@@ -6,6 +6,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
66
77## [ Unreleased]  
88
9+ ## [ 1.2.0-rc.1]  - 2023-08-10 
10+ 
11+ >  How, dear sir, did you cross the flood? By not stopping, friend, and by not
12+ >  straining I crossed the flood
13+ 
14+ This new runc release includes all the changes from the v1.1 patch releases up
15+ to v1.1.10.
16+ 
17+ ### Compatibility  
18+ 
19+ *  This release requires Go 1.20.x or Go 1.19.x (#3718  )
20+ 
21+ ### Added  
22+ 
23+  *  Support idmap mounts as specified in the OCI runtime-spec v1.1.0. (#3717  , #3985  )
24+  *  Support for ` cgroup.kill `  to kill all processes inside a container. (#3135  ,
25+    #3825  )
26+  *  Implement to set a domainname as specified in the OCI runtime-spec v1.1.0.
27+    (#3600  )
28+  *  Add support for umask when exec-ing into a container. (#3661  )
29+  *  libct/cg: support SCHED_IDLE for runc cgroupfs. (#3377  )
30+  *  checkpoint/restore: implement ` --manage-cgroups-mode `  ignore. (#3546  )
31+  *  seccomp: refactor flags support; add flags to features, set SPEC_ALLOW by
32+    default. (#3588  )
33+  *  libct/cg/sd: use systemd v240+ new ` MAJOR:* `  syntax. (#3843  )
34+  *  Use github.com/checkpoint-restore/go-criu v6.3.0, which reduces the compiled
35+    binary file. (#3652  )
36+  *  Expose MountExtensions (including idmap support) in the features subcommand. (#3993  )
37+  *  Support CFS bandwidth burst for CPU. (#3749  , #3145  )
38+  *  Support time namespace. (#3876  )
39+  *  Build tag ` runc_nodmz ` , see also the ` memfd-bind `  binary in ` contrib/ `  in case you can't use
40+    ` runc-dmz `  and still want to reduce memory usage. (#3987  )
41+  *  New "pidfd-socket" CLI flag. (#4045  )
42+ 
943### Deprecated  
1044
1145 *  ` runc `  option ` --criu `  is now ignored (with a warning), and the option will
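Review bot: the new heading dates 1.2.0-rc.1 as 2023-08-10, but the paragraph under it says the release includes the v1.1 patch releases up to v1.1.10, and the 1.1.10 section further down this file is dated 2023-10-31. One of the two is wrong; please correct the date or the version named in the paragraph. In the Added list, the seccomp entry ends with "set SPEC_ALLOW by default", which changes a default rather than adding a feature, so it would be easier to find under Changed with a sentence on what the new default means for existing seccomp profiles. Minor wording: "Implement to set a domainname" and "reduces the compiled binary file" (presumably its size) read as incomplete.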
@@ -16,12 +50,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1650   to kill a container (with SIGKILL) which does not have its own private PID
1751   namespace (so that runc would send SIGKILL to all processes). Now, this is
1852   done automatically. (#3864  , #3825  )
53+  *  ` libcontainer/user `  is deprecated, use ` github.com/moby/sys/user `  instead. It
54+    will be removed in a future release. (#4017  )
1955
2056### Changed  
2157
2258 *  When Intel RDT feature is not available, its initialization is skipped,
2359   resulting in slightly faster ` runc exec `  and ` runc run ` . (#3306  )
24-  *  Enforce absolute paths for mounts . (#3020  ,  # 3717 
60+  *  The  ` runc features `  command is no longer experimental . (#3861  )
2561 *  libcontainer users that create and kill containers from a daemon process
2662   (so that the container init is a child of that process) must now implement
2763   a proper child reaper in case a container does not have its own private PID
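Review bot: the removed Changed entry "Enforce absolute paths for mounts. (#3020, #3717" is replaced by the `runc features` entry and is not re-added in any of the visible hunks. If the enforcement still ships in this release, keep the entry, since it is a behaviour change that users with relative mount paths need to see; if it was dropped or reverted, the commit message should say so. On the new Deprecated entry for `libcontainer/user`, "will be removed in a future release" would be more useful with the target release named.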
@@ -35,6 +71,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
3571   For cgroupv1, ` Usage `  and ` Failcnt `  are set by subtracting memory usage
3672   from memory+swap usage. For cgroupv2, ` Usage ` , ` Limit ` , and ` MaxUsage ` 
3773   are set. (#4010  )
74+  *  When running rootless or using a user namespace, a source filesystem mounted
75+    with ` nodev ` , ` nosuid `  or ` noexec `  can now be used as source of a bind mount
76+    without the same options being set for the mount. (#3805  )
77+  *  libcontainer users that create and kill containers from a daemon process
78+    (so that the container init is a child of that process) must now implement
79+    a proper child reaper in case a container does not have its own private PID
80+    namespace, as documented in ` container.Signal ` . (#3825  )
81+  *  libcontainer: ` container.Signal `  no longer have the second ` all bool ` 
82+    argument; a need to kill all processes is now determined automatically.
83+    (#3825  , #3885  )
84+  *  libct/cg: Remove function EnterPid with no users. (#3797  )
85+  *  libct/seccomp: enable seccomp binary tree optimization. (#3405  )
86+  *  runc run/exec: ignore SIGURG. (#3368  )
87+  *  Remove tun/tap from the default device rules. (#3468  )
88+  *  ` runc --root non-existent-dir list `  now reports an error for non-existent
89+    root directory. (#3374  )
90+  *  libct: Mount: Remove {Pre,Post}mountCmds, were never used and are obsoleted
91+    by more generic container hooks. (#3350  )
92+  *  When joining an existing time or user namespace, don't require configuration
93+    entries for them. If they are specified, they need to be consistent with the
94+    user namespace joining. In future minor releases an error will be thrown if
95+    they are specified, though. (#4133  )
3896
3997### Fixed  
4098
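Review bot: two of the added Changed entries duplicate text already in the file. The "libcontainer users that create and kill containers from a daemon process ... must now implement a proper child reaper" item repeats the existing entry a few lines up in the same Changed section, here with "as documented in `container.Signal`" appended, and "Remove tun/tap from the default device rules. (#3468)" also appears under Fixed. Please keep one copy of each: merge the `container.Signal` reference into the existing child-reaper entry and decide whether the tun/tap removal is a change or a fix. Grammar: "`container.Signal` no longer have" should be "no longer has". The last entry, on joining an existing time or user namespace, would also read better if it said what "consistent with the user namespace joining" requires of the configuration.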
@@ -46,6 +104,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
46104   code (this was due to how s390x does syscall multiplexing). (#3474  )
47105 *  Remove tun/tap from the default device rules. (#3468  )
48106 *  specconv: avoid mapping "acl" to MS_POSIXACL. (#3739  )
107+  *  libcontainer: fix private PID namespace detection when killing the container.
108+    (#3866  , #3825  )
109+  *  Fix ` READY `  notification sometimes not accepted by systemd. (#3291  , #3293  )
110+  *  Reduce the number of mount/umount syscalls in the host mount namespace, remove the bindfd logic
111+    and move the memfd logic to go. (#3987  , #3599  , #2532  , #3931  )
49112
50113## [ 1.1.10]  - 2023-10-31 
51114
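Review bot: the last added Fixed entry ("Reduce the number of mount/umount syscalls in the host mount namespace, remove the bindfd logic and move the memfd logic to go") describes a refactor and names no bug, so a reader cannot tell what was broken. Either state the user-visible problem it resolves or move it to Changed. It also packs three changes into one bullet, runs past the wrap width used by the other entries, and should capitalize "Go". The unchanged tun/tap line above the additions is the same item that another hunk adds under Changed, so one of the two should go.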