Pre-release

@cyphar cyphar released this Mar 21, 2017 · 523 commits to master since this release

Assets 7

Features:

  • Add slice management support to the systemd cgroup driver. Checks are
    done to make sure that systemd supports the feature. #1084
  • Support for readonly mount labels. #1112
  • Add a tmpcopyup mount extension for tmpfs mounts that are mounted over
    already existing directories, allowing for the contents of a volume to
    be copied up transparently. #845
  • Switch our pivot_root usage to no longer require temporary
    directories, improving the state of containters running in entirely
    readonly contexts. #1125 #1148
  • Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
  • Reimplement console handling to use AF_UNIX sockets such that the
    console is created inside the container's (namespaced) devpts
    instance, solving a wide variety of historical pty bugs with runC.
    #1018 #1356
  • Support overlayfs in mounts. #1314
  • Support creating devices with types 'p' and 'u'. #1321
  • Add --preserve-fds=N to create and run commands. #1320
  • Add pre-dump and parent-path to checkpoint. #1001
  • Update to runtime-spec v1.0.0-rc5. #1370

Fixes:

  • Remove check for binding to /. #1090
  • Ensure we log to logrus on command errors. #1089
  • Don't enable kmem limits if they're not specified in the config. #1095
  • Handle cases where specs.Resources.* members would cause null
    dereferences. #1111 #1116
  • Fix bugs in the GetProcessStartTime implementation. #1136
  • Make sysctl config validation checks handle network namespaces more
    gracefully. #1138 #1149
  • Guarantee correct namespace creation ordering. This is part of the
    rootless container patchset, and is also required in certain SELinux
    setups. #977
  • Stop screwing around with '\n' in console output. #1146
  • Fix cpuset.cpu_exclusive handling. #1194
  • Sync HookState with the OCI specification. #1201
  • Split remounting mountpoints and bindmounts, resolving issues with
    mount options being dropped in certain cases. #1222
  • Fix leftover cgroup directory issue. #1196
  • Handle config.Devices and config.MaskPaths in checkpoint. #1110.
  • Don't create combined cgroup subsystem names. #1268
  • Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
  • Race condition when synchronising with children and grandchildren in
    nsexec.c. #1237
  • Fix state checks to no longer depend on _LIBCONTAINER being present in
    the environment, fixing both bugs as well as being part of the
    rootless container patchset. #1317
  • Fix systemd-notify when using different PID namespaces, and allow
    detach+notify socket. #1308
  • Don't fchown when inheriting stdio, which is necessary for rootless
    containers in certain scenarios. #1354
  • Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
  • Add devices to whitelist for LXD, to make runC under LXC/LXD work
    better. #1327
  • Many improvements to testing. #1121 #1131 #1132 #1147

Security:

Thanks to all of the contributors that made this release possible: