside the container to a file so that existing init systems can wait on it and allows runc to exit.

    runc start -d --pid-file test.pid test
    

    Delete command

    The delete command allows runc to delete the container's state after it has exited for use with the detach flag.

    runc delete test
    

    List command

    The list command will list all containers running on a system that were spawned by runc.

    > runc list
    ID          PID         STATUS      CREATED
    test        15278       running     2016-02-10T22:21:09.415768192Z
    

    Exec command updates

    The exec command now allows you to use a json file for the process configuration or pass the arguments and settings via flags and args.

    > runc exec --tty --env TEST=1 -- test ps aux
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.0   4476   900 ?        Ss+  22:23   0:00 sh
    root        13  0.0  0.0  15600  2116 ?        Rs+  22:23   0:00 ps aux
    

    Container ids

    Container ids are required for every command in runc. You pass the container id as argument 1 to the commands to specify which container you want to interact with. This was always the case before in runc but hidden behind a --id flag.

    > runc start test
    > runc events test
    > runc kill test
    

    Update to spec 0.3.0

    Be sure to use the runc spec command to generate a new base template for your containers based on the specification and the unified configuration file.

    NAME:
       runc - Open Container Initiative runtime
    
    runc is a command line client for running applications packaged according to
    the Open Container Format (OCF) and is a compliant implementation of the
    Open Container Initiative specification.
    
    runc integrates well with existing process supervisors to provide a production
    container runtime environment for applications. It can be used with your
    existing process monitoring tools and the container will be spawned as a
    direct child of the process supervisor.
    
    After creating config files for your root filesystem with runc, you can execute 
    a container in your shell by running:
    
        # cd /mycontainer
        # runc start [ -b bundle ] <container-id>
    
    If not specified, the default value for the 'bundle' is the current directory.
    'Bundle' is the directory where 'config.json' must be located.
    
    USAGE:
       runc [global options] command [command options] [arguments...]
    
    VERSION:
       0.0.8
    spec version 0.3.0
    
    COMMANDS:
       checkpoint   checkpoint a running container
       delete       delete any resources held by the container often used with detached containers
       events       display container events such as OOM notifications, cpu, memory, IO and network stats
       exec         execute new process inside the container
       kill         kill sends the specified signal (default: SIGTERM) to the container's init process
       list         lists containers started by runc with the given root
       pause        pause suspends all processes inside the container
       restore      restore a container from a previous checkpoint
       resume       resumes all processes that have been previously paused
       spec         create a new specification file
       start        create and run a container
       help, h      Shows a list of commands or help for one command
    
    GLOBAL OPTIONS:
       --debug                                      enable debug output for logging
       --log                                        set the log file path where internal debug information is written
       --log-format "text"                          set the format used by logs ('text' (default), or 'json')
       --root "/run/opencontainer/containers"       root directory for storage of container state (this should be located in tmpfs)
       --criu "criu"                                path to the criu binary used for checkpoint and restore
       --help, -h                                   show help
       --version, -v                                print the version
    

    MD5 hases for the downloadable runc binaries in this release are:

    • runc-amd64: 966cf271c2923b64d2d7ad0be9ffdc6e
    Source code(tar.gz)
    Source code(zip)
Owner
Open Container Initiative
Creating open standards around container technology
Open Container Initiative
oci-image and oci-runtime spec in rust.

oci-lib Oci-Spec for your container runtime or container registry. Oci-lib is a rust port for original oci spec written in go. Following crate contain

flouthoc 12 Mar 10, 2022
Tool to monitor the statistics and the energy consumption of docker containers

Docker Activity Docker activity is a tool to monitor the statistics of your containers and output their energy consumption. Warning It's still in earl

Jérémie Drouet 39 Dec 6, 2022
insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces.

Insject insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. It suppo

NCC Group Plc 44 Nov 9, 2022
Inspect and dump OCI images.

reinlinsen ?? rl is a tool to inspect and dump OCI images or single image layers. Installation From source If you have cargo installed you can just ru

Tobias Brumhard 5 May 11, 2023
A secure container runtime with OCI interface

Quark Container Welcome to Quark Container. This repository is the home of Quark Containers code. What's Quark Container Quark Container is high perfo

null 175 Dec 29, 2022
Experimental implementation of the oci-runtime in Rust

youki Experimental implementation of the oci-runtime in Rust Overview youki is an implementation of runtime-spec in Rust, referring to runc. This proj

utam0k 12 Sep 23, 2022
Easy to use, extendable, OCI-compliant container runtime written in pure Rust

PURA - Lightweight & OCI-compliant container runtime Pura is an experimental Linux container runtime written in pure and dependency-minimal Rust. The

Branimir Malesevic 73 Jan 9, 2023
🐳 📦 Bringing docker containers to your AUR helper since 2022

zeus Releases | CI | Issues | Installing | Building Zeus. A simple AUR helper which utilizes docker containers allowing developers and users alike to

1337 16 Dec 17, 2022
Krustlet: Kubernetes Kubelet in Rust for running WASM

Krustlet: Kubernetes Kubelet in Rust for running WASM ?? ?? This project is highly experimental. ?? ?? It should not be used in production workloads.

null 103 Dec 29, 2022
Valheim Docker powered by Odin. The Valheim dedicated gameserver manager which is designed with resiliency in mind by providing automatic updates, world backup support, and a user friendly cli interface.

Valheim Docker If you are looking for a guide on how to get started click here Mod Support! It is supported to launch the server with BepInEx but!!!!!

Michael 657 Dec 30, 2022
An infrastructure-as-code and deployment tool for Roblox.

Rocat ?? An infrastructure-as-code and deployment tool for Roblox. ⚠ Please note that this is an early release and the API is unstable. Releases follo

Blake Mealey 45 Dec 29, 2022
An infrastructure-as-code and deployment tool for Roblox.

Mantle ?? An infrastructure-as-code and deployment tool for Roblox. ⚠ Please note that this is an early release and the API is unstable. Releases foll

Blake Mealey 44 Dec 22, 2022
Shallow Container is a light-weight container tool written in Rust.

Shallow Container is a light-weight container tool written in Rust. It is totally for proof-of-concept and may not suit for production environment.

Rui Li 14 Apr 8, 2022
A lite tool to make systemd work in any container(Windows Subsystem for Linux 2, Docker, Podman, etc.)

Angea Naming from hydrangea(アジサイ) A lite tool to make systemd work in any container(Windows Subsystem for Linux 2, Docker, Podman, etc.) WSL1 is not s

いんしさくら 16 Dec 5, 2022
Docker images for compiling static Rust binaries using musl-libc and musl-gcc, with static versions of useful C libraries. Supports openssl and diesel crates.

rust-musl-builder: Docker container for easily building static Rust binaries Source on GitHub Changelog UPDATED: Major updates in this release which m

Eric Kidd 1.3k Jan 1, 2023
Habitat is open source software that creates platform-independent build artifacts and provides built-in deployment and management capabilities.

Habitat is open source software that creates platform-independent build artifacts and provides built-in deployment and management capabilities. The go

Habitat 2.4k Dec 27, 2022
A buildpack for Rust applications on Heroku, with full support for Rustup, cargo and build caching.

Heroku buildpack for Rust This is a Heroku buildpack for Rust with support for cargo and rustup. Features include: Caching of builds between deploymen

Eric Kidd 502 Nov 7, 2022
Desktop launcher to install and use Holochain apps locally

Holochain Launcher A cross-platform executable that launches a local Holochain conductor, and installs and opens apps. Feedback is immensely welcome i

Holochain 58 Dec 30, 2022
Rust Kubernetes client and controller runtime

kube-rs Rust client for Kubernetes in the style of a more generic client-go, a runtime abstraction inspired by controller-runtime, and a derive macro

kube-rs 1.8k Jan 8, 2023