Tags

Tags give the ability to mark specific points in history as being important
  • debian/1.0.0_rc95.86.g2f8e8e9d+ds1-1

    runc Debian release 1.0.0~rc95.86.g2f8e8e9d+ds1-1
  • upstream/1.0.0_rc95.86.g2f8e8e9d+ds1

    Upstream version 1.0.0~rc95.86.g2f8e8e9d+ds1
  • debian/1.0.0_rc93+ds1-5

    runc Debian release 1.0.0~rc93+ds1-5
  • debian/1.0.0_rc93+ds1-4

    runc Debian release 1.0.0~rc93+ds1-4
  • debian/1.0.0_rc94+ds1-2

    runc Debian release 1.0.0~rc94+ds1-2
  • v1.0.0-rc95

    v1.0.0-rc95 -- "Just when I thought I was out, they pull me back in."
    
    This release of runc contains a fix for CVE-2021-30465[1], and users are
    strongly recommended to update (especially if you are providing
    semi-limited access to spawn containers to untrusted users).
    
    Aside from this security fix, only a few other changes were made since
    v1.0.0-rc94 (the only user-visible change was the addition of support
    for defaultErrnoRet in seccomp profiles).
    
    Thanks to the following people who made this release possible:
    
     * Aleksa Sarai <cyphar@cyphar.com>
     * Giuseppe Scrivano <gscrivan@redhat.com>
     * Kir Kolyshkin <kolyshkin@gmail.com>
     * Mrunal Patel <mrunal@me.com>
    
    Due to the nature of this release, it didn't go through the normal
    public release procedure. However, this break from procedure was agreed
    upon on the security mailing list.
    
    [1]: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
    
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    
  • debian/1.0.0_rc94+ds1-1

    runc Debian release 1.0.0~rc94+ds1-1
  • upstream/1.0.0_rc94+ds1

    Upstream version 1.0.0~rc94+ds1
  • v1.0.0-rc94

    v1.0.0-rc94 -- "Time is an illusion. Lunchtime doubly so."
    
    This release fixes several regressions found in v1.0.0-rc93. We
    recommend users update as soon as possible. This release includes the
    following notable changes:
    
    Potentially breaking changes:
    * cgroupv1: kernel memory limits are now always ignored, as kmemcg has
      been effectively deprecated by the kernel. Users should make use of
      regular memory cgroup controls. (#2840)
    * libcontainer/cgroups: cgroup managers' `Set` now accept
      `configs.Resources` rather than `configs.Cgroups` (#2906)
    * libcontainer/cgroups/systemd: reconnect and retry in case dbus
      connection is closed (after dbus restart) (#2923)
    * libcontainer/cgroups/systemd: don't set limits in `Apply` (#2814)
    
    Bugfixes:
    * seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
    * cgroupv2: blkio weight value conversion fix (#2786)
    * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
      (regression in rc93, #2871)
    * runc start: fix "chdir to cwd: permission denied" for some setups
      (regression in rc93, #2894)
    * s390: fix broken terminal (regression in rc93, #2898)
    
    Improvements:
    * runc start/exec: better diagnostics when container limits are too low
      (#2812)
    * runc start/exec: better cleanup after failed runc init (#2855)
    * cgroupv1: improve freezing chances (#2941, #2918, #2791)
    * cgroupv2: multiple GetStats improvements (#2816, #2873)
    * cgroupv2: fallback to setting io.weight if io.bfq.weight is not
      available (#2820)
    * capabilities: WARN, not ERROR, for unknown / unavailable capabilities
      (#2854)
    
    Thanks to the following people who made this release possible:
    
     * Adam Korcz <adam@adalogics.com>
     * Adrian Reber <areber@redhat.com>
     * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
     * Aleksa Sarai <cyphar@cyphar.com>
     * Ben Hutchings <ben.hutchings@essensium.com>
     * Danail Branekov <danailster@gmail.com>
     * Daniel Dao <dqminh89@gmail.com>
     * Enrico Weigelt <info@metux.net>
     * Iceber Gu <wei.cai-nat@daocloud.io>
     * Kenta Tada <Kenta.Tada@sony.com>
     * Kieron Browne <kbrowne@vmware.com>
     * Kir Kolyshkin <kolyshkin@gmail.com>
     * Liang Zhou <zhoul110@chinatelecom.cn>
     * Liu Hua <weldonliu@tencent.com>
     * Mauricio Vásquez <mauricio@kinvolk.io>
     * Mrunal Patel <mrunal@me.com>
     * Odin Ugedal <odin@uged.al>
     * Peter Hunt <pehunt@redhat.com>
     * Qiang Huang <h.huangqiang@huawei.com>
     * Ryosuke Hanatsuka <hanatsuu@gmail.com>
     * Sascha Grunert <sgrunert@redhat.com>
     * Sebastiaan van Stijn <github@gone.nl>
     * Shengjing Zhu <zhsj@debian.org>
     * Shiming Zhang <wzshiming@foxmail.com>
     * Vasiliy Ulyanov <vulyanov@suse.de>
    
    Vote: +6 -0 !1
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    
  • debian/1.0.0_rc93+ds1-3

    runc Debian release 1.0.0~rc93+ds1-3
  • debian/1.0.0_rc93.144.g6538f9f2+ds1-1

    runc Debian release 1.0.0~rc93.144.g6538f9f2+ds1-1
  • upstream/1.0.0_rc93.144.g6538f9f2+ds1

    Upstream version 1.0.0~rc93.144.g6538f9f2+ds1
  • debian/1.0.0_rc93+ds1-2

    runc Debian release 1.0.0~rc93+ds1-2
  • debian/1.0.0_rc93+ds1-1

    runc Debian release 1.0.0~rc93+ds1-1
  • upstream/1.0.0_rc93+ds1

    Upstream version 1.0.0~rc93+ds1
  • v1.0.0-rc93

    v1.0.0~rc93 -- "I never could get the hang of Thursdays."
    
    This is the last feature-rich RC release and we are in a feature-freeze until
    1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
    and 1.0.0 will be released soon afterwards.
    
     * runc's cgroupv2 support is no longer considered experimental. It is now
       believed to be fully ready for production deployments. In addition, runc's
       cgroup code has been improved:
       - The systemd cgroup driver has been improved to be more resilient and
         handle more systemd properties correctly.
       - We now make use of openat2(2) when possible to improve the security of
         cgroup operations (in future runc will be wholesale ported to libpathrs to
         get this protection in all codepaths).
    
     * runc's mountinfo parsing code has been reworked significantly, making
       container startup times significantly faster and less wasteful in general.
    
     * runc now has special handling for seccomp profiles to avoid making new
       syscalls unusable for glibc. This is done by installing a custom prefix to
       all seccomp filters which returns -ENOSYS for syscalls that are newer than
       any syscall in the profile (meaning they have a larger syscall number).
    
       This should not cause any regressions (because previously users would simply
       get -EPERM rather than -ENOSYS, and the rule applied above is the most
       conservative rule possible) but please report any regressions you find as a
       result of this change -- in particular, programs which have special fallback
       code that is only run in the case of -EPERM.
    
     * runc now supports the following new runtime-spec features:
       - The umask of a container can now be specified.
       - The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
         CAP_CHECKPOINT_RESTORE) are now supported.
       - The "unified" cgroup configuration option, which allows users to explicitly
         specify the limits based on the cgroup file names rather than abstracting
         them through OCI configuration. This is currently limited in scope to
         cgroupv2.
    
     * Various rootless containers improvements:
       - runc will no longer cause conflicts if a user specifies a custom device
         which conflicts with a user-configured device -- the user device takes
         precedence.
       - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
    
     * runc --root is now always treated as local to the current working directory.
    
     * The --no-pivot-root hardening was improved to handle nested mounts properly
       (please note that we still strongly recommend that users do not use
       --no-pivot-root -- it is still an insecure option).
    
     * A large number of code cleanliness and other various cleanups, including
       fairly large changes to our tests and CI to make them all run more
       efficiently.
    
    For packagers the following changes have been made which will have impact on
    your packaging of runc:
    
     * The "selinux" and "apparmor" buildtags have been removed, and now all runc
       builds will have SELinux and AppArmor support enabled. Note that "seccomp"
       is still optional (though we very highly recommend you enable it).
    
     * make install DESTDIR= now functions correctly.
    
    Thanks to the following people who made this release possible:
    
     * acetang <aceapril@126.com>
     * Adrian Reber <areber@redhat.com>
     * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
     * Aleksa Sarai <cyphar@cyphar.com>
     * Amim Knabben <amim.knabben@gmail.com>
     * An Long <aisk1988@gmail.com>
     * Aos Dabbagh <aosdab@gmail.com>
     * Ashok Pon Kumar <ashokponkumar@gmail.com>
     * Cesar Talledo <ctalledo@nestybox.com>
     * Chaitanya Bandi <kbandi@cs.stonybrook.edu>
     * Cory Bennett <cbennett@netflix.com>
     * Daniel J Walsh <dwalsh@redhat.com>
     * Eduardo Vega <edvegavalerio@gmail.com>
     * Feng Sun <loyou85@gmail.com>
     * Giuseppe Scrivano <gscrivan@redhat.com>
     * Jeff Zvier <zvier20@gmail.com>
     * Kenta Tada <Kenta.Tada@sony.com>
     * Kir Kolyshkin <kolyshkin@gmail.com>
     * Manabu Sugimoto <Manabu.Sugimoto@sony.com>
     * Mauricio Vásquez <mauricio@kinvolk.io>
     * Michael Crosby <crosbymichael@gmail.com>
     * Mrunal Patel <mrunalp@gmail.com>
     * Paweł Szulik <pawel.szulik@intel.com>
     * Peter Hunt <pehunt@redhat.com>
     * Piotr Wagner <piotr.wagner@intel.com>
     * Sascha Grunert <sgrunert@suse.com>
     * SataQiu <1527062125@qq.com>
     * Sebastiaan van Stijn <github@gone.nl>
     * Shengjing Zhu <zhsj@debian.org>
     * Shukui Yang <keloyangsk@gmail.com>
     * wangtianxia <sometimesnaive@sjtu.edu.cn>
     * Wei Fu <fuweid89@gmail.com>
     * Xiaochen Shen <xiaochen.shen@intel.com>
     * Xiaodong Liu <liuxiaodong@loongson.cn>
    
    Vote: +6 -0 #1
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    
  • debian/1.0.0_rc92.425.g7e3c3e8c+ds1-1

    runc Debian release 1.0.0~rc92.425.g7e3c3e8c+ds1-1
  • upstream/1.0.0_rc92.425.g7e3c3e8c+ds1

    Upstream version 1.0.0~rc92.425.g7e3c3e8c+ds1
  • debian/1.0.0_rc92.372.gc69ae759+ds1-1

    runc Debian release 1.0.0~rc92.372.gc69ae759+ds1-1
  • upstream/1.0.0_rc92.372.gc69ae759+ds1

    Upstream version 1.0.0~rc92.372.gc69ae759+ds1