Releases: opencontainers/runc
runc 1.0-rc94 -- "Time is an illusion. Lunchtime doubly so."
This release fixes several regressions found in v1.0.0-rc93. We
recommend users update as soon as possible. This release includes the
following notable changes:
Potentially breaking changes:
- cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of
regular memory cgroup controls. (#2840) - libcontainer/cgroups: cgroup managers'
Set
now accept
configs.Resources
rather thanconfigs.Cgroups
(#2906) - libcontainer/cgroups/systemd: reconnect and retry in case dbus
connection is closed (after dbus restart) (#2923) - libcontainer/cgroups/systemd: don't set limits in
Apply
(#2814)
Bugfixes:
- seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
- cgroupv2: blkio weight value conversion fix (#2786)
- runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
(regression in rc93, #2871) - runc start: fix "chdir to cwd: permission denied" for some setups
(regression in rc93, #2894) - s390: fix broken terminal (regression in rc93, #2898)
Improvements:
- runc start/exec: better diagnostics when container limits are too low
(#2812) - runc start/exec: better cleanup after failed runc init (#2855)
- cgroupv1: improve freezing chances (#2941, #2918, #2791)
- cgroupv2: multiple GetStats improvements (#2816, #2873)
- cgroupv2: fallback to setting io.weight if io.bfq.weight is not
available (#2820) - capabilities: WARN, not ERROR, for unknown / unavailable capabilities
(#2854)
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adam Korcz adam@adalogics.com
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Ben Hutchings ben.hutchings@essensium.com
- Danail Branekov danailster@gmail.com
- Daniel Dao dqminh89@gmail.com
- Enrico Weigelt info@metux.net
- Iceber Gu wei.cai-nat@daocloud.io
- Kenta Tada Kenta.Tada@sony.com
- Kieron Browne kbrowne@vmware.com
- Kir Kolyshkin kolyshkin@gmail.com
- Liang Zhou zhoul110@chinatelecom.cn
- Liu Hua weldonliu@tencent.com
- Mauricio Vásquez mauricio@kinvolk.io
- Mrunal Patel mrunal@me.com
- Odin Ugedal odin@uged.al
- Peter Hunt pehunt@redhat.com
- Qiang Huang h.huangqiang@huawei.com
- Ryosuke Hanatsuka hanatsuu@gmail.com
- Sascha Grunert sgrunert@redhat.com
- Sebastiaan van Stijn github@gone.nl
- Shengjing Zhu zhsj@debian.org
- Shiming Zhang wzshiming@foxmail.com
- Vasiliy Ulyanov vulyanov@suse.de
Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc93 -- "I never could get the hang of Thursdays."
This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.
-
runc's cgroupv2 support is no longer considered experimental. It is now
believed to be fully ready for production deployments. In addition, runc's
cgroup code has been improved:- The systemd cgroup driver has been improved to be more resilient and
handle more systemd properties correctly. - We now make use of openat2(2) when possible to improve the security of
cgroup operations (in future runc will be wholesale ported to libpathrs to
get this protection in all codepaths).
- The systemd cgroup driver has been improved to be more resilient and
-
runc's mountinfo parsing code has been reworked significantly, making
container startup times significantly faster and less wasteful in general. -
runc now has special handling for seccomp profiles to avoid making new
syscalls unusable for glibc. This is done by installing a custom prefix to
all seccomp filters which returns -ENOSYS for syscalls that are newer than
any syscall in the profile (meaning they have a larger syscall number).This should not cause any regressions (because previously users would simply
get -EPERM rather than -ENOSYS, and the rule applied above is the most
conservative rule possible) but please report any regressions you find as a
result of this change -- in particular, programs which have special fallback
code that is only run in the case of -EPERM. -
runc now supports the following new runtime-spec features:
- The umask of a container can now be specified.
- The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
CAP_CHECKPOINT_RESTORE) are now supported. - The "unified" cgroup configuration option, which allows users to explicitly
specify the limits based on the cgroup file names rather than abstracting
them through OCI configuration. This is currently limited in scope to
cgroupv2.
-
Various rootless containers improvements:
- runc will no longer cause conflicts if a user specifies a custom device
which conflicts with a user-configured device -- the user device takes
precedence. - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
- runc will no longer cause conflicts if a user specifies a custom device
-
runc --root is now always treated as local to the current working directory.
-
The --no-pivot-root hardening was improved to handle nested mounts properly
(please note that we still strongly recommend that users do not use
--no-pivot-root -- it is still an insecure option). -
A large number of code cleanliness and other various cleanups, including
fairly large changes to our tests and CI to make them all run more
efficiently.
For packagers the following changes have been made which will have impact on
your packaging of runc:
-
The "selinux" and "apparmor" buildtags have been removed, and now all runc
builds will have SELinux and AppArmor support enabled. Note that "seccomp"
is still optional (though we very highly recommend you enable it). -
make install DESTDIR= now functions correctly.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- acetang aceapril@126.com
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Amim Knabben amim.knabben@gmail.com
- An Long aisk1988@gmail.com
- Aos Dabbagh aosdab@gmail.com
- Ashok Pon Kumar ashokponkumar@gmail.com
- Cesar Talledo ctalledo@nestybox.com
- Chaitanya Bandi kbandi@cs.stonybrook.edu
- Cory Bennett cbennett@netflix.com
- Daniel J Walsh dwalsh@redhat.com
- Eduardo Vega edvegavalerio@gmail.com
- Feng Sun loyou85@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- Jeff Zvier zvier20@gmail.com
- Kenta Tada Kenta.Tada@sony.com
- Kir Kolyshkin kolyshkin@gmail.com
- Manabu Sugimoto Manabu.Sugimoto@sony.com
- Mauricio Vásquez mauricio@kinvolk.io
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunalp@gmail.com
- Paweł Szulik pawel.szulik@intel.com
- Peter Hunt pehunt@redhat.com
- Piotr Wagner piotr.wagner@intel.com
- Sascha Grunert sgrunert@suse.com
- SataQiu 1527062125@qq.com
- Sebastiaan van Stijn github@gone.nl
- Shengjing Zhu zhsj@debian.org
- Shukui Yang keloyangsk@gmail.com
- wangtianxia sometimesnaive@sjtu.edu.cn
- Wei Fu fuweid89@gmail.com
- Xiaochen Shen xiaochen.shen@intel.com
- Xiaodong Liu liuxiaodong@loongson.cn
Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc92 -- "Almost, but not quite, entirely unlike tea."
This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):
- Fix helpers used by Docker to correctly handle symlinks in /dev (when running
with --privileged containers).
As well as some other improvements:
- Updates to CRIU support.
- Improvements to cgroupfs performance and correctness.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Daniel J Walsh dwalsh@redhat.com
- Giuseppe Scrivano gscrivan@redhat.com
- John Hwang john.f.hwang@gmail.com
- Kir Kolyshkin kolyshkin@gmail.com
- Lokesh Mandvekar lsm5@fedoraproject.org
- Mrunal Patel mrunalp@gmail.com
- Sebastiaan van Stijn github@gone.nl
- tjucoder chinesecoder@foxmail.com
- Xiaodong Liu liuxiaodong@loongson.cn
- Xiaoyu Zhang mateuszhang@tencent.com
- zvier zvier20@gmail.com
Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc91 -- "Just Hook a Right Over Here"
This is intended to be the second-last RC release, with -rc92
having
very few large changes so that we can release runc 1.0 (at long last).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
-
The long-awaited hooks changes have been merged into runc. This was
one of the few remaining spec-related issues which were blocking us
from releasing runc 1.0. Existing hook users will not be affected by
this change, but runc now supports additional hooks that we expect
users to migrate to eventually. The new hooks are:createRuntime
(replacement for the now-deprecatedprestart
)createContainer
startContainer
-
A large amount of effort has been undertaken to support cgroupv2
within runc. The support is still considered experimental, but it is
mostly functional at this point. Please report any bugs you find when
running under cgroupv2-only systems. -
A minor-severity security bug was fixed. The devices list would
be in allow-by-default mode from the outset, meaning that users would
have to explicitly specify they wish to deny all device access at the
beginning of the configuration. While this would normally be
considered a high-severity vulnerability, all known users of runc had
worked around this issue several years ago (hence why this fairly
obvious bug was masked).In addition, the devices list code has been massively improved such
that it will attempt to avoid causing spurrious errors in the
container (such as while writing to/dev/null
) when doing devices
cgroup updates. -
A security audit of runc was conducted in 2019, and the report PDF is
now included in the runc repository. The previous release of runc
has already addressed the security issues found in that report.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Alban Crequy alban@kinvolk.io
- Aleksa Sarai asarai@suse.de
- Alice Frosi afrosi@de.ibm.com
- Amye Scavarda Perrin amye@linuxfoundation.org
- Andrei Vagin avagin@gmail.com
- Boris Popovschi zyqsempai@mail.ru
- Brian Goff cpuguy83@gmail.com
- Chris Aniszczyk caniszczyk@gmail.com
- Danail Branekov danailster@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- iwankgb maciej.iwanowski@intel.com
- John Hwang John.F.Hwang@gmail.com
- Katarzyna Kujawa katarzyna.kujawa@intel.com
- Kenta Tada Kenta.Tada@sony.com
- Kir Kolyshkin kolyshkin@gmail.com
- Kir Kolyshkin kolyshkin@users.noreply.github.com
- Kohei Ota kela@inductor.me
- l00397676 lujingxiao@huawei.com
- Lifubang lifubang@acmcoder.com
- Mario Nitchev marionitchev@gmail.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunalp@gmail.com
- Odin Ugedal odin@ugedal.com
- Paweł Szulik pawel.szulik@intel.com
- Peter Hunt pehunt@redhat.com
- Pradyumna Agrawal pradyumnaa@vmware.com
- Qiang Huang h.huangqiang@huawei.com
- Renaud Gaubert rgaubert@nvidia.com
- Sascha Grunert sgrunert@suse.com
- Sebastiaan van Stijn github@gone.nl
- SiYu Zhao d.chaser.zsy@gmail.com
- Ted Yu yuzhihong@gmail.com
- Tianjia Zhang tianjia.zhang@linux.alibaba.com
- Tianon Gravi admwiggin@gmail.com
- Tobias Klauser tklauser@distanz.ch
- wanghuaiqing wanghuaiqing@loongson.cn
- W. Trevor King wking@tremily.us
- Yulia Nedyalkova julianedialkova@hotmail.com
- zyu yuzhihong@gmail.com
NOTE: For those who are confused by the massive version jump (
rc10
torc91
), this was done to avoid issues with SemVer and lexical
comparisons -- there haven't been 90 other release candidates. Please
also note that runc1.0.0-rc90
is identical to1.0.0-rc10
. See #2399
for more details.
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc90 -- "We Have To Go Back!"
This release is identical to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).
The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic sort -V
order).
Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See #2399 for more details.
The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc10 -- "Procfs Strikes Back"
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged the next rc release of runc should be the last one before
1.0.0.
Other notable changes include:
- Fixing an exec-fifo race that could be triggered under Kubernetes (#2185).
- Partial cgroupv2 support (#2209 for remaining issues).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai asarai@suse.de
- James Peach jpeach@apache.org
- Jordan Liggitt liggitt@google.com
- Julia Nedialkova julianedialkova@hotmail.com
- Julio Montes julio.montes@intel.com
- Kevin Kelani kkelani@gmail.com
- Kurnia D Win kurnia.d.win@gmail.com
- Manuel Rüger manuel@rueg.eu
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Qiang Huang h.huangqiang@huawei.com
- Radostin Stoyanov rstoyanov1@gmail.com
- Sascha Grunert sgrunert@suse.com
- tianye15 tianye15@yq01-ps-www007cc6e83.yq01.baidu.com
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc9 -- "Watch out for that first step, it's a doozy!"
This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai asarai@suse.de
- Andreas Stocker astocker@anexia-it.com
- blacktop blacktop@users.noreply.github.com
- Carlos de Paula me@carlosedp.com
- Danail Branekov danailster@gmail.com
- Daniel J Walsh dwalsh@redhat.com
- Erik Sipsma sipsma@amazon.com
- Filipe Brandenburger filbranden@gmail.com
- Georgi Sabev georgethebeatle@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- Howard Zhang howard.zhang@arm.com
- Joe Burianek joe.burianek@pantheon.io
- Jonathan Rudenberg jonathan@titanous.com
- Julien Durillon julien.durillon@gmail.com
- Kenta Tada Kenta.Tada@sony.com
- Lifubang lifubang@acmcoder.com
- Marco Vedovati mvedovati@suse.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Odin Ugedal odin@ugedal.com
- Qiang Huang h.huangqiang@huawei.com
- sashayakovtseva sasha@sylabs.io
- Sebastiaan van Stijn github@gone.nl
- Xiaochen Shen xiaochen.shen@intel.com
- Xiao YongBiao xyb4638@gmail.com
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc8 -- "Oops, We Did It Again!"
This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels
(which don't support keycreate labeling). Users are strongly encouraged
to update, as this regression was introduced in 1.0.0-rc7 and has
blocked many users from updating to mitigate CVE-2019-5736.
At the moment the only outlying issue before we can release 1.0.0 is
some spec discussions we are having about OCI hooks and how to handle
the integration with existing NVIDIA hooks. We will do our best to
finish this work as soon as we can.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Aleksa Sarai asarai@suse.de
- Daniel J Walsh dwalsh@redhat.com
- lifubang lifubang@acmcoder.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc7 -- "The Eleventh Hour"
WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.
Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Security:
-
Mitigate CVE-2019-5736. This is an updated version of the patch series sent
out on openwall and we encourage users to update. #1982 #1984NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a
hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN
privileged users).Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers
without user namespaces to be fundamentally insecure, as such we do not
consider this to be a security issue.If you want an additional host-level mitigation, use
chattr +i
on the
host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to
it -- even with CAP_SYS_ADMIN. But as above, if you give
CAP_LINUX_IMMUTABLE to a container you will have problems.An alternative is to bind-mount a sealed memfd copy of the runc binary over
the binary (runc will detect this and will not attempt further mitigation,
because sealed memfds are fundamentally unmodifiable) but this requires
more in-depth work by administrators. -
There appear to be production users of --no-pivot-root, which is something
that we absolutely recommend against and do not consider to be a secure
configuration -- since pivot_root(2) has many security properties that are
not possible to provide with just chroot(2).However, a specific issue was discovered which we decided to mitigate in
order to avoid production users being exploited by it. This security issue
is not elligible for a CVE because it requires an insecure configuration
(--no-pivot-root). #1962
Features:
- Add intelrdt support for MBA to runc (a new intelrdt feature available in
Linux 4.18+). #1919 - Add support for specifying a CRIU configuration file for checkpoint/restore
(which makes use of a new org.criu.config annotation). #1933 #1964 - Add support for "runc exec --preserve-fds". #1995
- Added support for SELinux labeling of keyrings. #2012
Fixes:
- Correct handling of "runc kill" when a container is stopped or paused.
#1934 #1943 - Error out if built with nokmem and kmemcg limits were requested. #1939
- Update check-config.sh to be in line with Docker's. #1942
- Improve handling of kmem and the systemd cgroup driver. #1960
- Improve resilience of adding setns tasks to cgroups. #1950
- Remove (broken) detection of .scope for systemd. #1978
- Fix console hanging with preserve-fds, where not enough fds have actually
been provided to runc (which is a very common mistake when using
--preserve-fds). #2000 - Create bind-mounts when restoring. #1968
- Fix regression of zombie "runc init" processes. #2023
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Ace-Tang aceapril@126.com
- Adrian Reber areber@redhat.com
- Aleksa Sarai asarai@suse.de
- Alex Fang littlelightlittlefire@gmail.com
- Christian Brauner christian.brauner@ubuntu.com
- Danail Branekov danailster@gmail.com
- Daniel, Dao Quang Minh dqminh89@gmail.com
- Daniel J Walsh dwalsh@redhat.com
- Filipe Brandenburger filbranden@google.com
- Giuseppe Scrivano gscrivan@redhat.com
- JoeWrightss zhoulin.xie@daocloud.io
- John Howard jhoward@microsoft.com
- Justin Cormack justin.cormack@docker.com
- Kenta Tada Kenta.Tada@sony.com
- Lifubang lifubang@acmcoder.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Tom Godkin tgodkin@pivotal.io
- Vincent Batts vbatts@hashbangbash.com
- Xiaochen Shen xiaochen.shen@intel.com
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc6 -- "For Real This Time"
This is the final feature release of runc before 1.0, rather than 1.0
itself. The reason for this is that, during the preparations for this
release (which was originally meant to be 1.0) it was brought up that
there were several spec-compliance problems. One of these was related to
hook ordering, and upon trying to fix them it turns out that many users
(notably the NVIDIA OCI hooks) make use of our incorrect hook ordering.
Many of the proposed solutions to this problem all require a lot of time
and co-ordination, and thus would stall this release indefinitely.
So, the idea is to have an intermediate release which will mark a
freeze-on-everything-except-spec-compliance-bugs. No other changes will
be included pre-1.0 (aside from security patches obviously).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp
with our releases) and thus we had to recompile ourrunc
binaries to be sure we were distributing the correct version oflibseccomp
.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Features:
- Upgrade to using Go 1.10. #1711
- Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
- Allow for checkpoint-restore into a foreign network namespace. #1849
- The "type" field for bind-mounts is now ignored. This is important, because
many users incorrectly assume that "type" defines a bind-mount and not
"options". Previously you had to set both. #1753 #1845 - "setgroups=allow" is now possible in rootless mode, but requires the use of
the privileged newgidmap helper (fully-rootless still requires
"setgroups=deny"). #1693 - Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
- Several aspects of rootless mode are now used inside user namespaces. This
is necessary for a bunch of useful things (such as running Docker inside an
user namespace), but did cause some breakages. We think they've all been
fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862 - Improve kernel.{domain,host}name sysctl handling, to allow the NIS
domainname to be set from Docker or other callers without an OCI spec
change. #1827 - Add documentation for one of the more confusion parts of runc, how terminals
are handled (including an explanation of --console-socket). All the gory
details and recommendations are available in docs/terminals.md. #1730 - Allow /proc to be bind-mounted over (useful for rootless containers). #1832
- Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker
working with LXC under the default seccomp profile (which is what ChromeOS
uses). #1893 - Add support for the Intel RDT/MBA resource control system. #1632 #1913
- Allow building with completely-disabled kmemcg support, to get around
problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting
enabled). #1921 #1922 #1930 - Add support for cgroup namespaces, which in turn fixes a few other issues we
encountered with the previous code (which could be moving us to a cgroup
during Go execution). #1916
Fixes:
- Namespace creation with user namespaces now plays a bit nicer with SELinux
and IPC (which had a bug where the in-kernel mqueue mount would have the
wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to
avoid future problems with broken kernel integration. #1562 - Mild refactor of libcontainer/user. #1749
- Fix null-pointer-exception when no cgroups were set. #1752
- Various DBus and systemd related changes for the systemd-cgroup driver.
#1754 #1772 #1776 #1781 #1805 #1917 - Apply SELinux label to masked directories. #1756
- Obey the XDG spec and set the sticky bit on runc's root when using
XDG_RUNTIME_DIR (in rootless mode). #1760 - Only configure network namespaces if we are creating them. #1777
- Fix race in runc-exec against a currently-exiting pid1. #1812
- Forward GOMAXPROCS to try to reduce the number of threads started by 'runc
init'. Unforunately there's no way to stop Go from spawning new threads so
this is more of a recommendation. #1830 - Fix tmpcopyup in cases where /tmp is not a private mount. #1873
- Whitelist /proc/loadavg for bind-mounting. #1882
- Protect against deletion of runc state directory with a containerid of "..",
as well as the addition of other path hardening code. #1883 - Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work
on distributions that use-and-abuse shared subtrees. #1817 - Fix console hanging in several cases. #1895 #1897
- Lock-to-a-thread during 'runc init' to ensure that that we don't switch
threads and run within a different SELinux label. #1814 - Respect cgroupPath when trying to find the cgroupfs mountpoint (which can
happen in cases where containers are given different cgroupfs mounts). #1872 - And many other minor changes, many from first-time contributors! #1746 #1748
#1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840
#1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908
#1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911
Fixes (for spec violations):
- Don't set a container to "running" when exec-ing into it (because it might
be in the "created" state). #1771 - oom_score_adj is now no longer modified if it was unspecified in config.json
(this was a spec violation). #1759 - Set "status" in hook stdin, as well as switch to using *spec.State to avoid
JSON-representation drift. #1741
Static Linking Notices
The runc
binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc
acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Ace-Tang aceapril@126.com
- Adrian Reber areber@redhat.com
- Akihiro Suda suda.akihiro@lab.ntt.co.jp
- Alban Crequy alban@kinvolk.io
- Aleksa Sarai asarai@suse.de
- Alex Glikson alex.glikson@gmail.com
- Andrei Vagin avagin@virtuozzo.com
- Antonio Murdaca runcom@redhat.com
- Bin Chen nk@devicu.com
- ChangFeng changfeng@pinduoduo.com
- Chris Aniszczyk caniszczyk@gmail.com
- Danail Branekov danailster@gmail.com
- Daniel, Dao Quang Minh dqminh89@gmail.com
- Daniel J Walsh dwalsh@redhat.com
- Denys Smirnov denys@sourced.tech
- Derek Carr decarr@redhat.com
- dlorenc lorenc.d@gmail.com
- Dmitry Smirnov onlyjob@member.fsf.org
- Dominik Süß dominik@suess.wtf
- Filipe Brandenburger filbranden@google.com
- Giuseppe Scrivano gscrivan@redhat.com
- Harald Nordgren haraldnordgren@gmail.com
- Jay Kamat jaygkamat@gmail.com
- Jonathan Marler johnnymarler@gmail.com
- Kenta Tada Kenta.Tada@sony.com
- Kir Kolyshkin kolyshkin@gmail.com
- Lifubang lifubang@acmcoder.com
- Lin Yang lin.a.yang@intel.com
- Marco Vedovati mvedovati@suse.com
- Michael Crosby crosbymichael@gmail.com
- Mike Brown brownwm@us.ibm.com
- Mrunal Patel mrunalp@gmail.com
- Nalin Dahyabhai nalin@redhat.com
- Qiang Huang h.huangqiang@huawei.com
- Sebastien Boeuf sebastien.boeuf@intel.com
- Sergio Lopez slp@redhat.com
- Tamal Saha tamal@appscode.com
- Tibor Vass tibor@docker.com
- vikaschoudhary16 choudharyvikas16@gmail.com
- Vincent Batts vbatts@hashbangbash.com
- W. Trevor King wking@tremily.us
- Xiaochen Shen xiaochen.shen@intel.com
- Yan Zhu yanzhu@alauda.io
- Yuanhong Peng pengyuanhong@huawei.com
Signed-off-by: Aleksa Sarai asarai@suse.de