opencontainers/runc v1.4.1

runc v1.4.1 -- "La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus."

on GitHub

This is the first patch release of the 1.4.z release series of runc.
It primarily includes some fixes for issues found in 1.4.0.

Deprecated

• libcontainer/configs.MPOL_* constants added in runc 1.4.0. (#5110, #5055)

Added

• Preliminary loong64 support. (#5062, #4938)

Fixed

• libct: fix panic in initSystemdProps when processing certain systemd
  properties in the OCI spec. (#5161, #5133)
• libct: fix several file descriptor leaks on error paths. (#5168, #5009)
• Remove unnecessary crypto/tls dependency by open-coding the systemd socket
  activation logic, allowing us to more easily avoid false positive CVE
  warnings. (#5093, #5057)
• Remove legacy os.Is* error usage, improving error type detection to make
  our error fallback paths more robust. (#5162, #5061)
• Go 1.26 has started enforcing a restriction of os/exec.Cmd which caused
  issues with our usage of CLONE_INTO_CGROUP (on newer kernels). This has now
  been resolved. (#5116, #5091)
• Recursive atime-related mount flags (rrelatime et al.) are now applied
  properly. (#5114, #5098)
• Fix a regression in runc exec due to CLONE_INTO_CGROUP in the
  (inadvisable) scenario where a container is configured without cgroup
  namespaces and with /sys/fs/cgroup mounted rw. (#5117, #5101)
• On machines with more than 1024 CPU cores, our logic for resetting the CPU
  affinity will now correctly reset the affinity onto all available cores
  (not just the first 1024). (#5149, #5025)
• PR #4757 caused a regression that resulted in spurious
  cannot start a container that has stopped errors when running
  runc create and has thus been reverted. (#5157, #5153, #5151, #4645, #4757)

Changed

• Previously we made an attempt to make our runc.armhf release binaries work
  with ARMv6 (which would allow runc to work on the original Raspberry Pi).
  Unfortunately, this has effectively always been broken (because we
  cross-compile libseccomp within a Debian container and statically link to
  it) and so we are now officially matching the Debian definition of armhf
  (that is, ARMv7). (#5167, #5103)
• Minor signing keyring updates. (#5147, #5139, #5144, #5148)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Antti Kervinen antti.kervinen@intel.com
• Ariel Otilibili otilibil@eurecom.fr
• Arina Cherednik arinacherednik034@gmail.com
• Curd Becker me@curd-becker.de
• Dimitri John Ledkov dimitri.ledkov@surgut.co.uk
• Efim Verzakov efimverzakov@gmail.com
• Kir Kolyshkin kolyshkin@gmail.com
• Li Fu Bang lifubang@acmcoder.com
• Luke Hinds luke@stacklok.com
• Ricardo Branco rbranco@suse.de
• Rodrigo Campos rata@users.noreply.github.com
• Zhai Xiao Juan zhaixiaojuan@loongson.cn