Skip to content

@cyphar cyphar released this Mar 21, 2017 · 1629 commits to master since this release

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp or libapparmor with our releases) and thus we had to recompile
our runc binaries to be sure we were distributing the correct version of
libseccomp and libapparmor. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.

Features:

  • Add slice management support to the systemd cgroup driver. Checks are
    done to make sure that systemd supports the feature. #1084
  • Support for readonly mount labels. #1112
  • Add a tmpcopyup mount extension for tmpfs mounts that are mounted over
    already existing directories, allowing for the contents of a volume to
    be copied up transparently. #845
  • Switch our pivot_root usage to no longer require temporary
    directories, improving the state of containters running in entirely
    readonly contexts. #1125 #1148
  • Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
  • Reimplement console handling to use AF_UNIX sockets such that the
    console is created inside the container's (namespaced) devpts
    instance, solving a wide variety of historical pty bugs with runC.
    #1018 #1356
  • Support overlayfs in mounts. #1314
  • Support creating devices with types 'p' and 'u'. #1321
  • Add --preserve-fds=N to create and run commands. #1320
  • Add pre-dump and parent-path to checkpoint. #1001
  • Update to runtime-spec v1.0.0-rc5. #1370

Fixes:

  • Remove check for binding to /. #1090
  • Ensure we log to logrus on command errors. #1089
  • Don't enable kmem limits if they're not specified in the config. #1095
  • Handle cases where specs.Resources.* members would cause null
    dereferences. #1111 #1116
  • Fix bugs in the GetProcessStartTime implementation. #1136
  • Make sysctl config validation checks handle network namespaces more
    gracefully. #1138 #1149
  • Guarantee correct namespace creation ordering. This is part of the
    rootless container patchset, and is also required in certain SELinux
    setups. #977
  • Stop screwing around with '\n' in console output. #1146
  • Fix cpuset.cpu_exclusive handling. #1194
  • Sync HookState with the OCI specification. #1201
  • Split remounting mountpoints and bindmounts, resolving issues with
    mount options being dropped in certain cases. #1222
  • Fix leftover cgroup directory issue. #1196
  • Handle config.Devices and config.MaskPaths in checkpoint. #1110.
  • Don't create combined cgroup subsystem names. #1268
  • Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
  • Race condition when synchronising with children and grandchildren in
    nsexec.c. #1237
  • Fix state checks to no longer depend on _LIBCONTAINER being present in
    the environment, fixing both bugs as well as being part of the
    rootless container patchset. #1317
  • Fix systemd-notify when using different PID namespaces, and allow
    detach+notify socket. #1308
  • Don't fchown when inheriting stdio, which is necessary for rootless
    containers in certain scenarios. #1354
  • Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
  • Add devices to whitelist for LXD, to make runC under LXC/LXD work
    better. #1327
  • Many improvements to testing. #1121 #1131 #1132 #1147

Security:

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

Assets 10
You can’t perform that action at this time.