Skip to content

runc v1.3.0-rc.1 -- "No tengo miedo al invierno, con tu recuerdo lleno de sol."

Latest
Latest
Compare
Choose a tag to compare
@cyphar cyphar released this 04 Mar 12:14
· 17 commits to main since this release
v1.3.0-rc.1
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.
a00ce11
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.

This is the first release candidate of the runc 1.3.0 release. It
contains a couple of new features, but is mostly made up of some minor
(but notable) API changes to libcontainer as well as a series of bug
fixes.

This is the first release series that will follow our new release
policy, meaning that user should expect runc 1.3.0 to be released at the
end of April 2025, at which point the support policy for the runc 1.2.z
branch will change. Please see the new RELEASES.md document for more
information.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release.

libcontainer API

  • configs.CommandHook struct has changed, Command is now a pointer.
    Also, configs.NewCommandHook now accepts a *Command. (#4325)
  • The Process struct has User string field replaced with numeric
    UID and GID fields, and AdditionalGroups changed its type from
    []string to []int. Essentially, resolution of user and group
    names to IDs is no longer performed by libcontainer, so if a libcontainer
    user previously relied on this feature, now they have to convert names to
    IDs before calling libcontainer; it is recommended to use Go package
    github.com/moby/sys/user for that. (#3999)
  • Move libcontainer/cgroups to a separate repository. (#4618)

Fixed

  • runc exec -p no longer ignores specified ioPriority and scheduler
    settings. Similarly, libcontainer's Container.Start and Container.Run
    methods no longer ignore Process.IOPriority and Process.Scheduler
    settings. (#4585)
  • We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as it
    turns out this had some unfortunate bugs in older kernel versions and was
    never necessary in the first place. (#4641, #4640)
  • runc now uses a more flexible method of joining namespaces, which better
    matches the behaviour of nsenter(8). This is mainly useful for users that
    create a container with a runc-managed user namespace but want the container
    to join some externally-managed namespace as well. (#4492)
  • runc now properly handles joining time namespaces (such as with runc exec).
    Previously we would attempt to set the time offsets when joining, which
    would fail. (#4635, #4636)
  • Handle EINTR retries correctly for socket-related direct
    golang.org/x/sys/unix system calls. (#4637)
  • Handle close_range(2) errors more gracefully. (#4596)
  • Fix a stall issue that would happen if setting O_CLOEXEC with
    CloseExecFrom failed (#4599).
  • Handle errors on older kernels when resetting ambient capabilities more
    gracefully. (#4597)

Changed

  • runc now has an official release policy to help provide more consistency
    around our release schedules and better define our support policy for old
    release branches. See RELEASES.md for more details. (#4557)
  • Improved performance by switching to strings.Cut where appropriate.
    (#4470)
  • The minimum Go version of runc is now Go 1.23. (#4598)
  • Updated builds to libseccomp v2.5.6. (#4625)

Added

  • runc has been updated to support OCI runtime-spec 1.2.1. (#4653)
  • CPU affinity support for runc exec. (#4327)
  • CRIU support can be disabled using the build tag runc_nocriu. (#4546)
  • Support to get the pidfd of the container via CLI flag pidfd-socket.
    (#4045)
  • Support skip-in-flight and link-remap options for CRIU. (#4627)
  • Support cgroup v1 mounted with noprefix. (#4513)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai [email protected]

Assets 23
Loading