v1.0.0-rc91

This is intended to be the second-last RC release, with -rc92 having very few large changes so that we can release runc 1.0 (at long last).

* The long-awaited hooks changes have been merged into runc. This was one of the few remaining spec-related issues which were blocking us from releasing runc 1.0. Existing hook users will not be affected by this change, but runc now supports additional hooks that we expect users to migrate to eventually. The new hooks are:

  - createRuntime (replacement for the now-deprecated prestart)
  - createContainer
  - startContainer

* A large amount of effort has been undertaken to support cgroupv2 within runc. The support is still considered experimental, but it is mostly functional at this point. Please report any bugs you find when running under cgroupv2-only systems.

* A minor-severity security bug was fixed[1]. The devices list would be in allow-by-default mode from the outset, meaning that users would have to explicitly specify they wish to deny all device access at the beginning of the configuration. While this would normally be considered a high-severity vulnerability, all known users of runc had worked around this issue several years ago (hence why this fairly obvious bug was masked).

  In addition, the devices list code has been massively improved such that it will attempt to avoid causing spurious errors in the container (such as while writing to /dev/null) when doing devices cgroup updates.

* A security audit of runc was conducted in 2019, and the report PDF is now included in the runc repository. The previous release of runc has already addressed the security issues found in that report.

Thanks to the following people who made this release possible:

* Adrian Reber <areber@redhat.com>
* Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Alban Crequy <alban@kinvolk.io>
* Aleksa Sarai <asarai@suse.de>
* Alice Frosi <afrosi@de.ibm.com>
* Amye Scavarda Perrin <amye@linuxfoundation.org>
* Andrei Vagin <avagin@gmail.com>
* Boris Popovschi <zyqsempai@mail.ru>
* Brian Goff <cpuguy83@gmail.com>
* Chris Aniszczyk <caniszczyk@gmail.com>
* Danail Branekov <danailster@gmail.com>
* Giuseppe Scrivano <gscrivan@redhat.com>
* iwankgb <maciej.iwanowski@intel.com>
* John Hwang <John.F.Hwang@gmail.com>
* Katarzyna Kujawa <katarzyna.kujawa@intel.com>
* Kenta Tada <Kenta.Tada@sony.com>
* Kir Kolyshkin <kolyshkin@gmail.com>
* Kir Kolyshkin <kolyshkin@users.noreply.github.com>
* Kohei Ota <kela@inductor.me>
* l00397676 <lujingxiao@huawei.com>
* Lifubang <lifubang@acmcoder.com>
* Mario Nitchev <marionitchev@gmail.com>
* Michael Crosby <crosbymichael@gmail.com>
* Mrunal Patel <mrunalp@gmail.com>
* Odin Ugedal <odin@ugedal.com>
* Paweł Szulik <pawel.szulik@intel.com>
* Peter Hunt <pehunt@redhat.com>
* Pradyumna Agrawal <pradyumnaa@vmware.com>
* Qiang Huang <h.huangqiang@huawei.com>
* Renaud Gaubert <rgaubert@nvidia.com>
* Sascha Grunert <sgrunert@suse.com>
* Sebastiaan van Stijn <github@gone.nl>
* SiYu Zhao <d.chaser.zsy@gmail.com>
* Ted Yu <yuzhihong@gmail.com>
* Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
* Tianon Gravi <admwiggin@gmail.com>
* Tobias Klauser <tklauser@distanz.ch>
* wanghuaiqing <wanghuaiqing@loongson.cn>
* W. Trevor King <wking@tremily.us>
* Yulia Nedyalkova <julianedialkova@hotmail.com>
* zyu <yuzhihong@gmail.com>

> **NOTE**: For those who are confused by the massive version jump (rc10
> to rc91), this was done to avoid issues with SemVer and lexical
> comparisons -- there haven't been 90 other release candidates. Please
> also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10.

[1]: https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai <asarai@suse.de>