v1.2.0 -- "できるときにできることをやるんだ。それが今だ。"

This is the long-awaited release of runc 1.2.0! The primary changes from rc3 are general improvements and fixes for minor regressions related to the new `/proc/self/exe` cloning logic in runc 1.2, follow-on patches related to CVE-2024-45310, as well as some other minor changes.

+ In order to alleviate the remaining concerns around the memory usage and (arguably somewhat unimportant, but measurable) performance overhead of memfds for cloning `/proc/self/exe`, we have added a new protection using `overlayfs` that is used if you have enough privileges and the running kernel supports it. It has effectively no performance or memory overhead (compared to no cloning at all). (#4448)
* The original fix for CVE-2024-45310 was intentionally very limited in scope to make it easier to review; however, it also did not handle all possible `os.MkdirAll` cases and thus could lead to regressions. We have switched to the more complete implementation in the newer versions of `github.com/cyphar/filepath-securejoin`. (#4393, #4400, #4421, #4430)
* In certain situations (a system with lots of mounts or racing mounts) we could accidentally end up leaking mounts from the container into the host. This has been fixed. (#4417)
* The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a minor bug that would cause us to miss non-`noexec` directories and thus fail to start containers on some systems. (#4444)
* Sometimes the cloned `/proc/self/exe` file descriptor could be placed in a way that it would get clobbered by the Go runtime. We had a fix for this already, but it turned out it could still break in rare circumstances; this has now been fixed. (#4294, #4452)
* It is not possible for `runc kill` to work properly in some specific configurations (such as rootless containers with no cgroups and a shared pid namespace). We now output a warning for such configurations. (#4398)
* memfd-bind: update the documentation and make path handling with the systemd unit more idiomatic. (#4428)
* We now use v0.16 of Cilium's eBPF library, including fixes that quite a few downstreams asked for. (#4397, #4396)
* Some internal `runc init` synchronisation that was no longer necessary (due to the `/proc/self/exe` cloning move to Go) was removed. (#4441)

Thanks to all of the contributors who made this release possible:

* Akhil Mohan <akhilerm@gmail.com>
* Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Aleksa Sarai <cyphar@cyphar.com>
* Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
* Kir Kolyshkin <kolyshkin@gmail.com>
* Rafael Roquetto <rafael.roquetto@grafana.com>
* Rodrigo Campos <rodrigoca@microsoft.com>
* Sebastiaan van Stijn <github@gone.nl>
* Stavros Panakakis <stavrospanakakis@gmail.com>
* lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
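The `os.MkdirAll` item above (the CVE-2024-45310 follow-ups) comes down to the difference between a lexically joined path and what the kernel actually resolves once symlinks under the root are followed. As an added example, not runc's or filepath-securejoin's code, here is the naive join-then-`MkdirAll` pattern beside a simplified guarded version that resolves the existing prefix before creating anything; the names `naiveMkdirAll`, `guardedMkdirAll` and `ErrEscape` are chosen here, and the guarded version does not close the race window that the openat-based walk in filepath-securejoin addresses.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when the resolved target lies outside root.
var ErrEscape = errors.New("path escapes root")

// naiveMkdirAll joins lexically and lets os.MkdirAll follow whatever
// symlinks already exist under root: the hazard class behind the CVE.
func naiveMkdirAll(root, untrusted string) (string, error) {
	p := filepath.Join(root, untrusted)
	return p, os.MkdirAll(p, 0o755)
}

// guardedMkdirAll resolves the longest existing prefix of the target with
// EvalSymlinks and refuses to create anything that lands outside root.
// Simplified illustration only (assumption: no concurrent modification).
func guardedMkdirAll(root, untrusted string) (string, error) {
	root, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing := filepath.Join(root, untrusted)
	rest := "" // components that do not exist yet, in order
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(resolved, rest)
	if final != root && !strings.HasPrefix(final, root+string(os.PathSeparator)) {
		return final, ErrEscape
	}
	return final, os.MkdirAll(final, 0o755)
}

func main() {
	root, _ := os.MkdirTemp("", "root")
	defer os.RemoveAll(root)
	_, err := guardedMkdirAll(root, "../escape")
	fmt.Println(err) // prints "path escapes root"
}
```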