runc v1.2.7 -- "さんをつけろよデコ助野郎!"

This is the seventh patch release of the 1.2.z release branch of runc. It contains some fixes for issues found in runc 1.3.z that were considered "significant" bugfixes (as per our new release and support policy) and thus are worth backporting.

Fixed:

 * Removed the preemptive "full access to cgroups" warning when calling runc pause or runc unpause as an unprivileged user without --systemd-cgroups. The warning is now only emitted if an actual permission error was encountered. (#4709, #4720)
 * Add the time namespace to the container config after checkpoint/restore. CRIU since version 3.14 uses a time namespace for checkpoint/restore; however, runc was not joining the time namespace. (#4696, #4714)
 * Container processes will no longer inherit the CPU affinity of runc by default. Instead, the default CPU affinity of container processes will be the largest set of CPUs permitted by the container's cpuset cgroup and any other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
 * Close the seccomp agent connection to prevent resource leaks. (#4796, #4800)
 * Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670, #4728, #4736, #4742)
 * Setting linux.rootfsPropagation to shared or unbindable now functions properly. (#1755, #1815, #4724, #4791)
 * runc update will no longer clear intelRdt state information. (#4828, #4834)

Changed:

 * In runc 1.2, we changed our mount behaviour to correctly handle clearing flags. However, the error messages we returned did not give users enough information about which clearing flags were conflicting with locked mount flags. We now provide more diagnostic information if there is an error in the fallback path that handles locked mount flags. (#4734, #4740)
 * Ignore the dmem controller in our cgroup tests, as systemd does not yet support it. (#4806, #4811)
 * /proc/net/dev is no longer included in the permitted procfs overmount list. Its inclusion was almost certainly an error, and because /proc/net is a symlink to /proc/self/net, overmounting it was almost certainly never useful (and will be blocked by future kernel versions). (#4817, #4820)
 * CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis for supporting runc's ARM CI up until now. (#4844, #4856, #4867)
 * Simplify the prepareCriuRestoreMounts logic for checkpoint-restore. (#4765, #4872)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Andrei Vagin <avagin@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Martin Sivak <msivak@redhat.com>
 * Pavel Liubimov <prlyubimov@gmail.com>
 * Peter Hunt <pehunt@redhat.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Yusuke Sakurai <yusuke.sakurai@3-shake.com>
 * lfbzhm <lifubang@acmcoder.com>
 * ningmingxiao <ning.mingxiao@zte.com.cn>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>