v1.0.0~rc3

Features:
+ Add slice management support to the systemd cgroup driver. Checks are done
  to make sure that systemd supports the feature. #1084
+ Support for readonly mount labels. #1112
+ Add a tmpcopyup mount extension for tmpfs mounts that are mounted over
  already existing directories, allowing for the contents of a volume to be
  copied up transparently. #845
* Switch our pivot_root usage to no longer require temporary directories,
  improving the state of containers running in entirely readonly contexts.
  #1125 #1148
+ Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
+ Reimplement console handling to use AF_UNIX sockets such that the console
  is created inside the container's (namespaced) devpts instance, solving a
  wide variety of historical pty bugs with runC. #1018 #1356
* Support overlayfs in mounts. #1314
+ Support creating devices with types 'p' and 'u'. #1321
+ Add --preserve-fds=N to create and run commands. #1320
+ Add pre-dump and parent-path to checkpoint. #1001
+ Update to runtime-spec v1.0.0-rc5. #1370

Fixes:
* Remove check for binding to /. #1090
* Ensure we log to logrus on command errors. #1089
* Don't enable kmem limits if they're not specified in the config. #1095
* Handle cases where specs.Resources.* members would cause null
  dereferences. #1111 #1116
* Fix bugs in the GetProcessStartTime implementation. #1136
* Make sysctl config validation checks handle network namespaces more
  gracefully. #1138 #1149
* Guarantee correct namespace creation ordering. This is part of the
  rootless container patchset, and is also required in certain SELinux
  setups. #977
* Stop screwing around with '\n' in console output. #1146
* Fix cpuset.cpu_exclusive handling. #1194
* Sync HookState with the OCI specification. #1201
* Split remounting mountpoints and bindmounts, resolving issues with mount
  options being dropped in certain cases. #1222
* Fix leftover cgroup directory issue. #1196
* Handle config.Devices and config.MaskPaths in checkpoint. #1110.
* Don't create combined cgroup subsystem names. #1268
* Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
* Race condition when synchronising with children and grandchildren in
  nsexec.c. #1237
* Fix state checks to no longer depend on _LIBCONTAINER being present in the
  environment, fixing both bugs as well as being part of the rootless
  container patchset. #1317
* Fix systemd-notify when using different PID namespaces, and allow
  detach+notify socket. #1308
* Don't fchown when inheriting stdio, which is necessary for rootless
  containers in certain scenarios. #1354
* Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
* Add devices to whitelist for LXD, to make runC under LXC/LXD work
  better. #1327
* Many improvements to testing. #1121 #1131 #1132 #1147

Security:
* Several fixes for CVE-2016-9962. 5d93fed3d27f #1274

Thanks to all of the contributors that made this release possible:

* Qiang Huang <h.huangqiang@huawei.com>
* Aleksa Sarai <asarai@suse.de>
* Mrunal Patel <mrunalp@gmail.com>
* Michael Crosby <crosbymichael@gmail.com>
* Wang Long <long.wanglong@huawei.com>
* Daniel, Dao Quang Minh <dqminh89@gmail.com>
* rajasec <rajasec79@gmail.com>
* Zhang Wei <zhangwei555@huawei.com>
* Steven Hartland <steven.hartland@multiplay.co.uk>
* Giuseppe Scrivano <gscrivan@redhat.com>
* Shukui Yang <yangshukui@huawei.com>
* Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
* Daniel Dao <dqminh89@gmail.com>
* CuiHaozhi <cuihaozhi@chinacloud.com.cn>
* Antonio Murdaca <runcom@redhat.com>
* Xianglin Gao <xlgao@zju.edu.cn>
* Lei Jitang <leijitang@huawei.com>
* Justin Cormack <justin.cormack@docker.com>
* Dan Walsh <dwalsh@redhat.com>
* Daniel Martí <mvdan@mvdan.cc>
* Ce Gao <ce.gao@outlook.com>
* allencloud <allen.sun@daocloud.io>
* Alexander Morozov <lk4d4math@gmail.com>
* yupeng <yu.peng36@zte.com.cn>
* Yuanhong Peng <pengyuanhong@huawei.com>
* Yong Tang <yong.tang.github@outlook.com>
* xuxinkun <xuxinkun@gmail.com>
* Xianlu Bird <xianlubird@gmail.com>
* William Martin <wmartin@pivotal.io>
* Wentao Zhang <zhangwentao234@huawei.com>
* Vivek Goyal <vgoyal@redhat.com>
* Samuel Ortiz <sameo@linux.intel.com>
* rainrambler <wanganyu@outlook.com>
* Mohammad Arab <boynux@gmail.com>
* Michal Rostecki <michal@kinvolk.io>
* Máximo Cuadros <mcuadros@gmail.com>
* Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
* Ian Campbell <ian.campbell@docker.com>
* Harry Zhang <harryz@hyper.sh>
* Fengtu Wang <wangfengtu@huawei.com>
* Eric Paris <eparis@redhat.com>
* Derek Carr <decarr@redhat.com>
* Deng Guangxing <dengguangxing@huawei.com>
* CuiHaozhi <61755280@qq.com>
* Crazykev <crazykev@zju.edu.cn>
* Chris Aniszczyk <caniszczyk@gmail.com>
* Casey Callendrello <c1@caseyc.net>
* Carlton-Semple <carlton.semple@ibm.com>
* Brian Goff <cpuguy83@gmail.com>
* Andrew Vagin <avagin@openvz.org>