When used with systemd v240+, systemd cgroup drivers no longer skip
DeviceAllow rules if the device does not exist (a regression introduced
in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
removing an extra warning emitted by runc run/start. (#3845, #3708, #3671)
Added
The source code now has a new file, runc.keyring, which contains the keys
used to sign runc releases. (#3838)
[1.1.6] - 2023-04-11
In this world nothing is certain but death and taxes.
Compatibility
This release can no longer be built from sources using Go 1.16. Using a
latest maintained Go 1.20.x or Go 1.19.x release is recommended.
Go 1.17 can still be used.
Fixed
systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
from systemd while trying to create a systemd unit, which in some scenarios
may result in a container not being added to the proper systemd unit and
cgroup. (#3780, #3806)
systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
than 8 CPUs, resulting in the wrong AllowedCPUs setting. (#3808)
systemd cgroup v1 driver was prefixing container's cgroup path with the path
of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
(#3811)
runc run/start may return "permission denied" error when starting a rootless
container when the file to be executed does not have executable bit set for
the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1 (#3715, #3817)
cgroup v1 drivers are now aware of misc controller. (#3823)
Various CI fixes and improvements, mostly to ensure Go 1.19.x and Go 1.20.x
compatibility.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/opencontainers/runc from 1.1.5 to 1.1.7.
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
860f061
VERSION: release 1.1.72648033
Merge pull request #3838 from cyphar/1.1-release-gpgkeysf72cd0a
Merge pull request #3845 from kolyshkin/1.1-rm-warningc1063b1
runc.keyring: add Akihiro Sudab0fae8c
scripts: keyring validate: print some more information79a52b4
libct/cg/sd: use systemd version when generating dev props6a806d4
runc.keyring: add Kolyshkinb6f686f
keyring: add Aleksa's <cyphar@cyphar.com> signing key63355bf
keyring: add Aleksa's <asarai@suse.com> signing key3bdb63b
keyring: verify runc.keyring has legitimate maintainer keysDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)