This is the first release of the 1.4.z release branch of runc. It
contains a few fixes for issues found in 1.4.0-rc.3. This version of
runc supports runtime-spec v1.3 (see docs/spec-conformance.md for the
few features that are still missing).
This is the second release of runc following our new release and support
policy (see RELEASES.md for more details). This means that, as of this
release:
- The runc 1.2.z release branch will now only receive high severity
CVE fixes, and will no longer be supported in less than 6 months (end
of April 2026).
- The runc 1.3.z release branch will now only receive security and
"significant" bugfixes.
- Users are encouraged to plan migrating to runc 1.4.0 as soon as
possible.
- Despite this release being delayed by a month, users should still
expect a runc 1.5.0 release in late April 2026.
Deprecated
- Deprecate cgroup v1. (#4956)
- Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from
libcontainer/utils. (#4985)
Breaking
- The handling of pids.limit has been updated to match the newer guidance
from the OCI runtime specification. In particular, a maximum limit value
of 0 is now treated as an actual limit (due to limitations with systemd,
it is treated the same as a limit value of 1). We only expect users
that explicitly set pids.limit to 0 to see a behaviour change.
(opencontainers/cgroups#48, #4949)
Fixed
- cgroups: provide iocost statistics for cgroupv2. (opencontainers/cgroups#43)
- cgroups: retry DBus connection when it fails with EAGAIN.
(opencontainers/cgroups#45)
- cgroups: improve cpuacct.usage_all resilience when parsing data from
patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46,
opencontainers/cgroups#50)
- libct: close child fds on prepareCgroupFD error. (#4936)
- libct: fix mips compilation. (#4962, #4967)
- When configuring a tmpfs mount, only set the mode= argument if the target
path already existed. This fixes a regression introduced in our
CVE-2025-52881 mitigation patches. (#4971, #4976)
- Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5034)
- The "hallucination" helpers added as part of the CVE-2025-52881
mitigation have been made more generic and now apply to all of our pathrs
helper functions, which should ensure we will not regress dangling symlink
users. (#4985)
Changed
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to the following contributors for making this release possible:
- Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- Aleksa Sarai cyphar@cyphar.com
- Kir Kolyshkin kolyshkin@gmail.com
- Li Fu Bang lifubang@acmcoder.com
- Rodrigo Campos rata@users.noreply.github.com
- Tianon Gravi admwiggin@gmail.com