
Releases: opencontainers/runc

runc 1.0-rc7 -- "The Eleventh Hour"

28 Mar 17:06
v1.0.0-rc7
69ae5da

WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.

Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).

This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0.

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Security:

  • Mitigate CVE-2019-5736. This is an updated version of the patch series sent
    out on openwall and we encourage users to update. #1982 #1984

    NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
    host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a
    hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN
    privileged users).

    Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers
    without user namespaces to be fundamentally insecure; as such, we do not
    consider this to be a security issue.

    If you want an additional host-level mitigation, use chattr +i on the
    host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to
    it -- even with CAP_SYS_ADMIN. But as above, if you give
    CAP_LINUX_IMMUTABLE to a container you will have problems.

    An alternative is to bind-mount a sealed memfd copy of the runc binary over
    the binary (runc will detect this and will not attempt further mitigation,
    because sealed memfds are fundamentally unmodifiable) but this requires
    more in-depth work by administrators.

  • There appear to be production users of --no-pivot-root, which is something
    that we absolutely recommend against and do not consider to be a secure
    configuration -- since pivot_root(2) has many security properties that are
    not possible to provide with just chroot(2).

    However, a specific issue was discovered which we decided to mitigate in
    order to avoid production users being exploited by it. This security issue
    is not eligible for a CVE because it requires an insecure configuration
    (--no-pivot-root). #1962
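
The host-level mitigations described in the CVE-2019-5736 note (chattr +i on
the runc binary, or a read-only mount over it) are easy to apply and easy to
forget. The following shell script is an added example, not part of these
release notes or of the runc project: it checks, for a given runc binary path,
whether the immutable attribute is set and whether the binary sits on a
read-only mount. It relies only on the documented lsattr(1) output format and
the /proc/self/mountinfo format; the sample lsattr line and mountinfo lines
embedded at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added example (not runc's own tooling): report whether a runc binary on this
# host carries the chattr +i immutable attribute and/or lives on a read-only
# mount, the two host-level mitigations recommended alongside CVE-2019-5736.

# Return 0 if an lsattr(1) output line ("----i---------e------- /path") has the
# immutable flag set. lsattr's flag letters are case-sensitive and only the
# immutable attribute is shown as a lowercase 'i'.
lsattr_has_immutable() {
    flags=${1%% *}                  # first whitespace-separated field
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read /proc/self/mountinfo-format lines on stdin and return 0 if the mount
# containing PATH is mounted read-only. Field 5 is the mount point and field 6
# the per-mount options. The longest mount point that is a prefix of PATH is
# the one that applies, so a bind mount over the file itself wins over "/".
mount_is_readonly() {
    path=$1
    best=""; best_opts=""; best_len=-1
    while read -r _id _parent _dev _root mnt opts _rest; do
        [ -n "$mnt" ] || continue
        case "$path/" in
            "${mnt%/}/"*)
                if [ ${#mnt} -gt "$best_len" ]; then
                    best=$mnt; best_opts=$opts; best_len=${#mnt}
                fi ;;
        esac
    done
    [ -n "$best" ] || return 1
    case ",$best_opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run both checks against a real binary on this host. Exit status 0 means at
# least one of the two mitigations is in place.
check_runc_hardening() {
    bin=$1; ok=1
    if lsattr_has_immutable "$(lsattr -- "$bin" 2>/dev/null)"; then
        echo "$bin: immutable attribute set (chattr +i)"; ok=0
    fi
    if mount_is_readonly "$bin" < /proc/self/mountinfo; then
        echo "$bin: located on a read-only mount"; ok=0
    fi
    [ $ok -eq 0 ] || echo "$bin: neither chattr +i nor a read-only mount applies" >&2
    return $ok
}

# Constructed sample data, used when the script is exercised offline.
SAMPLE_LSATTR='----i---------e------- /usr/sbin/runc'
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 22 8:1 /usr/sbin/runc /usr/sbin/runc ro,relatime - ext4 /dev/sda1 rw'

# Usage: ./check-runc-hardening.sh /usr/sbin/runc
if [ $# -gt 0 ]; then
    check_runc_hardening "$1"
fi
```

The mountinfo parser deliberately picks the longest matching mount point: on a
host that bind-mounts runc read-only over its own path, the root filesystem is
still "rw", and checking only "/" would wrongly report the binary as
unprotected. As the release note says, none of this helps if the container
holds CAP_SYS_ADMIN (which can remount) or CAP_LINUX_IMMUTABLE (which can clear
the attribute), so the check is a complement to user namespaces, not a
replacement.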

Features:

  • Add intelrdt support for MBA to runc (a new intelrdt feature available in
    Linux 4.18+). #1919
  • Add support for specifying a CRIU configuration file for checkpoint/restore
    (which makes use of a new org.criu.config annotation). #1933 #1964
  • Add support for "runc exec --preserve-fds". #1995
  • Added support for SELinux labeling of keyrings. #2012

Fixes:

  • Correct handling of "runc kill" when a container is stopped or paused.
    #1934 #1943
  • Error out if built with nokmem and kmemcg limits were requested. #1939
  • Update check-config.sh to be in line with Docker's. #1942
  • Improve handling of kmem and the systemd cgroup driver. #1960
  • Improve resilience of adding setns tasks to cgroups. #1950
  • Remove (broken) detection of .scope for systemd. #1978
  • Fix console hanging with preserve-fds, where not enough fds have actually
    been provided to runc (which is a very common mistake when using
    --preserve-fds). #2000
  • Create bind-mounts when restoring. #1968
  • Fix regression of zombie "runc init" processes. #2023

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!

Signed-off-by: Aleksa Sarai asarai@suse.de

runc 1.0-rc6 -- "For Real This Time"

22 Nov 11:50
v1.0.0-rc6
ccb5efd

This is the final feature release of runc before 1.0, rather than 1.0
itself. The reason for this is that, during the preparations for this
release (which was originally meant to be 1.0) it was brought up that
there were several spec-compliance problems. One of these was related to
hook ordering, and upon trying to fix them it turns out that many users
(notably the NVIDIA OCI hooks) make use of our incorrect hook ordering.
Many of the proposed solutions to this problem all require a lot of time
and co-ordination, and thus would stall this release indefinitely.

So, the idea is to have an intermediate release which will mark a
freeze-on-everything-except-spec-compliance-bugs. No other changes will
be included pre-1.0 (aside from security patches obviously).

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features:

  • Upgrade to using Go 1.10. #1711
  • Upgrade to CRIU 3.11. #1711 #1864 #1935 #1936
  • Allow for checkpoint-restore into a foreign network namespace. #1849
  • The "type" field for bind-mounts is now ignored. This is important, because
    many users incorrectly assume that "type" defines a bind-mount and not
    "options". Previously you had to set both. #1753 #1845
  • "setgroups=allow" is now possible in rootless mode, but requires the use of
    the privileged newgidmap helper (fully-rootless still requires
    "setgroups=deny"). #1693
  • Rootless mode can now safely ignore a read-only cgroupfs. #1759 #1806
  • Several aspects of rootless mode are now used inside user namespaces. This
    is necessary for a bunch of useful things (such as running Docker inside a
    user namespace), but did cause some breakages. We think they've all been
    fixed -- but if not please submit an issue! #1688 #1808 #1816 #1862
  • Improve kernel.{domain,host}name sysctl handling, to allow the NIS
    domainname to be set from Docker or other callers without an OCI spec
    change. #1827
  • Add documentation for one of the more confusing parts of runc, how terminals
    are handled (including an explanation of --console-socket). All the gory
    details and recommendations are available in docs/terminals.md. #1730
  • Allow /proc to be bind-mounted over (useful for rootless containers). #1832
  • Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker
    working with LXC under the default seccomp profile (which is what ChromeOS
    uses). #1893
  • Add support for the Intel RDT/MBA resource control system. #1632 #1913
  • Allow building with completely-disabled kmemcg support, to get around
    problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting
    enabled). #1921 #1922 #1930
  • Add support for cgroup namespaces, which in turn fixes a few other issues we
    encountered with the previous code (which could be moving us to a cgroup
    during Go execution). #1916

Fixes:

  • Namespace creation with user namespaces now plays a bit nicer with SELinux
    and IPC (which had a bug where the in-kernel mqueue mount would have the
    wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to
    avoid future problems with broken kernel integration. #1562
  • Mild refactor of libcontainer/user. #1749
  • Fix null-pointer-exception when no cgroups were set. #1752
  • Various DBus and systemd related changes for the systemd-cgroup driver.
    #1754 #1772 #1776 #1781 #1805 #1917
  • Apply SELinux label to masked directories. #1756
  • Obey the XDG spec and set the sticky bit on runc's root when using
    XDG_RUNTIME_DIR (in rootless mode). #1760
  • Only configure network namespaces if we are creating them. #1777
  • Fix race in runc-exec against a currently-exiting pid1. #1812
  • Forward GOMAXPROCS to try to reduce the number of threads started by 'runc
    init'. Unfortunately there's no way to stop Go from spawning new threads so
    this is more of a recommendation. #1830
  • Fix tmpcopyup in cases where /tmp is not a private mount. #1873
  • Whitelist /proc/loadavg for bind-mounting. #1882
  • Protect against deletion of runc state directory with a containerid of "..",
    as well as the addition of other path hardening code. #1883
  • Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work
    on distributions that use-and-abuse shared subtrees. #1817
  • Fix console hanging in several cases. #1895 #1897
  • Lock-to-a-thread during 'runc init' to ensure that we don't switch
    threads and run within a different SELinux label. #1814
  • Respect cgroupPath when trying to find the cgroupfs mountpoint (which can
    happen in cases where containers are given different cgroupfs mounts). #1872
  • And many other minor changes, many from first-time contributors! #1746 #1748
    #1749 #1784 #1779 #1785 #1796 #1819 #1825 #1836 #1824 #1820 #1838 #1840
    #1841 #1867 #1871 #1855 #1854 #1874 #1868 #1886 #1892 #1858 #1894 #1908
    #1880 #1910 #1915 #1903 #1922 #1926 #1928 #1925 #1911

Fixes (for spec violations):

  • Don't set a container to "running" when exec-ing into it (because it might
    be in the "created" state). #1771
  • oom_score_adj is now no longer modified if it was unspecified in config.json
    (this was a spec violation). #1759
  • Set "status" in hook stdin, as well as switch to using *spec.State to avoid
    JSON-representation drift. #1741

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

Signed-off-by: Aleksa Sarai asarai@suse.de

runc 1.0-rc5 -- "The Final Stretch"

27 Feb 17:31
v1.0.0-rc5
4fc53a8

This is planned to be the final -rc release of runc. While we really
haven't followed the rules for release candidates (with huge features
introduced each release, and with massive gaps between releases) the
hope is that once we've released 1.0.0 we will be much more liberal with
releases in future. Let's see how that pans out. :P

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features:

  • Support cgroups in rootless containers. This is a continuation of the
    previous work done, and allows for users that have specialised setups
    (such as having the LXC pam_cg.so module set up) to use cgroups with
    rootless containers. #1540
  • Add support for newuidmap and newgidmap with rootless containers.
    This is a continuation of some previous work, and allows users that
    have /etc/sub{uid,gid} configured to use the shadow-utils setuid
    helpers. Note that this support doesn't restrict users that don't want
    to use setuid binaries at all. #1529
  • runc will now use a chroot when mount namespaces aren't provided in
    the config.json. While chroot does have its (many) downsides, this
    does allow for specialised configurations to work properly. #1702
  • Expose annotations to hooks, so that the hook can have more direct
    information about the container it is being run against. #1687
  • Add "runc exec --additional-gids" support. #1608
  • Allow more signals to be sent with "runc kill" than are defined by
    Go's syscall package. #1706
  • Emit an error if users try to use MS_PRIVATE with --no-pivot, as that
    is simply not safe. #1606
  • Add support for "unbindable" and "runbindable" as rootfs propagation.
    #1655
  • Implement intelrdt support in runc. #1279 #1590
  • Add support for lazy migration with CRIU. This includes the addition
    of "runc checkpoint httpd" which acts as a remote pagefault request
    server. #1541
  • Add MIPS support. #1475

Fixes:

  • Delay seccomp application as late as possible, to reduce the syscall
    footprint of runc on profiles. #1569

  • Fix --read-only containers with user namespaces, which would
    previously fail under Docker because of privilege problems when trying
    to do the read-only remount. #1572

  • Switch away from stateDirFd entirely. This is an improvement over the
    protections we added for CVE-2016-9962, and protects against many
    other possible container escape bugs. #1570

  • Handle races between "runc start" and "runc delete" over the exec FIFO
    correctly, and avoid blocking "runc start" indefinitely. #1698

  • Correctly generate seccomp profiles that place requirements on syscall
    arguments, as well as multi-argument restrictions. #1616 #1424

  • Prospective patch for remounting of old-root during pivot_root. This
    is intended to solve one of the many "mount leak" bugs that have been
    popping up recently -- caused by lots of container churn and host
    mounts being pinned during container setup. #1500

  • Fix "runc exec" on big-endian architectures. #1727

  • Correct systemd slice expansion to work with cAdvisor. #1722

  • Fix races against systemd cgroup scope creation. #1683

  • Do not wait for signalled processes if libcontainer is running in a
    process that is a subreaper. #1678

  • Remove dependency on libapparmor entirely, and just use
    /proc/$pid/attr directly. #1675

  • Improvements to our integration tests. #1661 #1629 #1528

  • Handle systemd's quirky CPUQuotaPerSecUSec handling in
    fractions-of-a-percent edge-cases. #1651

  • Remove docker/docker import in runc by moving the package to runc.
    #1644

  • Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622

  • Enable integration and unit tests on arm64. #1642 #1640

  • Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539).
    #1641

  • Add several tests for specconv. #1626 #1619

  • Add more extensive tests for terminal handling. #1357

  • Always write freezer state during retry-loop, to avoid an indefinite
    hang when new tasks are spawned in the container. #1610

  • Create cwd when it doesn't exist in the container. #1604

  • Set initial console size based on process spec, to avoid SIGWINCH
    races where initial console size is completely wrong. #1275

  • Small fixes for static builds. #1579 #1577

  • Use epoll for PTY IO, to avoid issues with systemd's SAK protections.
    #1455

  • Update state.json after a "runc update". #1558

  • Switch to umoci's release scripts, to use a more "standardised" and
    distribution-friendly release scheme. Several makefile-fixes included
    as well. #1554 #1542 #1555

  • Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506

  • Use CRIU's RPC to check the version. #1535

  • Always save own namespace paths rather than the path given during
    start-up, to avoid issues where the path disappears afterwards. #1477

  • Fix that we incorrectly set the owners of devices. This is still (subtly)
    broken in user namespaces, but will be fixed in a future version. #1743

  • Lots of other miscellaneous fixes and cleanups, many of which were
    written by first-time contributors. Thanks for contributing, and
    welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682
    #1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206
    #1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588
    #1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553
    #1548 #1544 #1545 #1537

Removals:

  • Andrej Vagin stepped down as a maintainer. Thanks for all of your hard
    work Andrej, and have fun working on your other projects! #1543

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

Vote: +5 -0 #2
Signed-off-by: Aleksa Sarai asarai@suse.de

runc 1.0-rc4

10 Aug 14:33
v1.0.0-rc4
2e7cfe0

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp or libapparmor with our releases) and thus we had to recompile
our runc binaries to be sure we were distributing the correct version of
libseccomp and libapparmor. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features:

  • runc now supports v1.0.0 of the OCI runtime specification. #1527
  • Rootless containers support has been released. The current state of
    this feature is that it only supports single-{uid,gid} mappings as an
    unprivileged user, and cgroups are completely unsupported. Work is
    being done to improve this. #774
  • Rather than relying on CRIU version numbers, actually check if the
    system supports pre-dumping. #1371
  • Allow the PIDs cgroup limit to be updated. #1423
  • Add support for checkpoint/restore of containers with orphaned PTYs
    (which is effectively all containers with terminal=true). #1355
  • Permit prestart hooks to modify the cgroup configuration of a
    container. #1239
  • Add support for a wide variety of mount options. #1460
  • Expose memory.use_hierarchy in MemoryStats. #1378

Fixes:

Removals:

  • Remove any semblance of non-Linux support. #1502
  • We no longer use shfmt for testing. #1510

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

Vote-Closed: [Wed Aug 9 05:28:38 UTC 2017]
Vote-Results: [+5 -0 /2]

runc 1.0-rc3

21 Mar 20:44
v1.0.0-rc3

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp or libapparmor with our releases) and thus we had to recompile
our runc binaries to be sure we were distributing the correct version of
libseccomp and libapparmor. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features:

  • Add slice management support to the systemd cgroup driver. Checks are
    done to make sure that systemd supports the feature. #1084
  • Support for readonly mount labels. #1112
  • Add a tmpcopyup mount extension for tmpfs mounts that are mounted over
    already existing directories, allowing for the contents of a volume to
    be copied up transparently. #845
  • Switch our pivot_root usage to no longer require temporary
    directories, improving the state of containers running in entirely
    readonly contexts. #1125 #1148
  • Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
  • Reimplement console handling to use AF_UNIX sockets such that the
    console is created inside the container's (namespaced) devpts
    instance, solving a wide variety of historical pty bugs with runC.
    #1018 #1356
  • Support overlayfs in mounts. #1314
  • Support creating devices with types 'p' and 'u'. #1321
  • Add --preserve-fds=N to create and run commands. #1320
  • Add pre-dump and parent-path to checkpoint. #1001
  • Update to runtime-spec v1.0.0-rc5. #1370

Fixes:

  • Remove check for binding to /. #1090
  • Ensure we log to logrus on command errors. #1089
  • Don't enable kmem limits if they're not specified in the config. #1095
  • Handle cases where specs.Resources.* members would cause null
    dereferences. #1111 #1116
  • Fix bugs in the GetProcessStartTime implementation. #1136
  • Make sysctl config validation checks handle network namespaces more
    gracefully. #1138 #1149
  • Guarantee correct namespace creation ordering. This is part of the
    rootless container patchset, and is also required in certain SELinux
    setups. #977
  • Stop screwing around with '\n' in console output. #1146
  • Fix cpuset.cpu_exclusive handling. #1194
  • Sync HookState with the OCI specification. #1201
  • Split remounting mountpoints and bindmounts, resolving issues with
    mount options being dropped in certain cases. #1222
  • Fix leftover cgroup directory issue. #1196
  • Handle config.Devices and config.MaskPaths in checkpoint. #1110
  • Don't create combined cgroup subsystem names. #1268
  • Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
  • Race condition when synchronising with children and grandchildren in
    nsexec.c. #1237
  • Fix state checks to no longer depend on _LIBCONTAINER being present in
    the environment, fixing both bugs as well as being part of the
    rootless container patchset. #1317
  • Fix systemd-notify when using different PID namespaces, and allow
    detach+notify socket. #1308
  • Don't fchown when inheriting stdio, which is necessary for rootless
    containers in certain scenarios. #1354
  • Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
  • Add devices to whitelist for LXD, to make runC under LXC/LXD work
    better. #1327
  • Many improvements to testing. #1121 #1131 #1132 #1147

Security:

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

runc 1.0-rc2

01 Oct 08:34
v1.0.0-rc2

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp or libapparmor with our releases) and thus we had to recompile
our runc binaries to be sure we were distributing the correct version of
libseccomp and libapparmor. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features

  • {create,run}: add --no-new-keyring flag so that a new session keyring
    is not created for the container and the calling process's keyring is
    inherited.
  • restore: add --empty-ns flag to tell CRIU to only create a network
    namespace for a container and not populate it (allowing higher levels
    to correctly handle re-creating the network namespace).
  • {create,start}: use a FIFO rather than signals to signal the starting
    of a container. This removes the Go version restriction, and also
    avoids potential issues with Go's signal handling.
  • exec: allow additional groups to be overridden.
  • delete: add --force flag.
  • exec: disable the subreaper option entirely, because the option
    causes many issues with reparenting in the context of containers.
    This is not a complete fix, which is intended to land for -rc3. Using
    the removed option will be silently ignored by runC.
  • {create,run}: add support for masking directories with MaskPaths.
  • delete: allow for the deletion of multiple containers in one cmdline.
  • build: add make release for distributions.

Fixes

  • Major improvements and fixes to CLI handling. Now commands like
    runc ps and runc exec will act sanely when you're trying to use
    flags that are not meant to be parsed by runC.
  • Set the cp.rt_* cgroup options correctly so that runC running in
    SCHED_RR (realtime) mode can operate properly.
  • Massive improvements to kmem limit detection to ensure that we only
    attempt to change memory.kmem.* if it is safe to do so.
  • Part of a major cleanup of the nsenter code, with more intended to
    land before -rc3.
  • Restored containers now have a start time, which is the time that the
    new container was started (not when the original container was
    started).
  • Fix the default cgroupPath behaviour, so that we actually attach to
    subcgroups of all of the caller's current cgroups (rather than using
    the devices cgroup path for all other cgroups)
  • Support 32bit UIDs on i386 with the setuid32(2) syscall.
  • Add /proc/timer_list to the set of default masked paths.
  • Do not create /dev/fuse by default.
  • Parse cgroupPath correctly if it contains ':'.
  • Add some more debugging information for the test suite, along with
    fixes for race conditions and other issues. In addition, add more
    integration tests for edge conditions.
  • Improve check-config.sh script to handle more cases.
  • Fix incorrect type when setting of net_cls classid.
  • Lots of fixes to help pages and man pages.
  • *: append -dirty to the version if the git repo is unclean.
  • Fix the JSON tags for CpuRt* options.
  • Cleanups to the rootfs setup code.
  • Improve error messages related to SELinux.

Static Linking Notices

The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors that made this release possible:

runc 1.0-rc1

03 Jun 23:08

runc 1.0 Release Candidate 1

This is the first of the release candidates for OCI's runtime specification and runc version 1.0. Runc is now using the runtime-spec 1.0.0-rc1 release.

Breaking Changes

The large breaking change from the previous versions of runc to 1.0 is the create and start command changes. The previous start command functionality has been moved to the run command (runc run mycontainer); runc start no longer performs the operations that it did before this release.

Create -> Start -> Delete

Splitting container creation from starting the user process lets higher-level systems modify the container (for example, add network interfaces or adjust mounts) after its namespaces and cgroups exist but before the user-defined process runs.

A simple example of using this new workflow would look something like this from the command line:

# create the container with the specified configuration
runc create mycontainer

# when create returns, the container's environment is fully set up but the user's specified process has not run

# you can place network interfaces inside the container
# you can exec into the container
# you can modify the mount namespaces
runc exec mycontainer ps aux

# after your setup is complete you can start the user defined process
runc start mycontainer

# after start returns, the user-defined process from your OCI config is running

# whenever the container exits you must delete the container to release any resources it still holds
runc delete mycontainer

If you want the previous functionality where runc did this for you, use the runc run command.

Container State

You can get the container state and status by using the runc state command:

runc state mycontainer

{
  "ociVersion": "1.0.0-rc1",
  "id": "mycontainer",
  "pid": 18917,
  "bundlePath": "/containers/mycontainer",
  "rootfsPath": "/containers/mycontainer/rootfs",
  "status": "running",
  "created": "2016-06-03T21:23:42.401668933Z",
  "annotations": {
    "something": "else"
  }
}
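The state document above is what a supervisor polls to decide which lifecycle command is safe to issue next. The following Go program is an added example, not code from runc: it decodes the JSON printed by runc state and gates the start/exec/kill/delete commands on the reported status. The allowed-transition table, the function names (ParseState, Allowed, QueryState) and the status strings (the OCI runtime-spec values created, running, stopped) are this example's own assumptions derived from the create -> start -> delete workflow described above; the sample state is the one from these release notes, embedded so the program runs without a runc installation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
)

// State mirrors the JSON that `runc state <id>` prints (the OCI runtime state).
// Field names follow the output shown in the rc1 release notes.
type State struct {
	OCIVersion  string            `json:"ociVersion"`
	ID          string            `json:"id"`
	Pid         int               `json:"pid"`
	BundlePath  string            `json:"bundlePath"`
	RootfsPath  string            `json:"rootfsPath"`
	Status      string            `json:"status"`
	Created     string            `json:"created"`
	Annotations map[string]string `json:"annotations"`
}

// allowedIn lists, for each lifecycle command, the statuses in which a
// supervisor should issue it. This table is the example's own policy derived
// from the create -> start -> delete workflow; runc does not export it.
var allowedIn = map[string][]string{
	"start":  {"created"},            // only a container whose process has not run yet
	"exec":   {"created", "running"}, // exec needs live namespaces
	"kill":   {"created", "running"},
	"delete": {"stopped"},            // deleting a live container would leave its resources behind
}

// ParseState decodes the JSON document printed by `runc state` and rejects
// documents that lack the fields a supervisor must key on.
func ParseState(raw []byte) (*State, error) {
	var s State
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("decode runc state: %w", err)
	}
	if s.ID == "" || s.Status == "" {
		return nil, fmt.Errorf("runc state is missing id or status")
	}
	return &s, nil
}

// Allowed reports whether cmd is a sensible transition from the given status.
func Allowed(cmd, status string) bool {
	for _, ok := range allowedIn[cmd] {
		if ok == status {
			return true
		}
	}
	return false
}

// QueryState shells out to `runc state <id>` for real use; it is not run offline.
func QueryState(id string) (*State, error) {
	out, err := exec.Command("runc", "state", id).Output()
	if err != nil {
		return nil, fmt.Errorf("runc state %s: %w", id, err)
	}
	return ParseState(out)
}

// sampleState is the state document from the release notes above, embedded
// (constructed input) so the example runs without runc.
const sampleState = `{
  "ociVersion": "1.0.0-rc1",
  "id": "mycontainer",
  "pid": 18917,
  "bundlePath": "/containers/mycontainer",
  "rootfsPath": "/containers/mycontainer/rootfs",
  "status": "running",
  "created": "2016-06-03T21:23:42.401668933Z",
  "annotations": {"something": "else"}
}`

func main() {
	s, err := ParseState([]byte(sampleState))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, cmd := range []string{"start", "exec", "kill", "delete"} {
		fmt.Printf("%-6s container %s (status %s, pid %d): allowed=%v\n",
			cmd, s.ID, s.Status, s.Pid, Allowed(cmd, s.Status))
	}
}
```

For a real supervisor, replace sampleState with QueryState(id). Note that the status read this way is only a snapshot: the container can exit between runc state and the next command, so the supervisor must still handle a non-zero exit from runc start or runc exec rather than trusting the gate alone.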

ps command

A ps command was added to show the processes inside the container:

runc ps influxdb
UID        PID  PPID  C STIME TTY          TIME CMD
1000  18936 18917  0 14:23 ?        00:00:06 influxd -config /home/influxdb/influxdb.conf

Other Updates

  • Added seccomp support for more architectures
  • Stable stats output
  • Added update command for dynamically updating container resources
  • bash completion and man pages

Please help with testing and report any issues to the issue tracker on GitHub. Thanks!

  • OCI Maintainers

Usage

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container.

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   1.0.0-rc1
commit: 04f275d4601ca7e5ff9460cec7f65e8dd15443ec
spec: 1.0.0-rc1

COMMANDS:
     checkpoint checkpoint a running container
     create create a container
     delete delete any resources held by the container often used with detached containers
     events display container events such as OOM notifications, cpu, memory, and IO usage statistics
     exec   execute new process inside the container
     init   initialize the namespaces and launch the process (do not call it outside of runc)
     kill   kill sends the specified signal (default: SIGTERM) to the container's init process
     list   lists containers started by runc with the given root
     pause  pause suspends all processes inside the container
     ps     ps displays the processes running inside a container
     restore    restore a container from a previous checkpoint
     resume resumes all processes that have been previously paused
     run    create and run a container
     spec   create a new specification file
     start  start signals a created container to execute the user defined process
     state  output the state of a container
     update update container resource constraints

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log value      set the log file path where internal debug information is written (default: "/dev/null")
   --log-format value   set the format used by logs ('text' (default), or 'json') (default: "text")
   --root value     root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
   --criu value     path to the criu binary used for checkpoint and restore (default: "criu")
   --systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
   --help, -h       show help
   --version, -v    print the version

runc 0.1.1

25 Apr 23:27

runc 0.1.1

This release includes a bug fix for adding the selinux mount label in the specification.

Runc v0.1.0

12 Apr 21:48

This release updates runc to the OCI runtime specification v0.5.0 and includes various fixes and features.

Features:

  • cgroups: pid limits and stats
  • cgroups: kmem stats
  • systemd cgroup support
  • libcontainer specconv package
  • no pivot root option
  • numeric ids are treated as uid/gid
  • hook improvements

Bug Fixes:

  • log flushing
  • atomic pid file creation
  • init error recovery
  • seccomp logging removed
  • delete container on aborted start
  • /dev bind mount handling

runc 0.0.9 and specification 0.4.0

11 Mar 01:02

runc 0.0.9

This new release of runc includes the specification v0.4 changes. The backwards-incompatible changes include moving process-specific settings such as capabilities, rlimits, the AppArmor profile, and the SELinux process label from the container configuration to the process configuration. Be sure to update your config.json files for these changes, or they will not be applied to the container. You can always use the runc spec command to generate a compatible config.json based on the specification version that runc is currently using.

Updates:

  • In this release runc has better support for errors and logging for use with the --log flag.
  • Improved namespace sharing for joining PID namespaces.
  • Allow all mount types inside the container's mount namespace.
  • Updated masked and readonly paths for container's /proc.
  • Better IO handling for container's STDIO.
  • Unique session keyring support for containers.
  • Container label support.
  • No new privileges support.
  • Various bug fixes and performance improvements.

NAME:
   runc - Open Container Initiative runtime

runc is a command line client for running applications packaged according to
the Open Container Format (OCF) and is a compliant implementation of the
Open Container Initiative specification.

runc integrates well with existing process supervisors to provide a production
container runtime environment for applications. It can be used with your
existing process monitoring tools and the container will be spawned as a
direct child of the process supervisor.

Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "config.json" and a root filesystem.
The root filesystem contains the contents of the container. 

To start a new instance of a container:

    # runc start [ -b bundle ] <container-id>

Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host. Providing the bundle directory using "-b" is optional. The default
value for "bundle" is the current directory.

USAGE:
   runc [global options] command [command options] [arguments...]

VERSION:
   0.0.9
spec version 0.4.0

COMMANDS:
   checkpoint   checkpoint a running container
   delete   delete any resources held by the container often used with detached containers
   events   display container events such as OOM notifications, cpu, memory, IO and network stats
   exec     execute new process inside the container
   init     init is used to initialize the container's namespaces and launch the user's process.
    This command should not be called outside of runc.

   kill     kill sends the specified signal (default: SIGTERM) to the container's init process
   list     lists containers started by runc with the given root
   pause    pause suspends all processes inside the container
   restore  restore a container from a previous checkpoint
   resume   resumes all processes that have been previously paused
   spec     create a new specification file
   start    create and run a container
   state    output the state of a container
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug      enable debug output for logging
   --log "/dev/null"    set the log file path where internal debug information is written
   --log-format "text"  set the format used by logs ('text' (default), or 'json')
   --root "/run/runc"   root directory for storage of container state (this should be located in tmpfs)
   --criu "criu"    path to the criu binary used for checkpoint and restore
   --help, -h       show help
   --version, -v    print the version