Commit 202ca99

merge #4655 into opencontainers/runc:main
Kir Kolyshkin (1): CHANGELOG: fwd port 1.2.1 to 1.2.5 changes LGTMs: lifubang cyphar
2 parents b0a21af + 6e01e85 commit 202ca99

1 file changed

+95
-1
lines changed

CHANGELOG.md

Lines changed: 95 additions & 1 deletion
@@ -23,6 +23,95 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
2323
methods no longer ignore `Process.IOPriority` and `Process.Scheduler`
2424
settings. (#4585)
2525

26+
## [1.2.5] - 2025-02-13
27+
28+
> Мороз и солнце; день чудесный!
29+
30+
### Fixed
31+
* There was a regression in systemd v230 which made the way we define device
32+
rule restrictions require a systemctl daemon-reload for our transient
33+
units. This caused issues for workloads using NVIDIA GPUs. Workaround the
34+
upstream regression by re-arranging how the unit properties are defined.
35+
(#4568, #4612, #4615)
36+
* Dependency github.com/cyphar/filepath-securejoin is updated to v0.4.1,
37+
allowing projects that vendor runc to bump it as well. (#4608)
38+
* CI: fixed criu-dev compilation. (#4611)
39+
40+
### Changed
41+
* Dependency golang.org/x/net is updated to 0.33.0. (#4632)
42+
43+
## [1.2.4] - 2025-01-07
44+
45+
> Христос се роди!
46+
47+
### Fixed
48+
* Re-add tun/tap devices to built-in allowed devices lists.
49+
50+
In runc 1.2.0 we removed these devices from the default allow-list (which
51+
were added seemingly by accident early in Docker's history) as a precaution
52+
in order to try to reduce the attack surface of device inodes available to
53+
most containers (#3468). At the time we thought that the vast majority of
54+
users using tun/tap would already be specifying what devices they need (such
55+
as by using `--device` with Docker/Podman) as opposed to doing the `mknod`
56+
manually, and thus there would've been no user-visible change.
57+
58+
Unfortunately, it seems that this regressed a noticeable number of users
59+
(and not all higher-level tools provide easy ways to specify devices to
60+
allow) and so this change needed to be reverted. Users that do not need
61+
these devices are recommended to explicitly disable them by adding deny
62+
rules in their container configuration. (#4555, #4556)
63+
64+
## [1.2.3] - 2024-12-12
65+
66+
> Winter is not a season, it's a celebration.
67+
68+
### Fixed
69+
* Fixed a regression in use of securejoin.MkdirAll, where multiple
70+
runc processes racing to create the same mountpoint in a shared rootfs
71+
would result in spurious EEXIST errors. In particular, this regression
72+
caused issues with BuildKit. (#4543, #4550)
73+
* Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
74+
Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)
75+
76+
## [1.2.2] - 2024-11-15
77+
78+
> Specialization is for insects.
79+
80+
### Fixed
81+
* Fixed the failure of `runc delete` on a rootless container with no
82+
dedicated cgroup on a system with read-only `/sys/fs/cgroup` mount.
83+
This is a regression in runc 1.2.0, causing a failure when using
84+
rootless buildkit. (#4518, #4531)
85+
* Using runc on a system where /run/runc and /usr/bin are on different
86+
filesystems no longer results in harmless but annoying messages
87+
("overlayfs: "xino" feature enabled using 3 upper inode bits")
88+
appearing in the kernel log. (#4508, #4530)
89+
90+
### Changed
91+
* Better memfd-bind documentation. (#4530)
92+
* CI: bump Fedora 40 -> 41. (#4528)
93+
94+
## [1.2.1] - 2024-11-01
95+
96+
> No existe una escuela que enseñe a vivir.
97+
98+
### Fixed
99+
* Became root after joining an existing user namespace. Otherwise, runc
100+
won't have permissions to configure some mounts when running under
101+
SELinux and runc is not creating the user namespace. (#4466, #4477)
102+
103+
### Removed
104+
* Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)
105+
* Remove runc-dmz, that had many limitations, and is mostly made obsolete by
106+
the new protection mechanism added in v1.2.0. Note that runc-dmz was only
107+
available only in the 1.2.0 release and required to set an environment variable
108+
to opt-in. (#4488)
109+
110+
### Added
111+
* The `script/check-config.sh` script now checks for overlayfs support. (#4494)
112+
* When using cgroups v2, allow to set or update memory limit to "unlimited"
113+
and swap limit to a specific value. (#4501)
114+
26115
## [1.2.0] - 2024-10-22
27116

28117
> できるときにできることをやるんだ。それが今だ。
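
Review bot: In the 1.2.4 entry, the advice that users "are recommended to explicitly disable them by adding deny rules in their container configuration" is not actionable as written, because it names neither the device nodes concerned nor the configuration field the deny rules belong in. Since this entry puts tun/tap back on the default allow-list that 1.2.0 had narrowed to reduce attack surface, please name the devices and the field, or link to the relevant documentation, so that operators who want the 1.2.0 behaviour can restore it. Two wording nits in the same hunk: "Workaround the upstream regression" in 1.2.5 should read "Work around", and "was only available only in the 1.2.0 release and required to set an environment variable" in 1.2.1 has a duplicated "only" and is missing a subject for "required".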
@@ -917,7 +1006,12 @@ implementation (libcontainer) is *not* covered by this policy.
9171006
[1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1
9181007

9191008
<!-- 1.2.z patch releases -->
920-
[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.0...release-1.2
1009+
[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.5...release-1.2
1010+
[1.2.5]: https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
1011+
[1.2.4]: https://github.com/opencontainers/runc/compare/v1.2.3...v1.2.4
1012+
[1.2.3]: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3
1013+
[1.2.2]: https://github.com/opencontainers/runc/compare/v1.2.1...v1.2.2
1014+
[1.2.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.2.1
9211015
[1.2.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.2...v1.2.0-rc.3
9221016
[1.2.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.2.0-rc.1...v1.2.0-rc.2
9231017
[1.2.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.2.0-rc.1
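
Review bot: The removed `[Unreleased 1.2.z]` line still compared from `v1.2.0` even though this change documents five later releases (1.2.1 through 1.2.5), so the link had been presenting already-released changes as unreleased. The new base `v1.2.5` and the five added link definitions match the five headings added above, but nothing visible here keeps them in step. Consider a release-checklist step or a small CI check that every `## [x.y.z]` heading has a matching link definition and that the unreleased compare base equals the newest tag on the branch.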
