runc 1.0-rc7 -- "The Eleventh Hour"
WARNING: There is a regression in this release for old kernels, which we are working on fixing in #2031.
Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0.
NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp with our releases) and thus we had to recompile our runc
binaries to be sure we were distributing the correct version of libseccomp.
All of the binaries are still signed by the same maintainer key, and thus can
still be easily validated.
NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.
Security:
- Mitigate CVE-2019-5736. This is an updated version of the patch series sent
  out on openwall and we encourage users to update. #1982 #1984

  NOTE: This mitigation WILL NOT WORK if you run untrusted containers with
  host uid 0 and give them CAP_SYS_ADMIN (the protection operates through a
  hidden read-only bind-mount which can be re-mounted by CAP_SYS_ADMIN
  privileged users).

  Put simply -- we consider granting CAP_SYS_ADMIN to untrusted containers
  without user namespaces to be fundamentally insecure, as such we do not
  consider this to be a security issue.

  If you want an additional host-level mitigation, use "chattr +i" on the
  host file to ensure containers without CAP_LINUX_IMMUTABLE cannot write to
  it -- even with CAP_SYS_ADMIN. But as above, if you give
  CAP_LINUX_IMMUTABLE to a container you will have problems.

  An alternative is to bind-mount a sealed memfd copy of the runc binary over
  the binary (runc will detect this and will not attempt further mitigation,
  because sealed memfds are fundamentally unmodifiable) but this requires
  more in-depth work by administrators.

- There appear to be production users of --no-pivot-root, which is something
  that we absolutely recommend against and do not consider to be a secure
  configuration -- since pivot_root(2) has many security properties that are
  not possible to provide with just chroot(2).

  However, a specific issue was discovered which we decided to mitigate in
  order to avoid production users being exploited by it. This security issue
  is not eligible for a CVE because it requires an insecure configuration
  (--no-pivot-root). #1962
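The sealed-memfd alternative mentioned above, as an added example that is not runc's own code: it copies a binary into a memfd, applies every seal, and checks that a later overwrite is refused. The running program's own /proc/self/exe stands in for the runc binary, and the bind-mount of the copy over the real binary, which needs root, is left out.

```c
/* Added example (not runc's code): build a sealed memfd copy of a binary, the
 * technique the CVE-2019-5736 mitigation relies on. /proc/self/exe stands in
 * for the runc binary; the bind-mount over the original (root only) is omitted. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallback values (from linux/fcntl.h) for headers that predate memfd seals. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif
#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy the file at path into a fresh memfd and seal it so it can no longer be
 * written, resized or unsealed, even by a CAP_SYS_ADMIN holder. Returns the
 * memfd, or -1 on failure. */
int make_sealed_copy(const char *path) {
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* 3U = MFD_CLOEXEC | MFD_ALLOW_SEALING; seals cannot be added otherwise */
    int mfd = (int)syscall(SYS_memfd_create, "runc-copy", 3U);
    if (mfd < 0) { close(src); return -1; }
    char buf[65536];
    ssize_t n, w;
    while ((n = read(src, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; off += w)   /* tolerate short writes */
            if ((w = write(mfd, buf + off, n - off)) < 0) { n = -1; goto done; }
done:
    close(src);
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0) { close(mfd); return -1; }
    return mfd;
}

/* 1 if fd carries every seal the mitigation depends on, else 0. */
int is_fully_sealed(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & ALL_SEALS) == ALL_SEALS;
}

/* 1 if an attempt to overwrite the copy is refused with EPERM, else 0. */
int write_is_refused(int fd) {
    return write(fd, "x", 1) < 0 && errno == EPERM;
}
```

Once the copy passes both checks, the remaining administrative step is mounting it over the real runc path so that /proc/self/exe inside containers resolves to the sealed copy.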
Features:
- Add intelrdt support for MBA to runc (a new intelrdt feature available in
  Linux 4.18+). #1919
- Add support for specifying a CRIU configuration file for checkpoint/restore
  (which makes use of a new org.criu.config annotation). #1933 #1964
- Add support for "runc exec --preserve-fds". #1995
- Added support for SELinux labeling of keyrings. #2012
Fixes:
- Correct handling of "runc kill" when a container is stopped or paused.
  #1934 #1943
- Error out if built with nokmem and kmemcg limits were requested. #1939
- Update check-config.sh to be in line with Docker's. #1942
- Improve handling of kmem and the systemd cgroup driver. #1960
- Improve resilience of adding setns tasks to cgroups. #1950
- Remove (broken) detection of .scope for systemd. #1978
- Fix console hanging with preserve-fds, where not enough fds have actually
  been provided to runc (which is a very common mistake when using
  --preserve-fds). #2000
- Create bind-mounts when restoring. #1968
- Fix regression of zombie "runc init" processes. #2023
Static Linking Notices
The runc binaries distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors that made this release possible:
- Ace-Tang aceapril@126.com
- Adrian Reber areber@redhat.com
- Aleksa Sarai asarai@suse.de
- Alex Fang littlelightlittlefire@gmail.com
- Christian Brauner christian.brauner@ubuntu.com
- Danail Branekov danailster@gmail.com
- Daniel, Dao Quang Minh dqminh89@gmail.com
- Daniel J Walsh dwalsh@redhat.com
- Filipe Brandenburger filbranden@google.com
- Giuseppe Scrivano gscrivan@redhat.com
- JoeWrightss zhoulin.xie@daocloud.io
- John Howard jhoward@microsoft.com
- Justin Cormack justin.cormack@docker.com
- Kenta Tada Kenta.Tada@sony.com
- Lifubang lifubang@acmcoder.com
- Michael Crosby crosbymichael@gmail.com
- Mrunal Patel mrunal@me.com
- Tom Godkin tgodkin@pivotal.io
- Vincent Batts vbatts@hashbangbash.com
- Xiaochen Shen xiaochen.shen@intel.com
With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!
Signed-off-by: Aleksa Sarai asarai@suse.de