Releases: opencontainers/runc
runc 1.0 -- "A wizard is never late, nor is he early, he arrives precisely when he means to."
This release has quite a few last-minute bug-fixes and various correctness and
performance improvements (almost all of which are related to cgroup handling),
and is the first non-rc release of runc in 5 years (v1.0.0-rc1 was released in
2016). It's been a very long road, and we thank the many contributors and
maintainers that helped us get to this point (approximately 422 people in
total).
As runc follows Semantic Versioning, we will endeavor to not make any
breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is not covered by this policy -- for
historical reasons, this code was not moved into an "internal" package
(this feature did not exist in Go at the time) and because certain
projects currently depend on this, we have not yet moved this code into
an internal package. Despite this, we reserve the right to make breaking
changes in our Go APIs (though we will note such changes in our
changelog, and will try to avoid needless disruption if possible).
Breaking changes:
- Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
use libcontainer/devices) (#2999)
- Removed libcontainer/system.RunningInUserNS function (deprecated since
rc94, use libcontainer/userns) (#2999)
Deprecations:
- The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations). (#2917, #3004)
Bugfixes:
- cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF
program(s) to fix runc update and avoid leaking eBPF programs
(resulting in errors when managing containers). (#2951)
- cgroupv2: correctly convert "number of IOs" statistics in a
cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
- cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
- cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen. (#2955)
- cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
- cgroups/systemd: fixed returning "unit already exists" error from a systemd
cgroup manager (regression in rc94) (#2997, #2996)
Improvements:
- cgroupv2: support SkipDevices with systemd driver (#2958, #3019)
- cgroup/systemd: return, not ignore, stop unit error from Destroy (#2946)
- Fix all golangci-lint failures. (#2781, #2962)
- Make "runc --version" output sane even when built with go get or
otherwise outside of our build scripts. (#2962)
- cgroups: set SkipDevices during runc update (so we don't modify
cgroups at all during runc update). (#2994)
- cgroup1: blkio: support BFQ weights. (#3010)
- cgroupv2: set per-device io weights if BFQ IO scheduler is available.
(#3022)
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work
that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Antti Kervinen antti.kervinen@intel.com
- Daniel, Dao Quang Minh dqminh89@gmail.com
- Enrico Weigelt info@metux.net
- Kir Kolyshkin kolyshkin@gmail.com
- Michael Crosby michael@thepasture.io
- Mrunal Patel mrunal@me.com
- Peter Hunt pehunt@redhat.com
- Qiang Huang h.huangqiang@huawei.com
- Sebastiaan van Stijn github@gone.nl
- Shiming Zhang wzshiming@foxmail.com
- Yashpal Choudhary yashpal.c1995@gmail.com
Vote: +5 -0 %2
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc95 -- "Just when I thought I was out, they pull me back in."
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).
Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).
Thanks to the following people who made this release possible:
- Aleksa Sarai cyphar@cyphar.com
- Giuseppe Scrivano gscrivan@redhat.com
- Kir Kolyshkin kolyshkin@gmail.com
- Mrunal Patel mrunal@me.com
Due to the nature of this release, it didn't go through the normal
public release procedure. However, this break from procedure was agreed
upon on the security mailing list.
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc94 -- "Time is an illusion. Lunchtime doubly so."
This release fixes several regressions found in v1.0.0-rc93. We
recommend users update as soon as possible. This release includes the
following notable changes:
Potentially breaking changes:
- cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of
regular memory cgroup controls. (#2840)
- libcontainer/cgroups: cgroup managers' Set now accepts configs.Resources
rather than configs.Cgroups (#2906)
- libcontainer/cgroups/systemd: reconnect and retry in case dbus
connection is closed (after dbus restart) (#2923)
- libcontainer/cgroups/systemd: don't set limits in Apply (#2814)
Bugfixes:
- seccomp: fix 32-bit compilation errors (regression in rc93, #2783)
- cgroupv2: blkio weight value conversion fix (#2786)
- runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
(regression in rc93, #2871)
- runc start: fix "chdir to cwd: permission denied" for some setups
(regression in rc93, #2894)
- s390: fix broken terminal (regression in rc93, #2898)
Improvements:
- runc start/exec: better diagnostics when container limits are too low
(#2812)
- runc start/exec: better cleanup after failed runc init (#2855)
- cgroupv1: improve freezing chances (#2941, #2918, #2791)
- cgroupv2: multiple GetStats improvements (#2816, #2873)
- cgroupv2: fallback to setting io.weight if io.bfq.weight is not
available (#2820)
- capabilities: WARN, not ERROR, for unknown / unavailable capabilities
(#2854)
Thanks to the following people who made this release possible:
- Adam Korcz adam@adalogics.com
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Ben Hutchings ben.hutchings@essensium.com
- Danail Branekov danailster@gmail.com
- Daniel Dao dqminh89@gmail.com
- Enrico Weigelt info@metux.net
- Iceber Gu wei.cai-nat@daocloud.io
- Kenta Tada Kenta.Tada@sony.com
- Kieron Browne kbrowne@vmware.com
- Kir Kolyshkin kolyshkin@gmail.com
- Liang Zhou zhoul110@chinatelecom.cn
- Liu Hua weldonliu@tencent.com
- Mauricio Vásquez mauricio@kinvolk.io
- Mrunal Patel mrunal@me.com
- Odin Ugedal odin@uged.al
- Peter Hunt pehunt@redhat.com
- Qiang Huang h.huangqiang@huawei.com
- Ryosuke Hanatsuka hanatsuu@gmail.com
- Sascha Grunert sgrunert@redhat.com
- Sebastiaan van Stijn github@gone.nl
- Shengjing Zhu zhsj@debian.org
- Shiming Zhang wzshiming@foxmail.com
- Vasiliy Ulyanov vulyanov@suse.de
Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc93 -- "I never could get the hang of Thursdays."
This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.
- runc's cgroupv2 support is no longer considered experimental. It is now
believed to be fully ready for production deployments. In addition, runc's
cgroup code has been improved:
  - The systemd cgroup driver has been improved to be more resilient and
  handle more systemd properties correctly.
  - We now make use of openat2(2) when possible to improve the security of
  cgroup operations (in future runc will be wholesale ported to libpathrs to
  get this protection in all codepaths).
- runc's mountinfo parsing code has been reworked significantly, making
container startup times significantly faster and less wasteful in general.
- runc now has special handling for seccomp profiles to avoid making new
syscalls unusable for glibc. This is done by installing a custom prefix to
all seccomp filters which returns -ENOSYS for syscalls that are newer than
any syscall in the profile (meaning they have a larger syscall number).

  This should not cause any regressions (because previously users would simply
  get -EPERM rather than -ENOSYS, and the rule applied above is the most
  conservative rule possible) but please report any regressions you find as a
  result of this change -- in particular, programs which have special fallback
  code that is only run in the case of -EPERM.
- runc now supports the following new runtime-spec features:
  - The umask of a container can now be specified.
  - The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
  CAP_CHECKPOINT_RESTORE) are now supported.
  - The "unified" cgroup configuration option, which allows users to explicitly
  specify the limits based on the cgroup file names rather than abstracting
  them through OCI configuration. This is currently limited in scope to
  cgroupv2.
- Various rootless containers improvements:
  - runc will no longer cause conflicts if a user specifies a custom device
  which conflicts with a user-configured device -- the user device takes
  precedence.
  - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
- runc --root is now always treated as local to the current working directory.
- The --no-pivot-root hardening was improved to handle nested mounts properly
(please note that we still strongly recommend that users do not use
--no-pivot-root -- it is still an insecure option).
- A large number of code cleanliness and other various cleanups, including
fairly large changes to our tests and CI to make them all run more
efficiently.
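The seccomp item above describes a rule that is easy to misread, so here is a small model of it, added as an example and not taken from runc's code. The Profile type, the sample profile and the function names are hypothetical; the syscall numbers are the x86_64 ones, and the real filter is generated per architecture.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the errno a filtered syscall returns to its caller.
var (
	ErrEPERM  = errors.New("EPERM")
	ErrENOSYS = errors.New("ENOSYS")
)

// x86_64 syscall numbers used by the constructed profile and callers.
const (
	sysClone      = 56
	sysMount      = 165
	sysFaccessat  = 269
	sysStatx      = 332
	sysClone3     = 435
	sysFaccessat2 = 439
)

// Profile is a hypothetical, simplified allow-list profile: listed syscalls
// are allowed, everything else gets the default action, modelled as EPERM.
type Profile struct {
	Allowed map[int]bool
}

// sampleProfile is constructed; it was "written" before clone3 and faccessat2.
func sampleProfile() Profile {
	return Profile{Allowed: map[int]bool{sysClone: true, sysFaccessat: true, sysStatx: true}}
}

// newest returns the largest syscall number the profile mentions.
func (p Profile) newest() int {
	top := -1
	for nr := range p.Allowed {
		if nr > top {
			top = nr
		}
	}
	return top
}

// Filter models the verdict for one syscall; nil means the call is allowed.
// With enosysPrefix set, syscalls numbered above everything in the profile
// get ENOSYS before the profile's own rules are consulted.
func (p Profile) Filter(nr int, enosysPrefix bool) error {
	if enosysPrefix && nr > p.newest() {
		return ErrENOSYS
	}
	if p.Allowed[nr] {
		return nil
	}
	return ErrEPERM
}

// tryWithFallback issues the preferred syscall and retries with the older one
// only when the first failure is fallbackOn. It returns the syscall that ran.
func tryWithFallback(p Profile, prefix bool, preferred, older int, fallbackOn error) (int, error) {
	err := p.Filter(preferred, prefix)
	if err == nil {
		return preferred, nil
	}
	if !errors.Is(err, fallbackOn) {
		return -1, err
	}
	if err := p.Filter(older, prefix); err != nil {
		return -1, err
	}
	return older, nil
}

// spawn models a libc that prefers clone3 and falls back to clone on ENOSYS.
func spawn(p Profile, prefix bool) (int, error) {
	return tryWithFallback(p, prefix, sysClone3, sysClone, ErrENOSYS)
}

// checkAccess models the case the notes ask users to report: a program
// whose fallback path only runs on EPERM.
func checkAccess(p Profile, prefix bool) (int, error) {
	return tryWithFallback(p, prefix, sysFaccessat2, sysFaccessat, ErrEPERM)
}

func main() {
	p := sampleProfile()
	for _, prefix := range []bool{false, true} {
		s, serr := spawn(p, prefix)
		a, aerr := checkAccess(p, prefix)
		fmt.Printf("prefix=%v spawn=%d (%v) access=%d (%v)\n", prefix, s, serr, a, aerr)
	}
}
```

A syscall that is absent from the profile but numbered below its newest entry (mount in this sample) still gets the default EPERM, which is why the notes call the rule conservative.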
For packagers the following changes have been made which will have impact on
your packaging of runc:
- The "selinux" and "apparmor" buildtags have been removed, and now all runc
builds will have SELinux and AppArmor support enabled. Note that "seccomp"
is still optional (though we very highly recommend you enable it).
- make install DESTDIR= now functions correctly.
Thanks to the following people who made this release possible:
- acetang aceapril@126.com
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Amim Knabben amim.knabben@gmail.com
- An Long aisk1988@gmail.com
- Aos Dabbagh aosdab@gmail.com
- Ashok Pon Kumar ashokponkumar@gmail.com
- Cesar Talledo ctalledo@nestybox.com
- Chaitanya Bandi kbandi@cs.stonybrook.edu
- Cory Bennett cbennett@netflix.com
- Daniel J Walsh dwalsh@redhat.com
- Eduardo Vega edvegavalerio@gmail.com
- Feng Sun loyou85@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- Jeff Zvier zvier20@gmail.com
- Kenta Tada Kenta.Tada@sony.com
- Kir Kolyshkin kolyshkin@gmail.com
- Manabu Sugimoto Manabu.Sugimoto@sony.com
- Mauricio Vásquez mauricio@kinvolk.io
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunalp@gmail.com
- Paweł Szulik pawel.szulik@intel.com
- Peter Hunt pehunt@redhat.com
- Piotr Wagner piotr.wagner@intel.com
- Sascha Grunert sgrunert@suse.com
- SataQiu 1527062125@qq.com
- Sebastiaan van Stijn github@gone.nl
- Shengjing Zhu zhsj@debian.org
- Shukui Yang keloyangsk@gmail.com
- wangtianxia sometimesnaive@sjtu.edu.cn
- Wei Fu fuweid89@gmail.com
- Xiaochen Shen xiaochen.shen@intel.com
- Xiaodong Liu liuxiaodong@loongson.cn
Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc92 -- "Almost, but not quite, entirely unlike tea."
This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):
- Fix helpers used by Docker to correctly handle symlinks in /dev (when running
with --privileged containers).
As well as some other improvements:
- Updates to CRIU support.
- Improvements to cgroupfs performance and correctness.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Daniel J Walsh dwalsh@redhat.com
- Giuseppe Scrivano gscrivan@redhat.com
- John Hwang john.f.hwang@gmail.com
- Kir Kolyshkin kolyshkin@gmail.com
- Lokesh Mandvekar lsm5@fedoraproject.org
- Mrunal Patel mrunalp@gmail.com
- Sebastiaan van Stijn github@gone.nl
- tjucoder chinesecoder@foxmail.com
- Xiaodong Liu liuxiaodong@loongson.cn
- Xiaoyu Zhang mateuszhang@tencent.com
- zvier zvier20@gmail.com
Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
runc 1.0-rc91 -- "Just Hook a Right Over Here"
This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
- The long-awaited hooks changes have been merged into runc. This was
one of the few remaining spec-related issues which were blocking us
from releasing runc 1.0. Existing hook users will not be affected by
this change, but runc now supports additional hooks that we expect
users to migrate to eventually. The new hooks are:
  - createRuntime (replacement for the now-deprecated prestart)
  - createContainer
  - startContainer
- A large amount of effort has been undertaken to support cgroupv2
within runc. The support is still considered experimental, but it is
mostly functional at this point. Please report any bugs you find when
running under cgroupv2-only systems.
- A minor-severity security bug was fixed. The devices list would
be in allow-by-default mode from the outset, meaning that users would
have to explicitly specify they wish to deny all device access at the
beginning of the configuration. While this would normally be
considered a high-severity vulnerability, all known users of runc had
worked around this issue several years ago (hence why this fairly
obvious bug was masked).

  In addition, the devices list code has been massively improved such
  that it will attempt to avoid causing spurious errors in the
  container (such as while writing to /dev/null) when doing devices
  cgroup updates.
- A security audit of runc was conducted in 2019, and the report PDF is
now included in the runc repository. The previous release of runc
has already addressed the security issues found in that report.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Alban Crequy alban@kinvolk.io
- Aleksa Sarai asarai@suse.de
- Alice Frosi afrosi@de.ibm.com
- Amye Scavarda Perrin amye@linuxfoundation.org
- Andrei Vagin avagin@gmail.com
- Boris Popovschi zyqsempai@mail.ru
- Brian Goff cpuguy83@gmail.com
- Chris Aniszczyk caniszczyk@gmail.com
- Danail Branekov danailster@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- iwankgb maciej.iwanowski@intel.com
- John Hwang John.F.Hwang@gmail.com
- Katarzyna Kujawa katarzyna.kujawa@intel.com
- Kenta Tada Kenta.Tada@sony.com
- Kir Kolyshkin kolyshkin@gmail.com
- Kir Kolyshkin kolyshkin@users.noreply.github.com
- Kohei Ota kela@inductor.me
- l00397676 lujingxiao@huawei.com
- Lifubang lifubang@acmcoder.com
- Mario Nitchev marionitchev@gmail.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunalp@gmail.com
- Odin Ugedal odin@ugedal.com
- Paweł Szulik pawel.szulik@intel.com
- Peter Hunt pehunt@redhat.com
- Pradyumna Agrawal pradyumnaa@vmware.com
- Qiang Huang h.huangqiang@huawei.com
- Renaud Gaubert rgaubert@nvidia.com
- Sascha Grunert sgrunert@suse.com
- Sebastiaan van Stijn github@gone.nl
- SiYu Zhao d.chaser.zsy@gmail.com
- Ted Yu yuzhihong@gmail.com
- Tianjia Zhang tianjia.zhang@linux.alibaba.com
- Tianon Gravi admwiggin@gmail.com
- Tobias Klauser tklauser@distanz.ch
- wanghuaiqing wanghuaiqing@loongson.cn
- W. Trevor King wking@tremily.us
- Yulia Nedyalkova julianedialkova@hotmail.com
- zyu yuzhihong@gmail.com
NOTE: For those who are confused by the massive version jump (rc10 to
rc91), this was done to avoid issues with SemVer and lexical
comparisons -- there haven't been 90 other release candidates. Please
also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10. See #2399
for more details.
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc90 -- "We Have To Go Back!"
This release is identical to v1.0.0-rc10 (and thus the version string in
the binary will be v1.0.0-rc10).
The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic sort -V order).
Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See #2399 for more details.
The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.
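The ordering problem described here (and in the rc91 note about the jump from rc10 to rc91) can be reproduced with a short SemVer 2.0.0 precedence comparison. This is an added example, not runc's or the Go toolchain's code; the function names are hypothetical and the tag list is constructed from the release names on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sign maps any integer to -1, 0 or 1.
func sign(n int) int {
	switch {
	case n < 0:
		return -1
	case n > 0:
		return 1
	}
	return 0
}

// isNumeric reports whether a pre-release identifier is made of digits only.
func isNumeric(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return s != ""
}

// comparePrerelease orders the part after "-" as SemVer 2.0.0 section 11
// does. An empty pre-release (a final release) sorts above any pre-release.
func comparePrerelease(a, b string) int {
	switch {
	case a == b:
		return 0
	case a == "":
		return 1
	case b == "":
		return -1
	}
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		xn, yn := isNumeric(x), isNumeric(y)
		switch {
		case xn && yn: // numeric identifiers compare as integers
			xi, _ := strconv.Atoi(x)
			yi, _ := strconv.Atoi(y)
			if xi != yi {
				return sign(xi - yi)
			}
		case xn != yn: // a numeric identifier sorts below an alphanumeric one
			if xn {
				return -1
			}
			return 1
		default: // alphanumeric identifiers such as "rc10" compare in ASCII order
			if c := strings.Compare(x, y); c != 0 {
				return c
			}
		}
	}
	return sign(len(as) - len(bs)) // more identifiers wins when the rest tie
}

// compare orders two tags of the form [v]MAJOR.MINOR.PATCH[-PRERELEASE].
// Build metadata and malformed input are out of scope for this example.
func compare(a, b string) int {
	ac, ap, _ := strings.Cut(strings.TrimPrefix(a, "v"), "-")
	bc, bp, _ := strings.Cut(strings.TrimPrefix(b, "v"), "-")
	af, bf := strings.Split(ac, "."), strings.Split(bc, ".")
	for i := 0; i < 3 && i < len(af) && i < len(bf); i++ {
		x, _ := strconv.Atoi(af[i])
		y, _ := strconv.Atoi(bf[i])
		if x != y {
			return sign(x - y)
		}
	}
	return comparePrerelease(ap, bp)
}

// latest returns the tag a SemVer-aware resolver would treat as newest.
func latest(tags []string) string {
	sorted := append([]string(nil), tags...)
	sort.SliceStable(sorted, func(i, j int) bool { return compare(sorted[i], sorted[j]) < 0 })
	return sorted[len(sorted)-1]
}

func main() {
	tags := []string{"v1.0.0-rc8", "v1.0.0-rc9", "v1.0.0-rc10"} // constructed input
	fmt.Println("before rc90:", latest(tags))
	fmt.Println("with rc90:  ", latest(append(tags, "v1.0.0-rc90")))
}
```

Because "rc10" is a single alphanumeric identifier it sorts below "rc8" and "rc9"; a dotted form such as "rc.10" would have been compared numerically.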
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc10 -- "Procfs Strikes Back"
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged, the next rc release of runc should be the last one before
1.0.0.
Other notable changes include:
- Fixing an exec-fifo race that could be triggered under Kubernetes (#2185).
- Partial cgroupv2 support (#2209 for remaining issues).
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Thanks to the following people who made this release possible:
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai asarai@suse.de
- James Peach jpeach@apache.org
- Jordan Liggitt liggitt@google.com
- Julia Nedialkova julianedialkova@hotmail.com
- Julio Montes julio.montes@intel.com
- Kevin Kelani kkelani@gmail.com
- Kurnia D Win kurnia.d.win@gmail.com
- Manuel Rüger manuel@rueg.eu
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Qiang Huang h.huangqiang@huawei.com
- Radostin Stoyanov rstoyanov1@gmail.com
- Sascha Grunert sgrunert@suse.com
- tianye15 tianye15@yq01-ps-www007cc6e83.yq01.baidu.com
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc9 -- "Watch out for that first step, it's a doozy!"
This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Thanks to the following people who made this release possible:
- Adrian Reber areber@redhat.com
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai asarai@suse.de
- Andreas Stocker astocker@anexia-it.com
- blacktop blacktop@users.noreply.github.com
- Carlos de Paula me@carlosedp.com
- Danail Branekov danailster@gmail.com
- Daniel J Walsh dwalsh@redhat.com
- Erik Sipsma sipsma@amazon.com
- Filipe Brandenburger filbranden@gmail.com
- Georgi Sabev georgethebeatle@gmail.com
- Giuseppe Scrivano gscrivan@redhat.com
- Howard Zhang howard.zhang@arm.com
- Joe Burianek joe.burianek@pantheon.io
- Jonathan Rudenberg jonathan@titanous.com
- Julien Durillon julien.durillon@gmail.com
- Kenta Tada Kenta.Tada@sony.com
- Lifubang lifubang@acmcoder.com
- Marco Vedovati mvedovati@suse.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Odin Ugedal odin@ugedal.com
- Qiang Huang h.huangqiang@huawei.com
- sashayakovtseva sasha@sylabs.io
- Sebastiaan van Stijn github@gone.nl
- Xiaochen Shen xiaochen.shen@intel.com
- Xiao YongBiao xyb4638@gmail.com
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
runc 1.0-rc8 -- "Oops, We Did It Again!"
This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels
(which don't support keycreate labeling). Users are strongly encouraged
to update, as this regression was introduced in 1.0.0-rc7 and has
blocked many users from updating to mitigate CVE-2019-5736.
At the moment the only outlying issue before we can release 1.0.0 is
some spec discussions we are having about OCI hooks and how to handle
the integration with existing NVIDIA hooks. We will do our best to
finish this work as soon as we can.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Thanks to the following people who made this release possible:
- Aleksa Sarai asarai@suse.de
- Daniel J Walsh dwalsh@redhat.com
- lifubang lifubang@acmcoder.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
Signed-off-by: Aleksa Sarai asarai@suse.de