VERSION: release v1.5.0-rc.1 #5154

Merged
cyphar merged 4 commits into opencontainers:main from cyphar:release-1.5.0-rc.1
Mar 13, 2026
cyphar (Member) commented Mar 6, 2026

Draft until #5103 is merged.


runc v1.5.0-rc.1 -- "憎しみを束ねてもそれは脆い!"

This is the first release candidate of the runc 1.5.0 release. It
contains a couple of new features, but is mostly made up of various
cleanups (such as the removal of many deprecated APIs) and improvements.
runc v1.5.0-rc.1 includes all of the patches backported to runc v1.4.1.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release. You
should expect runc 1.5.0 to be released at the end of April 2026 (at
which point, runc 1.3.z will only receive high-severity security fixes
for 6 months and runc 1.2.z will become unmaintained -- users are thus
very strongly encouraged to migrate to a newer version).

libcontainer API:

- The following deprecated Go APIs have been removed:
  - "CleanPath", "StripRoot", and "WithProcfd" from
    "libcontainer/utils". Note that "WithProcfdFile" has not been
    removed (due to import cycle issues) but is instead marked as
    internal in its godoc comment. (#5051)
  - All of the cgroup-related types and functions from
    "libcontainer/configs" which are now maintained in
    "github.com/opencontainers/cgroups" (#5141):
    - "libcontainer/configs.Cgroup"
    - "libcontainer/configs.Resources"
    - "libcontainer/configs.FreezerState"
    - "libcontainer/configs.LinuxRdma"
    - "libcontainer/configs.BlockIODevice"
    - "libcontainer/configs.WeightDevice"
    - "libcontainer/configs.ThrottleDevice"
    - "libcontainer/configs.HugepageLimit"
    - "libcontainer/configs.IfPrioMap"
    - "libcontainer/configs.Undefined"
    - "libcontainer/configs.Frozen"
    - "libcontainer/configs.Thawed"
    - "libcontainer/configs.NewWeightDevice"
    - "libcontainer/configs.NewThrottleDevice"
  - "libcontainer/configs.HookList.RunHooks". (#5141)
  - "libcontainer/configs.MPOL_*" (#5141)
  - All of the types in "libcontainer/devices" which are now maintained
    in "github.com/opencontainers/cgroups/devices/config" (#5141):
    - "libcontainer/devices.Wildcard"
    - "libcontainer/devices.WildcardDevice"
    - "libcontainer/devices.BlockDevice"
    - "libcontainer/devices.CharDevice"
    - "libcontainer/devices.FifoDevice"
    - "libcontainer/devices.Device"
    - "libcontainer/devices.Permissions"
    - "libcontainer/devices.Type"
    - "libcontainer/devices.Rule"
- "libcontainer.Process" methods ("Wait", "Pid", "Signal") and
  "libcontainer/configs.Config" methods ("HostUID", "HostRootUID",
  "HostGID", "HostRootGID") now use pointer receivers. (#5088)
- The example code for libcontainer has been moved out of a README and
  into a proper Example* test file that will be compile-tested by our
  CI. As mentioned elsewhere, we still *do not* recommend users make use
  of the libcontainer API directly. (#5127)

Deprecated:

- The "libcontainer/configs.Mount.Relabel" configuration field (used to
  relabel mounts with the "z" and "Z" "pseudo" mount options) was never
  accessible outside of the libcontainer API, and in practice the
  relabel logic has always lived in higher level runtimes. It has been
  made into a no-op and the field will be removed entirely in runc 1.7.
  (#5152, #5160)

Removed:

- The memfd-bind helper binary has been removed, as it has never been
  particularly useful and was completely obsoleted by the changes to
  /proc/self/exe sealing we introduced in runc 1.2.0. (#5141)

Added:

- User-namespaced containers can now configure user.* sysctls. (#4889)
- Preliminary loong64 support. (#4938)
- Intel RDT: the RDT subdirectory is now only removed if runc created
  it, matching the updated runtime-spec guidance. (#3832, #5155)

Changed:

- Our release binaries and default build configuration now use libpathrs
  by default, providing better hardening against certain kinds of
  attacks. Users of runc should not see any changes as a result of this,
  but packagers will need to adjust their packaging accordingly. runc can
  still be built without libpathrs (by building without the libpathrs
  build tag), but we currently plan to make runc 1.6 *require*
  libpathrs. (#5103)
- "runc exec" will now request systemd to move the "exec" process into
  the container cgroup, making the procedure more rootless-friendly.
  (#4822)
- seccomp: minor documentation updates. (#4902)
- Errors from "runc init" have historically been quite painful to
  understand and debug; we have made several improvements to make them
  more comprehensive and thus useful when debugging issues. (#4951,
  #4928)
- Update spec conformance documentation for OCI runtime-spec v1.3.0.
  (#4948, #5150)
- Our release archives now have the name "runc-$version.tar.xz" to make
  distro packaging a little easier by matching the filename to the
  top-level directory name in the archive. (#5052)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <aleksa@amutable.com>
 * Antti Kervinen <antti.kervinen@intel.com>
 * Ariel Otilibili <otilibil@eurecom.fr>
 * Arina Cherednik <arinacherednik034@gmail.com>
 * Curd Becker <me@curd-becker.de>
 * Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
 * Donet Tom <donettom@linux.ibm.com>
 * Efim Verzakov <efimverzakov@gmail.com>
 * Ismo Puustinen <ismo.puustinen@intel.com>
 * Joshua Rogers <MegaManSec@users.noreply.github.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Lei Wang <ssst0n3@gmail.com>
 * Li Fubang <lifubang@acmcoder.com>
 * Luke Hinds <luke@stacklok.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Osama Abdelkader <osama.abdelkader@gmail.com>
 * Phil Estes <estesp@gmail.com>
 * Ricardo Branco <rbranco@suse.de>
 * Rodrigo Campos Catelin <rodrigo@amutable.com>
 * Tianon Gravi <admwiggin@gmail.com>
 * Tycho Andersen <tycho@tycho.pizza>
 * Tõnis Tiigi <tonistiigi@gmail.com>
 * Vishal Chourasia <vishalc@linux.ibm.com>
 * zhaixiaojuan <zhaixiaojuan@loongson.cn>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

cyphar added this to the 1.5.0-rc.1 milestone Mar 6, 2026

rata (Member) left a comment

Thanks! I checked all the PR numbers point to the right commits. I wish next time I remember to render it as markdown to review, so with a mouse hover I can check it's what I expect :)

rata (Member) commented Mar 12, 2026

Some dependabot PRs (like this and this) are failing because the new min version by those modules is go 1.25. Given that 1.24 is out of support, shouldn't we update before the final 1.5.0 release?

cyphar (Member, Author) commented Mar 12, 2026

@rata I've opened #5169 but we can merge that after rc1.

cyphar force-pushed the release-1.5.0-rc.1 branch from 290d748 to 376e469, March 12, 2026 12:15

When going through the changelog for v1.5.0-rc.1, these PRs were merged
but not referenced by their original PR number in the changelog, making
it harder to figure out which patches since v1.4.0-rc.1 are in
v1.5.0-rc.1 or v1.4.0.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

cyphar force-pushed the release-1.5.0-rc.1 branch from 376e469 to c37969b, March 12, 2026 14:20
cyphar mentioned this pull request Mar 13, 2026

Some of the patches in the "unreleased" section were backported and so
they can be moved to the v1.4.1 section to avoid some unneeded
duplication.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

cyphar force-pushed the release-1.5.0-rc.1 branch from c37969b to 329f3cc, March 13, 2026 07:36
cyphar marked this pull request as ready for review March 13, 2026 07:39

rata (Member) left a comment

LGTM. This seems to be on top of 1.4.1 now :)

cyphar added 2 commits March 13, 2026 18:17
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

cyphar merged commit 5c48e21 into opencontainers:main Mar 13, 2026
63 checks passed
cyphar deleted the release-1.5.0-rc.1 branch March 13, 2026 12:29