Tags

runc release 1.3.0+ds1-3 for unstable

[dgit distro=debian split --quilt=gbp]
[dgit please-upload source=runc version=1.3.0+ds1-3 upstream-tag=upstream/1.3.0+ds1 upstream=34e2709ed5c748c2801ed88ac57dd92a2e4315b5]

Upstream version 1.3.0+ds1

runc v1.4.0-rc.1 -- "おめェもボスになったんだろぉ？"

This is the first release candidate of the runc 1.4.0 release. It
contains a couple of new features, but is mostly made up of some minor
bug fixes and some follow-ups for features deprecated in runc 1.3.0.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release. You
should expect runc 1.4.0 to be released at the end of October 2025 (at
which point, runc 1.2.z will only receive high-severity security fixes
for 6 months and users are thus very strongly encouraged to migrate to a
newer version).

This version of runc requires Go 1.24 to build.

libcontainer API:

- The deprecated libcontainer/user package has been removed; use
  github.com/moby/sys/user instead. (#3999, #4617)
- libcontainer/apparmor variables containing public functions have been
  switched to wrapper functions. (#4725)

Breaking:

- runc update no longer allows --l3-cache-schema or --mem-bw-schema if
  linux.intelRdt was not present in the container’s original
  config.json.

  Without linux.intelRdt no CLOS (resctrl group) is created at container
  creation, so it is not possible to apply the updated options with runc
  update.

  Previously, this scenario did not work as expected. The runc update
  would create a new CLOS but fail to apply the schema, move only the
  init process (omitting children) to the new group, and leave the CLOS
  orphaned after container exit. (#4827)
- The deprecated --criu flag has been removed entirely, instead the criu
  binary in $PATH will be used. (#4722)

Added:

 * runc now supports the linux.netDevices field to allow for devices to
   be moved into container network namespaces seamlessly. (#4538)
 * runc update now supports per-device weight and iops cgroup limits.
   (#4775)
 * intel rdt: allow explicit assignment to root CLOS. (#4854)

Fixed:

 * Container processes will no longer inherit the CPU affinity of runc
   by default. Instead, the default CPU affinity of container processes
   will be the largest set of CPUs permitted by the container's cpuset
   cgroup and any other system restrictions (such as isolated CPUs).
   (#4041, #4815, #4858)
 * Use chown(uid, -1) when configuring the console inode, to avoid
   issues with unmapped GIDs. (#4679)
 * Add logging for the cases where failed keyring operations are ignored
   during setup. (#4676)
 * Optimise runc exec by avoiding calling into SELinux's Set.*Label when
   processLabel is not set. (#4354)
 * Fix mips64 builds for remap-rootfs. (#4723)
 * Setting linux.rootfsPropagation to shared or unbindable now functions
   properly. (#1755, #1815, #4724)
 * runc delete and runc stop can now correctly handle cases where runc
   create was killed during setup. Previously it was possible for the
   container to be in such a state that neither runc stop nor runc
   delete would be unable to kill or delete the container. (#4534,
   #4645, #4757)
 * Close seccomp agent connection to prevent resource leaks. (#4796)
 * runc update will no longer clear intelRdt state information. (#4828)
 * runc will now error out earlier if intelRdt is not enabled. (#4829)
 * Improve filesystem operations within intelRdt manager. (#4840, #4831)
 * Resolve a certain race between runc create and runc delete that would
   previously result in spurious errors. (#4735)
 * CI: skip bpf tests on misbehaving udev systems. (#4825)

Changes:

 * Use Go's built-in pidfd_send_signal(2) support when available.
   (#4666)
 * Make state.json 25% smaller. (#4685)
 * Migrate to Go 1.22+ features. (#4687, #4703)
 * Provide private wrappers around common syscalls to make -EINTR
   handling less cumbersome for the rest of runc. (#4697)
 * Ignore the dmem controller in our cgroup tests, as systemd does not
   yet support it. (#4806)
 * /proc/net/dev is no longer included in the permitted procfs overmount
   list. Its inclusion was almost certainly an error, and because
   /proc/net is a symlink to /proc/self/net, overmounting this was
   almost certainly never useful (and will be blocked by future kernel
   versions). (#4817)
 * Simplify the prepareCriuRestoreMounts logic for checkpoint-restore.
   (#4765)
 * Bump minimum Go version to 1.24. (#4851)
 * CI: migrate virtualised Fedora tests from Vagrant + Cirrus to Lima +
   GHA. We still use Cirrus for the AlmaLinux tests, since they can be
   run without virtualisation. (#4664)
 * CI: install fewer dependencies (#4671), bump shellcheck and bats
   versions (#4670).
 * CI: remove toolchain from go.mod and add a CI check to make sure it's
   never added accidentally. (#4717, #4721)
 * CI: do not allow exclude or replace directives in go.mod, to make
   sure that go install doesn't get accidentally broken. (#4750)
 * CI: fix exclusion rules and allow us to run jobs manually. (#4760)
 * CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis
   for supporting runc's ARM CI up until now. (#4844, #4856)
 * Various dependency updates. (#4659, #4658, #4662, #4663, #4689,
   #4694, #4702, #4701, #4707, #4710, #4746, #4756, #4751, #4758, #4764,
   #4768, #4779, #4783, #4785, #4801, #4808, #4803, #4839, #4846, #4847,
   #4845, #4850, #4861, #4860)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Andrei Vagin <avagin@gmail.com>
 * Antonio Ojea <aojea@google.com>
 * Antti Kervinen <antti.kervinen@intel.com>
 * Henry Chen <henry.chen@oss.cipunited.com>
 * HirazawaUi <695097494plus@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Martin Sivak <msivak@redhat.com>
 * Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
 * Pavel Liubimov <prlyubimov@gmail.com>
 * Peter Hunt <pehunt@redhat.com>
 * Prajwal S N <prajwalnadig21@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
 * Tigran Sogomonian <tsogomonian@astralinux.ru>
 * Yusuke Sakurai <yusuke.sakurai@3-shake.com>
 * jokemanfire <hu.dingyang@zte.com.cn>
 * lifubang <lifubang@acmcoder.com>
 * ningmingxiao <ning.mingxiao@zte.com.cn>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.7 -- "さんをつけろよデコ助野郎！"

This is the seventh patch release of the 1.2.z release branch of runc.
It contains some fixes for issues found in runc 1.3.z that were
considered "significant" bugfixes (as per our new release and support
policy) and thus be worth backporting.

Fixed:

 * Removed preemptive "full access to cgroups" warning when calling runc
   pause or runc unpause as an unprivileged user without
   --systemd-cgroups. Now the warning is only emitted if an actual
   permission error was encountered. (#4709, #4720)
 * Add time namespace to container config after checkpoint/restore. CRIU
   since version 3.14 uses a time namespace for checkpoint/restore,
   however it was not joining the time namespace in runc. (#4696, #4714)
 * Container processes will no longer inherit the CPU affinity of runc
   by default. Instead, the default CPU affinity of container processes
   will be the largest set of CPUs permitted by the container's cpuset
   cgroup and any other system restrictions (such as isolated CPUs).
   (#4041, #4815, #4858)
 * Close seccomp agent connection to prevent resource leaks. (#4796,
   #4800)
 * Several fixes to our CI, mainly related to AlmaLinux and CRIU.
   (#4670, #4728, #4736, #4742)
 * Setting linux.rootfsPropagation to shared or unbindable now functions
   properly. (#1755, #1815, #4724, #4791)
 * runc update will no longer clear intelRdt state information. (#4828,
   #4834)

Changed:

 * In runc 1.2, we changed our mount behaviour to correctly handle
   clearing flags. However, the error messages we returned did not
   provide as much information to users about what clearing flags were
   conflicting with locked mount flags. We now provide more diagnostic
   information if there is an error when in the fallback path to handle
   locked mount flags. (#4734, #4740)
 * Ignore the dmem controller in our cgroup tests, as systemd does not
   yet support it. (#4806, #4811)
 * /proc/net/dev is no longer included in the permitted procfs overmount
   list. Its inclusion was almost certainly an error, and because
   /proc/net is a symlink to /proc/self/net, overmounting this was
   almost certainly never useful (and will be blocked by future kernel
   versions). (#4817, #4820)
 * CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis
   for supporting runc's ARM CI up until now. (#4844, #4856, #4867)
 * Simplify the prepareCriuRestoreMounts logic for checkpoint-restore.
   (#4765, #4872)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Andrei Vagin <avagin@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Martin Sivak <msivak@redhat.com>
 * Pavel Liubimov <prlyubimov@gmail.com>
 * Peter Hunt <pehunt@redhat.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Yusuke Sakurai <yusuke.sakurai@3-shake.com>
 * lfbzhm <lifubang@acmcoder.com>
 * ningmingxiao <ning.mingxiao@zte.com.cn>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.3.1 -- "この瓦礫の山でよぉ"

This is the first patch release of the 1.3.z release series of runc. It
primarily includes some minor fixes for issues found in 1.3.0.

Fixed:

 * Container processes will no longer inherit the CPU affinity of runc
   by default. Instead, the default CPU affinity of container processes
   will be the largest set of CPUs permitted by the container's cpuset
   cgroup and any other system restrictions (such as isolated CPUs).
   (#4041, #4815, #4858)
 * Setting linux.rootfsPropagation to shared or unbindable now functions
   properly. (#1755, #1815, #4724, #4789)
 * Close seccomp agent connection to prevent resource leaks. (#4796,
   #4799)
 * runc delete and runc stop can now correctly handle cases where runc
   create was killed during setup. Previously it was possible for the
   container to be in such a state that neither runc stop nor runc
   delete would be unable to kill or delete the container. (#4534,
   #4645, #4757, #4793)
 * runc update will no longer clear intelRdt state information. (#4828,
   #4833)
 * CI: Fix exclusion rules and allow us to run jobs manually. (#4760,
   #4763)

Changed:

 * Improvements to the deprecation warnings as part of the
   github.com/opencontainers/cgroups split. (#4784, #4788)
 * Ignore the dmem controller in our cgroup tests, as systemd does not
   yet support it. (#4806, #4811)
 * /proc/net/dev is no longer included in the permitted procfs overmount
   list. Its inclusion was almost certainly an error, and because
   /proc/net is a symlink to /proc/self/net, overmounting this was
   almost certainly never useful (and will be blocked by future kernel
   versions). (#4817, #4820)
 * Simplify the prepareCriuRestoreMounts logic for checkpoint-restore.
   (#4765, #4871)
 * CI: Bump golangci-lint to v2.1. (#4747, #4754)
 * CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis
   for supporting runc's ARM CI up until now. (#4844, #4856, #4866)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * HirazawaUi <695097494plus@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Martin Sivak <msivak@redhat.com>
 * Pavel Liubimov <prlyubimov@gmail.com>
 * Peter Hunt <pehunt@redhat.com>
 * Rodrigo Campos <rata@users.noreply.github.com>
 * Yusuke Sakurai <yusuke.sakurai@3-shake.com>
 * lfbzhm <lifubang@acmcoder.com>
 * ningmingxiao <ning.mingxiao@zte.com.cn>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.3.0 -- "Mr. President, we must not allow a mine shaft gap!"

This is the first release of the 1.3.z release branch of runc. It
contains a few minor fixes for issues found in 1.3.0-rc.2.

This is the first release of runc that will follow our new release and
support policy (see RELEASES.md for more details). This means that, as
of this release:

 * As of this release, the runc 1.2.z release branch will now only
   recieve security and "significant" bugfixes.
 * Users are encouraged to plan migrating to runc 1.3.0 as soon as
   possible.
 * Due to its particular situation, runc 1.1.z is officially no longer
   supported and will no longer receieve any updates (not even for
   critical security issues). Users are urged (in the strongest possible
   terms) to upgrade to a supported version of runc.
 * Barring any future changes to our release policy, users should expect
   a runc 1.4.0 release in late October 2025.

Fixed:

 * Removed pre-emptive "full access to cgroups" warning when calling
   runc pause or runc unpause as an unprivileged user without
   --systemd-cgroups. Now the warning is only emitted if an actual
   permission error was encountered. (#4709)
 * Several fixes to our CI, mainly related to AlmaLinux and CRIU.
   (#4670, #4728, #4736)

Changed:

 * In runc 1.2, we changed our mount behaviour to correctly handle
   clearing flags. However, the error messages we returned did not
   provide as much information to users about what clearing flags were
   conflicting with locked mount flags. We now provide more diagnostic
   information if there is an error when in the fallback path to handle
   locked mount flags. (#4734)
 * Upgrade our CI to use golangci-lint v2.0. (#4692)
 * runc version information is now filled in using //go:embed rather
   than being set through Makefile. This allows go install or other
   non-make builds to contain the correct version information. Note that
   "make EXTRA_VERSION=..." still works. (#418)
 * Remove exclude directives from our go.mod for broken cilium/ebpf
   versions. v0.17.3 resolved the issue we had, and exclude directives
   are incompatible with go install. (#4748)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.3.0-rc.2 -- "Eppur si muove."

This is the second release candidate of the runc 1.3.0 release. It
contains a few fixes for issues found in rc.1.

This is the first release series that will follow our new release
policy, meaning that users should expect runc 1.3.0 to be released at
the end of April 2025, at which point the support policy for the runc
1.2.z branch will change. Please see the new RELEASES.md document for
more information.

Users are strongly encouraged to test our release candidates so we can
fix issues before the general release.

Fixes:

 * Use the container's `/etc/passwd` to set the `HOME` env var. After a refactor
   for 1.3, we were setting it reading the host's `/etc/passwd` file instead.
   (#4693, #4688)
 * Override `HOME` env var if it's set to the empty string. This fixes a
   regression after the same refactor for 1.3 and aligns the behavior with older
   versions of runc. (#4711)
 * Add time namespace to container config after checkpoint/restore. CRIU since
   version 3.14 uses a time namespace for checkpoint/restore, however it was not
   joining the time namespace in runc. (#4705)

Thanks to the following contributors for making this release possible:

 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Rudi Heitbaum <rudi@heitbaum.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Andrei Vagin <avagin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

runc v1.2.6 -- "Hasta la victoria, siempre."

This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.

* Fix a stall issue that would happen if setting `O_CLOEXEC` with
  `CloseExecFrom` failed (#4647).
* `runc` now properly handles joining time namespaces (such as with `runc
  exec`). Previously we would attempt to set the time offsets when joining,
  which would fail. (#4635, #4649)
* Handle `EINTR` retries correctly for socket-related direct
  `golang.org/x/sys/unix` system calls. (#4650)
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
  turns out this had some unfortunate bugs in older kernel versions and was
  never necessary in the first place. (#4651, #4640)
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
  runc-dmz, but we forgot to remove this helper added only for that. (#4646)
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
  from CI. We need to drop Ubuntu 20.04 from CI because Github Actions
  announced it's already deprecated and it will be discontinued soon. (#4648)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Evan Phoenix <evan@phx.io>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Tomasz Duda <tomaszduda23@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

runc v1.3.0-rc.1 -- "No tengo miedo al invierno, con tu recuerdo lleno de sol."

This is the first release candidate of the runc 1.3.0 release. It
contains a couple of new features, but is mostly made up of some minor
(but notable) API changes to libcontainer as well as a series of bug
fixes.

This is the first release series that will follow our new release
policy, meaning that user should expect runc 1.3.0 to be released at the
end of April 2025, at which point the support policy for the runc 1.2.z
branch will change. Please see the new RELEASES.md document for more
information.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release.

API Changes:

 * configs.CommandHook struct has changed, Command is now a pointer.
   Also, configs.NewCommandHook now accepts a *Command. (#4325)
 * The Process struct has User string field replaced with numeric UID
   and GID fields, and AdditionalGroups changed its type from []string
   to []int. Essentially, resolution of user and group names to IDs is
   no longer performed by libcontainer, so if a libcontainer user
   previously relied on this feature, now they have to convert names to
   IDs before calling libcontainer; it is recommended to use Go package
   github.com/moby/sys/user for that. (#3999)
 * Move libcontainer/cgroups to a separate repository. (#4618)

Fixes:

 * runc exec -p no longer ignores specified ioPriority and scheduler
   settings. Similarly, libcontainer's Container.Start and Container.Run
   methods no longer ignore Process.IOPriority and Process.Scheduler
   settings. (#4585)
 * We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as
   it turns out this had some unfortunate bugs in older kernel versions
   and was never necessary in the first place. (#4641, #4640)
 * runc now uses a more flexible method of joining namespaces, which
   better matches the behaviour of nsenter(8). This is mainly useful for
   users that create a container with a runc-managed user namespace but
   want the container to join some externally-managed namespace as well.
   (#4492)
 * runc now properly handles joining time namespaces (such as with runc
   exec). Previously we would attempt to set the time offsets when
   joining, which would fail. (#4635, #4636)
 * Handle EINTR retries correctly for socket-related direct
   golang.org/x/sys/unix system calls. (#4637)
 * Handle close_range(2) errors more gracefully. (#4596)
 * Fix a stall issue that would happen if setting O_CLOEXEC with
   CloseExecFrom failed (#4599).
 * Handle errors on older kernels when resetting ambient capabilities
   more gracefully. (#4597)

Changed:

 * runc now has an official release policy to help provide more
   consistency around our release schedules and better define our
   support policy for old release branches. See RELEASES.md for more
   details. (#4557)
 * Improved performance by switching to strings.Cut where appropriate.
   (#4470)
 * The minimum Go version of runc is now Go 1.23. (#4598)
 * Updated builds to libseccomp v2.5.6. (#4625)

Added:

 + runc has been updated to support OCI runtime-spec 1.2.1. (#4653)
 + CPU affinity support for runc exec. (#4327)
 + CRIU support can be disabled using the build tag runc_nocriu. (#4547)
 + Support to get the pidfd of the container via CLI flag pidfd-socket.
   (#4045)
 + Support skip-in-flight and link-remap options for CRIU. (#4627)
 + Support cgroup v1 mounted with noprefix. (#4513)

Thanks to the following contributors for making this release possible:

 * Adam Korczynski <adam@adalogics.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Daniel Levi-Minzi <dleviminzi@gmail.com>
 * Evan Phoenix <evan@phx.io>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rin Arakaki <rnarkkx@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Tomasz Duda <tomaszduda23@gmail.com>
 * Wei Fu <fuweid89@gmail.com>
 * Yangzhao Hjh <yangzhao.hjh@alibaba-inc.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.5 -- "Мороз и солнце; день чудесный!"

This is the fifth patch release in the 1.2.z series of runc. It
primarily fixes an issue caused by an upstream systemd bug.

 * There was a regression in systemd v230 which made the way we define device
   rule restrictions require a systemctl daemon-reload for our transient
   units. This caused issues for workloads using NVIDIA GPUs. Workaround the
   upstream regression by re-arranging how the unit properties are defined.
   (#4568, #4612, #4615)
 * Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
   to allow projects that vendor runc to bump it as well. (#4608)
 * CI: fixed criu-dev compilation. (#4611)
 * Dependency golang.org/x/net is updated to 0.33.0. (#4632)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rata@users.noreply.github.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It
includes a fix for a regression introduced in 1.2.0 related to the
default device list.

 * Re-add tun/tap devices to built-in allowed devices lists.

   In runc 1.2.0 we removed these devices from the default allow-list
   (which were added seemingly by accident early in Docker's history) as
   a precaution in order to try to reduce the attack surface of device
   inodes available to most containers (#3468). At the time we thought
   that the vast majority of users using tun/tap would already be
   specifying what devices they need (such as by using `--device` with
   Docker/Podman) as opposed to doing the `mknod` manually, and thus
   there would've been no user-visible change.

   Unfortunately, it seems that this regressed a noticeable number of
   users (and not all higher-level tools provide easy ways to specify
   devices to allow) and so this change needed to be reverted. Users
   that do not need these devices are recommended to explicitly disable
   them by adding deny rules in their container configuration. (#4555,
   #4556)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.3 -- "Winter is not a season, it's a celebration."

This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.

 * Fixed a regression in use of securejoin.MkdirAll, where multiple
   runc processes racing to create the same mountpoint in a shared rootfs
   would result in spurious EEXIST errors. In particular, this regression
   caused issues with BuildKit. (#4543, #4550)
 * Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
   Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

Thanks to all of the contributors who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.2 -- "Specialization is for insects."

This is the second patch release of the 1.2.z branch of runc. It
includes two fixes for problems introduced in runc 1.2.0, as well as
some documentation improvements surrounding the overlayfs /proc/self/exe
protections.

 * Fixed the failure of `runc delete` on a rootless container with no
   dedicated cgroup on a system with read-only `/sys/fs/cgroup` mount.
   This is a regression in runc 1.2.0, causing a failure when using
   rootless buildkit. (#4518, #4531)
 * Using runc on a system where /run/runc and /usr/bin are on different
   filesystems no longer results in harmless but annoying messages
   ("overlayfs: "xino" feature enabled using 3 upper inode bits")
   appearing in the kernel log. (#4508, #4530)
 * Better memfd-bind documentation. (#4530)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Austin Vazquez <macedonv@amazon.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * lfbzhm <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc release 1.1.15+ds1-1 for unstable (sid) [dgit]

[dgit distro=debian split --quilt=gbp]

runc release 1.1.15+ds1-1 for unstable (sid)

(maintainer view tag generated by dgit --quilt=gbp)

[dgit distro=debian split --quilt=gbp]

Upstream version 1.1.15

Debian release 1.1.12+ds1-5.1

runc v1.2.1 -- "No existe una escuela que enseñe a vivir."

This is the first patch release of the 1.2.z series of runc. It includes
a critical bugfix for an issue that manifested on SELinux-based
distributions distributions and was blocking containerd from updating to
runc 1.2.z.

In addition, runc-dmz (added in 1.2.0) has been removed entirely. This
was opt-out (due to the many limitations it had), but the late addition
of the overlayfs-based CVE-2019-5736 protection made it no longer
necessary at all.

 + Became root after joining an existing user namespace. Otherwise, runc
   won't have permissions to configure some mounts when running under
   SELinux and runc is not creating the user namespace. (#4466, #4477)
 - Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)
 - Remove runc-dmz, that had many limitations, and is mostly made obsolete by
   the new protection mechanism added in v1.2.0. Note that runc-dmz was only
   available only in the 1.2.0 release and required to set an environment variable
   to opt-in. (#4488)
 * The `script/check-config.sh` script now checks for overlayfs support. (#4494)
 * When using cgroups v2, allow to set or update memory limit to "unlimited"
   and swap limit to a specific value. (#4501)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Wei Fu <fuweid89@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.2.0 -- "できるときにできることをやるんだ。それが今だ。"

This is long-awaited release of runc 1.2.0! The primary changes from rc3
are general improvements and fixes for minor regressions related to the
new /proc/self/exe cloning logic in runc 1.2, follow-on patches related
to CVE-2024-45310, as well as some other minor changes.

 + In order to alleviate the remaining concerns around the memory usage
   and (arguably somewhat unimportant, but measurable) performance
   overhead of memfds for cloning `/proc/self/exe`, we have added a new
   protection using `overlayfs` that is used if you have enough
   privileges and the running kernel supports it. It has effectively no
   performance nor memory overhead (compared to no cloning at all).
   (#4448)
 * The original fix for CVE-2024-45310 was intentionally very limited in
   scope to make it easier to review, however it also did not handle all
   possible `os.MkdirAll` cases and thus could lead to regressions. We
   have switched to the more complete implementation in the newer
   versions of `github.com/cyphar/filepath-securejoin`. (#4393, #4400,
   #4421, #4430)
 * In certain situations (a system with lots of mounts or racing mounts)
   we could accidentally end up leaking mounts from the container into
   the host. This has been fixed. (#4417)
 * The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a
   minor bug that would cause us to miss non-`noexec` directories and
   thus fail to start containers on some systems. (#4444)
 * Sometimes the cloned `/proc/self/exe` file descriptor could be placed
   in a way that it would get clobbered by the Go runtime. We had a fix
   for this already but it turns out it could still break in rare
   circumstances, but it has now been fixed. (#4294, #4452)
 * It is not possible for `runc kill` to work properly in some specific
   configurations (such as rootless containers with no cgroups and a
   shared pid namespace). We now output a warning for such
   configurations. (#4398)
 * memfd-bind: update the documentation and make path handling with the
   systemd unit more idiomatic. (#4428)
 * We now use v0.16 of Cilium's eBPF library, including fixes that quite
   a few downstreams asked for. (#4397, #4396)
 * Some internal `runc init` synchronisation that was no longer
   necessary (due to the `/proc/self/exe` cloning move to Go) was
   removed. (#4441)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rafael Roquetto <rafael.roquetto@grafana.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Stavros Panakakis <stavrospanakakis@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.1.14 -- "How, dear sir, did you cross the flood? By not stopping, friend, and by not straining I crossed the flood."

This is the fifteenth patch release in the 1.1.z release branch of runc.
It fixes a few issues with seccomp, leaked mounts, and system performance.

 * The `-ENOSYS` seccomp stub is now always generated for the native
   architecture that `runc` is running on. This is needed to work around some
   arguably specification-incompliant behaviour from Docker on architectures
   such as ppc64le, where the allowed architecture list is set to `null`. This
   ensures that we always generate at least one `-ENOSYS` stub for the native
   architecture even with these weird configs. (#4391)
 * On a system with older kernel, reading `/proc/self/mountinfo` may skip some
   entries, as a consequence runc may not properly set mount propagation,
   causing container mounts leak onto the host mount namespace. (#2404, #4425)
 * In order to fix performance issues in the "lightweight" bindfd protection
   against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
   has been removed. runc now creates a binary copy in all cases. (#4392, #2532)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>