runc v1.3.0 -- "Mr. President, we must not allow a mine shaft gap!"

This is the first release of the 1.3.z release branch of runc. It
contains a few minor fixes for issues found in 1.3.0-rc.2.

This is the first release of runc that will follow our new release and
support policy (see RELEASES.md for more details). This means that, as
of this release:

 * As of this release, the runc 1.2.z release branch will now only
   recieve security and "significant" bugfixes.
 * Users are encouraged to plan migrating to runc 1.3.0 as soon as
   possible.
 * Due to its particular situation, runc 1.1.z is officially no longer
   supported and will no longer receieve any updates (not even for
   critical security issues). Users are urged (in the strongest possible
   terms) to upgrade to a supported version of runc.
 * Barring any future changes to our release policy, users should expect
   a runc 1.4.0 release in late October 2025.

Fixed:

 * Removed pre-emptive "full access to cgroups" warning when calling
   runc pause or runc unpause as an unprivileged user without
   --systemd-cgroups. Now the warning is only emitted if an actual
   permission error was encountered. (#4709)
 * Several fixes to our CI, mainly related to AlmaLinux and CRIU.
   (#4670, #4728, #4736)

Changed:

 * In runc 1.2, we changed our mount behaviour to correctly handle
   clearing flags. However, the error messages we returned did not
   provide as much information to users about what clearing flags were
   conflicting with locked mount flags. We now provide more diagnostic
   information if there is an error when in the fallback path to handle
   locked mount flags. (#4734)
 * Upgrade our CI to use golangci-lint v2.0. (#4692)
 * runc version information is now filled in using //go:embed rather
   than being set through Makefile. This allows go install or other
   non-make builds to contain the correct version information. Note that
   "make EXTRA_VERSION=..." still works. (#418)
 * Remove exclude directives from our go.mod for broken cilium/ebpf
   versions. v0.17.3 resolved the issue we had, and exclude directives
   are incompatible with go install. (#4748)

Thanks to the following contributors for making this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.3.0-rc.2 -- "Eppur si muove."

This is the second release candidate of the runc 1.3.0 release. It
contains a few fixes for issues found in rc.1.

This is the first release series that will follow our new release
policy, meaning that users should expect runc 1.3.0 to be released at
the end of April 2025, at which point the support policy for the runc
1.2.z branch will change. Please see the new RELEASES.md document for
more information.

Users are strongly encouraged to test our release candidates so we can
fix issues before the general release.

Fixes:

 * Use the container's `/etc/passwd` to set the `HOME` env var. After a refactor
   for 1.3, we were setting it reading the host's `/etc/passwd` file instead.
   (#4693, #4688)
 * Override `HOME` env var if it's set to the empty string. This fixes a
   regression after the same refactor for 1.3 and aligns the behavior with older
   versions of runc. (#4711)
 * Add time namespace to container config after checkpoint/restore. CRIU since
   version 3.14 uses a time namespace for checkpoint/restore, however it was not
   joining the time namespace in runc. (#4705)

Thanks to the following contributors for making this release possible:

 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Rudi Heitbaum <rudi@heitbaum.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Andrei Vagin <avagin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

runc v1.2.6 -- "Hasta la victoria, siempre."

This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.

* Fix a stall issue that would happen if setting `O_CLOEXEC` with
  `CloseExecFrom` failed (#4647).
* `runc` now properly handles joining time namespaces (such as with `runc
  exec`). Previously we would attempt to set the time offsets when joining,
  which would fail. (#4635, #4649)
* Handle `EINTR` retries correctly for socket-related direct
  `golang.org/x/sys/unix` system calls. (#4650)
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
  turns out this had some unfortunate bugs in older kernel versions and was
  never necessary in the first place. (#4651, #4640)
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
  runc-dmz, but we forgot to remove this helper added only for that. (#4646)
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
  from CI. We need to drop Ubuntu 20.04 from CI because Github Actions
  announced it's already deprecated and it will be discontinued soon. (#4648)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Evan Phoenix <evan@phx.io>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Tomasz Duda <tomaszduda23@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

runc v1.3.0-rc.1 -- "No tengo miedo al invierno, con tu recuerdo llen…

…o de sol."

This is the first release candidate of the runc 1.3.0 release. It
contains a couple of new features, but is mostly made up of some minor
(but notable) API changes to libcontainer as well as a series of bug
fixes.

This is the first release series that will follow our new release
policy, meaning that user should expect runc 1.3.0 to be released at the
end of April 2025, at which point the support policy for the runc 1.2.z
branch will change. Please see the new RELEASES.md document for more
information.

Users are strongly encouraged to test our release candidates over the
next two months so we can fix issues before the general release.

API Changes:

 * configs.CommandHook struct has changed, Command is now a pointer.
   Also, configs.NewCommandHook now accepts a *Command. (#4325)
 * The Process struct has User string field replaced with numeric UID
   and GID fields, and AdditionalGroups changed its type from []string
   to []int. Essentially, resolution of user and group names to IDs is
   no longer performed by libcontainer, so if a libcontainer user
   previously relied on this feature, now they have to convert names to
   IDs before calling libcontainer; it is recommended to use Go package
   github.com/moby/sys/user for that. (#3999)
 * Move libcontainer/cgroups to a separate repository. (#4618)

Fixes:

 * runc exec -p no longer ignores specified ioPriority and scheduler
   settings. Similarly, libcontainer's Container.Start and Container.Run
   methods no longer ignore Process.IOPriority and Process.Scheduler
   settings. (#4585)
 * We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as
   it turns out this had some unfortunate bugs in older kernel versions
   and was never necessary in the first place. (#4641, #4640)
 * runc now uses a more flexible method of joining namespaces, which
   better matches the behaviour of nsenter(8). This is mainly useful for
   users that create a container with a runc-managed user namespace but
   want the container to join some externally-managed namespace as well.
   (#4492)
 * runc now properly handles joining time namespaces (such as with runc
   exec). Previously we would attempt to set the time offsets when
   joining, which would fail. (#4635, #4636)
 * Handle EINTR retries correctly for socket-related direct
   golang.org/x/sys/unix system calls. (#4637)
 * Handle close_range(2) errors more gracefully. (#4596)
 * Fix a stall issue that would happen if setting O_CLOEXEC with
   CloseExecFrom failed (#4599).
 * Handle errors on older kernels when resetting ambient capabilities
   more gracefully. (#4597)

Changed:

 * runc now has an official release policy to help provide more
   consistency around our release schedules and better define our
   support policy for old release branches. See RELEASES.md for more
   details. (#4557)
 * Improved performance by switching to strings.Cut where appropriate.
   (#4470)
 * The minimum Go version of runc is now Go 1.23. (#4598)
 * Updated builds to libseccomp v2.5.6. (#4625)

Added:

 + runc has been updated to support OCI runtime-spec 1.2.1. (#4653)
 + CPU affinity support for runc exec. (#4327)
 + CRIU support can be disabled using the build tag runc_nocriu. (#4547)
 + Support to get the pidfd of the container via CLI flag pidfd-socket.
   (#4045)
 + Support skip-in-flight and link-remap options for CRIU. (#4627)
 + Support cgroup v1 mounted with noprefix. (#4513)

Thanks to the following contributors for making this release possible:

 * Adam Korczynski <adam@adalogics.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Daniel Levi-Minzi <dleviminzi@gmail.com>
 * Evan Phoenix <evan@phx.io>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rin Arakaki <rnarkkx@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Tomasz Duda <tomaszduda23@gmail.com>
 * Wei Fu <fuweid89@gmail.com>
 * Yangzhao Hjh <yangzhao.hjh@alibaba-inc.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.5 -- "Мороз и солнце; день чудесный!"

This is the fifth patch release in the 1.2.z series of runc. It
primarily fixes an issue caused by an upstream systemd bug.

 * There was a regression in systemd v230 which made the way we define device
   rule restrictions require a systemctl daemon-reload for our transient
   units. This caused issues for workloads using NVIDIA GPUs. Workaround the
   upstream regression by re-arranging how the unit properties are defined.
   (#4568, #4612, #4615)
 * Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
   to allow projects that vendor runc to bump it as well. (#4608)
 * CI: fixed criu-dev compilation. (#4611)
 * Dependency golang.org/x/net is updated to 0.33.0. (#4632)

Thanks to the following contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Brad Davidson <brad.davidson@rancher.com>
 * Jian Wen <wenjianhn@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rata@users.noreply.github.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It
includes a fix for a regression introduced in 1.2.0 related to the
default device list.

 * Re-add tun/tap devices to built-in allowed devices lists.

   In runc 1.2.0 we removed these devices from the default allow-list
   (which were added seemingly by accident early in Docker's history) as
   a precaution in order to try to reduce the attack surface of device
   inodes available to most containers (#3468). At the time we thought
   that the vast majority of users using tun/tap would already be
   specifying what devices they need (such as by using `--device` with
   Docker/Podman) as opposed to doing the `mknod` manually, and thus
   there would've been no user-visible change.

   Unfortunately, it seems that this regressed a noticeable number of
   users (and not all higher-level tools provide easy ways to specify
   devices to allow) and so this change needed to be reverted. Users
   that do not need these devices are recommended to explicitly disable
   them by adding deny rules in their container configuration. (#4555,
   #4556)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.3 -- "Winter is not a season, it's a celebration."

This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.

 * Fixed a regression in use of securejoin.MkdirAll, where multiple
   runc processes racing to create the same mountpoint in a shared rootfs
   would result in spurious EEXIST errors. In particular, this regression
   caused issues with BuildKit. (#4543, #4550)
 * Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
   Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

Thanks to all of the contributors who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.2 -- "Specialization is for insects."

This is the second patch release of the 1.2.z branch of runc. It
includes two fixes for problems introduced in runc 1.2.0, as well as
some documentation improvements surrounding the overlayfs /proc/self/exe
protections.

 * Fixed the failure of `runc delete` on a rootless container with no
   dedicated cgroup on a system with read-only `/sys/fs/cgroup` mount.
   This is a regression in runc 1.2.0, causing a failure when using
   rootless buildkit. (#4518, #4531)
 * Using runc on a system where /run/runc and /usr/bin are on different
   filesystems no longer results in harmless but annoying messages
   ("overlayfs: "xino" feature enabled using 3 upper inode bits")
   appearing in the kernel log. (#4508, #4530)
 * Better memfd-bind documentation. (#4530)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Austin Vazquez <macedonv@amazon.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * lfbzhm <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc v1.2.1 -- "No existe una escuela que enseñe a vivir."

This is the first patch release of the 1.2.z series of runc. It includes
a critical bugfix for an issue that manifested on SELinux-based
distributions distributions and was blocking containerd from updating to
runc 1.2.z.

In addition, runc-dmz (added in 1.2.0) has been removed entirely. This
was opt-out (due to the many limitations it had), but the late addition
of the overlayfs-based CVE-2019-5736 protection made it no longer
necessary at all.

 + Became root after joining an existing user namespace. Otherwise, runc
   won't have permissions to configure some mounts when running under
   SELinux and runc is not creating the user namespace. (#4466, #4477)
 - Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)
 - Remove runc-dmz, that had many limitations, and is mostly made obsolete by
   the new protection mechanism added in v1.2.0. Note that runc-dmz was only
   available only in the 1.2.0 release and required to set an environment variable
   to opt-in. (#4488)
 * The `script/check-config.sh` script now checks for overlayfs support. (#4494)
 * When using cgroups v2, allow to set or update memory limit to "unlimited"
   and swap limit to a specific value. (#4501)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Wei Fu <fuweid89@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.2.0 -- "できるときにできることをやるんだ。それが今だ。"

This is long-awaited release of runc 1.2.0! The primary changes from rc3
are general improvements and fixes for minor regressions related to the
new /proc/self/exe cloning logic in runc 1.2, follow-on patches related
to CVE-2024-45310, as well as some other minor changes.

 + In order to alleviate the remaining concerns around the memory usage
   and (arguably somewhat unimportant, but measurable) performance
   overhead of memfds for cloning `/proc/self/exe`, we have added a new
   protection using `overlayfs` that is used if you have enough
   privileges and the running kernel supports it. It has effectively no
   performance nor memory overhead (compared to no cloning at all).
   (#4448)
 * The original fix for CVE-2024-45310 was intentionally very limited in
   scope to make it easier to review, however it also did not handle all
   possible `os.MkdirAll` cases and thus could lead to regressions. We
   have switched to the more complete implementation in the newer
   versions of `github.com/cyphar/filepath-securejoin`. (#4393, #4400,
   #4421, #4430)
 * In certain situations (a system with lots of mounts or racing mounts)
   we could accidentally end up leaking mounts from the container into
   the host. This has been fixed. (#4417)
 * The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a
   minor bug that would cause us to miss non-`noexec` directories and
   thus fail to start containers on some systems. (#4444)
 * Sometimes the cloned `/proc/self/exe` file descriptor could be placed
   in a way that it would get clobbered by the Go runtime. We had a fix
   for this already but it turns out it could still break in rare
   circumstances, but it has now been fixed. (#4294, #4452)
 * It is not possible for `runc kill` to work properly in some specific
   configurations (such as rootless containers with no cgroups and a
   shared pid namespace). We now output a warning for such
   configurations. (#4398)
 * memfd-bind: update the documentation and make path handling with the
   systemd unit more idiomatic. (#4428)
 * We now use v0.16 of Cilium's eBPF library, including fixes that quite
   a few downstreams asked for. (#4397, #4396)
 * Some internal `runc init` synchronisation that was no longer
   necessary (due to the `/proc/self/exe` cloning move to Go) was
   removed. (#4441)

Thanks to all of the contributors who made this release possible:

 * Akhil Mohan <akhilerm@gmail.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Rafael Roquetto <rafael.roquetto@grafana.com>
 * Rodrigo Campos <rodrigoca@microsoft.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Stavros Panakakis <stavrospanakakis@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>