runc v1.3.0-rc.1 -- "No tengo miedo al invierno, con tu recuerdo llen…

…o de sol."

This is the first release candidate of the runc 1.3.0 release. It
contains a couple of new features, but is mostly made up of some minor
(but notable) API changes to libcontainer as well as a series of bug
fixes.

This is the first release series that will follow our new release
policy, meaning that user should expect runc 1.3.0 to be released at the
end of April 2025, at which point the support policy for the runc 1.2.z
branch will change. Please see the new RELEASES.md document for more
information.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release.

API Changes:

 * configs.CommandHook struct has changed, Command is now a pointer.
   Also, configs.NewCommandHook now accepts a *Command. (#4325)
 * The Process struct has User string field replaced with numeric UID
   and GID fields, and AdditionalGroups changed its type from []string
   to []int. Essentially, resolution of user and group names to IDs is
   no longer performed by libcontainer, so if a libcontainer user
   previously relied on this feature, now they have to convert names to
   IDs before calling libcontainer; it is recommended to use Go package
   github.com/moby/sys/user for that. (#3999)
 * Move libcontainer/cgroups to a separate repository. (#4618)

Fixes:

 * runc exec -p no longer ignores specified ioPriority and scheduler
   settings. Similarly, libcontainer's Container.Start and Container.Run
   methods no longer ignore Process.IOPriority and Process.Scheduler
   settings. (#4585)
 * We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as
   it turns out this had some unfortunate bugs in older kernel versions
   and was never necessary in the first place. (#4641, #4640)
 * runc now uses a more flexible method of joining namespaces, which
   better matches the behaviour of nsenter(8). This is mainly useful for
   users that create a container with a runc-managed user namespace but
   want the container to join some externally-managed namespace as well.
   (#4492)
 * runc now properly handles joining time namespaces (such as with runc
   exec). Previously we would attempt to set the time offsets when
   joining, which would fail. (#4635, #4636)
 * Handle EINTR retries correctly for socket-related direct
   golang.org/x/sys/unix system calls. (#4637)
 * Handle close_range(2) errors more gracefully. (#4596)
 * Fix a stall issue that would happen if setting O_CLOEXEC with
   CloseExecFrom failed (#4599).
 * Handle errors on older kernels when resetting ambient capabilities
   more gracefully. (#4597)

Changed:

 * runc now has an official release policy to help provide more
   consistency around our release schedules and better define our
   support policy for old release branches. See RELEASES.md for more
   details. (#4557)
 * Improved performance by switching to strings.Cut where appropriate.
   (#4470)
 * The minimum Go version of runc is now Go 1.23. (#4598)
 * Updated builds to libseccomp v2.5.6. (#4625)

Added:

 + runc has been updated to support OCI runtime-spec 1.2.1. (#4653)
 + CPU affinity support for runc exec. (#4327)
 + CRIU support can be disabled using the build tag runc_nocriu. (#4547)
 + Support to get the pidfd of the container via CLI flag pidfd-socket.
   (#4045)
 + Support skip-in-flight and link-remap options for CRIU. (#4627)
 + Support cgroup v1 mounted with noprefix. (#4513)

Thanks to the following contributors for making this release possible:

 * Adam Korczynski <adam@adalogics.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Daniel Levi-Minzi <dleviminzi@gmail.com>
 * Evan Phoenix <evan@phx.io>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rin Arakaki <rnarkkx@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Tomasz Duda <tomaszduda23@gmail.com>
 * Wei Fu <fuweid89@gmail.com>
 * Yangzhao Hjh <yangzhao.hjh@alibaba-inc.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.5 -- "Мороз и солнце; день чудесный!"

This is the fifth patch release in the 1.2.z series of runc. It
primarily fixes an issue caused by an upstream systemd bug.

 * There was a regression in systemd v230 which made the way we define device
   rule restrictions require a systemctl daemon-reload for our transient
   units. This caused issues for workloads using NVIDIA GPUs. Workaround the
   upstream regression by re-arranging how the unit properties are defined.
   (#4568, #4612, #4615)
 * Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
   to allow projects that vendor runc to bump it as well. (#4608)
 * CI: fixed criu-dev compilation. (#4611)
 * Dependency golang.org/x/net is updated to 0.33.0. (#4632)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rata@users.noreply.github.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It
includes a fix for a regression introduced in 1.2.0 related to the
default device list.

 * Re-add tun/tap devices to built-in allowed devices lists.

   In runc 1.2.0 we removed these devices from the default allow-list
   (which were added seemingly by accident early in Docker's history) as
   a precaution in order to try to reduce the attack surface of device
   inodes available to most containers (#3468). At the time we thought
   that the vast majority of users using tun/tap would already be
   specifying what devices they need (such as by using `--device` with
   Docker/Podman) as opposed to doing the `mknod` manually, and thus
   there would've been no user-visible change.

   Unfortunately, it seems that this regressed a noticeable number of
   users (and not all higher-level tools provide easy ways to specify
   devices to allow) and so this change needed to be reverted. Users
   that do not need these devices are recommended to explicitly disable
   them by adding deny rules in their container configuration. (#4555,
   #4556)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.3 -- "Winter is not a season, it's a celebration."

This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.

 * Fixed a regression in use of securejoin.MkdirAll, where multiple
   runc processes racing to create the same mountpoint in a shared rootfs
   would result in spurious EEXIST errors. In particular, this regression
   caused issues with BuildKit. (#4543, #4550)
 * Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
   Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

Thanks to all of the contributors who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.2 -- "Specialization is for insects."

This is the second patch release of the 1.2.z branch of runc. It
includes two fixes for problems introduced in runc 1.2.0, as well as
some documentation improvements surrounding the overlayfs /proc/self/exe
protections.

 * Fixed the failure of `runc delete` on a rootless container with no
   dedicated cgroup on a system with read-only `/sys/fs/cgroup` mount.
   This is a regression in runc 1.2.0, causing a failure when using
   rootless buildkit. (#4518, #4531)
 * Using runc on a system where /run/runc and /usr/bin are on different
   filesystems no longer results in harmless but annoying messages
   ("overlayfs: "xino" feature enabled using 3 upper inode bits")
   appearing in the kernel log. (#4508, #4530)
 * Better memfd-bind documentation. (#4530)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Austin Vazquez <macedonv@amazon.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * lfbzhm <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.1 -- "No existe una escuela que enseñe a vivir."

This is the first patch release of the 1.2.z series of runc. It includes
a critical bugfix for an issue that manifested on SELinux-based
distributions distributions and was blocking containerd from updating to
runc 1.2.z.

In addition, runc-dmz (added in 1.2.0) has been removed entirely. This
was opt-out (due to the many limitations it had), but the late addition
of the overlayfs-based CVE-2019-5736 protection made it no longer
necessary at all.

 + Became root after joining an existing user namespace. Otherwise, runc
   won't have permissions to configure some mounts when running under
   SELinux and runc is not creating the user namespace. (#4466, #4477)
 - Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)
 - Remove runc-dmz, that had many limitations, and is mostly made obsolete by
   the new protection mechanism added in v1.2.0. Note that runc-dmz was only
   available only in the 1.2.0 release and required to set an environment variable
   to opt-in. (#4488)
 * The `script/check-config.sh` script now checks for overlayfs support. (#4494)
 * When using cgroups v2, allow to set or update memory limit to "unlimited"
   and swap limit to a specific value. (#4501)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Wei Fu <fuweid89@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.2.0 -- "できるときにできることをやるんだ。それが今だ。"

This is long-awaited release of runc 1.2.0! The primary changes from rc3
are general improvements and fixes for minor regressions related to the
new /proc/self/exe cloning logic in runc 1.2, follow-on patches related
to CVE-2024-45310, as well as some other minor changes.

 + In order to alleviate the remaining concerns around the memory usage
   and (arguably somewhat unimportant, but measurable) performance
   overhead of memfds for cloning `/proc/self/exe`, we have added a new
   protection using `overlayfs` that is used if you have enough
   privileges and the running kernel supports it. It has effectively no
   performance nor memory overhead (compared to no cloning at all).
   (#4448)
 * The original fix for CVE-2024-45310 was intentionally very limited in
   scope to make it easier to review, however it also did not handle all
   possible `os.MkdirAll` cases and thus could lead to regressions. We
   have switched to the more complete implementation in the newer
   versions of `github.com/cyphar/filepath-securejoin`. (#4393, #4400,
   #4421, #4430)
 * In certain situations (a system with lots of mounts or racing mounts)
   we could accidentally end up leaking mounts from the container into
   the host. This has been fixed. (#4417)
 * The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a
   minor bug that would cause us to miss non-`noexec` directories and
   thus fail to start containers on some systems. (#4444)
 * Sometimes the cloned `/proc/self/exe` file descriptor could be placed
   in a way that it would get clobbered by the Go runtime. We had a fix
   for this already but it turns out it could still break in rare
   circumstances, but it has now been fixed. (#4294, #4452)
 * It is not possible for `runc kill` to work properly in some specific
   configurations (such as rootless containers with no cgroups and a
   shared pid namespace). We now output a warning for such
   configurations. (#4398)
 * memfd-bind: update the documentation and make path handling with the
   systemd unit more idiomatic. (#4428)
 * We now use v0.16 of Cilium's eBPF library, including fixes that quite
   a few downstreams asked for. (#4397, #4396)
 * Some internal `runc init` synchronisation that was no longer
   necessary (due to the `/proc/self/exe` cloning move to Go) was
   removed. (#4441)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rafael Roquetto <rafael.roquetto@grafana.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Stavros Panakakis <stavrospanakakis@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.14 -- "How, dear sir, did you cross the flood? By not stopping, …

…friend, and by not straining I crossed the flood."

This is the fifteenth patch release in the 1.1.z release branch of runc.
It fixes a few issues with seccomp, leaked mounts, and system performance.

 * The `-ENOSYS` seccomp stub is now always generated for the native
   architecture that `runc` is running on. This is needed to work around some
   arguably specification-incompliant behaviour from Docker on architectures
   such as ppc64le, where the allowed architecture list is set to `null`. This
   ensures that we always generate at least one `-ENOSYS` stub for the native
   architecture even with these weird configs. (#4391)
 * On a system with older kernel, reading `/proc/self/mountinfo` may skip some
   entries, as a consequence runc may not properly set mount propagation,
   causing container mounts leak onto the host mount namespace. (#2404, #4425)
 * In order to fix performance issues in the "lightweight" bindfd protection
   against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
   has been removed. runc now creates a binary copy in all cases. (#4392, #2532)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>

v1.2.0-rc.3 -- "The supreme happiness of life is the conviction that …

…we are loved."

This is the third release candidate for the 1.2.0 branch of runc. It includes
all patches and bugfixes included in runc 1.1 patch releases (up to and
including 1.1.14) and also includes a fix for a low severity security issue
(CVE-2024-45310).

 * Fix CVE-2024-45310, a low-severity attack that allowed maliciously
   configured containers to create empty files and directories on the host.
 + Document build prerequisites for different platforms. (#4353)
 * Try to delete exec fifo file when failure in creation. (#4319)
 * Revert "libcontainer: seccomp: pass around *os.File for notifyfd". (#4337)
 * Fix link to gvariant documentation in systemd docs. (#4369)
 * Remove pre-go1.17 build-tags. (#4329)
 * libct/userns: assorted (godoc) improvements. (#4330)
 * libct/userns: split userns detection from internal userns code. (#4331)
 * rootfs: consolidate mountpoint creation logic. (#4359)
 * Add Go 1.23, drop 1.21. (#4360)
 * Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
   (#4370)
 * Mv contrib/cmd tests/cmd (except memfd-bind). (#4377)
 * Makefile: Don't read COMMIT, BUILDTAGS, EXTRA_BUILDTAGS from env vars.
   (#4380)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Avi Deitcher <avi@deitcher.net>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * lifubang <lifubang@acmcoder.com>
 * ver4a <verca@uncontrol.me>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.14 -- "年を取っていいことは、驚かなくなることね。"

This is the fourteenth patch release in the 1.1.z release branch of
runc. It includes a fix for a low severity security issue
(CVE-2024-45310) as well as some minor build-related fixes (including Go
1.23 support).

 * Fix CVE-2024-45310, a low-severity attack that allowed maliciously
   configured containers to create empty files and directories on the host.
 * Add support for Go 1.23. (#4360, #4372)
 * Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
   (#4370, #4382)
 * rootfs: consolidate mountpoint creation logic. (#4359)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>