release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: opencontainers/runc@v1.1.5...v1.1.6
This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.
Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.
- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
from systemd while trying to create a systemd unit, which in some scenarios
may result in a container not being added to the proper systemd unit and
cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
container when the file to be executed does not have executable bit set for
the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Note that this is the code in containerd that uses runc (as almost
a library). Please see the other commit for the update to runc binary
itself.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Looks like we had our own copy of the "getDevices" code already, so use
that code (which also matches the code that's used to _generate_ the spec,
so a better match).
Moving the code to a separate file, I also noticed that the _unix and _linux
code was _exactly_ the same (baring some `//nolint:` comments), so also
removing the duplicated code.
With this patch applied, we removed the dependency on the libcontainer/devices
package (leaving only libcontainer/user).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
recent versions of libcontainer/apparmor simplified the AppArmor
check to only check if the host supports AppArmor, but no longer
checks if apparmor_parser is installed, or if we're running
docker-in-docker;
bfb4ea1b1b
> The `apparmor_parser` binary is not really required for a system to run
> AppArmor from a runc perspective. How to apply the profile is more in
> the responsibility of higher level runtimes like Podman and Docker,
> which may do the binary check on their own.
This patch copies the logic from libcontainer/apparmor, and
restores the additional checks.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
8448b92d23...8871d5cdf8
The cgo dependency on libseccomp was removed in containerd/cri#1548.
The `seccomp` build tag is now ignored (and the seccomp support is
always built-in).
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- Remove dependency on libcontainer/system
- Get rid of socat for port forwarding
- Roll docker/distribution back to latest (v2.7.1) release
Now that 901bcb2231 was merged in containerd,
we no longer depend on the ParseDockerRef utility from docker/distribution,
so we can safely roll back to the latest release for this dependency.
- vendor: kubernetes v1.18.2
Fix client watch reestablishment handling of client-side timeouts
- Add config flag to default empty seccomp profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes an improved fix for CVE-2019-5736 to reduce the
increased memory-consumption introduced by the original patch,
RHEL 7.6 getting into a loop due to a kernel bug in those kernels,
and improve compatibility with older kernels.
changes included:
- opencontainers/runc#1973 Vendor opencontainers/runtime-spec 29686dbc
- opencontainers/runc#1978 Remove detection for scope properties, which have always been broken
- opencontainers/runc#1963 Vendor in go-criu and use it for CRIU's RPC definition
- opencontainers/runc#1995 exec: expose --preserve-fds
- opencontainers/runc#2000 fix preserve-fds flag may cause runc hang
- opencontainers/runc#1968 Create bind mount mountpoints during restore
- opencontainers/runc#1984 nsenter: cloned_binary: "memfd" cleanups
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes 6635b4f0c6,
which fixes a vulnerability in runc that allows a container escape (CVE-2019-5736)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes fixes for user namespaces as well as a long standing bug
for running docker and containerd inside an lxc container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
I noticed this file showed up when revendoring dependencies
with vndr.
Also removed `github.com/Microsoft/opengcs` from vendor.conf
as it was not used;
2017/12/05 22:41:58 WARNING: package github.com/Microsoft/opengcs is unused, consider removing it from vendor.conf
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This bumps the runc version to 74a17296470088de3805e138d3d87c62e613dfc4
that includes various fixes.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This resolves logrus issues with containerd not being in sync with the
version runc is using.
This also updates the OCI runtime spec to v1.0.0
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update go-runc to 49b2a02ec1ed3e4ae52d30b54a291b75
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add shim to restore creation
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Keep checkpoint path in service
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add C/R to non-shim build
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Checkpoint rw and image
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Pause container on bind checkpoints
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Return dump.log in error on checkpoint failure
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Pause container for checkpoint
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update runc to 639454475cb9c8b861cc599f8bcd5c8c790ae402
For checkpoint into to work you need runc version
639454475cb9c8b861cc599f8bcd5c8c790ae402 + and criu 3.0 as this is what
I have been testing with.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Move restore behind create calls
This remove the restore RPCs in favor of providing the checkpoint
information to the `Create` calls of a container. If provided, the
container will be created/restored from the checkpoint instead of an
existing container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Regen protos after rebase
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update go-runc to master with portability fixes.
Subreaper only exists on Linux, and only Linux runs the shim in a
mount namespace.
With these changes the shim compiles on Darwin, which means the
whole build compiles without errors now.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Adjust paths that were not canonical.
Add nested vendors that are required.
Now no errors with latest `vndr`.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fixes the ugly build errors on Alpine Linux which the old version gave
from C type mismatches, and now gives a nice neat line of whales on build...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
