Skip to content

runc v1.2.1 -- "No existe una escuela que enseñe a vivir."

Compare
Choose a tag to compare
@cyphar cyphar released this 01 Nov 22:23
· 120 commits to main since this release
v1.2.1
d7735e3

This is the first patch release of the 1.2.z series of runc. It includes
a critical bugfix for an issue that manifested on SELinux-based
distributions and was blocking containerd from updating to
runc 1.2.z.

In addition, runc-dmz (added in 1.2.0) has been removed entirely. This
was opt-in (due to the many limitations it had), but the late addition
of the overlayfs-based CVE-2019-5736 protection made it no longer
necessary at all.

  • We now explicitly become root after joining an existing user namespace.
    Otherwise, runc won't have permissions to configure some mounts when
    running under SELinux and runc is not creating the user namespace.
    (#4466, #4477)
  • Remove dependency on golang.org/x/sys/execabs from go.mod. (#4480)
  • Remove runc-dmz, that had many limitations, and is mostly made obsolete by
    the new protection mechanism added in v1.2.0. Note that runc-dmz was only
    available only in the 1.2.0 release and required to set an environment variable
    to opt-in. (#4488)
  • The script/check-config.sh script now checks for overlayfs support. (#4494)
  • When using cgroups v2, allow to set or update memory limit to "unlimited"
    and swap limit to a specific value. (#4501)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.


Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai [email protected]