
runc 1.0-rc5 -- "The Final Stretch"

@cyphar cyphar released this 27 Feb 17:31
v1.0.0-rc5
4fc53a8

This is planned to be the final -rc release of runc. While we really
haven't followed the rules for release candidates (with huge features
introduced each release, and with massive gaps between releases) the
hope is that once we've released 1.0.0 we will be much more liberal with
releases in future. Let's see how that pans out. :P

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features:

  • Support cgroups in rootless containers. This is a continuation of the
    previous work done, and allows for users that have specialised setups
    (such as having the LXC pam_cg.so module set up) to use cgroups with
    rootless containers. #1540
  • Add support for newuidmap and newgidmap with rootless containers.
    This is a continuation of some previous work, and allows users that
    have /etc/sub{uid,gid} configured to use the shadow-utils setuid
    helpers. Note that this support doesn't restrict users that don't want
    to use setuid binaries at all. #1529
  • runc will now use a chroot when mount namespaces aren't provided in
    the config.json. While chroot does have its (many) downsides, this
    does allow for specialised configurations to work properly. #1702
  • Expose annotations to hooks, so that the hook can have more direct
    information about the container it is being run against. #1687
  • Add "runc exec --additional-gids" support. #1608
  • Allow more signals to be sent with "runc kill" than are defined by
    Go's syscall package. #1706
  • Emit an error if users try to use MS_PRIVATE with --no-pivot, as that
    is simply not safe. #1606
  • Add support for "unbindable" and "runbindable" as rootfs propagation.
    #1655
  • Implement intelrdt support in runc. #1279 #1590
  • Add support for lazy migration with CRIU. This includes the addition
    of "runc checkpoint httpd" which acts as a remote pagefault request
    server. #1541
  • Add MIPS support. #1475

Fixes:

  • Delay seccomp application as late as possible, to reduce the syscall
    footprint of runc on profiles. #1569

  • Fix --read-only containers with user namespaces, which would
    previously fail under Docker because of privilege problems when trying
    to do the read-only remount. #1572

  • Switch away from stateDirFd entirely. This is an improvement over the
    protections we added for CVE-2016-9962, and protects against many
    other possible container escape bugs. #1570

  • Handle races between "runc start" and "runc delete" over the exec FIFO
    correctly, and avoid blocking "runc start" indefinitely. #1698

  • Correctly generate seccomp profiles that place requirements on syscall
    arguments, as well as multi-argument restrictions. #1616 #1424

  • Prospective patch for remounting of old-root during pivot_root. This
    is intended to solve one of the many "mount leak" bugs that have been
    popping up recently -- caused by lots of container churn and host
    mounts being pinned during container setup. #1500

  • Fix "runc exec" on big-endian architectures. #1727

  • Correct systemd slice expansion to work with cAdvisor. #1722

  • Fix races against systemd cgroup scope creation. #1683

  • Do not wait for signalled processes if libcontainer is running in a
    process that is a subreaper. #1678

  • Remove dependency on libapparmor entirely, and just use
    /proc/$pid/attr directly. #1675

  • Improvements to our integration tests. #1661 #1629 #1528

  • Handle systemd's quirky CPUQuotaPerSecUSec handling in
    fractions-of-a-percent edge-cases. #1651

  • Remove docker/docker import in runc by moving the package to runc.
    #1644

  • Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622

  • Enable integration and unit tests on arm64. #1642 #1640

  • Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539).
    #1641

  • Add several tests for specconv. #1626 #1619

  • Add more extensive tests for terminal handling. #1357

  • Always write freezer state during retry-loop, to avoid an indefinite
    hang when new tasks are spawned in the container. #1610

  • Create cwd when it doesn't exist in the container. #1604

  • Set initial console size based on process spec, to avoid SIGWINCH
    races where initial console size is completely wrong. #1275

  • Small fixes for static builds. #1579 #1577

  • Use epoll for PTY IO, to avoid issues with systemd's SAK protections.
    #1455

  • Update state.json after a "runc update". #1558

  • Switch to umoci's release scripts, to use a more "standardised" and
    distribution-friendly release scheme. Several makefile-fixes included
    as well. #1554 #1542 #1555

  • Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506

  • Use CRIU's RPC to check the version. #1535

  • Always save own namespace paths rather than the path given during
    start-up, to avoid issues where the path disappears afterwards. #1477

  • Fix a bug where we incorrectly set the owners of devices. This is still
    (subtly) broken in user namespaces, but will be fixed in a future version.
    #1743

  • Lots of other miscellaneous fixes and cleanups, many of which were
    written by first-time contributors. Thanks for contributing, and
    welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682
    #1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206
    #1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588
    #1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553
    #1548 #1544 #1545 #1537
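As an added illustration of the configuration-level points in these notes (the
new "unbindable"/"runbindable" rootfs propagation modes from #1655, the chroot
fallback when no mount namespace is configured from #1702, the error on
MS_PRIVATE with --no-pivot from #1606, and /proc/scsi being masked from #1641),
here is a small audit over an OCI config.json. It is not runc code and not part
of this release: the function names, the constructed sample config, and the
`no_pivot` parameter (standing in for the `runc run --no-pivot` command-line
flag) are assumptions, as is treating "rprivate" like "private" for the
no-pivot check since both map to MS_PRIVATE.

```python
"""Audit an OCI config.json against the runc behaviours described in the
runc 1.0-rc5 release notes.  Added example, not runc code.  Function names,
the sample config and the `no_pivot` parameter are assumptions."""
import json

# Propagation modes accepted for linux.rootfsPropagation in the OCI runtime
# spec; "unbindable" and "runbindable" are the two added in this release.
VALID_PROPAGATION = {
    "shared", "slave", "private", "unbindable",
    "rshared", "rslave", "rprivate", "runbindable",
}


def audit_config(config, no_pivot=False):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    linux = config.get("linux", {})

    # 1. rootfsPropagation must be one of the spec's modes (#1655).
    prop = linux.get("rootfsPropagation")
    if prop is not None and prop not in VALID_PROPAGATION:
        findings.append(f"unknown rootfsPropagation {prop!r}")

    # 2. runc refuses MS_PRIVATE propagation together with --no-pivot (#1606).
    #    Assumption: "rprivate" is caught too, since it also sets MS_PRIVATE.
    if no_pivot and prop in ("private", "rprivate"):
        findings.append("rootfsPropagation private with --no-pivot is refused by runc")

    # 3. Without a mount namespace runc falls back to chroot (#1702), which is
    #    weaker isolation than pivot_root inside a fresh mount namespace.
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "mount" not in ns_types:
        findings.append("no mount namespace: runc will chroot instead of pivot_root")

    # 4. /proc/scsi should be masked (#1641, mirror of Docker's CVE-2017-16539).
    if "/proc/scsi" not in linux.get("maskedPaths", []):
        findings.append("/proc/scsi is not in linux.maskedPaths")

    return findings


# Constructed sample config.json excerpt (not taken from any real deployment).
SAMPLE_CONFIG = json.loads("""
{
  "ociVersion": "1.0.0",
  "root": {"path": "rootfs", "readonly": true},
  "linux": {
    "rootfsPropagation": "unbindable",
    "maskedPaths": ["/proc/kcore", "/proc/scsi"],
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}]
  }
}
""")


def main():
    # The hardened sample passes cleanly.
    print("sample findings:", audit_config(SAMPLE_CONFIG))
    # Weaken it the way a hand-edited config might, and audit it with --no-pivot.
    weak = json.loads(json.dumps(SAMPLE_CONFIG))
    weak["linux"]["namespaces"] = [{"type": "pid"}]
    weak["linux"]["maskedPaths"] = ["/proc/kcore"]
    weak["linux"]["rootfsPropagation"] = "private"
    for finding in audit_config(weak, no_pivot=True):
        print("finding:", finding)


if __name__ == "__main__":
    main()
```

Run it against a real bundle with `audit_config(json.load(open("config.json")))`;
the checks only cover the four items named above, not the whole spec.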

Removals:

  • Andrej Vagin stepped down as a maintainer. Thanks for all of your hard
    work Andrej, and have fun working on your other projects! #1543

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:

Vote: +5 -0 #2
Signed-off-by: Aleksa Sarai asarai@suse.de