github opencontainers/runc v1.4.0-rc.2
runc v1.4.0-rc.2 -- "My role is not whether to believe or not. It is whether to act or not."

pre-release, 2 days ago

This is the second release candidate of the runc 1.4.0 release. It
includes a few minor features that did not make the cut-off for
v1.4.0-rc.1 (namely CLONE_INTO_CGROUP support and some new Intel RDT
features).

Users are strongly encouraged to test our release candidates over the
next month so we can fix issues before the general release. You should
expect runc 1.4.0 to be released at the end of October 2025 (at which
point, runc 1.2.z will only receive high-severity security fixes for 6
months and users are thus very strongly encouraged to migrate to a newer
version).

libcontainer API

  • The deprecated libcontainer/userns package has been removed; use
    github.com/moby/sys/userns instead. (#4910, #4911)

Added

  • Allow setting user.* sysctls for user-namespaced containers, as they are
    namespaced and thus safe to configure. (#4889, #4892)
  • Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when
    configuring the runc exec process. This also included some internal
    changes to how we add processes to containers. (#4822, #4812, #4920)
  • Add support for configuring the NUMA memory policy for a container with
    set_mempolicy(2). (opencontainers/runtime-spec#1282, #4726, #4915)
  • Add support for intelRdt.schemata to allow for configuration of all
    schemas in resctrl. (opencontainers/runtime-spec#1230, #4830, #4915)
  • Add support for intelRdt.enableMonitoring to allow for per-container
    resctrl monitoring. This replaces the old intelRdt.enableCMT and
    intelRdt.enableMBM options which were never implemented by runc and have
    been removed from the runtime-spec. (opencontainers/runtime-spec#1287,
    #4832, #4921)

Fixed

  • Configure personality(2) before applying seccomp profiles. (#4900, #4903)
  • Fixed an integration test failure on ppc64 caused by the 64K page size,
    which made the kernel round the memory limit to 64K. (#4841, #4895, #4893)
  • seccompagent: fix fd close loop to prevent closing stdio in the error path.
    (#4913, #4923)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
