diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b77754ab74..e717157924b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,13 +6,48 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.4.z] +## [1.4.1] - 2026-03-12 + +> La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus. + +### Deprecated ### +- `libcontainer/configs.MPOL_*` constants added in runc [1.4.0][]. (#5110, #5055) + +### Added ### +- Preliminary `loong64` support. (#5062, #4938) + +### Fixed ### +- libct: fix panic in `initSystemdProps` when processing certain systemd + properties in the OCI spec. (#5161, #5133) +- libct: fix several file descriptor leaks on error paths. (#5168, #5009) +- Remove unnecessary `crypto/tls` dependency by open-coding the systemd socket + activation logic, allowing us to more easily avoid false positive CVE + warnings. (#5093, #5057) +- Remove legacy `os.Is*` error usage, improving error type detection to make + our error fallback paths more robust. (#5162, #5061) +- Go 1.26 has started enforcing a restriction of `os/exec.Cmd` which caused + issues with our usage of `CLONE_INTO_CGROUP` (on newer kernels). This has now + been resolved. (#5116, #5091) +- Recursive `atime`-related mount flags (`rrelatime` et al.) are now applied + properly. (#5114, #5098) +- Fix a regression in `runc exec` due to `CLONE_INTO_CGROUP` in the + (inadvisable) scenario where a container is configured without cgroup + namespaces and with `/sys/fs/cgroup` mounted `rw`. (#5117, #5101) +- On machines with more than 1024 CPU cores, our logic for resetting the CPU + affinity will now correctly reset the affinity onto _all_ available cores + (not just the first 1024). (#5149, #5025) +- PR #4757 caused a regression that resulted in spurious `cannot start a container + that has stopped` errors when running `runc create` and has thus been + reverted. (#5157, #5153, #5151, #4645, #4757) + ### Changed ### - Previously we made an attempt to make our `runc.armhf` release binaries work with ARMv6 (which would allow runc to work on the original Raspberry Pi). 
Unfortunately, this has effectively always been broken (because we cross-compile `libseccomp` within a Debian container and statically link to it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf] - (that is, ARMv7). (#5103) + (that is, ARMv7). (#5167, #5103) +- Minor signing keyring updates. (#5147, #5139, #5144, #5148) [debian-armhf]: https://wiki.debian.org/ArmHardFloatPort @@ -1428,7 +1463,8 @@ implementation (libcontainer) is *not* covered by this policy. [1.3.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.3.0-rc.1 -[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0...release-1.4 +[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.1...release-1.4 +[1.4.1]: https://github.com/opencontainers/runc/compare/v1.4.0...v1.4.1 [1.4.0]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...v1.4.0 [1.4.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...v1.4.0-rc.3 [1.4.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.1...v1.4.0-rc.2 diff --git a/VERSION b/VERSION index 11da7992069..e38b2639417 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.0+dev +1.4.1+dev
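Review bot: In the first CHANGELOG.md hunk (@@ -6,13 +6,48), the new `### Deprecated ###` bullet for `libcontainer/configs.MPOL_*` does not say what callers should use instead or in which release the constants will be removed. The bullet itself notes they were only added in 1.4.0, so anyone who picked them up has no migration pointer; suggest naming the replacement and the planned removal release in that bullet. In the same hunk, the `runc exec` / `CLONE_INTO_CGROUP` regression bullet calls the configuration without cgroup namespaces and with `/sys/fs/cgroup` mounted `rw` "(inadvisable)" without saying why; a short clause or a link to the relevant documentation would let operators judge whether their own containers are set up that way.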
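Review bot: In the VERSION hunk, the file goes straight from `1.4.0+dev` to `1.4.1+dev`, so nothing in this diff shows VERSION ever holding the plain `1.4.1` that the changelog dates 2026-03-12 and that the new `v1.4.0...v1.4.1` compare link expects to exist as a tag. Please confirm that the commit tagged `v1.4.1` sets VERSION to `1.4.1` without the `+dev` suffix (for example a release commit followed by a separate back-to-development bump), so the tagged tree does not carry a development version string, and that the tag is pushed before the new `[1.4.1]` and `[Unreleased 1.4.z]` links are expected to resolve.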