CLI tool for spawning and running containers according to the OCI specification
This release fixes several regressions found in v1.0.0-rc93. We recommend users update as soon as possible. This release includes the following notable changes:
Potentially breaking changes:
Set now accepts configs.Resources rather than configs.Cgroups (#2906)
Apply (#2814)
Bugfixes:
Improvements:
The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai [email protected]
This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.
runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:
runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.
runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).
This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.
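As an added illustration (not runc's implementation, which lives in its Go code base), the following C models the -ENOSYS prefix: it assembles a classic-BPF filter with the prefix in front of a constructed allow-list profile and runs a tiny interpreter over it, so the behaviour can be seen without installing a filter. Assumed: a single architecture, x86_64 syscall numbers, and a profile whose default action is -EPERM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic-BPF instruction plus the few opcode/return constants this model needs.
 * Values mirror the Linux UAPI headers (linux/filter.h, linux/seccomp.h) but are
 * defined locally so the model compiles anywhere and never installs a filter. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_LD_W_ABS      0x20u        /* A = *(u32 *)(seccomp_data + k)   */
#define BPF_JMP_JGT_K     0x25u        /* pc += 1 + (A > k ? jt : jf)       */
#define BPF_JMP_JEQ_K     0x15u        /* pc += 1 + (A == k ? jt : jf)      */
#define BPF_RET_K         0x06u        /* return k                          */
#define SECCOMP_RET_ALLOW 0x7fff0000u
#define SECCOMP_RET_ERRNO 0x00050000u
#define SECCOMP_RET_DATA  0x0000ffffu
#define ENOSYS_NR 38u
#define EPERM_NR  1u
#define MAX_INSNS 64

/* Build: [prefix] nr > highest syscall in the profile -> -ENOSYS,
 * then the "profile": an allow-list whose default action is -EPERM.
 * runc emits one such prefix per architecture; this model has only one. */
size_t build_filter(struct sock_filter *f, const uint32_t *allowed, size_t n) {
    uint32_t max_nr = 0;
    for (size_t i = 0; i < n; i++) if (allowed[i] > max_nr) max_nr = allowed[i];
    size_t p = 0;
    f[p++] = (struct sock_filter){ BPF_LD_W_ABS, 0, 0, 0 };       /* load seccomp_data.nr */
    f[p++] = (struct sock_filter){ BPF_JMP_JGT_K, 0, 1, max_nr };  /* newer than profile?  */
    f[p++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | ENOSYS_NR };
    for (size_t i = 0; i < n; i++)                                 /* the original profile */
        f[p++] = (struct sock_filter){ BPF_JMP_JEQ_K, (uint8_t)(n - i), 0, allowed[i] };
    f[p++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | EPERM_NR };
    f[p++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW };
    return p;
}

/* Minimal interpreter for the four opcodes used above; only .nr is modelled. */
uint32_t run_filter(const struct sock_filter *f, size_t len, uint32_t nr) {
    uint32_t a = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:  a = (in->k == 0) ? nr : 0; pc++; break;
        case BPF_JMP_JGT_K: pc += 1 + (a > in->k ? in->jt : in->jf); break;
        case BPF_JMP_JEQ_K: pc += 1 + (a == in->k ? in->jt : in->jf); break;
        case BPF_RET_K:     return in->k;
        default:            return 0;  /* unknown opcode: SECCOMP_RET_KILL_THREAD */
        }
    }
    return 0;
}

/* 0 = allowed, otherwise the errno the caller would see. */
int decision(const uint32_t *allowed, size_t n, uint32_t nr) {
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, allowed, n);
    uint32_t ret = run_filter(prog, len, nr);
    return ret == SECCOMP_RET_ALLOW ? 0 : (int)(ret & SECCOMP_RET_DATA);
}

/* Constructed sample profile (x86_64 numbers): read, write, exit, exit_group. */
static const uint32_t SAMPLE_ALLOWED[] = { 0, 1, 60, 231 };
#define SAMPLE_N (sizeof SAMPLE_ALLOWED / sizeof SAMPLE_ALLOWED[0])
int sample_decision(uint32_t nr) { return decision(SAMPLE_ALLOWED, SAMPLE_N, nr); }

int main(void) {
    /* open(2)=2 is older than the profile and not listed: -EPERM, as before.
     * clone3(2)=435 is newer than everything listed: -ENOSYS, so glibc treats
     * it as absent and takes its fallback path instead of a permission error. */
    printf("write=%d open=%d clone3=%d\n",
           sample_decision(1), sample_decision(2), sample_decision(435));
    return 0;
}
```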
runc now supports the following new runtime-spec features:
Various rootless containers improvements:
runc --root is now always treated as local to the current working directory.
The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).
A large number of code cleanliness and other various cleanups, including fairly large changes to our tests and CI to make them all run more efficiently.
For packagers the following changes have been made which will have impact on your packaging of runc:
The "selinux" and "apparmor" buildtags have been removed, and now all runc builds will have SELinux and AppArmor support enabled. Note that "seccomp" is still optional (though we very highly recommend you enable it).
make install DESTDIR= now functions correctly.
Thanks to the following people who made this release possible:
Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai [email protected]
This release contains a hotfix to solve a regression in v1.0.0-rc91 that concerns Docker (this only affects Docker's vendoring of libcontainer, not the usage of runc as the runtime):
As well as some other improvements:
Thanks to the following people who made this release possible:
Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai [email protected]
This is intended to be the second-last RC release, with -rc92 having very few large changes so that we can release runc 1.0 (at long last).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.
The long-awaited hooks changes have been merged into runc. This was one of the few remaining spec-related issues which were blocking us from releasing runc 1.0. Existing hook users will not be affected by this change, but runc now supports additional hooks that we expect users to migrate to eventually. The new hooks are:
createRuntime (replacement for the now-deprecated prestart)
createContainer
startContainer
A large amount of effort has been undertaken to support cgroupv2 within runc. The support is still considered experimental, but it is mostly functional at this point. Please report any bugs you find when running under cgroupv2-only systems.
A minor-severity security bug was fixed. The devices list would be in allow-by-default mode from the outset, meaning that users would have to explicitly specify they wish to deny all device access at the beginning of the configuration. While this would normally be considered a high-severity vulnerability, all known users of runc had worked around this issue several years ago (hence why this fairly obvious bug was masked).
In addition, the devices list code has been massively improved such that it will attempt to avoid causing spurious errors in the container (such as while writing to /dev/null) when doing devices cgroup updates.
A security audit of runc was conducted in 2019, and the report PDF is now included in the runc repository. The previous release of runc has already addressed the security issues found in that report.
Thanks to the following people who made this release possible:
NOTE: For those who are confused by the massive version jump (rc10 to rc91), this was done to avoid issues with SemVer and lexical comparisons -- there haven't been 90 other release candidates. Please also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399 for more details.
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai [email protected]
This release is identical to v1.0.0-rc10 (and thus the version string in the binary will be v1.0.0-rc10).
The purpose of this release is to resolve an issue with our versioning scheme (in particular, the format we've used under SemVer means that the "-rcNN" string suffix is sorted lexicographically rather than in the classic sort -V order).
Because we cannot do a post-1.0 release yet, this is a workaround to make sure that systems such as Go modules correctly update to the latest runc release. See #2399 for more details.
The next release (which would've originally been called -rc11) will be 1.0.0-rc91. I'm sorry.
Signed-off-by: Aleksa Sarai [email protected]
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given that the relevant runtime-spec PR which was considered a blocker has been merged, the next rc release of runc should be the last one before 1.0.0.
Other notable changes include:
Thanks to the following people who made this release possible:
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai [email protected]
This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.
Thanks to the following people who made this release possible:
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai [email protected]
This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736.
Bugs: #2032 #2031 #2043
At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can.
Thanks to the following people who made this release possible:
Signed-off-by: Aleksa Sarai [email protected]
WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.
Due to CVE-2019-5736, we had to do another -rc release so users can update. We hope to be able to release 1.0.0 in the near future (there is still an outstanding spec-compliance issue with OCI hooks which we need to resolve first).
This also updates runc to a vendored commit of the runtime-spec rather than a full release, which will hopefully be rectified with runc 1.0.0.
Mitigate CVE-2019-5736. This is an updated version of the patch series sent out on openwall and we encourage users to update. #1982 #1984
NOTE: This mitigation WILL NOT WORK if you run untrusted containers with host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN privileged users).
Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers without user namespaces to be fundamentally insecure, as such we do not consider this to be a security issue.
If you want an additional host-level mitigation, use chattr +i on the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to it -- even with CAP_SYS_ADMIN. But as above, if you give CAP_LINUX_IMMUTABLE to a container you will have problems.
An alternative is to bind-mount a sealed memfd copy of the runc binary over the binary (runc will detect this and will not attempt further mitigation, because sealed memfds are fundamentally unmodifiable) but this requires more in-depth work by administrators.
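An added example (not runc's own code) of the sealed-memfd approach mentioned above: the copy is built from constructed bytes standing in for the runc binary, and the memfd and seal constants are spelled out so the code does not depend on C library header versions. Linux only; a sealed memfd cannot be written even by a CAP_SYS_ADMIN process, which is the property the bind-mount relies on.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux ABI constants (linux/memfd.h, linux/fcntl.h); guarded so older headers work. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001u
#define MFD_ALLOW_SEALING 0x0002u
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   (1024 + 9)
#define F_GET_SEALS   (1024 + 10)
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif

/* Copy `len` bytes of `src` into an anonymous memfd, then seal it so neither the
 * contents nor the size can change again. Returns the fd, or -1 on error. */
int sealed_memfd_from_buffer(const char *name, const void *src, size_t len) {
    int fd = (int)syscall(SYS_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    const char *p = src;
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, p + off, len - off);
        if (w < 0) { close(fd); return -1; }
        off += (size_t)w;
    }
    /* F_SEAL_WRITE forbids write(2) and writable mappings; SHRINK/GROW freeze the
     * size; F_SEAL_SEAL means no one, however privileged, can drop the seals later. */
    int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (fcntl(fd, F_ADD_SEALS, seals) < 0) { close(fd); return -1; }
    return fd;
}

/* 1 if the fd carries the write seal (the property a runtime would check), else 0. */
int has_write_seal(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    return (seals >= 0 && (seals & F_SEAL_WRITE)) ? 1 : 0;
}

/* Self-check: seal a copy of constructed bytes, then confirm that a later write is
 * refused with EPERM and that the bytes are still intact. Returns 1 on success. */
int demo_sealed_copy(void) {
    static const char fake_binary[] = "\x7f" "ELF constructed stand-in for the runc binary";
    int fd = sealed_memfd_from_buffer("runc-sealed-example", fake_binary, sizeof fake_binary);
    if (fd < 0) return 0;
    int ok = has_write_seal(fd);
    errno = 0;                       /* the seal is not a permission: root fails too */
    if (pwrite(fd, "X", 1, 0) != -1 || errno != EPERM) ok = 0;
    char back[sizeof fake_binary];
    if (pread(fd, back, sizeof back, 0) != (ssize_t)sizeof back) ok = 0;
    if (memcmp(back, fake_binary, sizeof back) != 0) ok = 0;
    close(fd);
    return ok;
}

int main(void) {
    printf("sealed memfd copy %s\n", demo_sealed_copy() ? "verified" : "FAILED");
    return 0;
}
```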
There appear to be production users of --no-pivot-root, which is something that we absolutely recommend against and do not consider to be a secure configuration -- since pivot_root(2) has many security properties that are not possible to provide with just chroot(2).
However, a specific issue was discovered which we decided to mitigate in order to avoid production users being exploited by it. This security issue is not eligible for a CVE because it requires an insecure configuration (--no-pivot-root). #1962
Thanks to all of the contributors that made this release possible:
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have both decided to give up their maintainership. Thanks for all of your contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai [email protected]
This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0) it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turns out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem all require a lot of time and co-ordination, and thus would stall this release indefinitely.
So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).
Fixes (for spec violations):
Thanks to all of the contributors that made this release possible:
Signed-off-by: Aleksa Sarai [email protected]