Skip to content

runc v1.3.0 -- "Mr. President, we must not allow a mine shaft gap!"

Latest
Latest
Compare
Choose a tag to compare
@cyphar cyphar released this 29 Apr 15:22
· 148 commits to main since this release
v1.3.0
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.
4ca628d
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.

This is the first release of the 1.3.z release branch of runc. It
contains a few minor fixes for issues found in 1.3.0-rc.2.

This is the first release of runc that will follow our new release and
support policy (see RELEASES.md for more details). This means that, as
of this release:

  • As of this release, the runc 1.2.z release branch will now only
    receive security and "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.3.0 as soon as
    possible.
  • Due to its particular situation, runc 1.1.z is officially no longer
    supported and will no longer receive any updates (not even for
    critical security issues). Users are urged (in the strongest possible
    terms) to upgrade to a supported version of runc.
  • Barring any future changes to our release policy, users should expect
    a runc 1.4.0 release in late October 2025.

Fixed

  • Removed pre-emptive "full access to cgroups" warning when calling
    runc pause or runc unpause as an unprivileged user without
    --systemd-cgroups. Now the warning is only emitted if an actual permission
    error was encountered. (#4709)
  • Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670,
    #4728, #4736)

Changed

  • In runc 1.2, we changed our mount behaviour to correctly handle clearing
    flags. However, the error messages we returned did not provide as much
    information to users about what clearing flags were conflicting with locked
    mount flags. We now provide more diagnostic information if there is an error
    when in the fallback path to handle locked mount flags. (#4734)
  • Upgrade our CI to use golangci-lint v2.0. (#4692)
  • runc version information is now filled in using //go:embed rather than
    being set through Makefile. This allows go install or other non-make
    builds to contain the correct version information. Note that
    make EXTRA_VERSION=... still works. (#418)
  • Remove exclude directives from our go.mod for broken cilium/ebpf
    versions. v0.17.3 resolved the issue we had, and exclude directives are
    incompatible with go install. (#4748)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai [email protected]

Assets 23
Loading