openshift-ci[bot]
commented
1 month ago [APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Luap99, renovate[bot]
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/containers/common/blob/main/OWNERS)~~ [Luap99]
Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment
This PR contains the following updates:
v1.2.0-rc.3->v1.2.0Release Notes
opencontainers/runc (github.com/opencontainers/runc)
### [`v1.2.0`](https://redirect.github.com/opencontainers/runc/releases/tag/v1.2.0): runc v1.2.0 -- "できるときにできることをやるんだ。それが今だ。" [Compare Source](https://redirect.github.com/opencontainers/runc/compare/v1.2.0-rc.3...v1.2.0) This is the long-awaited release of runc 1.2.0! The primary changes from rc3 are general improvements and fixes for minor regressions related to the new /proc/self/exe cloning logic in runc 1.2, follow-on patches related to CVE-2024-45310, as well as some other minor changes. - In order to alleviate the remaining concerns around the memory usage and (arguably somewhat unimportant, but measurable) performance overhead of memfds for cloning `/proc/self/exe`, we have added a new protection using `overlayfs` that is used if you have enough privileges and the running kernel supports it. It has effectively no performance nor memory overhead (compared to no cloning at all). ([#4448](https://redirect.github.com/opencontainers/runc/issues/4448)) - The original fix for [CVE-2024-45310][cve-2024-45310] was intentionally very limited in scope to make it easier to review, however it also did not handle all possible `os.MkdirAll` cases and thus could lead to regressions. We have switched to the more complete implementation in the newer versions of `github.com/cyphar/filepath-securejoin`. ([#4393](https://redirect.github.com/opencontainers/runc/issues/4393), [#4400](https://redirect.github.com/opencontainers/runc/issues/4400), [#4421](https://redirect.github.com/opencontainers/runc/issues/4421), [#4430](https://redirect.github.com/opencontainers/runc/issues/4430)) - In certain situations (a system with lots of mounts or racing mounts) we could accidentally end up leaking mounts from the container into the host. This has been fixed. ([#4417](https://redirect.github.com/opencontainers/runc/issues/4417)) - The fallback logic for `O_TMPFILE` clones of `/proc/self/exe` had a minor bug that would cause us to miss non-`noexec` directories and thus fail to start containers on some systems. ([#4444](https://redirect.github.com/opencontainers/runc/issues/4444)) - Sometimes the cloned `/proc/self/exe` file descriptor could be placed in a way that it would get clobbered by the Go runtime. We had a fix for this already but it turns out it could still break in rare circumstances, but it has now been fixed. ([#4294](https://redirect.github.com/opencontainers/runc/issues/4294), [#4452](https://redirect.github.com/opencontainers/runc/issues/4452)) - It is not possible for `runc kill` to work properly in some specific configurations (such as rootless containers with no cgroups and a shared pid namespace). We now output a warning for such configurations. ([#4398](https://redirect.github.com/opencontainers/runc/issues/4398)) - memfd-bind: update the documentation and make path handling with the systemd unit more idiomatic. ([#4428](https://redirect.github.com/opencontainers/runc/issues/4428)) - We now use v0.16 of Cilium's eBPF library, including fixes that quite a few downstreams asked for. ([#4397](https://redirect.github.com/opencontainers/runc/issues/4397), [#4396](https://redirect.github.com/opencontainers/runc/issues/4396)) - Some internal `runc init` synchronisation that was no longer necessary (due to the `/proc/self/exe` cloning move to Go) was removed. ([#4441](https://redirect.github.com/opencontainers/runc/issues/4441)) [cve-2024-45310]: https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv ##### Static Linking Notices The `runc` binary distributed with this release are *statically linked* with the following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting as a "work that uses the Library": [lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html - [libseccomp](https://redirect.github.com/seccomp/libseccomp) The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1. However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.Thanks to all of the contributors who made this release possible: - Akhil Mohan
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.