merge #5154 into opencontainers/runc:main

Aleksa Sarai (4):
  VERSION: back to development
  VERSION: release v1.5.0-rc.1
  CHANGELOG: forward-port v1.4.1 entry
  CHANGELOG: add original PR references to backports

LGTMs: rata lifubang
This commit is contained in:
Aleksa Sarai
2026-03-13 21:28:25 +09:00
2 changed files with 93 additions and 12 deletions
+92 -11
View File
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [1.5.0-rc.1] - 2026-03-12
> 憎しみを束ねてもそれは脆い!
> [!NOTE]
> runc v1.5.0-rc.1 includes all of the patches backported to runc v1.4.1.
### libcontainer API ###
- The following deprecated Go APIs have been removed:
- `CleanPath`, `StripRoot`, and `WithProcfd` from `libcontainer/utils`. Note
@@ -28,7 +35,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- `libcontainer/configs.NewWeightDevice`
- `libcontainer/configs.NewThrottleDevice`
- `libcontainer/configs.HookList.RunHooks`. (#5141)
- `libcontainer/configs.MPOL_*` (#5414)
- `libcontainer/configs.MPOL_*` (#5141)
- All of the types in `libcontainer/devices` which are now maintained in
`github.com/opencontainers/cgroups/devices/config` (#5141):
- `libcontainer/devices.Wildcard`
@@ -40,27 +47,96 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- `libcontainer/devices.Permissions`
- `libcontainer/devices.Type`
- `libcontainer/devices.Rule`
- `libcontainer.Process` methods (`Wait`, `Pid`, `Signal`) and
`libcontainer/configs.Config` methods (`HostUID`, `HostRootUID`, `HostGID`,
`HostRootGID`) now use pointer receivers. (#5088)
- The example code for `libcontainer` has been moved out of a `README` and into
a proper `Example*` test file that will be compile-tested by our CI. As
mentioned elsewhere, we still *do not* recommend users make use of the
`libcontainer` API directly. (#5127)
### Deprecated ###
- The `libcontainer/configs.Mount.Relabel` configuration field (used to relabel
mounts with the `z` and `Z` "pseudo" mount options) was never accessible
outside of the libcontainer API, and in practice the relabel logic has always
lived in higher level runtimes. It has been made into a no-op and the field
will be removed entirely in runc 1.7. (#5152, #5160)
### Removed ###
- The `memfd-bind` helper binary has been removed, as it has never been
particularly useful and was completely obsoleted by the changes to
`/proc/self/exe` sealing we introduced in runc [1.2.0][]. (#5141)
### Added ###
- User-namespaced containers can now configure `user.*` sysctls. (#4889)
- Intel RDT: the RDT subdirectory is now only removed if runc created it,
matching the updated runtime-spec guidance. (#3832, #5155)
### Changed ###
- Our release binaries and default build configuration now use [libpathrs][] by
default, providiung better hardening against certain kinds of attacks. Users
of runc should not see any changes as a result of this, but pacakgers will
default, providing better hardening against certain kinds of attacks. Users
of runc should not see any changes as a result of this, but packagers will
need to adjust their packaging accordingly. runc can still be built without
libpathrs (by building without the `libpathrs` build tag), but we currently
plan to make runc 1.6 *require* libpathrs. (#5103)
- `runc exec` will now request systemd to move the `exec` process into the
container cgroup, making the procedure more rootless-friendly. (#4822)
- seccomp: minor documentation updates. (#4902)
- Errors from `runc init` have historically been quite painful to understand
and debug, we have made several improvements to make them more comprehensive
and thus useful when debugging issues. (#4951, #4928)
- Update spec conformance documentation for OCI runtime-spec v1.3.0. (#4948,
#5150)
- Our release archives now have the name `runc-$version.tar.xz` to make distro
packaging a little easier by matching the filename to the top-level directory
name in the archive. (#5052)
[libpathrs]: https://github.com/cyphar/libpathrs
## [1.4.1] - 2026-03-12
> La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus.
### Deprecated ###
- `libcontainer/configs.MPOL_*` constants added in runc [1.4.0][]. (#5110,
#5055)
### Added ###
- Preliminary `loong64` support. (#5062, #4938)
### Fixed ###
- libct: fix panic in `initSystemdProps` when processing certain systemd
properties in the OCI spec. (#5161, #5133)
- libct: fix several file descriptor leaks on error paths. (#5168, #5009)
- Remove unnecessary `crypto/tls` dependency by open-coding the systemd socket
activation logic, allowing us to more easily avoid false positive CVE
warnings. (#5093, #5057)
- Remove legacy `os.Is*` error usage, improving error type detection to make
our error fallback paths more robust. (#5162, #5061)
- Go 1.26 has started enforcing a restriction of `os/exec.Cmd` which caused
issues with our usage of `CLONE_INTO_CGROUP` (on newer kernels). This has now
been resolved. (#5116, #5091)
- Recursive `atime`-related mount flags (`rrelatime` et al.) are now applied
properly. (#5114, #5098)
- Fix a regression in `runc exec` due to `CLONE_INTO_CGROUP` in the
(inadvisable) scenario where a container is configured without cgroup
namespaces and with `/sys/fs/cgroup` mounted `rw`. (#5117, #5101)
- On machines with more than 1024 CPU cores, our logic for resetting the CPU
affinity will now correctly reset the affinity onto _all_ available cores
(not just the first 1024). (#5149, #5025)
- PR #4757 caused a regression that resulted in spurious `cannot start a
container that has stopped` errors when running `runc create` and has thus
been reverted. (#5157, #5153, #5151, #4645, #4757)
### Changed ###
- Previously we made an attempt to make our `runc.armhf` release binaries work
with ARMv6 (which would allow runc to work on the original Raspberry Pi).
Unfortunately, this has effectively always been broken (because we
cross-compile `libseccomp` within a Debian container and statically link to
it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf]
(that is, ARMv7). (#5103)
(that is, ARMv7). (#5167, #5103)
- Minor signing keyring updates. (#5147, #5139, #5144, #5148)
[libpathrs]: https://github.com/cyphar/libpathrs
[debian-armhf]: https://wiki.debian.org/ArmHardFloatPort
## [1.4.0] - 2025-11-27
@@ -91,9 +167,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- libct: fix mips compilation. (#4962, #4967)
- When configuring a `tmpfs` mount, only set the `mode=` argument if the target
path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4976)
[CVE-2025-52881][] mitigation patches. (#4971, #4973, #4976)
- Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5034)
comprehensively as possible. (#5007, #5021, #5026, #5034)
- The "hallucination" helpers added as part of the [CVE-2025-52881][]
mitigation have been made more generic and now apply to all of our `pathrs`
helper functions, which should ensure we will not regress dangling symlink
@@ -113,9 +189,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* libct: fix mips compilation. (#4962, #4966)
* When configuring a `tmpfs` mount, only set the `mode=` argument if the
target path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4976)
[CVE-2025-52881][] mitigation patches. (#4971, #4973, #4976)
* Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5034)
comprehensively as possible. (#5007, #5021, #5026, #5034)
### Changed
* Downgrade `github.com/cyphar/filepath-securejoin` dependency to `v0.5.2`,
@@ -134,7 +210,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
target path already existed. This fixes a regression introduced in our
[CVE-2025-52881][] mitigation patches. (#4971, #4974)
* Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5027)
comprehensively as possible. (#5007, #5021, #5026, #5027)
### Changed
* Downgrade `github.com/cyphar/filepath-securejoin` dependency to `v0.5.2`,
@@ -1606,8 +1682,13 @@ implementation (libcontainer) is *not* covered by this policy.
[1.3.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.3.0-rc.1
<!-- 1.4.z patch releases -->
[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0...release-1.4
[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.1...release-1.4
[1.4.1]: https://github.com/opencontainers/runc/compare/v1.4.0...v1.4.1
[1.4.0]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...v1.4.0
[1.4.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...v1.4.0-rc.3
[1.4.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.1...v1.4.0-rc.2
[1.4.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.4.0-rc.1
<!-- 1.5.z patch releases -->
[Unreleased 1.5.z]: https://github.com/opencontainers/runc/compare/v1.5.0-rc.1...release-1.5
[1.5.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.4.0...v1.5.0-rc.1
+1 -1
View File
@@ -1 +1 @@
1.4.0-rc.1+dev
1.5.0-rc.1+dev