github opencontainers/runc v1.5.0-rc.1
runc v1.5.0-rc.1 -- "憎しみを束ねてもそれは脆い!"

Pre-release

This is the first release candidate of the runc 1.5.0 release. It
contains a couple of new features, but is mostly made up of various
cleanups (such as the removal of many deprecated APIs) and improvements.
runc v1.5.0-rc.1 includes all of the patches backported to runc v1.4.1.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release. You
should expect runc 1.5.0 to be released at the end of April 2026 (at
which point, runc 1.3.z will only receive high-severity security fixes
for 6 months and runc 1.2.z will become unmaintained -- users are thus
very strongly encouraged to migrate to a newer version).

libcontainer API

  • The following deprecated Go APIs have been removed:
    • CleanPath, StripRoot, and WithProcfd from libcontainer/utils. Note
      that WithProcfdFile has not been removed (due to import cycle issues) but
      is instead marked as internal in its godoc comment. (#5051)
    • All of the cgroup-related types and functions from libcontainer/configs
      which are now maintained in github.com/opencontainers/cgroups (#5141):
      • libcontainer/configs.Cgroup
      • libcontainer/configs.Resources
      • libcontainer/configs.FreezerState
      • libcontainer/configs.LinuxRdma
      • libcontainer/configs.BlockIODevice
      • libcontainer/configs.WeightDevice
      • libcontainer/configs.ThrottleDevice
      • libcontainer/configs.HugepageLimit
      • libcontainer/configs.IfPrioMap
      • libcontainer/configs.Undefined
      • libcontainer/configs.Frozen
      • libcontainer/configs.Thawed
      • libcontainer/configs.NewWeightDevice
      • libcontainer/configs.NewThrottleDevice
    • libcontainer/configs.HookList.RunHooks. (#5141)
    • libcontainer/configs.MPOL_* (#5141)
    • All of the types in libcontainer/devices which are now maintained in
      github.com/opencontainers/cgroups/devices/config (#5141):
      • libcontainer/devices.Wildcard
      • libcontainer/devices.WildcardDevice
      • libcontainer/devices.BlockDevice
      • libcontainer/devices.CharDevice
      • libcontainer/devices.FifoDevice
      • libcontainer/devices.Device
      • libcontainer/devices.Permissions
      • libcontainer/devices.Type
      • libcontainer/devices.Rule
  • libcontainer.Process methods (Wait, Pid, Signal) and
    libcontainer/configs.Config methods (HostUID, HostRootUID, HostGID,
    HostRootGID) now use pointer receivers. (#5088)
  • The example code for libcontainer has been moved out of a README and into
    a proper Example* test file that will be compile-tested by our CI. As
    mentioned elsewhere, we still do not recommend users make use of the
    libcontainer API directly. (#5127)

Deprecated

  • The libcontainer/configs.Mount.Relabel configuration field (used to relabel
    mounts with the z and Z "pseudo" mount options) was never accessible
    outside of the libcontainer API, and in practice the relabel logic has always
    lived in higher level runtimes. It has been made into a no-op and the field
    will be removed entirely in runc 1.7. (#5152, #5160)

Removed

  • The memfd-bind helper binary has been removed, as it has never been
    particularly useful and was completely obsoleted by the changes to
    /proc/self/exe sealing we introduced in runc 1.2.0. (#5141)

Added

  • User-namespaced containers can now configure user.* sysctls. (#4889)
  • Intel RDT: the RDT subdirectory is now only removed if runc created it,
    matching the updated runtime-spec guidance. (#3832, #5155)
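The user.* sysctl change above only makes sense together with the rule that a container may set a sysctl only if it is scoped to a namespace the container actually creates. The following Go snippet is an added illustration of that rule, not runc's own validator: the key-to-namespace mapping (net.*, the System V IPC and fs.mqueue.* keys, and now user.*) is an assumption modelled on the usual runtime behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Namespaces records which namespace types ("user", "net", "ipc", ...) the
// container is configured to create. Constructed for this example.
type Namespaces map[string]bool

// sysctlNamespace returns the namespace a sysctl key is scoped to, or "" when
// the key is not namespaced and must never be settable from a container.
// Assumption: net.* is per network namespace, System V IPC and POSIX mqueue
// keys are per IPC namespace, and user.* is per user namespace.
func sysctlNamespace(key string) string {
	switch {
	case strings.HasPrefix(key, "net."):
		return "net"
	case strings.HasPrefix(key, "user."):
		return "user"
	case strings.HasPrefix(key, "fs.mqueue."):
		return "ipc"
	}
	switch key {
	case "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
		"kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced":
		return "ipc"
	}
	return ""
}

// ValidateSysctls rejects any sysctl that is not namespaced, or that is
// namespaced by a namespace the container does not create, so that a
// container setting can never reach the host's value.
func ValidateSysctls(sysctls map[string]string, ns Namespaces) error {
	for key := range sysctls {
		want := sysctlNamespace(key)
		if want == "" {
			return fmt.Errorf("sysctl %q is not namespaced and cannot be set in a container", key)
		}
		if !ns[want] {
			return fmt.Errorf("sysctl %q requires a new %s namespace", key, want)
		}
	}
	return nil
}

func main() {
	withUserNS := Namespaces{"user": true, "net": true}
	fmt.Println(ValidateSysctls(map[string]string{"user.max_user_namespaces": "1024"}, withUserNS))
	fmt.Println(ValidateSysctls(map[string]string{"user.max_user_namespaces": "1024"}, Namespaces{"net": true}))
}
```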

Changed

  • Our release binaries and default build configuration now use libpathrs by
    default, providing better hardening against certain kinds of attacks. Users
    of runc should not see any changes as a result of this, but packagers will
    need to adjust their packaging accordingly. runc can still be built without
    libpathrs (by building without the libpathrs build tag), but we currently
    plan to make runc 1.6 require libpathrs. (#5103)
  • runc exec will now request systemd to move the exec process into the
    container cgroup, making the procedure more rootless-friendly. (#4822)
  • seccomp: minor documentation updates. (#4902)
  • Errors from runc init have historically been quite painful to understand
    and debug, so we have made several improvements to make them more
    comprehensive and thus more useful when debugging issues. (#4951, #4928)
  • Update spec conformance documentation for OCI runtime-spec v1.3.0. (#4948,
    #5150)
  • Our release archives now have the name runc-$version.tar.xz to make distro
    packaging a little easier by matching the filename to the top-level directory
    name in the archive. (#5052)

Static Linking Notices

The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

Similarly, the runc binaries distributed with this release are also
statically linked with the following MPLv2 licensed libraries,
with runc acting as a "Larger Work":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with their corresponding licenses, we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under their respective
license.

However, we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com
