CLI tool for spawning and running containers according to the OCI specification
This is the third release of the 1.1.z series of runc, and contains various minor improvements and bugfixes.
 * The seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing). (#3478)

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai
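The -ENOSYS stub fix above (#3478) is about how runc's seccomp filter answers syscalls the profile does not know about: a syscall newer than the profile should fail with -ENOSYS, as if the kernel lacked it, so that libc can fall back to an older syscall (glibc's clone3 to clone fallback is the well-known case), while a syscall the profile explicitly denies still gets the profile's -EPERM. The following is an added Go example, not runc's code, that assembles a minimal filter of that shape as raw classic-BPF instructions and evaluates it with a small interpreter instead of loading it into the kernel, so it runs anywhere. It checks a single architecture and does not model the s390x syscall multiplexing that #3478 fixed. The opcode and seccomp constants are the kernel's; the boundary of 334, the denied syscall list and the test numbers are constructed for the demo.

```go
package main

import "fmt"

// Classic-BPF opcodes and seccomp constants from <linux/filter.h>, <linux/audit.h>
// and <linux/seccomp.h>. Syscall numbers are x86-64; the profile boundary and
// the denied list are constructed inputs, not a real profile.
const (
	bpfLdAbsW = 0x20 // BPF_LD|BPF_W|BPF_ABS: A = *(u32 *)(seccomp_data + k)
	bpfJeqK   = 0x15 // BPF_JMP|BPF_JEQ|BPF_K: pc += (A == k) ? jt : jf
	bpfJgtK   = 0x25 // BPF_JMP|BPF_JGT|BPF_K: pc += (A > k) ? jt : jf
	bpfRetK   = 0x06 // BPF_RET|BPF_K: return k
	offNr     = 0    // offsetof(struct seccomp_data, nr)
	offArch   = 4    // offsetof(struct seccomp_data, arch)

	AuditArchX8664 = 0xc000003e
	RetKillProcess = 0x80000000
	RetErrno       = 0x00050000 // low 16 bits carry the errno
	RetAllow       = 0x7fff0000
	EPERM          = 1
	ENOSYS         = 38
)

// SockFilter mirrors struct sock_filter, one classic-BPF instruction.
type SockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

func stmt(code uint16, k uint32) SockFilter { return SockFilter{Code: code, K: k} }
func jump(code uint16, k uint32, jt, jf uint8) SockFilter {
	return SockFilter{Code: code, Jt: jt, Jf: jf, K: k}
}

// BuildFilter assembles a filter with an -ENOSYS stub: a syscall number above
// maxKnown (the highest number the profile was written against) gets -ENOSYS
// so libc can fall back to an older syscall, the denied list gets -EPERM,
// anything else is allowed, and a foreign arch is killed.
func BuildFilter(arch, maxKnown uint32, denied []uint32) ([]SockFilter, error) {
	if len(denied) > 254 {
		return nil, fmt.Errorf("%d denied syscalls do not fit 8-bit jump targets", len(denied))
	}
	prog := []SockFilter{
		stmt(bpfLdAbsW, offArch),
		jump(bpfJeqK, arch, 1, 0), // arch matches: skip the kill
		stmt(bpfRetK, RetKillProcess),
		stmt(bpfLdAbsW, offNr),
		jump(bpfJgtK, maxKnown, 0, 1), // nr > maxKnown: fall into the ENOSYS return
		stmt(bpfRetK, RetErrno|ENOSYS),
	}
	for i, nr := range denied {
		if nr > maxKnown {
			return nil, fmt.Errorf("denied syscall %d is above maxKnown %d and would be shadowed by the stub", nr, maxKnown)
		}
		// On a match, jump past the remaining comparisons and the allow to the EPERM return.
		prog = append(prog, jump(bpfJeqK, nr, uint8(len(denied)-i), 0))
	}
	return append(prog, stmt(bpfRetK, RetAllow), stmt(bpfRetK, RetErrno|EPERM)), nil
}

// Run evaluates prog as the kernel's classic-BPF interpreter would for one
// syscall entry with the given arch and nr, returning the seccomp action.
func Run(prog []SockFilter, arch, nr uint32) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		ins := prog[pc]
		switch ins.Code {
		case bpfLdAbsW: // this filter only reads nr and arch from seccomp_data
			acc = arch
			if ins.K == offNr {
				acc = nr
			}
		case bpfJeqK, bpfJgtK:
			if (ins.Code == bpfJeqK && acc == ins.K) || (ins.Code == bpfJgtK && acc > ins.K) {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case bpfRetK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x", ins.Code)
		}
	}
	return 0, fmt.Errorf("program fell off the end")
}

func main() {
	// Profile written against syscalls up to 334 (rseq), denying add_key,
	// request_key and keyctl; clone3 (435) postdates it and must get ENOSYS.
	prog, err := BuildFilter(AuditArchX8664, 334, []uint32{248, 249, 250})
	if err != nil {
		panic(err)
	}
	for _, nr := range []uint32{1, 250, 334, 435} { // write, keyctl, rseq, clone3
		action, _ := Run(prog, AuditArchX8664, nr)
		fmt.Printf("syscall %3d -> action %#010x\n", nr, action)
	}
}
```

The ordering matters: the maxKnown comparison runs before the deny list, which is why BuildFilter refuses a denied syscall above maxKnown (the stub would answer ENOSYS first). A real filter would be handed to seccomp(2) with SECCOMP_SET_MODE_FILTER after prctl(PR_SET_NO_NEW_PRIVS); the interpreter here exists so the policy can be checked offline.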
This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769).
 * runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file.
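CVE-2022-29162 above concerns runc spec emitting inheritable capabilities in its example config.json. As an added Go example, not runc's code, here is a small audit of a bundle's process.capabilities that flags a non-empty inheritable set and, going one step beyond the advisory, capabilities granted in any set but absent from the bounding set (the ceiling on what a process can acquire across execve). The struct mirrors the OCI runtime-spec field names; the two embedded config fragments and their capability lists are constructed for the demo and are not copied from runc spec output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Capabilities mirrors the process.capabilities object of an OCI runtime
// config.json. Only the five capability sets are declared here.
type Capabilities struct {
	Bounding    []string `json:"bounding"`
	Effective   []string `json:"effective"`
	Inheritable []string `json:"inheritable"`
	Permitted   []string `json:"permitted"`
	Ambient     []string `json:"ambient"`
}

type spec struct {
	Process struct {
		Capabilities *Capabilities `json:"capabilities"`
	} `json:"process"`
}

// AuditCapabilities parses a config.json and reports two things to look at
// in a bundle: a non-empty inheritable set (what runc spec stopped emitting),
// and capabilities granted in any set but missing from the bounding set, which
// is the ceiling on what can be acquired across execve.
func AuditCapabilities(configJSON []byte) ([]string, error) {
	var s spec
	if err := json.Unmarshal(configJSON, &s); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	caps := s.Process.Capabilities
	if caps == nil {
		return nil, nil // no capabilities object at all: nothing granted
	}
	var findings []string
	if len(caps.Inheritable) > 0 {
		findings = append(findings, fmt.Sprintf("inheritable set is non-empty: %v", caps.Inheritable))
	}
	bounding := map[string]bool{}
	for _, c := range caps.Bounding {
		bounding[c] = true
	}
	outside := map[string]bool{}
	for _, set := range [][]string{caps.Effective, caps.Inheritable, caps.Permitted, caps.Ambient} {
		for _, c := range set {
			if !bounding[c] {
				outside[c] = true
			}
		}
	}
	if len(outside) > 0 {
		names := make([]string, 0, len(outside))
		for c := range outside {
			names = append(names, c)
		}
		sort.Strings(names)
		findings = append(findings, fmt.Sprintf("granted outside the bounding set: %v", names))
	}
	return findings, nil
}

// Two constructed config.json fragments (not runc spec output): the first
// still carries an inheritable set, the second grants no inheritable caps.
const withInheritable = `{"process":{"capabilities":{
 "bounding":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "effective":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "inheritable":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "permitted":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "ambient":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"]}}}`

const withoutInheritable = `{"process":{"capabilities":{
 "bounding":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "effective":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "permitted":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"],
 "ambient":["CAP_AUDIT_WRITE","CAP_KILL","CAP_NET_BIND_SERVICE"]}}}`

func main() {
	for name, cfg := range map[string]string{"with-inheritable": withInheritable, "without-inheritable": withoutInheritable} {
		findings, err := AuditCapabilities([]byte(cfg))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

Run it against the config.json of an existing bundle (for example one produced by an older runc spec) to see whether the inheritable set is populated; a clean result is an empty findings list.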
This is the first stable release in the 1.1 branch, fixing a few issues with runc 1.1.0.
Fixed:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Kir Kolyshkin
This release only contains very minor changes from v1.1.0-rc.1 and is the first release of the 1.1.y release series of runc. We do not plan to make any new releases of the 1.0.y release series of runc, so users are strongly encouraged to update to 1.1.0.
Changed:
Thanks to the following people who made this release possible:
Signed-off-by: Aleksa Sarai
This release is the first release candidate for the next minor release following runc 1.0. It contains all of the bugfixes included in runc 1.0 patch releases (up to and including 1.0.3).
A fair few new features have been added, and several features have been deprecated (with plans for removal in runc 1.2). At the moment we only plan to do a single release candidate for runc 1.1, and once 1.1.0 is released we will not continue updating the 1.0.z runc branch.
Deprecated:
Removed:
 * cgroup.GetHugePageSizes has been removed entirely, and has been replaced with cgroup.HugePageSizes, which is more efficient. (#3234)
 * intelrdt.GetIntelRdtPath has been removed. Users who were using this function to get the intelrdt root should use the new intelrdt.Root instead. (#2920, #3239)
Added:
 * --keep option to skip removal of exited containers' artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container has exited. (#2817, #2825)
 * SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD seccomp actions (the latter is just an alias for SCMP_ACT_KILL). (#3204)
 * SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host. (#2682)
 * An option (--lsm-mount-context) to set a different LSM mount context on restore. (#3068)
 * sysctl(8)'s behaviour. (#3254, #3257)
 * Recursive mount attributes via mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro). (#3272)
 * runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130. (#3296)
Changed:
 * /proc/$pid/stat parsing. (#2696)
 * When /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process. (#3057)
Libcontainer API:
Fixed:
 * runc delete -f now succeeds (rather than timing out) on a paused container. (#3134)
 * --ignore-paused. (#3132, #3223)
Thanks to the following people who made this release possible:
Signed-off-by: Aleksa Sarai
This is the third stable release in the 1.0 branch, fixing a handful of medium priority issues related to mounts and cgroups, as well as a potential security vulnerability.
This release is expected to be the last point release in the 1.0 branch, as we are planning to release runc 1.1 in the near future.
Security:
A potential vulnerability was discovered in runc (related to an internal usage of netlink), however upon further investigation we discovered that while this bug was exploitable on the master branch of runc, no released version of runc could be exploited using this bug. The exploit required being able to create a netlink attribute with a length that would overflow a uint16 but this was not possible in any released version of runc. For more information, see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
Due to an abundance of caution we decided to do an emergency release with this fix, but to reiterate we do not believe this vulnerability was possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability so quickly.
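The bug class behind CVE-2021-43784 is a general netlink encoding hazard: nla_len is a 16-bit field, so an attribute whose header plus payload exceeds 65535 bytes wraps unless the encoder checks. The page does not describe runc's internals (and states that no released version was exploitable), so the following is an added, stand-alone Go example rather than runc code: the unchecked encoder beside the checked one, and a receiver-side parser that shows what a wrapped nla_len does to whoever reads the message. The byte layout is the nlattr layout from linux/netlink.h; the little-endian host byte order, the 65540-byte payload and the attribute types 1 and 0x4242 are assumptions constructed for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// nlattr layout from <linux/netlink.h>: u16 nla_len (header + payload, before
// padding), u16 nla_type, payload, padding to a 4-byte boundary. Netlink uses
// host byte order; a little-endian host is assumed throughout this example.
const nlaHdrLen = 4

func nlaAlign(n int) int { return (n + 3) &^ 3 }

// Attr is one decoded attribute.
type Attr struct {
	Type    uint16
	Payload []byte
}

// appendAttrUnchecked is the bug pattern: the total length is narrowed to
// uint16 with no check, so a payload of 65532 bytes or more wraps nla_len.
func appendAttrUnchecked(buf []byte, typ uint16, payload []byte) []byte {
	total := nlaHdrLen + len(payload)
	var hdr [nlaHdrLen]byte
	binary.LittleEndian.PutUint16(hdr[0:2], uint16(total))
	binary.LittleEndian.PutUint16(hdr[2:4], typ)
	buf = append(buf, hdr[:]...)
	buf = append(buf, payload...)
	return append(buf, make([]byte, nlaAlign(total)-total)...)
}

// AppendAttr is the hardened form: any payload whose total length does not
// fit the 16-bit nla_len field is refused instead of silently wrapping.
func AppendAttr(buf []byte, typ uint16, payload []byte) ([]byte, error) {
	if total := nlaHdrLen + len(payload); total > math.MaxUint16 {
		return nil, fmt.Errorf("netlink attribute type %d: %d-byte payload overflows nla_len", typ, len(payload))
	}
	return appendAttrUnchecked(buf, typ, payload), nil
}

// ParseAttrs walks a buffer the way a receiver does: it trusts nla_len to find
// the next attribute, rejecting lengths shorter than a header or past the end.
func ParseAttrs(buf []byte) ([]Attr, error) {
	var attrs []Attr
	for len(buf) > 0 {
		if len(buf) < nlaHdrLen {
			return nil, errors.New("truncated attribute header")
		}
		l := int(binary.LittleEndian.Uint16(buf[0:2]))
		typ := binary.LittleEndian.Uint16(buf[2:4])
		if l < nlaHdrLen {
			return nil, fmt.Errorf("attribute type %d: nla_len %d is shorter than its header", typ, l)
		}
		if l > len(buf) {
			return nil, fmt.Errorf("attribute type %d: nla_len %d exceeds remaining %d bytes", typ, l, len(buf))
		}
		attrs = append(attrs, Attr{Type: typ, Payload: buf[nlaHdrLen:l]})
		next := nlaAlign(l)
		if next > len(buf) {
			next = len(buf) // trailing padding may be absent on the last attribute
		}
		buf = buf[next:]
	}
	return attrs, nil
}

// WrapDemo shows what the unchecked encoder does to a receiver: one 65540-byte
// attribute whose nla_len wraps to 8, so the receiver sees a 4-byte attribute
// followed by a second attribute smuggled inside what was meant to be payload.
func WrapDemo() ([]Attr, error) {
	payload := make([]byte, 65540) // constructed, attacker-sized payload
	// Payload bytes 4..7 sit exactly where the receiver looks for the next header.
	binary.LittleEndian.PutUint16(payload[4:6], 65535)  // claims the rest of the buffer
	binary.LittleEndian.PutUint16(payload[6:8], 0x4242) // a type the sender never meant to emit
	return ParseAttrs(appendAttrUnchecked(nil, 1, payload))
}

func main() {
	if _, err := AppendAttr(nil, 1, make([]byte, 65532)); err != nil {
		fmt.Println("checked encoder:", err)
	}
	attrs, err := WrapDemo()
	fmt.Printf("unchecked encoder: receiver parsed %d attribute(s), err=%v\n", len(attrs), err)
	for _, a := range attrs {
		fmt.Printf("  type %#x, %d-byte payload\n", a.Type, len(a.Payload))
	}
}
```

The point of WrapDemo is that the receiver's parser is behaving correctly; the damage is done at encode time, which is why the length check belongs in the encoder, before the narrowing conversion, rather than in a consumer that can no longer tell the two attributes apart.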
Bugfixes:
Enhancements:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai
This is the second stable release in the 1.0 branch, fixing a few medium and high priority issues, including one that affects Kubernetes using runc's libcontainer.
Bugfixes:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai
This is the first stable release in the 1.0 branch, fixing a few medium and high priority issues with runc 1.0.0, including a few that affect Kubernetes' usage of libcontainer.
Bugfixes:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai
This release has quite a few last-minute bug-fixes and various correctness and performance improvements (almost all of which are related to cgroup handling), and is the first non-rc release of runc in 5 years (v1.0.0-rc1 was released in 2016). It's been a very long road, and we thank the many contributors and maintainers that helped us get to this point (approximately 422 people in total).
As runc follows Semantic Versioning, we will endeavor to not make any breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal implementation (libcontainer) is not covered by this policy -- for historical reasons, this code was not moved into an "internal" package (this feature did not exist in Go at the time) and because certain projects currently depend on this, we have not yet moved this code into an internal package. Despite this, we reserve the right to make breaking changes in our Go APIs (though we will note such changes in our changelog, and will try to avoid needless disruption if possible).
Breaking changes:
Deprecations:
Bugfixes:
 * runc update and avoid leaking eBPF programs (resulting in errors when managing containers). (#2951)
Improvements:
 * go get or otherwise outside of our build scripts. (#2962)
 * (runc update). (#2994)
Thanks to the following people who made this release possible:
Vote: +5 -0 %2
Signed-off-by: Aleksa Sarai
This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users).
Aside from this security fix, only a few other changes were made since v1.0.0-rc94 (the only user-visible change was the addition of support for defaultErrnoRet in seccomp profiles).
Thanks to the following people who made this release possible:
Due to the nature of this release, it didn't go through the normal public release procedure. However, this break from procedure was agreed upon on the security mailing list.
Signed-off-by: Aleksa Sarai