1- # Changelog/
1+ # Changelog
22This file documents all notable changes made to this project since runc 1.0.
33
44The format is based on [ Keep a Changelog] ( https://keepachangelog.com/en/1.0.0/ ) ,
@@ -27,6 +27,70 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
2727 support would return ` -EPERM ` despite the existence of the ` -ENOSYS ` stub
2828 code (this was due to how s390x does syscall multiplexing). (#3474 )
2929
30+
31+ ## [ 1.1.3] - 2022-06-09
32+
33+ > In the beginning there was nothing, which exploded.
34+
35+ ### Fixed
36+ * Our seccomp ` -ENOSYS ` stub now correctly handles multiplexed syscalls on
37+ s390 and s390x. This solves the issue where syscalls the host kernel did not
38+ support would return ` -EPERM ` despite the existence of the ` -ENOSYS ` stub
39+ code (this was due to how s390x does syscall multiplexing). (#3478 )
40+ * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
41+ intended; this fix does not affect runc binary itself but is important for
42+ libcontainer users such as Kubernetes. (#3476 )
43+ * Inability to compile with recent clang due to an issue with duplicate
44+ constants in libseccomp-golang. (#3477 )
45+ * When using systemd cgroup driver, skip adding device paths that don't exist,
46+ to stop systemd from emitting warnings about those paths. (#3504 )
47+ * Socket activation was failing when more than 3 sockets were used. (#3494 )
48+ * Various CI fixes. (#3472 , #3479 )
49+
50+ ### Added
51+ * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. (#3493 )
52+
53+ ### Changed
54+ * runc static binaries are now linked against libseccomp v2.5.4. (#3481 )
55+
56+
57+ ## [ 1.1.2] - 2022-05-11
58+
59+ > I should think I'm going to be a perpetual student.
60+
61+ ### Security
62+ * A bug was found in runc where runc exec --cap executed processes with
63+ non-empty inheritable Linux process capabilities, creating an atypical Linux
64+ environment. For more information, see [ GHSA-f3fp -gc8g-vw66] [ ] and
65+ CVE-2022 -29162.
66+
67+ ### Changed
68+ * ` runc spec ` no longer sets any inheritable capabilities in the created
69+ example OCI spec (` config.json ` ) file.
70+
71+ [ GHSA-f3fp-gc8g-vw66 ] : https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
72+
73+
74+ ## [ 1.1.1] - 2022-03-28
75+
76+ > Violence is the last refuge of the incompetent.
77+
78+ ### Added
79+ * CI is now also run on centos-stream-9. (#3436 )
80+
81+ ### Fixed
82+ * ` runc run/start ` can now run a container with read-only ` /dev ` in OCI spec,
83+ rather than error out. (#3355 )
84+ * ` runc exec ` now ensures that ` --cgroup ` argument is a sub-cgroup. (#3403 )
85+ * libcontainer systemd v2 manager no longer errors out if one of the files
86+ listed in ` /sys/kernel/cgroup/delegate ` do not exist in container's cgroup.
87+ (#3387 , #3404 )
88+ * Loose OCI spec validation to avoid bogus "Intel RDT is not supported" error.
89+ (#3406 )
90+ * libcontainer/cgroups no longer panics in cgroup v1 managers if ` stat `
91+ of ` /sys/fs/cgroup/unified ` returns an error other than ENOENT. (#3435 )
92+
93+
3094## [ 1.1.0] - 2022-01-14
3195
3296> A plan depends as much upon execution as it does upon concept.
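Review bot: the 1.1.2 Security entry describes the `runc exec --cap` inheritable-capabilities bug and cites GHSA-f3fp-gc8g-vw66 / CVE-2022-29162, but never states that this release fixes it; a reader scanning the changelog to decide whether to upgrade needs that said explicitly (the only concrete fix listed under 1.1.2 is the `runc spec` change under "Changed"), and `runc exec --cap` should be in backticks like `runc spec` is. Smaller wording points in the same hunk: "Loose OCI spec validation" in the 1.1.1 Fixed list should read "Loosen", "one of the files ... do not exist" should be "does not exist", and "Allow to bind mount" under 1.1.3 Added reads better as "Allow bind-mounting".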
@@ -37,6 +101,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
37101 should avoid folks accidentally creating broken runc binaries (and
38102 incorrectly importing our internal libraries into their projects). (#3331 )
39103
104+
40105## [ 1.1.0-rc.1] - 2021-12-14
41106
42107> He who controls the spice controls the universe.
@@ -62,7 +127,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
62127 binary etc.) and failures of the command being executed. (#3073 )
63128 * runc run: new ` --keep ` option to skip removal exited containers artefacts.
64129 This might be useful to check the state (e.g. of cgroup controllers) after
65- the container has exited. (#2817 , #2825 )
130+ the container has exited. (#2817 , #2825 )
66131 * seccomp: add support for ` SCMP_ACT_KILL_PROCESS ` and ` SCMP_ACT_KILL_THREAD `
67132 (the latter is just an alias for ` SCMP_ACT_KILL ` ). (#3204 )
68133 * seccomp: add support for ` SCMP_ACT_NOTIFY ` (seccomp actions). This allows
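Review bot: the removed and added lines of the `--keep` entry read identically here, so this hunk is a whitespace-only change (most likely a trailing space); confirm that it is intentional rather than an editor artifact, and if the goal is cleanup, one whitespace-normalizing pass over the whole file would be preferable to single-line hunks like this.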
@@ -151,13 +216,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
151216### Fixed
152217 * Fixed inability to start a container with read-write bind mount of a
153218 read-only fuse host mount. (#3283 , #3292 )
154- * Fixed inability to start when read-only /dev in set in spec (#3276 , #3277 )
219+ * Fixed inability to start when read-only /dev in set in spec. (#3276 , #3277 )
155220 * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2
156221 is used with older systemd. (#3226 , #3297 )
157222 * Fixed returning error from GetStats when hugetlb is unsupported (which causes
158223 excessive logging for Kubernetes). (#3233 , #3295 )
159224 * Improved an error message when dbus-user-session is not installed and
160- rootless + cgroup2 + systemd are used (#3212 )
225+ rootless + cgroup2 + systemd are used. (#3212 )
161226
162227[ GHSA-v95c-p5hm-xq8f ] : https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
163228
@@ -237,7 +302,7 @@ implementation (libcontainer) is *not* covered by this policy.
237302 code, optimize the method for checking whether a cgroup is frozen. (#2955 )
238303 * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
239304 * cgroups/systemd: fixed returning "unit already exists" error from a systemd
240- cgroup manager (regression in rc94) (#2997 , #2996 )
305+ cgroup manager (regression in rc94). (#2997 , #2996 )
241306
242307### Added
243308 * cgroupv2: support SkipDevices with systemd driver. (#2958 , #3019 )
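Review bot: the trailing period is added to the "unit already exists" entry, but the entry directly above it ("cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94") still lacks both a period and a PR reference, unlike every other entry in this Fixed list; since this commit is normalizing punctuation, fix that line in the same pass and add the missing PR number.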
@@ -246,15 +311,15 @@ implementation (libcontainer) is *not* covered by this policy.
246311 (#3022 )
247312
248313### Changed
249- * cgroup/systemd: return, not ignore, stop unit error from Destroy (#2946 )
314+ * cgroup/systemd: return, not ignore, stop unit error from Destroy. (#2946 )
250315 * Fix all golangci-lint failures. (#2781 , #2962 )
251316 * Make ` runc --version ` output sane even when built with ` go get ` or
252317 otherwise outside of our build scripts. (#2962 )
253318 * cgroups: set SkipDevices during runc update (so we don't modify
254319 cgroups at all during ` runc update ` ). (#2994 )
255320
256321<!-- minor releases -->
257- [ Unreleased ] : https://github.com/opencontainers/runc/compare/v1.1.0 ...HEAD
322+ [ Unreleased ] : https://github.com/opencontainers/runc/compare/v1.1.3 ...HEAD
258323[ 1.1.0 ] : https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0
259324[ 1.0.0 ] : https://github.com/opencontainers/runc/releases/tag/v1.0.0
260325
@@ -265,5 +330,8 @@ implementation (libcontainer) is *not* covered by this policy.
265330[ 1.0.1 ] : https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1
266331
267332<!-- 1.1.z patch releases -->
268- [ Unreleased 1.1.z ] : https://github.com/opencontainers/runc/compare/v1.1.0...release-1.1
333+ [ Unreleased 1.1.z ] : https://github.com/opencontainers/runc/compare/v1.1.3...release-1.1
334+ [ 1.1.3 ] : https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
335+ [ 1.1.2 ] : https://github.com/opencontainers/runc/compare/v1.1.1...v1.1.2
336+ [ 1.1.1 ] : https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1
269337[ 1.1.0-rc.1 ] : https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1
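Review bot: the `[ 1.1.0-rc.1 ]` link definition that closes this hunk sits under the `<!-- 1.1.z patch releases -->` comment even though it is a pre-release of 1.1.0, not a patch release; while the new `[ 1.1.1 ]`, `[ 1.1.2 ]` and `[ 1.1.3 ]` definitions are being added here, move that line up under `<!-- minor releases -->` next to `[ 1.1.0 ]` so the grouping stays accurate.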