v1.0.0-rc91
This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).
* The long-awaited hooks changes have been merged into runc. This was
one of the few remaining spec-related issues which were blocking us
from releasing runc 1.0. Existing hook users will not be affected by
this change, but runc now supports additional hooks that we expect
users to migrate to eventually. The new hooks are:
- createRuntime (replacement for the now-deprecated prestart)
- createContainer
- startContainer
* A large amount of effort has been undertaken to support cgroupv2
within runc. The support is still considered experimental, but it is
mostly functional at this point. Please report any bugs you find when
running under cgroupv2-only systems.
* A minor-severity security bug was fixed[1]. The devices list would
be in allow-by-default mode from the outset, meaning that users would
have to explicitly specify they wish to deny all device access at the
beginning of the configuration. While this would normally be
considered a high-severity vulnerability, all known users of runc had
worked around this issue several years ago (which is why this fairly
obvious bug was masked).
In addition, the devices list code has been massively improved such
that it will attempt to avoid causing spurious errors in the
container (such as while writing to /dev/null) when doing devices
cgroup updates.
* A security audit of runc was conducted in 2019, and the report PDF is
now included in the runc repository. The previous release of runc
has already addressed the security issues found in that report.
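A check for the workaround described in the devices-list item above, added here as an example and not runc's own code: it parses the linux.resources.devices list of an OCI config.json and reports whether the first rule is an explicit deny-all. The struct names, the function name and the two sample fragments are constructed for this example, and treating an omitted or -1 major/minor as a wildcard is the example's own assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the config.json fields we inspect; names follow linux.resources.devices in the OCI runtime-spec.
type deviceRule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type"`
	Major  *int64 `json:"major"`
	Minor  *int64 `json:"minor"`
	Access string `json:"access"`
}
type ociConfig struct {
	Linux struct {
		Resources struct {
			Devices []deviceRule `json:"devices"`
		} `json:"resources"`
	} `json:"linux"`
}
// StartsWithDenyAll reports whether the first devices rule is a blanket deny:
// allow=false, all types, any major/minor, and access covering r, w and m.
func StartsWithDenyAll(configJSON []byte) (bool, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return false, err
	}
	rules := cfg.Linux.Resources.Devices
	if len(rules) == 0 {
		return false, nil // no rules at all, so nothing is explicitly denied
	}
	r := rules[0]
	anyNum := func(n *int64) bool { return n == nil || *n == -1 } // omitted or -1 = wildcard (assumption)
	allType := r.Type == "" || r.Type == "a"
	allAccess := strings.ContainsRune(r.Access, 'r') && strings.ContainsRune(r.Access, 'w') && strings.ContainsRune(r.Access, 'm')
	return !r.Allow && allType && anyNum(r.Major) && anyNum(r.Minor) && allAccess, nil
}
// Constructed samples: "weak" only allow-lists /dev/null (char 1:3) and relies on the runtime denying by default; "hardened" denies everything explicitly first.
const weakConfig = `{"linux":{"resources":{"devices":[{"allow":true,"type":"c","major":1,"minor":3,"access":"rwm"}]}}}`
const hardenedConfig = `{"linux":{"resources":{"devices":[{"allow":false,"access":"rwm"},
 {"allow":true,"type":"c","major":1,"minor":3,"access":"rwm"}]}}}`
func main() {
	for name, c := range map[string]string{"weak": weakConfig, "hardened": hardenedConfig} {
		ok, err := StartsWithDenyAll([]byte(c))
		fmt.Printf("%-9s deny-all first: %v (err: %v)\n", name, ok, err)
	}
}
```

Running it prints one line per sample; the weak fragment fails the check and the hardened one passes.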
Thanks to the following people who made this release possible:
* Adrian Reber <areber@redhat.com>
* Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Alban Crequy <alban@kinvolk.io>
* Aleksa Sarai <asarai@suse.de>
* Alice Frosi <afrosi@de.ibm.com>
* Amye Scavarda Perrin <amye@linuxfoundation.org>
* Andrei Vagin <avagin@gmail.com>
* Boris Popovschi <zyqsempai@mail.ru>
* Brian Goff <cpuguy83@gmail.com>
* Chris Aniszczyk <caniszczyk@gmail.com>
* Danail Branekov <danailster@gmail.com>
* Giuseppe Scrivano <gscrivan@redhat.com>
* iwankgb <maciej.iwanowski@intel.com>
* John Hwang <John.F.Hwang@gmail.com>
* Katarzyna Kujawa <katarzyna.kujawa@intel.com>
* Kenta Tada <Kenta.Tada@sony.com>
* Kir Kolyshkin <kolyshkin@gmail.com>
* Kir Kolyshkin <kolyshkin@users.noreply.github.com>
* Kohei Ota <kela@inductor.me>
* l00397676 <lujingxiao@huawei.com>
* Lifubang <lifubang@acmcoder.com>
* Mario Nitchev <marionitchev@gmail.com>
* Michael Crosby <crosbymichael@gmail.com>
* Mrunal Patel <mrunalp@gmail.com>
* Odin Ugedal <odin@ugedal.com>
* Paweł Szulik <pawel.szulik@intel.com>
* Peter Hunt <pehunt@redhat.com>
* Pradyumna Agrawal <pradyumnaa@vmware.com>
* Qiang Huang <h.huangqiang@huawei.com>
* Renaud Gaubert <rgaubert@nvidia.com>
* Sascha Grunert <sgrunert@suse.com>
* Sebastiaan van Stijn <github@gone.nl>
* SiYu Zhao <d.chaser.zsy@gmail.com>
* Ted Yu <yuzhihong@gmail.com>
* Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
* Tianon Gravi <admwiggin@gmail.com>
* Tobias Klauser <tklauser@distanz.ch>
* wanghuaiqing <wanghuaiqing@loongson.cn>
* W. Trevor King <wking@tremily.us>
* Yulia Nedyalkova <julianedialkova@hotmail.com>
* zyu <yuzhihong@gmail.com>
> **NOTE**: For those who are confused by the massive version jump (rc10
> to rc91), this was done to avoid issues with SemVer and lexical
> comparisons -- there haven't been 90 other release candidates. Please
> also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10.
[1]: https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai <asarai@suse.de>