Runc Versions Save

CLI tool for spawning and running containers according to the OCI specification

v1.0.0-rc94

3 years ago

This release fixes several regressions found in v1.0.0-rc93. We recommend users update as soon as possible. This release includes the following notable changes:

Potentially breaking changes:

  • cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. (#2840)
  • libcontainer/cgroups: cgroup managers' Set now accept configs.Resources rather than configs.Cgroups (#2906)
  • libcontainer/cgroups/systemd: reconnect and retry in case dbus connection is closed (after dbus restart) (#2923)
  • libcontainer/cgroups/systemd: don't set limits in Apply (#2814)

Bugfixes:

  • seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
  • cgroupv2: blkio weight value conversion fix (#2786)
  • runc init: fix a hang caused by deadlock in seccomp/ebpf loading code (regression in rc93, #2871)
  • runc start: fix "chdir to cwd: permission denied" for some setups (regression in rc93, #2894)
  • s390: fix broken terminal (regression in rc93, #2898)

Improvements:

  • runc start/exec: better diagnostics when container limits are too low (#2812)
  • runc start/exec: better cleanup after failed runc init (#2855)
  • cgroupv1: improve freezing chances (#2941, #2918, #2791)
  • cgroupv2: multiple GetStats improvements (#2816, #2873)
  • cgroupv2: fallback to setting io.weight if io.bfq.weight is not available (#2820)
  • capabilities: WARN, not ERROR, for unknown / unavailable capabilities (#2854)

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Vote: +6 -0 !1 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc93

3 years ago

This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.

  • runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:

    • The systemd cgroup driver has been improved to be more resilient and handle more systemd properties correctly.
    • We now make use of openat2(2) when possible to improve the security of cgroup operations (in future runc will be wholesale ported to libpathrs to get this protection in all codepaths).
  • runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.

  • runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).

    This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.

  • runc now supports the following new runtime-spec features:

    • The umask of a container can now be specified.
    • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE) are now supported.
    • The "unified" cgroup configuration option, which allows users to explicitly specify the limits based on the cgroup file names rather than abstracting them through OCI configuration. This is currently limited in scope to cgroupv2.
  • Various rootless containers improvements:

    • runc will no longer cause conflicts if a user specifies a custom device which conflicts with a user-configured device -- the user device takes precedence.
    • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
  • runc --root is now always treated as local to the current working directory.

  • The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).

  • A large number of code-cleanliness and other cleanups, including fairly large changes to our tests and CI to make them all run more efficiently.
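The seccomp change described above (the -ENOSYS prefix for syscalls newer than anything in the profile) is easiest to understand as a small cBPF program placed in front of the profile's own rules. The following is an added illustration, not runc's code: it builds such a filter from a constructed allow-list (x86_64 numbers 0, 1 and 60 for read, write and exit are assumed as the sample profile), then evaluates it with a tiny interpreter for the four instruction kinds it uses, so the decision can be inspected without loading anything into the kernel. Real runc profiles also carry per-architecture sections and argument rules, which this simplification leaves out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* The filter program under construction (classic BPF, as seccomp consumes it). */
static struct sock_filter prog[64];
static size_t prog_len;

static void emit(struct sock_filter ins) { prog[prog_len++] = ins; }

/*
 * Build a filter from an allow-list of syscall numbers. Anything not listed
 * gets -EPERM, like a profile whose defaultAction is SCMP_ACT_ERRNO. Before
 * the profile body we prepend the runc-style prefix: a syscall number larger
 * than the largest number the profile knows about returns -ENOSYS, so a libc
 * probing for a new syscall sees "not implemented" and takes its fallback
 * path instead of a misleading -EPERM. Returns the instruction count.
 */
size_t build_filter(const uint32_t *allowed, size_t n) {
    uint32_t max_nr = 0;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] > max_nr) max_nr = allowed[i];

    prog_len = 0;
    emit((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    /* prefix: if (nr > max_nr) return ERRNO(ENOSYS); */
    emit((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, max_nr, 0, 1));
    emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)));
    /* profile body: allow each listed syscall */
    for (size_t i = 0; i < n; i++) {
        emit((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1));
        emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    /* profile default action */
    emit((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    return prog_len;
}

/*
 * Minimal interpreter for exactly the instruction subset emitted above.
 * Returns the SECCOMP_RET_* value the kernel would produce for `nr`.
 */
uint32_t run_filter(uint32_t nr) {
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < prog_len) {
        const struct sock_filter *ins = &prog[pc++];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* only seccomp_data.nr is ever loaded */
            acc = nr;
            break;
        case BPF_JMP | BPF_JGT | BPF_K:
            pc += (acc > ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;  /* opcode this toy does not model */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;          /* ran off the end of the program */
}

/* errno the calling program would observe; 0 when the syscall is allowed. */
int filter_errno(uint32_t nr) {
    uint32_t ret = run_filter(nr);
    if ((ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ERRNO)
        return (int)(ret & SECCOMP_RET_DATA);
    return 0;
}

/* Constructed sample profile: x86_64 numbers for read, write and exit. */
const uint32_t demo_allowed[] = { 0, 1, 60 };
const size_t demo_allowed_len = 3;

int main(void) {
    build_filter(demo_allowed, demo_allowed_len);
    uint32_t probes[] = { 1, 3, 435 };  /* write, close, a number above the profile's max */
    for (size_t i = 0; i < 3; i++)
        printf("nr %u -> errno %d\n", probes[i], filter_errno(probes[i]));
    return 0;
}
```

With this sample profile, write (1) is allowed, close (3) is inside the known range but unlisted and so gets EPERM, and any number above 60 gets ENOSYS; that last case is what distinguishes "this kernel does not have the syscall" from "policy denied it" for glibc's fallback logic, which is the regression class the release notes ask users to report.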

For packagers the following changes have been made which will have impact on your packaging of runc:

  • The "selinux" and "apparmor" buildtags have been removed, and now all runc builds will have SELinux and AppArmor support enabled. Note that "seccomp" is still optional (though we very highly recommend you enable it).

  • make install DESTDIR= now functions correctly.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Vote: +6 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc92

3 years ago

This release contains a hotfix to solve a regression in v1.0.0-rc91 that concerns Docker (this only affects Docker's vendoring of libcontainer, not the usage of runc as the runtime):

  • Fix helpers used by Docker to correctly handle symlinks in /dev (when running with --privileged containers).

As well as some other improvements:

  • Updates to CRIU support.
  • Improvements to cgroupfs performance and correctness.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Vote: +4 -0 #3 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc91

3 years ago

This is intended to be the second-last RC release, with -rc92 having very few large changes so that we can release runc 1.0 (at long last).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

  • The long-awaited hooks changes have been merged into runc. This was one of the few remaining spec-related issues which were blocking us from releasing runc 1.0. Existing hook users will not be affected by this change, but runc now supports additional hooks that we expect users to migrate to eventually. The new hooks are:

    • createRuntime (replacement for the now-deprecated prestart)
    • createContainer
    • startContainer
  • A large amount of effort has been undertaken to support cgroupv2 within runc. The support is still considered experimental, but it is mostly functional at this point. Please report any bugs you find when running under cgroupv2-only systems.

  • A minor-severity security bug was fixed. The devices list would be in allow-by-default mode from the outset, meaning that users would have to explicitly specify they wish to deny all device access at the beginning of the configuration. While this would normally be considered a high-severity vulnerability, all known users of runc had worked around this issue several years ago (hence why this fairly obvious bug was masked).

    In addition, the devices list code has been massively improved such that it will attempt to avoid causing spurious errors in the container (such as while writing to /dev/null) when doing devices cgroup updates.

  • A security audit of runc was conducted in 2019, and the report PDF is now included in the runc repository. The previous release of runc has already addressed the security issues found in that report.
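The workaround the devices-list note above refers to is an explicit deny-all rule at the head of the container's device list. The fragment below is an added example of a runtime-spec config.json `linux.resources.devices` section written that way; it is not taken from runc or the spec's own examples, and the allowed devices (null, zero, random, urandom, tty, console and the pts range, by their conventional major/minor numbers) are a constructed minimal set. The first entry denies every device; each later entry re-allows one, so a runtime that started in allow-by-default mode still ends up with a default-deny policy.

```json
{
  "linux": {
    "resources": {
      "devices": [
        { "allow": false, "access": "rwm" },
        { "allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm" },
        { "allow": true, "type": "c", "major": 1, "minor": 5, "access": "rwm" },
        { "allow": true, "type": "c", "major": 1, "minor": 8, "access": "rwm" },
        { "allow": true, "type": "c", "major": 1, "minor": 9, "access": "rwm" },
        { "allow": true, "type": "c", "major": 5, "minor": 0, "access": "rwm" },
        { "allow": true, "type": "c", "major": 5, "minor": 1, "access": "rwm" },
        { "allow": true, "type": "c", "major": 136, "access": "rwm" }
      ]
    }
  }
}
```

Omitting the deny-all entry is exactly the configuration that the bug described above turned into an allow-everything policy; on a cgroupv1 host the effective rules can be confirmed by reading `devices.list` in the container's devices cgroup.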

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

NOTE: For those who are confused by the massive version jump (rc10 to rc91), this was done to avoid issues with SemVer and lexical comparisons -- there haven't been 90 other release candidates. Please also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399 for more details.

Vote: +7 -0 #0 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc90

3 years ago

This release is identical to v1.0.0-rc10 (and thus the version string in the binary will be v1.0.0-rc10).

The purpose of this release is to resolve an issue with our versioning scheme (in particular, the format we've used under SemVer means that the "-rcNN" string suffix is sorted lexicographically rather than in the classic sort -V order).

Because we cannot do a post-1.0 release yet, this is a workaround to make sure that systems such as Go modules correctly update to the latest runc release. See #2399 for more details.

The next release (which would've originally been called -rc11) will be 1.0.0-rc91. I'm sorry.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc10

4 years ago

This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given that the relevant runtime-spec PR which was considered a blocker has been merged, the next rc release of runc should be the last one before 1.0.0.

Other notable changes include:

  • Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).
  • Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc9

4 years ago

This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Vote: +4 -0 #1 Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc8

5 years ago

This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736.

Bugs: #2032 #2031 #2043

At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following people who made this release possible:

Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc7

5 years ago

WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.

Due to CVE-2019-5736, we had to do another -rc release so users can update. We hope to be able to release 1.0.0 in the near future (there is still an outstanding spec-compliance issue with OCI hooks which we need to resolve first).

This also updates runc to a vendored commit of the runtime-spec rather than a full release, which will hopefully be rectified with runc 1.0.0.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Security:

  • Mitigate CVE-2019-5736. This is an updated version of the patch series sent out on openwall and we encourage users to update. #1982 #1984

    NOTE: This mitigation WILL NOT WORK if you run untrusted containers with host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN privileged users).

    Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers without user namespaces to be fundamentally insecure, as such we do not consider this to be a security issue.

    If you want an additional host-level mitigation, use chattr +i on the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to it -- even with CAP_SYS_ADMIN. But as above, if you give CAP_LINUX_IMMUTABLE to a container you will have problems.

    An alternative is to bind-mount a sealed memfd copy of the runc binary over the binary (runc will detect this and will not attempt further mitigation, because sealed memfds are fundamentally unmodifiable) but this requires more in-depth work by administrators.

  • There appear to be production users of --no-pivot-root, which is something that we absolutely recommend against and do not consider to be a secure configuration -- since pivot_root(2) has many security properties that are not possible to provide with just chroot(2).

    However, a specific issue was discovered which we decided to mitigate in order to avoid production users being exploited by it. This security issue is not eligible for a CVE because it requires an insecure configuration (--no-pivot-root). #1962
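The "sealed memfd copy" alternative mentioned in the CVE-2019-5736 note above rests on one kernel property: once a memfd carries the write, shrink and grow seals, no process can change its contents, whatever capabilities it holds. The program below is an added example, not runc's own binary-cloning code, showing how an administrator-side tool would create such a copy, verify the seals with F_GET_SEALS, and confirm that an overwrite is refused with EPERM. The bytes copied in are a constructed stand-in for the runc binary; the real procedure would read the binary from disk and bind-mount the memfd over it, which is the step the release notes describe as needing more in-depth work.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The seals that together make a memfd's contents immutable. */
#define FULL_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/*
 * Copy `len` bytes of `data` into a fresh memfd and seal it. Returns the
 * descriptor, or -1 with errno set. MFD_ALLOW_SEALING is mandatory: a memfd
 * created without it can never be sealed at all.
 */
int make_sealed_memfd(const void *data, size_t len) {
    int fd = memfd_create("runc-sealed-copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    /* F_SEAL_SEAL on top prevents anyone from adding further seals later. */
    if (write(fd, data, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, FULL_SEALS | F_SEAL_SEAL) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* 1 if fd carries every seal in FULL_SEALS; 0 otherwise, including on error. */
int memfd_is_sealed(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & FULL_SEALS) == FULL_SEALS;
}

/* Attempt an in-place overwrite of the first byte; 0 on success, else errno. */
int try_overwrite(int fd) {
    if (pwrite(fd, "X", 1, 0) == 1)
        return 0;
    return errno;
}

/*
 * End-to-end check: seal a copy of `data`, verify the seals, then try to
 * modify it. Returns the errno from the modification attempt (EPERM when
 * sealing works as intended), or -1 if the copy could not be created/sealed.
 */
int sealed_copy_check(const void *data, size_t len) {
    int fd = make_sealed_memfd(data, len);
    if (fd < 0)
        return -1;
    int result = memfd_is_sealed(fd) ? try_overwrite(fd) : -1;
    close(fd);
    return result;
}

int main(void) {
    /* Constructed stand-in for the runc binary's bytes. */
    static const char fake_binary[] = "\x7f" "ELF-stand-in-for-the-runc-binary";
    int rc = sealed_copy_check(fake_binary, sizeof fake_binary);
    printf("overwrite attempt on sealed copy: %s\n",
           rc == EPERM ? "refused with EPERM" : "unexpected result");
    return rc == EPERM ? 0 : 1;
}
```

The same F_GET_SEALS check is what a runtime can use to recognise that it is already executing from a sealed copy and skip its own cloning; unlike `chattr +i`, the protection here does not depend on the container lacking CAP_LINUX_IMMUTABLE, because there is no seal-removal operation for it to use.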

Features:

  • Add intelrdt support for MBA to runc (a new intelrdt feature available in Linux 4.18+). #1919
  • Add support for specifying a CRIU configuration file for checkpoint/restore (which makes use of a new org.criu.config annotation). #1933 #1964
  • Add support for "runc exec --preserve-fds". #1995
  • Added support for SELinux labeling of keyrings. #2012

Fixes:

  • Correct handling of "runc kill" when a container is stopped or paused. #1934 #1943
  • Error out if built with nokmem and kmemcg limits were requested. #1939
  • Update check-config.sh to be in line with Docker's. #1942
  • Improve handling of kmem and the systemd cgroup driver. #1960
  • Improve resilience of adding setns tasks to cgroups. #1950
  • Remove (broken) detection of .scope for systemd. #1978
  • Fix console hanging with preserve-fds, where not enough fds have actually been provided to runc (which is a very common mistake when using --preserve-fds). #2000
  • Create bind-mounts when restoring. #1968
  • Fix regression of zombie "runc init" processes. #2023

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have both decided to give up their maintainership. Thanks for all of your contributions over the years, and good luck with your future endeavours!

Signed-off-by: Aleksa Sarai [email protected]

v1.0.0-rc6

5 years ago

This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0), it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turned out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem require a lot of time and co-ordination, and thus would stall this release indefinitely.

So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an LGPL compliance issue (we previously did not include the source code of libseccomp with our releases) and thus we had to recompile our runc binaries to be sure we were distributing the correct version of libseccomp. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an issue with the .tar.xz archive from 2020-07-30 (the archive had malformed paths due to a bug in historical release scripts -- which caused the update on 2020-07-30 to change the checksum of the source code archive). See #2895 for more details. All of the binaries are still signed by the same maintainer key, and thus can still be easily validated.

Features:

  • Upgrade to using Go 1.10. #1711
  • Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
  • Allow for checkpoint-restore into a foreign network namespace. #1849
  • The "type" field for bind-mounts is now ignored. This is important, because many users incorrectly assume that "type" defines a bind-mount and not "options". Previously you had to set both. #1753 #1845
  • "setgroups=allow" is now possible in rootless mode, but requires the use of the privileged newgidmap helper (fully-rootless still requires "setgroups=deny"). #1693
  • Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
  • Several aspects of rootless mode are now used inside user namespaces. This is necessary for a bunch of useful things (such as running Docker inside a user namespace), but did cause some breakages. We think they've all been fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862
  • Improve kernel.{domain,host}name sysctl handling, to allow the NIS domainname to be set from Docker or other callers without an OCI spec change. #1827
  • Add documentation for one of the more confusing parts of runc, how terminals are handled (including an explanation of --console-socket). All the gory details and recommendations are available in docs/terminals.md. #1730
  • Allow /proc to be bind-mounted over (useful for rootless containers). #1832
  • Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker working with LXC under the default seccomp profile (which is what ChromeOS uses). #1893
  • Add support for the Intel RDT/MBA resource control system. #1632 #1913
  • Allow building with completely-disabled kmemcg support, to get around problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting enabled). #1921 #1922 #1930
  • Add support for cgroup namespaces, which in turn fixes a few other issues we encountered with the previous code (which could be moving us to a cgroup during Go execution). #1916

Fixes:

  • Namespace creation with user namespaces now plays a bit nicer with SELinux and IPC (which had a bug where the in-kernel mqueue mount would have the wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to avoid future problems with broken kernel integration. #1562
  • Mild refactor of libcontainer/user. #1749
  • Fix null-pointer-exception when no cgroups were set. #1752
  • Various DBus and systemd related changes for the systemd-cgroup driver. #1754 #1772 #1776 #1781 #1805 #1917
  • Apply SELinux label to masked directories. #1756
  • Obey the XDG spec and set the sticky bit on runc's root when using XDG_RUNTIME_DIR (in rootless mode). #1760
  • Only configure network namespaces if we are creating them. #1777
  • Fix race in runc-exec against a currently-exiting pid1. #1812
  • Forward GOMAXPROCS to try to reduce the number of threads started by 'runc init'. Unfortunately there's no way to stop Go from spawning new threads so this is more of a recommendation. #1830
  • Fix tmpcopyup in cases where /tmp is not a private mount. #1873
  • Whitelist /proc/loadavg for bind-mounting. #1882
  • Protect against deletion of runc state directory with a containerid of "..", as well as the addition of other path hardening code. #1883
  • Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work on distributions that use-and-abuse shared subtrees. #1817
  • Fix console hanging in several cases. #1895 #1897
  • Lock-to-a-thread during 'runc init' to ensure that we don't switch threads and run within a different SELinux label. #1814
  • Respect cgroupPath when trying to find the cgroupfs mountpoint (which can happen in cases where containers are given different cgroupfs mounts). #1872
  • And many other minor changes, many from first-time contributors! #1746 #1748 #1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840 #1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908 #1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911

Fixes (for spec violations):

  • Don't set a container to "running" when exec-ing into it (because it might be in the "created" state). #1771
  • oom_score_adj is now no longer modified if it was unspecified in config.json (this was a spec violation). #1759
  • Set "status" in hook stdin, as well as switch to using *spec.State to avoid JSON-representation drift. #1741

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

Signed-off-by: Aleksa Sarai [email protected]