runc 1.0-rc2

NOTE: This release's artefacts were updated on 2020-07-30 to correct an
LGPL compliance issue (we previously did not include the source code of
libseccomp or libapparmor with our releases) and thus we had to recompile
our runc binaries to be sure we were distributing the correct version of
libseccomp and libapparmor. All of the binaries are still signed by the
same maintainer key, and thus can still be easily validated.

NOTE: This release's artefacts were updated on 2021-04-07, to correct an
issue with the .tar.xz archive from 2020-07-30 (the archive had malformed
paths due to a bug in historical release scripts -- which caused the update
on 2020-07-30 to change the checksum of the source code archive). See #2895
for more details. All of the binaries are still signed by the same maintainer
key, and thus can still be easily validated.

Features

• {create,run}: add --no-new-keyring flag so that a new session keyring
  is not created for the container and the calling process's keyring is
  inherited.
• restore: add --empty-ns flag to tell CRIU to only create a network
  namespace for a container and not populate it (allowing higher levels
  to correctly handle re-creating the network namespace).
• {create,start}: use a FIFO rather than signals to signal the starting
  of a container. This removes the Go version restriction, and also
  avoids potential issues with Go's signal handling.
• exec: allow additional groups to be overridden.
• delete: add --force flag.
• exec: disable the subreaper option entirely, because the option
  causes many issues with reparenting in the context of containers.
  This is not a complete fix, which is intended to land for -rc3. Using
  the removed option will be silently ignored by runC.
• {create,run}: add support for masking directories with MaskPaths.
• delete: allow for the deletion of multiple containers in one cmdline.
• build: add make release for distributions.

Fixes

• Major improvements and fixes to CLI handling. Now commands like
  runc ps and runc exec will act sanely when you're trying to use
  flags that are not meant to be parsed by runC.
• Set the cp.rt_* cgroup options correctly so that runC running in
  SCHED_RR (realtime) mode can operate properly.
• Massive improvements to kmem limit detection to ensure that we only
  attempt to change memory.kmem.* if it is safe to do so.
• Part of a major cleanup of the nsenter code, with more intended to
  land before -rc3.
• Restored containers now have a start time, which is the time that the
  new container was started (not when the original container was
  started).
• Fix the default cgroupPath behaviour, so that we actually attach to
  subcgroups of all of the caller's current cgroups (rather than using
  the devices cgroup path for all other cgroups)
• Support 32bit UIDs on i386 with the setuid32(2) syscall.
• Add /proc/timer_list to the set of default masked paths.
• Do not create /dev/fuse by default.
• Parse cgroupPath correctly if it contains ':'.
• Add some more debugging information for the test suite, along with
  fixes for race conditions and other issues. In addition, add more
  integration tests for edge conditions.
• Improve check-config.sh script to handle more cases.
• Fix incorrect type when setting of net_cls classid.
• Lots of fixes to help pages and man pages.
• *: append -dirty to the version if the git repo is unclean.
• Fix the JSON tags for CpuRt* options.
• Cleanups to the rootfs setup code.
• Improve error messages related to SELinux.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp
• libapparmor

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

---

Thanks to all of the contributors that made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Alexander Morozov [email protected]
• Andrew Vagin [email protected]
• Ben [email protected]
• Buddha Prakash [email protected]
• Carl Henrik Lunde [email protected]
• Christian Brauner [email protected]
• Dam Thomason [email protected]
• Dan Walsh [email protected]
• Daniel, Dao Quang Minh [email protected]
• Davanum Srinivas [email protected]
• Euan Kemp [email protected]
• Guilherme Rezende [email protected]
• Haiyan Meng [email protected]
• Hushan Jia [email protected]
• Jiuyue Ma [email protected]
• Johnny Bieren [email protected]
• Jonathan Boulle [email protected]
• Justin Cormack [email protected]
• Kenfe-Mickael Laventure [email protected]
• Michael Crosby [email protected]
• Mike Brown [email protected]
• Mrunal Patel [email protected]
• Peng Gao [email protected]
• Petar Petrov [email protected]
• Phil Estes [email protected]
• Qiang Huang [email protected]
• Serge Hallyn [email protected]
• Seth Jennings [email protected]
• Shukui Yang [email protected]
• Tristan Cacqueray [email protected]
• Vishnu kannan [email protected]
• Wang Long [email protected]
• Yang Hongyang [email protected]
• Yen-Lin Chen [email protected]
• Yuanhong Peng [email protected]
• Zhang Wei [email protected]
• Zhao Lei [email protected]
• rajasec [email protected]
• xiekeyang [email protected]