This is the seventh release of the 1.2.z release branch of runc. It
contains some fixes for issues found in runc 1.3.z that were considered
"significant" bugfixes (as per our new release and support policy) and
thus worth backporting.
Fixed
- Removed preemptive "full access to cgroups" warning when calling `runc pause`
  or `runc unpause` as an unprivileged user without `--systemd-cgroups`. Now the
  warning is only emitted if an actual permission error was encountered.
  (#4709, #4720)
- Add time namespace to container config after checkpoint/restore. CRIU since
  version 3.14 uses a time namespace for checkpoint/restore, however runc was
  not joining the time namespace on restore. (#4696, #4714)
- Container processes will no longer inherit the CPU affinity of runc by
  default. Instead, the default CPU affinity of container processes will be
  the largest set of CPUs permitted by the container's cpuset cgroup and any
  other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
- Close seccomp agent connection to prevent resource leaks. (#4796, #4800)
- Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670,
  #4728, #4736, #4742)
- Setting `linux.rootfsPropagation` to `shared` or `unbindable` now functions
  properly. (#1755, #1815, #4724, #4791)
- `runc update` will no longer clear intelRdt state information. (#4828,
  #4834)
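The CPU affinity item above describes the rule (cpuset-permitted CPUs, minus CPUs the system restricts) but not how to reason about it on a given host. The following is an added example, not runc's own code: it parses the Linux CPU-list format shared by `cpuset.cpus.effective`, `/sys/devices/system/cpu/isolated` and the `Cpus_allowed_list` line of `/proc/<pid>/status`, and computes the affinity a container process should end up with under the stated rule. Modelling "system restrictions" as only the isolated-CPU list, and the cgroup v2 root path used as a fallback source, are assumptions of this example; the sample values in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// ParseCPUList parses the Linux CPU-list format ("0-3,5,7-9") used by
// cpuset.cpus.effective, /sys/devices/system/cpu/isolated and the
// Cpus_allowed_list line of /proc/<pid>/status. An empty list is valid
// (for example, no isolated CPUs) and yields an empty set.
func ParseCPUList(s string) (map[int]bool, error) {
	cpus := map[int]bool{}
	s = strings.TrimSpace(s)
	if s == "" {
		return cpus, nil
	}
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		lo, hi := part, part
		if i := strings.IndexByte(part, '-'); i >= 0 {
			lo, hi = part[:i], part[i+1:]
		}
		start, err := strconv.Atoi(lo)
		if err != nil {
			return nil, fmt.Errorf("bad cpu list %q: %w", s, err)
		}
		end, err := strconv.Atoi(hi)
		if err != nil {
			return nil, fmt.Errorf("bad cpu list %q: %w", s, err)
		}
		if start < 0 || end < start {
			return nil, fmt.Errorf("bad cpu range %q in %q", part, s)
		}
		for c := start; c <= end; c++ {
			cpus[c] = true
		}
	}
	return cpus, nil
}

// FormatCPUList renders a set back into the compact, sorted range form.
func FormatCPUList(cpus map[int]bool) string {
	ids := make([]int, 0, len(cpus))
	for c := range cpus {
		ids = append(ids, c)
	}
	sort.Ints(ids)
	var out []string
	for i := 0; i < len(ids); {
		j := i
		for j+1 < len(ids) && ids[j+1] == ids[j]+1 {
			j++
		}
		if i == j {
			out = append(out, strconv.Itoa(ids[i]))
		} else {
			out = append(out, fmt.Sprintf("%d-%d", ids[i], ids[j]))
		}
		i = j + 1
	}
	return strings.Join(out, ",")
}

// DefaultAffinity models the rule in the release note (an assumption of
// this example, not runc's implementation): start from the CPUs the
// container's cpuset cgroup permits and remove the CPUs the system
// restricts, here only isolated CPUs. An empty result is an error, since
// such a container could not be scheduled anywhere.
func DefaultAffinity(cpusetEffective, isolated string) (string, error) {
	allowed, err := ParseCPUList(cpusetEffective)
	if err != nil {
		return "", err
	}
	iso, err := ParseCPUList(isolated)
	if err != nil {
		return "", err
	}
	for c := range iso {
		delete(allowed, c)
	}
	if len(allowed) == 0 {
		return "", fmt.Errorf("cpuset %q minus isolated %q leaves no CPUs", cpusetEffective, isolated)
	}
	return FormatCPUList(allowed), nil
}

// readList returns the first line of a sysfs/cgroupfs file, or fallback if
// the file cannot be read, so the example also runs off a Linux host.
func readList(path, fallback string) string {
	data, err := os.ReadFile(path)
	if err != nil {
		return fallback
	}
	return strings.TrimSpace(strings.SplitN(string(data), "\n", 2)[0])
}

func main() {
	// Constructed fallback values: an 8-CPU host with CPUs 2, 5 and 6 isolated.
	// The cgroup v2 root path is an assumption; substitute the container's
	// own cgroup directory on a real host.
	cpuset := readList("/sys/fs/cgroup/cpuset.cpus.effective", "0-7")
	isolated := readList("/sys/devices/system/cpu/isolated", "2,5-6")
	aff, err := DefaultAffinity(cpuset, isolated)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("cpuset=%q isolated=%q -> expected default affinity %q\n", cpuset, isolated, aff)
}
```

To compare the model against a running container, read the `Cpus_allowed_list` line of `/proc/self/status` from inside the container and feed it to `ParseCPUList`; before this fix it would reflect whatever affinity the invoking runc process happened to have.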
Changed
- In runc 1.2, we changed our mount behaviour to correctly handle clearing
  flags. However, the error messages we returned did not provide as much
  information to users about which clearing flags were conflicting with locked
  mount flags. We now provide more diagnostic information if there is an error
  in the fallback path that handles locked mount flags. (#4734, #4740)
- Ignore the dmem controller in our cgroup tests, as systemd does not yet
  support it. (#4806, #4811)
- `/proc/net/dev` is no longer included in the permitted procfs overmount
  list. Its inclusion was almost certainly an error, and because `/proc/net`
  is a symlink to `/proc/self/net`, overmounting this was almost certainly
  never useful (and will be blocked by future kernel versions). (#4817, #4820)
- CI: Switch to GitHub-hosted ARM runners. Thanks again to @alexellis for
  supporting runc's ARM CI up until now. (#4844, #4856, #4867)
- Simplify the `prepareCriuRestoreMounts` logic for checkpoint-restore.
  (#4765, #4872)
Static Linking Notices
The `runc` binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with `runc` acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following contributors for making this release possible:
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Andrei Vagin avagin@gmail.com
- Kir Kolyshkin kolyshkin@gmail.com
- Markus Lehtonen markus.lehtonen@intel.com
- Martin Sivak msivak@redhat.com
- Pavel Liubimov prlyubimov@gmail.com
- Peter Hunt pehunt@redhat.com
- Rodrigo Campos rodrigoca@microsoft.com
- Yusuke Sakurai yusuke.sakurai@3-shake.com
- lfbzhm lifubang@acmcoder.com
- ningmingxiao ning.mingxiao@zte.com.cn
Signed-off-by: Aleksa Sarai cyphar@cyphar.com