Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cgroup2: TODO list #2209

Closed
AkihiroSuda opened this issue Jan 14, 2020 · 3 comments
Closed

cgroup2: TODO list #2209

AkihiroSuda opened this issue Jan 14, 2020 · 3 comments
Labels
help wanted

Comments

@AkihiroSuda
Copy link
Member

AkihiroSuda commented Jan 14, 2020
edited
Loading

EDIT: this tracker was superseded by #2315
This was referenced Jan 14, 2020
Closed
Closed
@crosbymichael crosbymichael mentioned this issue Jan 21, 2020
Closed
11 tasks
AkihiroSuda added a commit to AkihiroSuda/docker that referenced this issue Jan 24, 2020
@AkihiroSuda
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
cd43c1d 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda mentioned this issue Jan 24, 2020
Merged
AkihiroSuda added a commit to AkihiroSuda/docker that referenced this issue Jan 24, 2020
@AkihiroSuda
update runc library to v1.0.0-rc10 (CVE-2019-19921)
6d68080 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jan 25, 2020
@AkihiroSuda
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
b3b3398 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Upstream-commit: cd43c1d1ac81a37dc8f9aad16d33949df80ac5b9
Component: engine
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jan 25, 2020
@AkihiroSuda
update runc library to v1.0.0-rc10 (CVE-2019-19921)
ca3fb06 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Upstream-commit: 6d6808090736ac76e908e78aa6894f5586c7d243
Component: engine
@thaJeztah thaJeztah mentioned this issue Feb 4, 2020
Merged
thaJeztah pushed a commit to thaJeztah/docker that referenced this issue Feb 4, 2020
@AkihiroSuda @thaJeztah
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
3bd1759 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cd43c1d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah pushed a commit to thaJeztah/docker that referenced this issue Feb 4, 2020
@AkihiroSuda @thaJeztah
update runc library to v1.0.0-rc10 (CVE-2019-19921)
d3dab1f 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6d68080)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Feb 5, 2020
@AkihiroSuda @thaJeztah
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
4b4ef42 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cd43c1d1ac81a37dc8f9aad16d33949df80ac5b9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 3bd1759f804a53d15685e22eab7d609bb1fa556b
Component: engine
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Feb 5, 2020
@AkihiroSuda @thaJeztah
update runc library to v1.0.0-rc10 (CVE-2019-19921)
6e493ff 
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6d6808090736ac76e908e78aa6894f5586c7d243)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: d3dab1f618d6e8c81d0704ac4e93bb2843c2dadf
Component: engine
@tgross tgross mentioned this issue Feb 20, 2020
Closed
@AkihiroSuda AkihiroSuda mentioned this issue Mar 4, 2020
Closed
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Apr 1, 2020
edited
Loading

Trying to implement the support for rootless systemd, but still got stuck because godbus doesn't seem to support user namespaces 😭

AkihiroSuda@1f642d9
https://github.com/godbus/dbus/blob/v5.0.3/auth.go#L56-L57
https://github.com/coreos/go-systemd/blob/5a0db84d3dc459ccdc6ffcc44b1c452bf9f171cb/dbus/dbus.go#L213

cc @giuseppe

EDIT: #2281 seems work

@kolyshkin
Copy link
Contributor

 CI: enable integration test (rootful)

This is addressed by #2295 (we still need more tests though)

@dead10ck dead10ck mentioned this issue Apr 15, 2020
Open
3 tasks
@kolyshkin kolyshkin mentioned this issue Apr 15, 2020
Closed
@AkihiroSuda
Copy link
Member Author

this tracker was superseded by #2315

This was referenced Jun 2, 2020
Closed
Merged
Merged
This was referenced Jun 2, 2020
Merged
Closed
Closed
Merged
bors bot added a commit to containers/buildah that referenced this issue Jun 8, 2020
@bors @dependabot-preview
Merge #2396 #2397
916332a 
2396: Bump github.com/containers/storage from 1.20.1 to 1.20.2 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.20.1 to 1.20.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/containers/storage/releases">github.com/containers/storage's releases</a>.</em></p>
<blockquote>
<h2>v1.20.2</h2>
<pre><code>Add back skip_mount_home
Update git validation EPOCH
build(deps): bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90
build(deps): bump github.com/klauspost/compress from 1.10.5 to 1.10.7
build(deps): bump github.com/stretchr/testify from 1.5.1 to 1.6.0
unbreak build on mipsen
</code></pre>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/containers/storage/commit/e43b6d0a370bf26e3147f3ab10fad29cc25620f9"><code>e43b6d0</code></a> Bump to v1.20.2</li>
<li><a href="https://github.com/containers/storage/commit/80f21246e8e6ec24acf10a2d083573ed55b4c60f"><code>80f2124</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/639">#639</a> from rhatdan/skip</li>
<li><a href="https://github.com/containers/storage/commit/0bfdcdb942abc97a6f9c3a63c4c4b77dc849450b"><code>0bfdcdb</code></a> Add back skip_mount_home</li>
<li><a href="https://github.com/containers/storage/commit/aa26d1860a7ab2f1a79c79d9beac8ab01c9a64a0"><code>aa26d18</code></a> Update git validation EPOCH</li>
<li><a href="https://github.com/containers/storage/commit/8fad529da3a4e5dbcb3f1fc1bc009bc857a4968b"><code>8fad529</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/637">#637</a> from containers/dependabot/go_modules/github.com/klau...</li>
<li><a href="https://github.com/containers/storage/commit/17acc0ffa10e07fd71a8d84161e269564b72b90d"><code>17acc0f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/638">#638</a> from containers/dependabot/go_modules/github.com/open...</li>
<li><a href="https://github.com/containers/storage/commit/24e8e852d0dc09a1cef1ebe9a20446c83129470a"><code>24e8e85</code></a> build(deps): bump github.com/opencontainers/runc</li>
<li><a href="https://github.com/containers/storage/commit/b9dafa698726b5f070599dde6038999cf62c83c2"><code>b9dafa6</code></a> build(deps): bump github.com/klauspost/compress from 1.10.6 to 1.10.7</li>
<li><a href="https://github.com/containers/storage/commit/873116d157fad490a878cdfd0277dc3fc0c34950"><code>873116d</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/containers/storage/issues/636">#636</a> from containers/dependabot/go_modules/github.com/stre...</li>
<li><a href="https://github.com/containers/storage/commit/0a7c48440c25ec26b4a710c03c957e665f4b2649"><code>0a7c484</code></a> build(deps): bump github.com/stretchr/testify from 1.5.1 to 1.6.0</li>
<li>Additional commits viewable in <a href="https://github.com/containers/storage/compare/v1.20.1...v1.20.2">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/containers/storage&package-manager=go_modules&previous-version=1.20.1&new-version=1.20.2)](https://dependabot.com/compatibility-score/?dependency-name=github.com/containers/storage&package-manager=go_modules&previous-version=1.20.1&new-version=1.20.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

2397: Bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc9 to 1.0.0-rc90.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/opencontainers/runc/releases">github.com/opencontainers/runc's releases</a>.</em></p>
<blockquote>
<h2>runc 1.0-rc90 -- &quot;We Have To Go Back!&quot;</h2>
<p>This release is <em>identical</em> to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).</p>
<p>The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
&quot;-rcNN&quot; string suffix is sorted lexicographically rather than in the
classic <code>sort -V</code> order).</p>
<p>Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2399">#2399</a> for more details.</p>
<p>The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.</p>
<p>Signed-off-by: Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></p>
<h2>runc 1.0-rc10 -- &quot;Procfs Strikes Back&quot;</h2>
<p>This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the <a href="https://github-redirect.dependabot.com/opencontainers/runtime-spec/pull/1008">relevant runtime-spec PR which was considered a blocker has
been merged</a> the next rc release of runc should be the last one before
1.0.0.</p>
<p>Other notable changes include:</p>
<ul>
<li>Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).</li>
<li>Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).</li>
</ul>
<p>Thanks to the following people who made this release possible:</p>
<ul>
<li>Akihiro Suda <a href="mailto:akihiro.suda.cz@hco.ntt.co.jp">akihiro.suda.cz@hco.ntt.co.jp</a></li>
<li>Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></li>
<li>James Peach <a href="mailto:jpeach@apache.org">jpeach@apache.org</a></li>
<li>Jordan Liggitt <a href="mailto:liggitt@google.com">liggitt@google.com</a></li>
<li>Julia Nedialkova <a href="mailto:julianedialkova@hotmail.com">julianedialkova@hotmail.com</a></li>
<li>Julio Montes <a href="mailto:julio.montes@intel.com">julio.montes@intel.com</a></li>
<li>Kevin Kelani <a href="mailto:kkelani@gmail.com">kkelani@gmail.com</a></li>
<li>Kurnia D Win <a href="mailto:kurnia.d.win@gmail.com">kurnia.d.win@gmail.com</a></li>
<li>Manuel Rüger <a href="mailto:manuel@rueg.eu">manuel@rueg.eu</a></li>
<li>Michael Crosby <a href="mailto:crosbymichael@gmail.com">crosbymichael@gmail.com</a></li>
<li>Mrunal Patel <a href="mailto:mrunal@me.com">mrunal@me.com</a></li>
<li>Qiang Huang <a href="mailto:h.huangqiang@huawei.com">h.huangqiang@huawei.com</a></li>
<li>Radostin Stoyanov <a href="mailto:rstoyanov1@gmail.com">rstoyanov1@gmail.com</a></li>
<li>Sascha Grunert <a href="mailto:sgrunert@suse.com">sgrunert@suse.com</a></li>
<li>tianye15 <a href="mailto:tianye15@yq01-ps-www007cc6e83.yq01.baidu.com">tianye15@yq01-ps-www007cc6e83.yq01.baidu.com</a></li>
</ul>
<p>Vote: <code>+4 -0 [#1](https://github.com/opencontainers/runc/issues/1)</code>
Signed-off-by: Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></p>
</tr></table> ... (truncated)
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/opencontainers/runc/commit/dc9208a3303feef5b3839f4323d9beb36df0a9dd"><code>dc9208a</code></a> VERSION: update to 1.0.0~rc10</li>
<li><a href="https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"><code>2fc03cc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2207">#2207</a> from cyphar/fix-double-volume-attack</li>
<li><a href="https://github.com/opencontainers/runc/commit/3291d66b98445bd7f7d02eac7f2bca2ac2c56942"><code>3291d66</code></a> rootfs: do not permit /proc mounts to non-directories</li>
<li><a href="https://github.com/opencontainers/runc/commit/f6fb7a0338c3ea8488bd9bd7cc7667b113aff8d8"><code>f6fb7a0</code></a> merge branch 'pr-2133'</li>
<li><a href="https://github.com/opencontainers/runc/commit/709377ca558df88ea538852c9310b700f140fc9b"><code>709377c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2198">#2198</a> from AkihiroSuda/criu-master</li>
<li><a href="https://github.com/opencontainers/runc/commit/55f8c254beb00f916c115a7034f7eee0cfd657a1"><code>55f8c25</code></a> temporarily disable CRIU tests</li>
<li><a href="https://github.com/opencontainers/runc/commit/5c20ea1472dbeeebdb1bcef31a09888890a25b3a"><code>5c20ea1</code></a> fix merging <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> and <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a></li>
<li><a href="https://github.com/opencontainers/runc/commit/5cc0deaf7a089a91a5ce4b81f835b64fcc4778d6"><code>5cc0dea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a> from AkihiroSuda/split-fs</li>
<li><a href="https://github.com/opencontainers/runc/commit/2b52db75279ca687e18156de86d845876e9ef35d"><code>2b52db7</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> from devimc/topic/libcontainer/kata-containers</li>
<li><a href="https://github.com/opencontainers/runc/commit/a88592a63474e6976030b4fbded41dd445152236"><code>a88592a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2185">#2185</a> from liggitt/exec-race</li>
<li>Additional commits viewable in <a href="https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc90">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)](https://dependabot.com/compatibility-score/?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
bors bot added a commit to containers/buildah that referenced this issue Jun 8, 2020
@bors @dependabot-preview
Merge #2397
8c538bf 
2397: Bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc90 r=rhatdan a=dependabot-preview[bot]

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc9 to 1.0.0-rc90.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/opencontainers/runc/releases">github.com/opencontainers/runc's releases</a>.</em></p>
<blockquote>
<h2>runc 1.0-rc90 -- &quot;We Have To Go Back!&quot;</h2>
<p>This release is <em>identical</em> to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).</p>
<p>The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
&quot;-rcNN&quot; string suffix is sorted lexicographically rather than in the
classic <code>sort -V</code> order).</p>
<p>Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2399">#2399</a> for more details.</p>
<p>The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.</p>
<p>Signed-off-by: Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></p>
<h2>runc 1.0-rc10 -- &quot;Procfs Strikes Back&quot;</h2>
<p>This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the <a href="https://github-redirect.dependabot.com/opencontainers/runtime-spec/pull/1008">relevant runtime-spec PR which was considered a blocker has
been merged</a> the next rc release of runc should be the last one before
1.0.0.</p>
<p>Other notable changes include:</p>
<ul>
<li>Fixing an exec-fifo race that could be triggered under Kubernetes (opencontainers/runc#2185).</li>
<li>Partial cgroupv2 support (opencontainers/runc#2209 for remaining issues).</li>
</ul>
<p>Thanks to the following people who made this release possible:</p>
<ul>
<li>Akihiro Suda <a href="mailto:akihiro.suda.cz@hco.ntt.co.jp">akihiro.suda.cz@hco.ntt.co.jp</a></li>
<li>Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></li>
<li>James Peach <a href="mailto:jpeach@apache.org">jpeach@apache.org</a></li>
<li>Jordan Liggitt <a href="mailto:liggitt@google.com">liggitt@google.com</a></li>
<li>Julia Nedialkova <a href="mailto:julianedialkova@hotmail.com">julianedialkova@hotmail.com</a></li>
<li>Julio Montes <a href="mailto:julio.montes@intel.com">julio.montes@intel.com</a></li>
<li>Kevin Kelani <a href="mailto:kkelani@gmail.com">kkelani@gmail.com</a></li>
<li>Kurnia D Win <a href="mailto:kurnia.d.win@gmail.com">kurnia.d.win@gmail.com</a></li>
<li>Manuel Rüger <a href="mailto:manuel@rueg.eu">manuel@rueg.eu</a></li>
<li>Michael Crosby <a href="mailto:crosbymichael@gmail.com">crosbymichael@gmail.com</a></li>
<li>Mrunal Patel <a href="mailto:mrunal@me.com">mrunal@me.com</a></li>
<li>Qiang Huang <a href="mailto:h.huangqiang@huawei.com">h.huangqiang@huawei.com</a></li>
<li>Radostin Stoyanov <a href="mailto:rstoyanov1@gmail.com">rstoyanov1@gmail.com</a></li>
<li>Sascha Grunert <a href="mailto:sgrunert@suse.com">sgrunert@suse.com</a></li>
<li>tianye15 <a href="mailto:tianye15@yq01-ps-www007cc6e83.yq01.baidu.com">tianye15@yq01-ps-www007cc6e83.yq01.baidu.com</a></li>
</ul>
<p>Vote: <code>+4 -0 [#1](https://github.com/opencontainers/runc/issues/1)</code>
Signed-off-by: Aleksa Sarai <a href="mailto:asarai@suse.de">asarai@suse.de</a></p>
</tr></table> ... (truncated)
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/opencontainers/runc/commit/dc9208a3303feef5b3839f4323d9beb36df0a9dd"><code>dc9208a</code></a> VERSION: update to 1.0.0~rc10</li>
<li><a href="https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0"><code>2fc03cc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2207">#2207</a> from cyphar/fix-double-volume-attack</li>
<li><a href="https://github.com/opencontainers/runc/commit/3291d66b98445bd7f7d02eac7f2bca2ac2c56942"><code>3291d66</code></a> rootfs: do not permit /proc mounts to non-directories</li>
<li><a href="https://github.com/opencontainers/runc/commit/f6fb7a0338c3ea8488bd9bd7cc7667b113aff8d8"><code>f6fb7a0</code></a> merge branch 'pr-2133'</li>
<li><a href="https://github.com/opencontainers/runc/commit/709377ca558df88ea538852c9310b700f140fc9b"><code>709377c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2198">#2198</a> from AkihiroSuda/criu-master</li>
<li><a href="https://github.com/opencontainers/runc/commit/55f8c254beb00f916c115a7034f7eee0cfd657a1"><code>55f8c25</code></a> temporarily disable CRIU tests</li>
<li><a href="https://github.com/opencontainers/runc/commit/5c20ea1472dbeeebdb1bcef31a09888890a25b3a"><code>5c20ea1</code></a> fix merging <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> and <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a></li>
<li><a href="https://github.com/opencontainers/runc/commit/5cc0deaf7a089a91a5ce4b81f835b64fcc4778d6"><code>5cc0dea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2169">#2169</a> from AkihiroSuda/split-fs</li>
<li><a href="https://github.com/opencontainers/runc/commit/2b52db75279ca687e18156de86d845876e9ef35d"><code>2b52db7</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2177">#2177</a> from devimc/topic/libcontainer/kata-containers</li>
<li><a href="https://github.com/opencontainers/runc/commit/a88592a63474e6976030b4fbded41dd445152236"><code>a88592a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/opencontainers/runc/issues/2185">#2185</a> from liggitt/exec-race</li>
<li>Additional commits viewable in <a href="https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc90">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)](https://dependabot.com/compatibility-score/?dependency-name=github.com/opencontainers/runc&package-manager=go_modules&previous-version=1.0.0-rc9&new-version=1.0.0-rc90)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)



</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kolyshkin @AkihiroSuda