runc 1.0-rc2
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
`libseccomp` or `libapparmor` with our releases) and thus we had to recompile
our `runc` binaries to be sure we were distributing the correct version of
`libseccomp` and `libapparmor`. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Features
- {create,run}: add --no-new-keyring flag so that a new session keyring
  is not created for the container and the calling process's keyring is
  inherited.
- restore: add --empty-ns flag to tell CRIU to only create a network
  namespace for a container and not populate it (allowing higher levels
  to correctly handle re-creating the network namespace).
- {create,start}: use a FIFO rather than signals to signal the starting
  of a container. This removes the Go version restriction, and also
  avoids potential issues with Go's signal handling.
- exec: allow additional groups to be overridden.
- delete: add --force flag.
- exec: disable the subreaper option entirely, because the option
  causes many issues with reparenting in the context of containers.
  This is not a complete fix, which is intended to land for -rc3. Using
  the removed option will be silently ignored by runC.
- {create,run}: add support for masking directories with MaskPaths.
- delete: allow for the deletion of multiple containers in one cmdline.
- build: add `make release` for distributions.
Fixes
- Major improvements and fixes to CLI handling. Now commands like
  `runc ps` and `runc exec` will act sanely when you're trying to use
  flags that are not meant to be parsed by runC.
- Set the cp.rt_* cgroup options correctly so that runC running in
  SCHED_RR (realtime) mode can operate properly.
- Massive improvements to kmem limit detection to ensure that we only
  attempt to change memory.kmem.* if it is safe to do so.
- Part of a major cleanup of the nsenter code, with more intended to
  land before -rc3.
- Restored containers now have a start time, which is the time that the
  new container was started (not when the original container was
  started).
- Fix the default cgroupPath behaviour, so that we actually attach to
  subcgroups of all of the caller's current cgroups (rather than using
  the devices cgroup path for all other cgroups).
- Support 32bit UIDs on i386 with the setuid32(2) syscall.
- Add /proc/timer_list to the set of default masked paths.
- Do not create /dev/fuse by default.
- Parse cgroupPath correctly if it contains ':'.
- Add some more debugging information for the test suite, along with
  fixes for race conditions and other issues. In addition, add more
  integration tests for edge conditions.
- Improve check-config.sh script to handle more cases.
- Fix incorrect type when setting of net_cls classid.
- Lots of fixes to help pages and man pages.
- *: append -dirty to the version if the git repo is unclean.
- Fix the JSON tags for CpuRt* options.
- Cleanups to the rootfs setup code.
- Improve error messages related to SELinux.
Static Linking Notices
The `runc` binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with `runc` acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Akihiro Suda suda.akihiro@lab.ntt.co.jp
- Aleksa Sarai asarai@suse.de
- Alexander Morozov lk4d4math@gmail.com
- Andrew Vagin avagin@virtuozzo.com
- Ben ben.gray@bskyb.com
- Buddha Prakash buddhap@google.com
- Carl Henrik Lunde chlunde@ifi.uio.no
- Christian Brauner cbrauner@suse.de
- Dam Thomason ad@mthomason.net
- Dan Walsh dwalsh@redhat.com
- Daniel, Dao Quang Minh dqminh89@gmail.com
- Davanum Srinivas davanum@gmail.com
- Euan Kemp euank@coreos.com
- Guilherme Rezende guilhermebr@gmail.com
- Haiyan Meng hmeng@redhat.com
- Hushan Jia hushan.jia@gmail.com
- Jiuyue Ma majiuyue@huawei.com
- Johnny Bieren jbieren@redhat.com
- Jonathan Boulle jonathanboulle@gmail.com
- Justin Cormack justin.cormack@docker.com
- Kenfe-Mickael Laventure mickael.laventure@gmail.com
- Michael Crosby crosbymichael@gmail.com
- Mike Brown brownwm@us.ibm.com
- Mrunal Patel mrunalp@gmail.com
- Peng Gao peng.gao.dut@gmail.com
- Petar Petrov pppepito86@gmail.com
- Phil Estes estesp@linux.vnet.ibm.com
- Qiang Huang h.huangqiang@huawei.com
- Serge Hallyn serge@hallyn.com
- Seth Jennings sjenning@redhat.com
- Shukui Yang yangshukui@huawei.com
- Tristan Cacqueray tdecacqu@redhat.com
- Vishnu kannan vishnuk@google.com
- Wang Long long.wanglong@huawei.com
- Yang Hongyang imhy.yang@gmail.com
- Yen-Lin Chen hencrice@gmail.com
- Yuanhong Peng pengyuanhong@huawei.com
- Zhang Wei zhangwei555@huawei.com
- Zhao Lei zhaolei@cn.fujitsu.com
- rajasec rajasec79@gmail.com
- xiekeyang xiekeyang@huawei.com