runc v1.4.0-rc.2 -- "私の役目は信じるかどうかではない。行うかどうかだ。" ("My role is not to decide whether to believe, but whether to act.")

This is the second release candidate of the runc 1.4.0 release. It includes a
few minor features that did not make the cut-off for v1.4.0-rc.1 (namely
CLONE_INTO_CGROUP support and some new Intel RDT features).

Users are strongly encouraged to test our release candidates over the next
month so we can fix issues before the general release. You should expect runc
1.4.0 to be released at the end of October 2025 (at which point runc 1.2.z will
only receive high-severity security fixes for 6 months, and users are thus very
strongly encouraged to migrate to a newer version).

libcontainer API:

 * The deprecated libcontainer/userns package has been removed; use
   github.com/moby/sys/userns instead. (#4910, #4911)

Added:

 * Allow setting user.* sysctls for user-namespaced containers, as they are
   namespaced and thus safe to configure. (#4889, #4892)
 * Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when configuring
   the runc exec process. This also includes some internal changes to how we
   add processes to containers. (#4822, #4812, #4920)
 * Add support for configuring the NUMA memory policy for a container with
   set_mempolicy(2). (opencontainers/runtime-spec#1282, #4726, #4915)
 * Add support for intelRdt.schemata to allow for configuration of all schemas
   in resctrl. (opencontainers/runtime-spec#1230, #4830, #4915)
 * Add support for intelRdt.enableMonitoring to allow for per-container
   resctrl monitoring. This replaces the old intelRdt.enableCMT and
   intelRdt.enableMBM options, which were never implemented by runc and have
   been removed from the runtime-spec. (opencontainers/runtime-spec#1287,
   #4832, #4921)

Fixed:

 * Configure personality(2) before applying seccomp profiles. (#4900, #4903)
 * Fixed an integration test failure on ppc64, caused by the 64K page size
   (the kernel was rounding the memory limit to 64K). (#4841, #4895, #4893)
 * seccompagent: fix the fd close loop to prevent closing stdio in the error
   path.
   (#4913, #4923)

Thanks to the following contributors for making this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Antti Kervinen <antti.kervinen@intel.com>
 * Donet Tom <donettom@linux.ibm.com>
 * Joshua Rogers <MegaManSec@users.noreply.github.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Markus Lehtonen <markus.lehtonen@intel.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Tycho Andersen <tycho@tycho.pizza>
 * Vishal Chourasia <vishalc@linux.ibm.com>
 * Li Fubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
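As an added illustration of the user.* sysctl rule in the Added section above: the point of that change is that a user.* sysctl only affects the container's own user namespace when the container actually creates one; set in a config without a user namespace it would apply to the host's. The check below is example code written for these notes, not runc's validator, and it only models the user.* case described here (it assumes the standard OCI config.json layout, linux.namespaces and linux.sysctl, and uses constructed sample specs).

```python
# Illustrative validator written for these notes (not runc's own validation
# code): check an OCI config.json for user.* sysctls that are only safe to
# configure when the container creates its own user namespace.
import json


def has_namespace(spec: dict, ns_type: str) -> bool:
    """True if linux.namespaces in the spec creates or joins a namespace of ns_type."""
    namespaces = spec.get("linux", {}).get("namespaces", [])
    return any(ns.get("type") == ns_type for ns in namespaces)


def unsafe_user_sysctls(spec: dict) -> list:
    """Return the user.* keys from linux.sysctl that the spec sets without a
    user namespace; an empty list means every user.* sysctl is namespaced.
    Other sysctl prefixes are ignored by this check."""
    sysctls = spec.get("linux", {}).get("sysctl", {})
    if has_namespace(spec, "user"):
        return []
    return sorted(key for key in sysctls if key.startswith("user."))


# Constructed sample: a user-namespaced container setting a user.* sysctl,
# which is the case the runc change allows.
USERNS_SPEC = json.loads("""
{
  "ociVersion": "1.2.0",
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
    "sysctl": {"user.max_user_namespaces": "0"}
  }
}
""")

# Constructed sample: the same sysctl without a user namespace, so it would
# apply to the host's user namespace and should be flagged. The extra
# kernel.* key shows that this check only looks at the user.* prefix.
HOST_USERNS_SPEC = json.loads("""
{
  "ociVersion": "1.2.0",
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}],
    "sysctl": {"user.max_user_namespaces": "0", "kernel.shm_rmid_forced": "1"}
  }
}
""")

if __name__ == "__main__":
    for name, spec in (("userns", USERNS_SPEC), ("host-userns", HOST_USERNS_SPEC)):
        bad = unsafe_user_sysctls(spec)
        print(f"{name}: {'ok' if not bad else 'rejected ' + ', '.join(bad)}")
```

Running the block prints "userns: ok" for the first spec and "host-userns: rejected user.max_user_namespaces" for the second; a bundle linter or admission check can apply the same test before handing a config to the runtime.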