v1.1.0 -- "A plan depends as much upon execution as it does upon concept."
This release only contains very minor changes from v1.1.0-rc.1 and is
the first release of the 1.1.y release series of runc.
Changed:
Thanks to the following people who made this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.1.0~rc1 -- "He who controls the spice controls the universe."
This release is the first release candidate for the next minor release
following runc 1.0. It contains all of the bugfixes included in runc 1.0
patch releases (up to and including 1.0.3).
A fair few new features have been added, and several features have been
deprecated (with plans for removal in runc 1.2). At the moment we only
plan to do a single release candidate for runc 1.1, and once 1.1.0 is
released we will not continue updating the 1.0.z runc branch.
Deprecated:
Removed:
cgroup.GetHugePageSizes has been removed entirely, and been replaced with
cgroup.HugePageSizes which is more efficient. (#3234)
intelrdt.GetIntelRdtPath has been removed. Users who were using this can
use intelrdt.Root instead.
Added:
--keep option to skip removal of exited containers' artefacts.
SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is an alias for
SCMP_ACT_KILL). (#3204)
SCMP_ACT_NOTIFY (seccomp actions). This allows
(--lsm-mount-context) to set
sysctl(8)'s
mount_setattr(2). These
mount(8) options -- just prepend r
(rro). (#3272)
runc features subcommand to allow runc users to detect what features
Changed:
/proc/$pid/stat parsing. (#2696)
/sys/fs/cgroup is configured as a read-write mount, change
(/sys/kernel/cgroup/delegate) to allow for proper deferral to the container
Libcontainer API:
Fixed:
runc delete -f now succeeds (rather than timing out) on a paused container.
--ignore-paused. (#3132, #3223)
Thanks to the following people who made this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.3 -- "If you were waiting for the opportune moment, that was it."
This is the third stable release in the 1.0 branch, fixing a handful of medium
priority issues related to mounts and cgroups, as well as a potential security
vulnerability.
This release is expected to be the last point release in the 1.0 branch, as we
are planning to release runc 1.1 in the near future.
Security:
A potential vulnerability was discovered in runc (related to an internal
usage of netlink), however upon further investigation we discovered that
while this bug was exploitable on the master branch of runc, no released
version of runc could be exploited using this bug. The exploit required
being able to create a netlink attribute with a length that would overflow a
uint16 but this was not possible in any released version of runc. For more
information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
Due to an abundance of caution we decided to do an emergency release with
this fix, but to reiterate we do not believe this vulnerability was
possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
discovering and reporting this vulnerability so quickly.
Bugfixes:
Enhancements:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.2 -- "Given the right lever, you can move a planet."
This is a second stable release in 1.0 branch, fixing a few medium and
high priority issues, including one that affects Kubernetes' usage of
runc's libcontainer.
Bugfixes:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.1 -- "If in doubt, Meriadoc, always follow your nose."
This is the first stable release in the 1.0 branch, fixing a few medium
and high priority issues with runc 1.0.0, including a few that affect
Kubernetes' usage of libcontainer.
Bugfixes:
Thanks to all of the contributors who made this release possible:
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0 -- "A wizard is never late, nor is he early, he arrives precisely when he means to."
This release fixes a few bugs found (almost all related to cgroupv2
handling), and is the first non-rc release of runc in 5 years
(v1.0.0-rc1 was released in 2016). It's been a very long road, and we
thank the many contributors and maintainers that helped us get to this
point (approximately 422 people in total).
As runc follows Semantic Versioning, we will endeavor to not make any
breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is not covered by this policy -- for
historical reasons, this code was not moved into an "internal" package
(this feature did not exist in Go at the time) and because certain
projects currently depend on this, we have not yet moved this code into
an internal package. Despite this, we reserve the right to make breaking
changes in our Go APIs (though we will note such changes in our
changelog, and will try to avoid needless disruption if possible).
Breaking changes:
Deprecations:
Bugfixes:
runc update and avoid leaking eBPF programs
Improvements:
go get
or runc update). (#2994)
Thanks to the following people who made this release possible:
Vote: +5 -0 %2
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0-rc95 -- "Just when I thought I was out, they pull me back in."
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).
Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).
Thanks to the following people who made this release possible:
Due to the nature of this release, it didn't go through the normal
public release procedure. However, this break from procedure was agreed
upon on the security mailing list.
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0-rc94 -- "Time is an illusion. Lunchtime doubly so."
This release fixes several regressions found in v1.0.0-rc93. We
recommend users update as soon as possible. This release includes the
following notable changes:
Potentially breaking changes:
Set now accepts configs.Resources rather than configs.Cgroups (#2906)
Apply (#2814)
Bugfixes:
Improvements:
Thanks to the following people who made this release possible:
Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0~rc93 -- "I never could get the hang of Thursdays."
This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.
runc's cgroupv2 support is no longer considered experimental. It is now
believed to be fully ready for production deployments. In addition, runc's
cgroup code has been improved:
runc's mountinfo parsing code has been reworked significantly, making
container startup times significantly faster and less wasteful in general.
runc now has special handling for seccomp profiles to avoid making new
syscalls unusable for glibc. This is done by installing a custom prefix to
all seccomp filters which returns -ENOSYS for syscalls that are newer than
any syscall in the profile (meaning they have a larger syscall number).
This should not cause any regressions (because previously users would simply
get -EPERM rather than -ENOSYS, and the rule applied above is the most
conservative rule possible) but please report any regressions you find as a
result of this change -- in particular, programs which have special fallback
code that is only run in the case of -EPERM.
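To show what that prefix does to a filter's verdicts, here is an added Go example (not runc's own implementation, which builds its filters through libseccomp): it emits a classic BPF allow-list filter whose first instructions return ENOSYS for any syscall number above the largest one in the profile, then interprets that filter for a few x86_64 syscall numbers. The profile is a constructed sample, and the architecture check a real filter also needs is left out.

```go
package main

import (
	"fmt"
	"syscall"
)
// Classic BPF opcodes (LD|W|ABS, JMP|JGE|K, JMP|JEQ|K, RET|K) and the seccomp
// return values SECCOMP_RET_ALLOW and SECCOMP_RET_ERRNO (low 16 bits = errno).
const (
	opLdAbsW, opJgeK, opJeqK, opRetK uint16 = 0x20, 0x35, 0x15, 0x06
	retAllow, retErrno               uint32 = 0x7fff0000, 0x00050000
)
// insn mirrors struct sock_filter; jt/jf are relative forward jump offsets.
type insn struct {
	code   uint16
	jt, jf uint8
	k      uint32
}
// buildFilter emits an allow-list filter with the rc93-style prefix: a syscall
// number above the largest listed one returns ENOSYS, any other unlisted one
// returns dflt. (The architecture check a real filter needs is omitted here.)
func buildFilter(allowed []uint32, dflt syscall.Errno) []insn {
	n := uint8(len(allowed))
	// A = seccomp_data.nr (offset 0); the jge threshold k is patched below.
	prog := []insn{{code: opLdAbsW}, {code: opJgeK, jt: n + 1}}
	for i, nr := range allowed {
		if nr >= prog[1].k {
			prog[1].k = nr + 1 // prefix: nr >= largest listed + 1 -> ENOSYS
		}
		prog = append(prog, insn{code: opJeqK, k: nr, jt: n + 1 - uint8(i)}) // -> ALLOW
	}
	return append(prog,
		insn{code: opRetK, k: retErrno | uint32(dflt)},
		insn{code: opRetK, k: retErrno | uint32(syscall.ENOSYS)},
		insn{code: opRetK, k: retAllow},
	)
}
// run interprets prog for a seccomp_data with the given nr (the only field
// modelled) and returns the caller-visible errno; 0 means ALLOW (no low bits).
func run(prog []insn, nr uint32) (syscall.Errno, error) {
	var acc uint32
	for pc := 0; pc < len(prog); {
		in := prog[pc]
		switch in.code {
		case opLdAbsW:
			acc, pc = nr, pc+1
		case opJgeK, opJeqK:
			if (in.code == opJgeK && acc >= in.k) || (in.code == opJeqK && acc == in.k) {
				pc += 1 + int(in.jt)
			} else {
				pc += 1 + int(in.jf)
			}
		case opRetK:
			return syscall.Errno(in.k & 0xffff), nil
		default:
			return 0, fmt.Errorf("unsupported opcode %#x", in.code)
		}
	}
	return 0, fmt.Errorf("ran off the end of the filter")
}
```

With a profile allowing read, write, close, exit_group and openat (x86_64 numbers 0, 1, 3, 231, 257), an unlisted older syscall such as ptrace (101) still gets the default EPERM, while clone3 (435) gets ENOSYS and so triggers glibc's fallback path.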
runc now supports the following new runtime-spec features:
Various rootless containers improvements:
runc --root is now always treated as local to the current working directory.
The --no-pivot-root hardening was improved to handle nested mounts properly
(please note that we still strongly recommend that users do not use
--no-pivot-root -- it is still an insecure option).
A large number of code cleanliness and other various cleanups, including
fairly large changes to our tests and CI to make them all run more
efficiently.
For packagers the following changes have been made which will have impact on
your packaging of runc:
The "selinux" and "apparmor" buildtags have been removed, and now all runc
builds will have SELinux and AppArmor support enabled. Note that "seccomp"
is still optional (though we very highly recommend you enable it).
make install DESTDIR= now functions correctly.
Thanks to the following people who made this release possible:
Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0~rc92
This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):
As well as some other improvements:
Thanks to the following people who made this release possible:
Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v1.0.0-rc91
This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).
The long-awaited hooks changes have been merged into runc. This was
one of the few remaining spec-related issues which were blocking us
from releasing runc 1.0. Existing hook users will not be affected by
this change, but runc now supports additional hooks that we expect
users to migrate to eventually. The new hooks are:
A large amount of effort has been undertaken to support cgroupv2
within runc. The support is still considered experimental, but it is
mostly functional at this point. Please report any bugs you find when
running under cgroupv2-only systems.
A minor-severity security bug was fixed. The devices list would
be in allow-by-default mode from the outset, meaning that users would
have to explicitly specify they wish to deny all device access at the
beginning of the configuration. While this would normally be
considered a high-severity vulnerability, all known users of runc had
worked around this issue several years ago (hence why this fairly
obvious bug was masked).
In addition, the devices list code has been massively improved such
that it will attempt to avoid causing spurious errors in the
container (such as while writing to /dev/null) when doing devices
cgroup updates.
A security audit of runc was conducted in 2019, and the report PDF is
now included in the runc repository. The previous release of runc
has already addressed the security issues found in that report.
Thanks to the following people who made this release possible:
NOTE: For those who are confused by the massive version jump (rc10
to rc91), this was done to avoid issues with SemVer and lexical
comparisons -- there haven't been 90 other release candidates. Please
also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10.
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0-rc90
This release is identical to v1.0.0-rc10.
The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic sort -V
order).
Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See 1 for more details.
The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc10
This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged, the next rc release of runc should be the last one before
1.0.0.
Thanks to the following people who made this release possible:
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc9
This is a hot-fix for v1.0.0~rc8, primarily fixing CVE-2019-16884.
Thanks to the following people who made this release possible:
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc8
This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels
(which don't support keycreate labeling). Users are strongly encouraged
to update, as this regression was introduced in 1.0.0-rc7 and has
blocked many users from updating to mitigate CVE-2019-5736.
Bugs: #2032 #2031 #2043
At the moment the only outlying issue before we can release 1.0.0 is
some spec discussions we are having about OCI hooks and how to handle
the integration with existing NVIDIA hooks. We will do our best to
finish this work as soon as we can.
Thanks to the following people who made this release possible:
Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc7
Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0. #k
Security:
Mitigate CVE-2019-5736. This is an updated version of the patch series sent
out on openwall and we encourage users to update. #1982 #1984
NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
host uid 0 and give them CAP_SYS_ADMIN (the protection operates
through a hidden read-only bind-mount which can be re-mounted by
CAP_SYS_ADMIN privileged users).
Put simply -- we consider granting CAP_SYS_ADMIN to untrusted
containers without user namespaces to be fundamentally insecure, as
such we do not consider this to be a security issue.
If you want an additional host-level mitigation, use `chattr +i` on
the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot
write to it -- even with CAP_SYS_ADMIN. But as above, if you give
CAP_LINUX_IMMUTABLE to a container you will have problems.
An alternative is to bind-mount a sealed memfd copy of the runc
binary over the binary (runc will detect this and will not attempt
further mitigation, because sealed memfds are fundamentally
unmodifiable) but this requires more in-depth work by administrators.
There appear to be production users of --no-pivot-root, which is something
that we absolutely recommend against and do not consider to be a secure
configuration -- since pivot_root(2) has many security properties that are
not possible to provide with just chroot(2).
However, a specific issue was discovered which we decided to mitigate in
order to avoid production users being exploited by it. This security issue
is not eligible for a CVE because it requires an insecure configuration
(--no-pivot-root). #1962
Features:
Fixes:
Thanks to all of the contributors that made this release possible:
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc6
This is the final feature release of runc before 1.0, rather than 1.0
itself. The reason for this is that, during the preparations for this
release (which was originally meant to be 1.0) it was brought up that
there were several spec-compliance problems. One of these was related to
hook ordering, and upon trying to fix them it turns out that many users
(notably the NVIDIA OCI hooks) make use of our incorrect hook ordering.
Many of the proposed solutions to this problem all require a lot of time
and co-ordination, and thus would stall this release indefinitely.
So, the idea is to have an intermediate release which will mark a
freeze-on-everything-except-spec-compliance-bugs. No other changes will
be included pre-1.0 (aside from security patches obviously).
Features:
Fixes:
Fixes (for spec violations):
Thanks to all of the contributors that made this release possible:
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc5
This is planned to be the final -rc release of runc. While we really
haven't followed the rules for release candidates (with huge features
introduced each release, and with massive gaps between releases) the
hope is that once we've released 1.0.0 we will be much more liberal with
releases in future. Let's see how that pans out. :P
Features:
Fixes:
Delay seccomp application as late as possible, to reduce the syscall
footprint of runc on profiles. #1569
Fix --read-only containers with user namespaces, which would
previously fail under Docker because of privilege problems when trying
to do the read-only remount. #1572
Switch away from stateDirFd entirely. This is an improvement over the
protections we added for CVE-2016-9962, and protects against many
other possible container escape bugs. #1570
Handle races between "runc start" and "runc delete" over the exec FIFO
correctly, and avoid blocking "runc start" indefinitely. #1698
Correctly generate seccomp profiles that place requirements on syscall
arguments, as well as multi-argument restrictions. #1616 #1424
Prospective patch for remounting of old-root during pivot_root. This
is intended to solve one of the many "mount leak" bugs that have been
popping up recently -- caused by lots of container churn and host
mounts being pinned during container setup. #1500
Fix "runc exec" on big-endian architectures. #1727
Correct systemd slice expansion to work with cAdvisor. #1722
Fix races against systemd cgroup scope creation. #1683
Do not wait for signalled processes if libcontainer is running in a
process that is a subreaper. #1678
Remove dependency on libapparmor entirely, and just use
/proc/$pid/attr directly. #1675
Improvements to our integration tests. #1661 #1629 #1528
Handle systemd's quirky CPUQuotaPerSecUSec handling in
fractions-of-a-percent edge-cases. #1651
Remove docker/docker import in runc by moving the package to runc.
#1644
Switch from docker's pkg/symlink to cyphar/filepath-securejoin. #1622
Enable integration and unit tests on arm64. #1642 #1640
Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539).
#1641
Add several tests for specconv. #1626 #1619
Add more extensive tests for terminal handling. #1357
Always write freezer state during retry-loop, to avoid an indefinite
hang when new tasks are spawned in the container. #1610
Create cwd when it doesn't exist in the container. #1604
Set initial console size based on process spec, to avoid SIGWINCH
races where initial console size is completely wrong. #1275
Small fixes for static builds. #1579 #1577
Use epoll for PTY IO, to avoid issues with systemd's SAK protections.
#1455
Update state.json after a "runc update". #1558
Switch to umoci's release scripts, to use a more "standardised" and
distribution-friendly release scheme. Several makefile-fixes included
as well. #1554 #1542 #1555
Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. #1506
Use CRIU's RPC to check the version. #1535
Always save own namespace paths rather than the path given during
start-up, to avoid issues where the path disappears afterwards. #1477
Fix a bug where we incorrectly set the owners of devices. This is still
(subtly) broken in user namespaces, but will be fixed in a future version. #1743
Lots of other miscellaneous fixes and cleanups, many of which were
written by first-time contributors. Thanks for contributing, and
welcome to the project! #1729 #1724 #1695 #1685 #1703 #1699 #1682
#1665 #1667 #1669 #1654 #1664 #1660 #1645 #1640 #1621 #1607 #1206
#1615 #1614 #1453 #1613 #1600 #1599 #1598 #1597 #1593 #1586 #1588
#1587 #1589 #1575 #1578 #1573 #1561 #1560 #1559 #1556 #1551 #1553
#1548 #1544 #1545 #1537
Removals:
Thanks to all of the contributors that made this release possible:
Signed-off-by: Aleksa Sarai asarai@suse.de
v1.0.0~rc4
Features:
Fixes:
Removals:
Thanks to all of the contributors that made this release possible:
Vote-Closed: [Wed Aug 9 05:28:38 UTC 2017]
Vote-Results: [+5 -0 /2]
v1.0.0~rc3
Features:
Fixes:
Security:
Thanks to all of the contributors that made this release possible: