Pre-release

runC Release Candidate 2

@cyphar cyphar released this Oct 1, 2016 · 231 commits to master since this release

Features

  • {create,run}: add --no-new-keyring flag so that a new session keyring is not created for the container and the calling process's keyring is inherited.
  • restore: add --empty-ns flag to tell CRIU to only create a network namespace for a container and not populate it (allowing higher levels to correctly handle re-creating the network namespace).
  • {create,start}: use a FIFO rather than signals to signal the starting of a container. This removes the Go version restriction, and also avoids potential issues with Go's signal handling.
  • exec: allow additional groups to be overridden.
  • delete: add --force flag.
  • exec: disable the subreaper option entirely, because the option causes many issues with reparenting in the context of containers. This is not a complete fix, which is intended to land for -rc3. If the removed option is passed, runC silently ignores it.
  • {create,run}: add support for masking directories with MaskPaths.
  • delete: allow for the deletion of multiple containers in one cmdline.
  • build: add make release for distributions.

Fixes

  • Major improvements and fixes to CLI handling. Now commands like runc ps and runc exec will act sanely when you're trying to use flags that are not meant to be parsed by runC.
  • Set the cp.rt_* cgroup options correctly so that runC running in SCHED_RR (realtime) mode can operate properly.
  • Massive improvements to kmem limit detection to ensure that we only attempt to change memory.kmem.* if it is safe to do so.
  • Part of a major cleanup of the nsenter code, with more intended to land before -rc3.
  • Restored containers now have a start time, which is the time that the new container was started (not when the original container was started).
  • Fix the default cgroupPath behaviour, so that we actually attach to subcgroups of all of the caller's current cgroups (rather than using the devices cgroup path for all other cgroups).
  • Support 32bit UIDs on i386 with the setuid32(2) syscall.
  • Add /proc/timer_list to the set of default masked paths.
  • Do not create /dev/fuse by default.
  • Parse cgroupPath correctly if it contains ':'.
  • Add some more debugging information for the test suite, along with fixes for race conditions and other issues. In addition, add more integration tests for edge conditions.
  • Improve check-config.sh script to handle more cases.
  • Fix incorrect type when setting of net_cls classid.
  • Lots of fixes to help pages and man pages.
  • *: append -dirty to the version if the git repo is unclean.
  • Fix the JSON tags for CpuRt* options.
  • Cleanups to the rootfs setup code.
  • Improve error messages related to SELinux.

Thanks to all of the contributors that made this release possible:

runc 1.0 Release Candidate 1

@crosbymichael crosbymichael released this Jun 3, 2016 · 483 commits to master since this release

runc 1.0 Release Candidate 1

This is the first of the release candidates for OCI's runtime specification and runc version 1.0. Runc is now using the runtime-spec 1.0.0-rc1 release.

Breaking Changes

The large breaking change from the previous versions of runc to 1.0 is the create and start command changes. The previous start command functionality has been moved to the run command (e.g. runc run mycontainer); runc start no longer performs the operations that it did before this release.

Create -> Start -> Delete

Splitting the create and start phases for a container allows higher-level systems to modify the container before the user-defined process is started.

A simple example of using this new workflow would look something like this from the command line:

# create the container with the specified configuration 
runc create mycontainer

# at the point that create returns the container's environment is fully set up but the user's specified process has not run

# you can place network interfaces inside the container 
# you can exec into the container
# you can modify the mount namespaces
runc exec mycontainer ps aux

# after your setup is complete you can start the user defined process
runc start mycontainer

# after start returns the user defined process inside your OCI config is running

# whenever the container exits you must delete the container removing any existing resources it still has
runc delete mycontainer

If you want the previous functionality where runc did this for you, use the runc run command.

Container State

You can get the container state and status by using the runc state command:

runc state mycontainer

{
  "ociVersion": "1.0.0-rc1",
  "id": "mycontainer",
  "pid": 18917,
  "bundlePath": "/containers/mycontainer",
  "rootfsPath": "/containers/mycontainer/rootfs",
  "status": "running",
  "created": "2016-06-03T21:23:42.401668933Z",
  "annotations": {
    "something": "else"
  }
}
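The create -> start -> delete split described above, together with the runc state output, as an added example (not runc's own code): a Go program that decodes the state JSON and checks, before each runc command is issued, whether the 1.0 lifecycle permits it. The sample JSON and the command names come from these notes; the status names and the rule that delete needs an exited container (without rc2's --force) are assumptions about runc's behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// State mirrors the JSON that `runc state` prints in 1.0.0-rc1 (tags as shown in the notes).
type State struct {
	OCIVersion  string            `json:"ociVersion"`
	ID          string            `json:"id"`
	Pid         int               `json:"pid"`
	BundlePath  string            `json:"bundlePath"`
	RootfsPath  string            `json:"rootfsPath"`
	Status      string            `json:"status"`
	Created     time.Time         `json:"created"`
	Annotations map[string]string `json:"annotations"`
}

// sampleState is the `runc state mycontainer` output from the notes, embedded as constructed input.
const sampleState = `{"ociVersion": "1.0.0-rc1", "id": "mycontainer", "pid": 18917, "status": "running",
  "bundlePath": "/containers/mycontainer", "rootfsPath": "/containers/mycontainer/rootfs",
  "created": "2016-06-03T21:23:42.401668933Z", "annotations": {"something": "else"}}`

// ParseState decodes `runc state` output and refuses a document whose id or status is missing.
func ParseState(data []byte) (State, error) {
	var st State
	if err := json.Unmarshal(data, &st); err != nil {
		return st, fmt.Errorf("runc state: invalid JSON: %w", err)
	}
	if st.ID == "" || st.Status == "" {
		return st, fmt.Errorf("runc state: id or status missing")
	}
	return st, nil
}

// Next returns the status a container has after cmd runs against one in status, or an error when
// the 1.0 lifecycle forbids it. Names "created"/"running"/"stopped" are assumed to be runc's; "" = no such id.
func Next(status, cmd string) (string, error) {
	switch cmd {
	case "create":
		if status != "" {
			return status, fmt.Errorf("create: id already exists with status %q", status)
		}
		return "created", nil
	case "exec": // setup work may exec into the container before the user process runs
		if status != "created" && status != "running" {
			return status, fmt.Errorf("exec: container is %q, need created or running", status)
		}
		return status, nil
	case "start": // start only moves a created container to running, never restarts one
		if status != "created" {
			return status, fmt.Errorf("start: container is %q, need created", status)
		}
		return "running", nil
	case "delete": // without rc2's --force only an exited container may be deleted
		if status != "stopped" {
			return status, fmt.Errorf("delete: container is %q, need stopped", status)
		}
		return "", nil
	}
	return status, fmt.Errorf("unknown command %q", cmd)
}

func main() {
	st, err := ParseState([]byte(sampleState))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s, pid %d, created %s\n", st.ID, st.Status, st.Pid, st.Created.Format(time.RFC3339))
	status := "" // replay the workflow from the notes; the second start must be refused
	for _, cmd := range []string{"create", "exec", "start", "start", "delete"} {
		if next, err := Next(status, cmd); err != nil {
			fmt.Println("refused:", err)
		} else {
			status = next
		}
	}
}
```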

ps command

A ps command was added to show the processes inside the container:

runc ps influxdb
UID        PID  PPID  C STIME TTY          TIME CMD
1000  18936 18917  0 14:23 ?        00:00:06 influxd -config /home/influxdb/influxdb.conf

Other Updates

  • Added seccomp support for more architectures
  • Stable stats output
  • Added update command for dynamically updating container resources
  • bash completion and man pages

Please help in testing and please report any issues to the issue tracker on github. Thanks!

  • OCI Maintainers

Usage

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   1.0.0-rc1
commit: 04f275d4601ca7e5ff9460cec7f65e8dd15443ec
spec: 1.0.0-rc1

COMMANDS:
     checkpoint checkpoint a running container
     create create a container
     delete delete any resources held by the container often used with detached containers
     events display container events such as OOM notifications, cpu, memory, and IO usage statistics
     exec   execute new process inside the container
     init   initialize the namespaces and launch the process (do not call it outside of runc)
     kill   kill sends the specified signal (default: SIGTERM) to the container's init process
     list   lists containers started by runc with the given root
     pause  pause suspends all processes inside the container
     ps     ps displays the processes running inside a container
     restore    restore a container from a previous checkpoint
     resume resumes all processes that have been previously paused
     run    create and run a container
     spec   create a new specification file
     start  start signals a created container to execute the user defined process
     state  output the state of a container
     update update container resource constraints

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log value      set the log file path where internal debug information is written (default: "/dev/null")
   --log-format value   set the format used by logs ('text' (default), or 'json') (default: "text")
   --root value     root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
   --criu value     path to the criu binary used for checkpoint and restore (default: "criu")
   --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
   --help, -h       show help
   --version, -v    print the version

runc 0.1.1

@crosbymichael crosbymichael released this Apr 25, 2016 · 677 commits to master since this release

runc 0.1.1

This release includes a bug fix for adding the selinux mount label in the specification.

Runc v0.1.0

@crosbymichael crosbymichael released this Apr 12, 2016 · 679 commits to master since this release

This release updates runc to the OCI runtime specification v0.5.0 and includes various fixes and features.

Features:

  • cgroups: pid limits and stats
  • cgroups: kmem stats
  • systemd cgroup support
  • libcontainer specconv package
  • no pivot root option
  • numeric ids are treated as uid/gid
  • hook improvements

Bug Fixes:

  • log flushing
  • atomic pid file creation
  • init error recovery
  • seccomp logging removed
  • delete container on aborted start
  • /dev bind mount handling

runc 0.0.9 and specification 0.4.0

@crosbymichael crosbymichael released this Mar 10, 2016 · 826 commits to master since this release

runc 0.0.9

This new release of runc includes the specification v0.4 changes. The backwards incompatible changes include moving process specific settings like capabilities, rlimits, apparmor, and selinux process label from the container configuration to the process configuration. Be sure to update your config.json files for these changes or they will not be applied to the container. You can always use the runc spec command to generate a compatible config.json based on the specification version that runc is currently using.

Updates:

  • In this release runc has better support for errors and logging for use with the --log flag.
  • Improved namespace sharing for joining PID namespaces.
  • Allow all mount types inside the container's mount namespace.
  • Updated masked and readonly paths for container's /proc.
  • Better IO handling for container's STDIO.
  • Unique session keyring support for containers.
  • Container label support.
  • No new privileges support.
  • Various bug fixes and performance improvements.

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Format (OCF) and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container. 

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   0.0.9
spec version 0.4.0

COMMANDS:
   checkpoint   checkpoint a running container
   delete   delete any resources held by the container often used with detached containers
   events   display container events such as OOM notifications, cpu, memory, IO and network stats
   exec     execute new process inside the container
   init     init is used to initialize the containers namespaces and launch the users process. This command should not be called outside of runc.
   kill     kill sends the specified signal (default: SIGTERM) to the container's init process
   list     lists containers started by runc with the given root
   pause    pause suspends all processes inside the container
   restore  restore a container from a previous checkpoint
   resume   resumes all processes that have been previously paused
   spec     create a new specification file
   start    create and run a container
   state    output the state of a container
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log "/dev/null"    set the log file path where internal debug information is written
   --log-format "text"  set the format used by logs ('text' (default), or 'json')
   --root "/run/runc"   root directory for storage of container state (this should be located in tmpfs)
   --criu "criu"    path to the criu binary used for checkpoint and restore
   --help, -h       show help
   --version, -v    print the version

Release 0.0.8 for runc and specification 0.3.0

@crosbymichael crosbymichael released this Feb 10, 2016 · 968 commits to master since this release

runc 0.0.8

This new release of runc supports the OCI runtime specification version 0.3.0. It includes changes such as the unified configuration file, separation of device creation and access, and many other usability updates.

New features

Detach

The detach flag allows runc to exit after it spawns the container and reparents the process to system init. You no longer have a long running runc process as the parent of the container.

runc start -d test

Pid file

The pid-file flag allows runc to write the pid of the process run inside the container to a file so that existing init systems can wait on it and allows runc to exit.

runc start -d --pid-file test.pid test

Delete command

The delete command allows runc to delete the container's state after it has exited for use with the detach flag.

runc delete test

List command

The list command will list all containers running on a system that were spawned by runc.

> runc list
ID          PID         STATUS      CREATED
test        15278       running     2016-02-10T22:21:09.415768192Z

Exec command updates

The exec command now allows you to use a json file for the process configuration or pass the arguments and settings via flags and args.

> runc exec --tty --env TEST=1 -- test ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4476   900 ?        Ss+  22:23   0:00 sh
root        13  0.0  0.0  15600  2116 ?        Rs+  22:23   0:00 ps aux

Container ids

Container ids are required for every command in runc. You pass the container id as argument 1 to the commands to specify which container you want to interact with. This was always the case before in runc but hidden behind a --id flag.

> runc start test
> runc events test
> runc kill test

Update to spec 0.3.0

Be sure to use the runc spec command to generate a new base template for your containers based on the specification and the unified configuration file.

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Format (OCF) and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

After creating config files for your root filesystem with runc, you can execute 
a container in your shell by running:

    # cd /mycontainer
    # runc start [ -b bundle ] <container-id>

If not specified, the default value for the 'bundle' is the current directory.
'Bundle' is the directory where 'config.json' must be located.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   0.0.8
spec version 0.3.0

COMMANDS:
   checkpoint   checkpoint a running container
   delete       delete any resources held by the container often used with detached containers
   events       display container events such as OOM notifications, cpu, memory, IO and network stats
   exec         execute new process inside the container
   kill         kill sends the specified signal (default: SIGTERM) to the container's init process
   list         lists containers started by runc with the given root
   pause        pause suspends all processes inside the container
   restore      restore a container from a previous checkpoint
   resume       resumes all processes that have been previously paused
   spec         create a new specification file
   start        create and run a container
   help, h      Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug                                      enable debug output for logging
   --log                                        set the log file path where internal debug information is written
   --log-format "text"                          set the format used by logs ('text' (default), or 'json')
   --root "/run/opencontainer/containers"       root directory for storage of container state (this should be located in tmpfs)
   --criu "criu"                                path to the criu binary used for checkpoint and restore
   --help, -h                                   show help
   --version, -v                                print the version

MD5 hashes for the downloadable runc binaries in this release are:

  • runc-amd64: 966cf271c2923b64d2d7ad0be9ffdc6e

Release v0.0.7

@LK4D4 LK4D4 released this Jan 26, 2016 · 1020 commits to master since this release

This release includes the following changes:

  • Do not use stream encoders
  • Update github.com/opencontainers/specs to a7b50925d8996923d99e1c50750131e20b743067
  • cgroup: systemd: properly expand systemd slice names
  • Remove the nullState
  • Revert "update date in README"
  • Add build status badge
  • Allow switch to anything from nullState
  • Fix various state bugs for pause and destroy
  • cgroups: set memory cgroups in Set
  • Only set cwd when not empty
  • Fix comment of swap limit
  • Add support for just joining in apply using cgroup paths
  • Remove some hard coded strings
  • Handle seccomp proc parsing errors
  • Embed Resources for backward compatibility
  • add seccomp.IsEnabled() function
  • cleanup old hack dir
  • Check that cwd is absolute
  • update go version to 1.5.3 in dockerfile and cleanup
  • Make cwd required
  • Update README of libcontainer
  • Only validate post-hyphen field length on cgroup mounts
  • libcontainer: set cgroup config late
  • libcontainer: cgroups: loudly fail with Set
  • libcontainer: cgroups: don't Set in Apply
  • libcontainer: cgroups: add pids controller support
  • cgroups: fs: fix cgroup.Parent path sanitisation
  • Do not create devices when in user namespace
  • Revert to non-recursive GetPids, add recursive GetAllPids
  • selinux: add SelinuxSetEnforceMode implementation
  • update date in README
  • Add --console to specify path to use from runc
  • Do not allow access to /dev/tty{0,1}
  • Add white list for bind mount check
  • Fix typo word in SPEC.md
  • libcontainer: Add support for memcg pressure notifications
  • Cleanup Godeps
  • Revert "cgroups: add pids controller support"
  • libcontainer: set cgroup config late
  • libcontainer: cgroups: loudly fail with Set
  • libcontainer: cgroups: don't Set in Apply
  • libcontainer: cgroups: add pids controller support
  • Caclulate NLA_HDRLEN as gccgo workaround
  • Add state pattern for container state transition
  • Move the cgroups setting into a Resources struct
  • Move linux only Process.InitializeIO behind the linux build flag.
  • Replace docker units package with new docker/go-units.
  • Move STDIO initialization to libcontainer.Process
  • Fixing TestSetFilecon in selinux test step
  • Adding selinux label
  • make localtest failure with selinux enabled
  • Add spec version to runC version cli

Release v0.0.6

@mrunalp mrunalp released this Dec 11, 2015 · 1121 commits to master since this release

This release includes the following changes:

  • fix minor typo
  • Remove the timeframe for v1 spec
  • Export console New func
  • setns: replace env with netlink for bootstrap data
  • systemd: support cgroup parent with specified slice
  • libcontainer: network_linux.go: fix go vet
  • Fixing xattr test step issue
  • libcontainer: configs: create cgroup_unsupported.go in order to build on darwin as well
  • Fixing minor typo in usage
  • setns: add bootstrap data
  • Adding error conditions when apparmor disabled
  • README.md: clarify OCI JSON files

  • Nov 20, 2015

    v0.0.5

    Release v0.0.5
    It includes the following changes:
    
    * godeps: update go-systemd to v4 and godbus/dbus to v3
    * libcontainer: configs: extend unsupported os
    * Fix comment to be consistent with the code
    * Userns container in containers
    * static binary \o/
    * adding support for --bundle -b to start, restore, and spec; fixes issue #310
    * Add seccomp trace support
    * Change my email address
    * Fix race setting process opts
    * Integrate poststart hooks with spec
    * Add Poststart hook to libcontainer config
    * Validate process configuration for runc exec
    * Add some comments about cgroup
    * Refactor cgroupData
    * Rename parent and data
    * Windows: Refactor Container interface
    * Add more context around some error cases
    * Docker needs to know whether the user requested a relabel
    * README.md: fix description for runc with systemd
    * Windows: Refactor state struct
    * Windows: Tidy libcontainer\devices
    * Fixes build tags on cgroups\fs\*.go
    * Windows: Refactor configs/cgroup.go
    * Windows: Factor down criu_opts
    * Add the conversion of architectures for seccomp config
    * Fixing typo in the comment for exit
    * Remove naked return
    * Remove fatalf function; unused.
    * libcontainer/SPEC.md: fix /dev/stdio symlinks
    * Correct intuition for setupDev
    * Unify behavior for memory cgroup
    * Cgroup set order for systemd
    * Use array instead of map for cgroup subsystems
    * Add Name() to cgroup subsystems
    * Set cpuset.cpus and cpuset.mems before join the cgroup
    * Add ability to use json structured logging format.
    * Reorder checks in Walk to avoid panics
    * Get PIDs from cgroups recursively
    * Add criu related debug output
    * Add option to support criu manage cgroups mode for dump and restore
    * Validate label options
    * change named to names
    * Fix for race from error on process start
    * Add additional gids support
    * Bump up github.com/opencontainers/specs to cf8dd120937acc3593708f99304c51cfd0f73240
    * nsexec: Align clone child stack ptr to 16
    * bump docker pkgs
    * Fix name in MAINTAINERS list
    * cgroups: Add name=systemd to list of subsystems
    * cgroups: Add a name cgroup
    * Allow numeric groups for containers without /etc/group
    * change uid to gid in func HostGID
    * Adjust runc to new opencontainers/specs version
    * exec_test.go: Test case for rootfsPropagation="private"
    * exec_test.go: Test cases for rootfsPropagation=rslave
    * Make pivotDir rprivate
    * Make parent mount of container root private if it is shared.
    * Start parsing rootfsPropagation and make it effective
    * Replace config.Privatefs with config.RootPropagation
    * Fix reOpenDevNull
    * Only remount if requested flags differ from current
    * Run tests for all HugetlbSizes
    * Systemd: Join perf_event cgroup
    * Add memory reservation support for systemd
    * Check for failure on /dev/mqueue and try again without labeling
    * /proc and /sys do not support labeling
    * Update github.com/syndtr/gocapability/capability to 2c00daeb6c3b45114c80ac44119e7b8801fdd852
    * Move mount methods out of configs pkg
    * Add version to HookState to make it json-compatible with spec State
    * hooks: Integrate spec hooks with libcontainer
    * Libcontainer: Add support for multiple architectures in Seccomp
    * Change mount dest after resolving symlinks
    * no need to use p.cmd.Process.Pid in function, use p.pid() instead.
    * Ignore changing /dev/null permissions if used in STDIO
    * script: test_Dockerfile: install criu from source
    * Enter existing user namespace if present
    * Cleanup unused func arguments
    * README.md: Update the config example
    * Fix STDIO permissions when container user not root
    * Fix STDIO ownership for non-tty processes
    * script: test_Dockerfile: update criu version
    * update the command usage for `runc start`
    * libcontainer: Allow passing mount propagation flags
    * close config file after loaded
    * simple refactor for the options of `runc spec`
    * update the command usage of `runc`
    * Update README for the CAP prefix change
    * Add CAP prefix for capabilities
    * Adjust runc to new opencontainers/specs version
    * Add testing docs in README
    * make localtest failure on removing seccomp flag
    * Add all support build tags for runc features
    * c/r: create cgroups to restore a container
    * mount: don't read /proc/self/cgroup many times
    * Rework ParseCgroupFile
    * Remove old netlink library
    * Use github.com/vishvananda/netlink for networking
    * Minor comments fix
    * Fixing checkpoint issue
    * Always remount for bind mount
    * Add Andrey Vagin as maintainer
  • Sep 11, 2015