d39f70955b
- Update to runc v1.1.5. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
  CVE-2023-25809 CVE-2023-27561 CVE-2023-28642
  * Fix the inability to use `/dev/null` when inside a container.
  * Fix changing the ownership of host's `/dev/null` caused by fd redirection
    (a regression in 1.1.1). bsc#1168481
  * Fix rare runc exec/enter unshare error on older kernels.
  * nsexec: Check for errors in `write_log()`.

OBS-URL: https://build.opensuse.org/request/show/1075135
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=136

770 lines | 34 KiB | Plaintext

-------------------------------------------------------------------
Wed Mar 29 07:05:52 UTC 2023 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.5. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
  CVE-2023-25809 CVE-2023-27561 CVE-2023-28642

  * Fix the inability to use `/dev/null` when inside a container.
  * Fix changing the ownership of host's `/dev/null` caused by fd redirection
    (a regression in 1.1.1). bsc#1168481
  * Fix rare runc exec/enter unshare error on older kernels.
  * nsexec: Check for errors in `write_log()`.

-------------------------------------------------------------------
Wed Aug 31 13:00:31 UTC 2022 - Fabian Vogt <fvogt@suse.com>

- Update to runc v1.1.4. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.4.
  bsc#1202021

  * Fix mounting via wrong proc fd. When the user and mount namespaces are
    used, and the bind mount is followed by the cgroup mount in the spec,
    the cgroup was mounted using the bind mount's mount fd.
  * Switch kill() in libcontainer/nsenter to sane_kill().
  * Fix "permission denied" error from runc run on noexec fs.
  * Fix failed exec after systemctl daemon-reload. Due to a regression
    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
    was causing an error "open /dev/pts/0: operation not permitted: unknown"
    when systemd was reloaded. (boo#1202821)

-------------------------------------------------------------------
Thu Jun 9 00:22:16 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
  (Includes a fix for bsc#1200088.)

  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
    s390 and s390x. This solves the issue where syscalls the host kernel did not
    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
    code (this was due to how s390x does syscall multiplexing).
  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
    intended; this fix does not affect runc binary itself but is important for
    libcontainer users such as Kubernetes.
  * Inability to compile with recent clang due to an issue with duplicate
    constants in libseccomp-golang.
  * When using systemd cgroup driver, skip adding device paths that don't exist,
    to stop systemd from emitting warnings about those paths.
  * Socket activation was failing when more than 3 sockets were used.
  * Various CI fixes.
  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
  * runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch

-------------------------------------------------------------------
Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
  with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
  + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch

-------------------------------------------------------------------
Thu May 12 10:04:57 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Add ExcludeArch for s390 (not s390x) since we've never supported it.

-------------------------------------------------------------------
Wed May 11 22:43:51 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.2. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.2.
  CVE-2022-29162 bsc#1199460

  * A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and
    CVE-2022-29162. bsc#1199460
  * `runc spec` no longer sets any inheritable capabilities in the created
    example OCI spec (`config.json`) file.
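
A check for the condition this entry describes, as an added example (not runc's code and not part of this changelog): it parses the Cap* lines of a /proc/<pid>/status dump, reports whether CapInh is non-empty, and decodes the mask into capability names using the linux/capability.h bit numbering. The two status excerpts are constructed rather than captured from a real container; 0xa80425fb is the familiar Docker default capability mask. Against a live container the input would be the output of `runc exec <id> cat /proc/self/status`.

```c
/* Added example (not runc code): inspect the capability sets in a
 * /proc/<pid>/status dump and flag a non-empty inheritable set, the symptom
 * behind GHSA-f3fp-gc8g-vw66 / CVE-2022-29162 (runc exec --cap before 1.1.2). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability names by bit number, per linux/capability.h. */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
};
#define NCAP_NAMES (sizeof cap_names / sizeof cap_names[0])

/* Constructed /proc/<pid>/status excerpts (not captured from a real system).
 * VULN_STATUS has CapInh populated, as the advisory describes for a pre-1.1.2
 * `runc exec --cap ...`; FIXED_STATUS has it empty. 0xa80425fb is the
 * Docker default capability mask. */
static const char VULN_STATUS[] =
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";
static const char FIXED_STATUS[] =
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Return the 64-bit mask on the "<key>:\t<hex>" line of a status buffer
 * (0 if the key is absent). Keys are matched at line start only. */
uint64_t status_cap_mask(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtoull(line + klen + 1, NULL, 16); /* strtoull skips the tab */
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Write a comma-separated list of the capabilities set in `mask` into `out`;
 * bits beyond the name table are printed as cap_<n>. Returns the bit count. */
size_t cap_mask_names(uint64_t mask, char *out, size_t outlen)
{
    size_t used = 0, count = 0;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 64 && (mask >> bit) != 0; bit++) {
        if (!((mask >> bit) & 1)) continue;
        int n = (bit < NCAP_NAMES)
            ? snprintf(out + used, outlen - used, "%s%s", count ? "," : "", cap_names[bit])
            : snprintf(out + used, outlen - used, "%scap_%u", count ? "," : "", bit);
        if (n < 0 || (size_t)n >= outlen - used) break; /* output truncated */
        used += (size_t)n;
        count++;
    }
    return count;
}

/* 1 if the process has a non-empty inheritable set (the CVE-2022-29162
 * symptom), 0 otherwise. With CapInh populated, a binary carrying inheritable
 * file capabilities gains them in its permitted set across execve(). */
int inheritable_nonempty(const char *status)
{
    return status_cap_mask(status, "CapInh") != 0;
}

int main(void)
{
    const char *samples[] = { VULN_STATUS, FIXED_STATUS };
    for (int i = 0; i < 2; i++) {
        char names[1024];
        uint64_t inh = status_cap_mask(samples[i], "CapInh");
        cap_mask_names(inh, names, sizeof names);
        printf("sample %d: CapInh=%016llx %s%s\n", i, (unsigned long long)inh,
               inheritable_nonempty(samples[i]) ? "NON-EMPTY: " : "empty",
               inheritable_nonempty(samples[i]) ? names : "");
    }
    return 0;
}
```

Checking CapInh of a freshly exec'd process is the cheapest regression test for this advisory: the fixed runc leaves it at all zeros unless the spec asks for inheritable capabilities explicitly.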

-------------------------------------------------------------------
Tue Mar 29 03:33:30 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.1.

  * runc run/start can now run a container with read-only /dev in OCI spec,
    rather than error out. (#3355)
  * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
  * libcontainer systemd v2 manager no longer errors out if one of the files
    listed in /sys/kernel/cgroup/delegate do not exist in container's
    cgroup. (#3387, #3404)
  * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
    error. (#3406)
  * libcontainer/cgroups no longer panics in cgroup v1 managers if stat
    of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

-------------------------------------------------------------------
Mon Jan 17 07:15:26 UTC 2022 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.0. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being
  correctly compiled (specifically this requires CGO to be enabled). This
  should avoid folks accidentally creating broken runc binaries (and
  incorrectly importing our internal libraries into their projects). (#3331)

-------------------------------------------------------------------
Tue Dec 14 05:04:21 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.1.0~rc1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

  + Add support for RDMA cgroup added in Linux 4.11.
  * runc exec now produces exit code of 255 when the exec failed.
    This may help in distinguishing between runc exec failures
    (such as invalid options, non-running container or non-existent
    binary etc.) and failures of the command being executed.
  + runc run: new --keep option to skip removal of exited containers' artefacts.
    This might be useful to check the state (e.g. of cgroup controllers) after
    the container has exited.
  + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
    (the latter is just an alias for SCMP_ACT_KILL).
  + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
    users to create sophisticated seccomp filters where syscalls can be
    efficiently emulated by privileged processes on the host.
  + checkpoint/restore: add an option (--lsm-mount-context) to set
    a different LSM mount context on restore.
  + intelrdt: support ClosID parameter.
  + runc exec --cgroup: an option to specify a (non-top) in-container cgroup
    to use for the process being executed.
  + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
    machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
    run/exec now adds the container to the appropriate cgroup under it).
  + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
    behaviour.
  + mounts: add support for bind-mounts which are inaccessible after switching
    the user namespace. Note that this does not permit the container any
    additional access to the host filesystem, it simply allows containers to
    have bind-mounts configured for paths the user can access but have
    restrictive access control settings for other users.
  + Add support for recursive mount attributes using mount_setattr(2). These
    have the same names as the proposed mount(8) options -- just prepend r
    to the option name (such as rro).
  + Add runc features subcommand to allow runc users to detect what features
    runc has been built with. This includes critical information such as
    supported mount flags, hook names, and so on. Note that the output of this
    command is subject to change and will not be considered stable until runc
    1.2 at the earliest. The runtime-spec specification for this feature is
    being developed in opencontainers/runtime-spec#1130.
  * system: improve performance of /proc/$pid/stat parsing.
  * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
    the ownership of certain cgroup control files (as per
    /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
    process.
  * runc checkpoint/restore: fixed for containers with an external bind mount
    whose destination is a symlink.
  * cgroup: improve openat2 handling for cgroup directory handle hardening.
  * runc delete -f now succeeds (rather than timing out) on a paused
    container.
  * runc run/start/exec now refuses a frozen cgroup (paused container in case of
    exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
  the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.

-------------------------------------------------------------------
Mon Dec 6 04:38:25 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784
  bsc#1193436

  * A potential vulnerability was discovered in runc (related to an internal
    usage of netlink), however upon further investigation we discovered that
    while this bug was exploitable on the master branch of runc, no released
    version of runc could be exploited using this bug. The exploit required
    being able to create a netlink attribute with a length that would overflow a
    uint16 but this was not possible in any released version of runc. For more
    information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.

    Due to an abundance of caution we decided to do an emergency release with
    this fix, but to reiterate we do not believe this vulnerability was
    possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
    discovering and reporting this vulnerability so quickly.
  * Fixed inability to start a container with read-write bind mount of a
    read-only fuse host mount.
  * Fixed inability to start when read-only /dev is set in spec.
  * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
    v2 is used with older systemd.
  * Fixed returning error from GetStats when hugetlb is unsupported (which
    causes excessive logging for kubernetes).

-------------------------------------------------------------------
Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.2. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.2

  * Fixed a failure to set CPU quota period in some cases on cgroup v1.
  * Fixed the inability to start a container with the "adding seccomp filter
    rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
    that have action equal to the default one). Such redundant rules are now
    skipped.
  * Made release builds reproducible from now on.
  * Fixed a rare debug log race in runc init, which can result in occasional
    harmful "failed to decode ..." errors from runc run or exec.
  * Fixed the check in cgroup v1 systemd manager if a container needs to be
    frozen before Set, and add a setting to skip such freeze unconditionally.
    The previous fix for that issue, done in runc 1.0.1, was not working.

-------------------------------------------------------------------
Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.1

  * Fixed occasional runc exec/run failure ("interrupted system call") on an
    Azure volume.
  * Fixed "unable to find groups ... token too long" error with /etc/group
    containing lines longer than 64K characters.
  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
    frozen. This is a regression in 1.0.0, not affecting runc itself but some
    of libcontainer users (e.g Kubernetes).
  * cgroupv2: bpf: Ignore inaccessible existing programs in case of
    permission error when handling replacement of existing bpf cgroup
    programs. This fixes a regression in 1.0.0, where some SELinux
    policies would block runc from being able to run entirely.
  * cgroup/systemd/v2: don't freeze cgroup on Set.
  * cgroup/systemd/v1: avoid unnecessary freeze on Set.

- Remove upstreamed patches:
  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

-------------------------------------------------------------------
Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues
  with runc under openSUSE MicroOS's SELinux policy. boo#1187704
  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

-------------------------------------------------------------------
Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.0. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0

  ! The usage of relative paths for mountpoints will now produce a warning
    (such configurations are outside of the spec, and in future runc will
    produce an error when given such configurations).

  * cgroupv2: devices: rework the filter generation to produce consistent
    results with cgroupv1, and always clobber any existing eBPF
    program(s) to fix runc update and avoid leaking eBPF programs
    (resulting in errors when managing containers).
  * cgroupv2: correctly convert "number of IOs" statistics in a
    cgroupv1-compatible way.
  * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  * cgroupv2: wait for freeze to finish before returning from the freezing
    code, optimize the method for checking whether a cgroup is frozen.
  * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
  * cgroups/systemd: fixed returning "unit already exists" error from a systemd
    cgroup manager (regression in rc94)

  + cgroupv2: support SkipDevices with systemd driver
  + cgroup/systemd: return, not ignore, stop unit error from Destroy
  + Make "runc --version" output sane even when built with go get or
    otherwise outside of our build scripts.
  + cgroups: set SkipDevices during runc update (so we don't modify
    cgroups at all during runc update).
  + cgroup1: blkio: support BFQ weights.
  + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

-------------------------------------------------------------------
Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.0~rc95. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

  This release of runc contains a fix for CVE-2021-30465, and users are
  strongly recommended to update (especially if you are providing
  semi-limited access to spawn containers to untrusted users). bsc#1185405

-------------------------------------------------------------------
Wed May 12 08:03:58 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.0~rc94. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
  Breaking Changes:
  * cgroupv1: kernel memory limits are now always ignored, as kmemcg has
    been effectively deprecated by the kernel. Users should make use of regular
    memory cgroup controls.
  Regression Fixes:
  * seccomp: fix 32-bit compilation errors
  * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  * runc start: fix "chdir to cwd: permission denied" for some setups
- Remove upstreamed patches:
  - 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch

-------------------------------------------------------------------
Mon Apr 26 07:54:54 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Backport patch to fix build on SLE-12 ppc64le.
  + 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch

-------------------------------------------------------------------
Wed Feb 3 04:09:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to runc v1.0.0~rc93. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93
  bsc#1182451 bsc#1184962

  * Cgroupv2 support is no longer considered experimental.
  * Mountinfo parsing code has been reworked significantly.
  * Special ENOSYS handling for seccomp profiles to avoid making new
    syscalls unusable for glibc.
  * Various rootless containers improvements.
  * The "selinux" and "apparmor" buildtags have been removed, and now all runc
    builds will have SELinux and AppArmor support enabled.
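
The ENOSYS handling mentioned in this entry (and the s390x variants of it in the v1.1.3 and May 2022 entries above) in miniature, as an added example that is not runc's implementation: runc generates its stub through libseccomp, whereas this builds a small classic-BPF program by hand and evaluates it with a tiny interpreter instead of loading it into the process. The allow list (x86_64 numbers for read, write, exit and exit_group), the "highest known syscall" of 334 and the probes open(2)=2 and clone3(2)=435 are assumptions for the demo; the architecture check every real filter needs, and the s390x multiplexing case, are left out.

```c
/* Added example (not runc's code): the idea behind runc's seccomp -ENOSYS stub.
 * A plain deny-list filter answers EPERM for every syscall it does not know,
 * so glibc cannot tell "forbidden" from "this kernel does not have it" and
 * never falls back to an older syscall. The stub instead returns ENOSYS for
 * any syscall number above the highest one the profile knows about.
 * The filter is built as real classic-BPF and checked with a tiny evaluator,
 * so nothing is loaded into the running process. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic-BPF opcodes and seccomp return values, as in <linux/filter.h> and
 * <linux/seccomp.h>; declared here so the example builds without kernel headers. */
#define OP_LD_W_ABS  0x20          /* A = 32-bit word at offset k of seccomp_data */
#define OP_JEQ_K     0x15          /* if (A == k) pc += jt else pc += jf */
#define OP_JGE_K     0x35          /* if (A >= k) pc += jt else pc += jf */
#define OP_RET_K     0x06          /* return k */
#define RET_ALLOW    0x7fff0000u
#define RET_ERRNO(e) (0x00050000u | ((e) & 0xffffu))
#define NR_OFFSET    0             /* offsetof(struct seccomp_data, nr) */

struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define MAX_INSNS 64
struct filter { struct insn insn[MAX_INSNS]; size_t len; };

/* Build: nr > max_known -> ENOSYS; nr in allow[] -> ALLOW; otherwise EPERM.
 * Layout: [ld nr][jge max_known+1 -> ENOSYS][jeq allow[i] -> ALLOW]...
 *         [ret EPERM][ret ALLOW][ret ENOSYS]
 * A production filter also checks seccomp_data.arch first; omitted here.
 * Returns the instruction count, 0 if the program would not fit. */
size_t build_enosys_filter(struct filter *f, const uint32_t *allow, size_t nallow,
                           uint32_t max_known)
{
    size_t total = 1 + 1 + nallow + 3;
    if (total > MAX_INSNS) return 0;
    size_t n = 0;
    size_t allow_idx = total - 2, enosys_idx = total - 1;
    f->insn[n] = (struct insn){ OP_LD_W_ABS, 0, 0, NR_OFFSET };
    n++;
    /* Jump offsets are relative to the instruction after the jump. */
    f->insn[n] = (struct insn){ OP_JGE_K, (uint8_t)(enosys_idx - (n + 1)), 0, max_known + 1 };
    n++;
    for (size_t i = 0; i < nallow; i++, n++)
        f->insn[n] = (struct insn){ OP_JEQ_K, (uint8_t)(allow_idx - (n + 1)), 0, allow[i] };
    f->insn[n++] = (struct insn){ OP_RET_K, 0, 0, RET_ERRNO(EPERM) };
    f->insn[n++] = (struct insn){ OP_RET_K, 0, 0, RET_ALLOW };
    f->insn[n++] = (struct insn){ OP_RET_K, 0, 0, RET_ERRNO(ENOSYS) };
    f->len = n;
    return n;
}

/* Run the filter for one syscall number and return the seccomp action. */
uint32_t run_filter(const struct filter *f, uint32_t nr)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < f->len) {
        const struct insn *i = &f->insn[pc];
        switch (i->code) {
        case OP_LD_W_ABS: acc = (i->k == NR_OFFSET) ? nr : 0; pc++; break;
        case OP_JEQ_K:    pc += 1 + (acc == i->k ? i->jt : i->jf); break;
        case OP_JGE_K:    pc += 1 + (acc >= i->k ? i->jt : i->jf); break;
        case OP_RET_K:    return i->k;
        default:          return RET_ERRNO(EINVAL); /* opcode not modelled here */
        }
    }
    return RET_ERRNO(EINVAL); /* ran off the end; the kernel rejects such programs */
}

/* errno the calling process would observe for a given action (0 = allowed). */
int action_errno(uint32_t action)
{
    return action == RET_ALLOW ? 0 : (int)(action & 0xffffu);
}

/* Constructed profile for the demo: x86_64 numbers for read, write, exit,
 * exit_group; 334 (rseq) is taken as the highest syscall the profile knows. */
static const uint32_t DEMO_ALLOW[] = { 0, 1, 60, 231 };
#define DEMO_MAX_KNOWN 334u

/* errno a process under the demo profile would get for syscall `nr`; -1 on build failure. */
int demo_decide(uint32_t nr)
{
    struct filter f;
    if (build_enosys_filter(&f, DEMO_ALLOW, sizeof DEMO_ALLOW / sizeof DEMO_ALLOW[0],
                            DEMO_MAX_KNOWN) == 0)
        return -1;
    return action_errno(run_filter(&f, nr));
}

int main(void)
{
    struct { uint32_t nr; const char *name; } probes[] = {
        { 1, "write" }, { 2, "open" }, { 334, "rseq" }, { 435, "clone3" } };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int e = demo_decide(probes[i].nr);
        printf("%-7s (%u): %s\n", probes[i].name, probes[i].nr,
               e == 0 ? "allowed" : e == EPERM ? "EPERM (known, denied)"
                                              : "ENOSYS (unknown to the profile)");
    }
    return 0;
}
```

To load such a program for real, wrap the array in a struct sock_fprog, set PR_SET_NO_NEW_PRIVS, and call seccomp(SECCOMP_SET_MODE_FILTER, ...) or prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...). The EPERM-versus-ENOSYS distinction is what lets glibc fall back (for instance from faccessat2 to faccessat) when a profile simply predates a syscall. On s390x several syscalls share one number and are told apart by an argument, so a threshold on the number alone is not enough there; that is the case the v1.1.3 and May 2022 entries above address.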

-------------------------------------------------------------------
Tue Feb 2 05:53:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>

- Update to handle the docker-runc removal. bsc#1181677
- Modernise go building for runc now that it has go.mod.

-------------------------------------------------------------------
Fri Aug 28 07:38:29 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>

- Upgrade to runc v1.0.0~rc92 (bsc#1175821). Upstream changelog is available
  from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92

  * Updates to CRIU support.
  * Improvements to cgroupfs performance and correctness.

-------------------------------------------------------------------
Thu Jul 2 01:24:49 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91

  * This release of runc has experimental support for cgroupv2-only systems.

- Remove upstreamed patches:
  - bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
  - bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch

-------------------------------------------------------------------
Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Switch to Go 1.13 for build.

-------------------------------------------------------------------
Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Backport https://github.com/opencontainers/runc/pull/2391 to help fix
  bsc#1168481.
  + bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch

-------------------------------------------------------------------
Tue Apr 14 10:16:21 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>

- Renamed patch:
  0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
  to
  bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch

-------------------------------------------------------------------
Wed Mar 18 08:57:34 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>

- Added fix for bsc#1149954
  * 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
    (cherry pick of https://github.com/opencontainers/runc/pull/1807)

-------------------------------------------------------------------
Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Upgrade to runc v1.0.0~rc10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10
- Drop upstreamed patches:
  - CVE-2019-19921.patch

-------------------------------------------------------------------
Tue Jan 21 22:10:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>

- Change packagewide go version to be greater or equal to 1.10.

-------------------------------------------------------------------
Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Update CVE-2019-19921 patch to match upstream PR.
  * CVE-2019-19921.patch

-------------------------------------------------------------------
Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Add backported fix for CVE-2019-19921. bsc#1160452
  + CVE-2019-19921.patch

-------------------------------------------------------------------
Sat Oct 5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>

- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
- Remove upstreamed patches:
  - CVE-2019-16884.patch

-------------------------------------------------------------------
Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai <asarai@suse.com>

- Add backported fix for CVE-2019-16884. bsc#1152308
  + CVE-2019-16884.patch
- Add runc-rpmlintrc to drop runc-test rpmlint warnings.

-------------------------------------------------------------------
Mon Apr 29 11:56:21 UTC 2019 - Aleksa Sarai <asarai@suse.com>

- Upgrade to runc v1.0.0~rc8. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc8
- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
- Remove upstreamed patches:
  - CVE-2019-5736.patch

-------------------------------------------------------------------
Wed Feb 6 08:10:47 UTC 2019 - Aleksa Sarai <asarai@suse.com>

- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec
  to avoid write attacks to the host runc binary). bsc#1121967
  + CVE-2019-5736.patch

-------------------------------------------------------------------
Wed Dec 19 19:55:11 UTC 2018 - clee@suse.com

- Update go requirements to >= go1.10 to fix
  * bsc#1118897 CVE-2018-16873
    go#29230 cmd/go: remote command execution during "go get -u"
  * bsc#1118898 CVE-2018-16874
    go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
  * bsc#1118899 CVE-2018-16875
    go#29233 crypto/x509: CPU denial of service

-------------------------------------------------------------------
Thu Dec 13 04:34:25 UTC 2018 - dorf@suse.com

- Require golang = 1.10.

-------------------------------------------------------------------
Thu Nov 29 09:10:09 UTC 2018 - Aleksa Sarai <asarai@suse.com>

- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6

-------------------------------------------------------------------
Wed Oct 31 14:01:03 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>

- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.

-------------------------------------------------------------------
Wed Jun 13 12:59:09 UTC 2018 - dcassany@suse.com

- Make use of %license macro

-------------------------------------------------------------------
Tue Jun 5 06:38:40 UTC 2018 - asarai@suse.com

- Remove 'go test' from %check section, as it has only ever caused us problems
  and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
  testing has been far more useful. boo#1095817

-------------------------------------------------------------------
Tue Feb 27 17:18:32 UTC 2018 - asarai@suse.com

- Upgrade to runc v1.0.0~rc5. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
- Remove patch now merged upstream.
  - bsc1053532-0001-makefile-drop-usage-of-install.patch

-------------------------------------------------------------------
Thu Aug 17 04:39:56 UTC 2017 - asarai@suse.com

- Use .tar.xz provided by upstream, as well as include the keyring to allow
  full provenance of the source.

-------------------------------------------------------------------
Sun Aug 13 14:25:32 UTC 2017 - asarai@suse.com

- Use the upstream Makefile, to ensure that we always include the version
  information in runc. This was confusing users (and Docker). bsc#1053532
- Add a backported patch to fix a Makefile bug.
  https://github.com/opencontainers/runc/pull/1555
  + bsc1053532-0001-makefile-drop-usage-of-install.patch

-------------------------------------------------------------------
Thu Aug 10 17:14:02 UTC 2017 - asarai@suse.com

- Update to runc v1.0.0-rc4. Upstream changelog:
  + runc now supports v1.0.0 of the OCI runtime specification. #1527
  + Rootless containers support has been released. The current state of
    this feature is that it only supports single-{uid,gid} mappings as an
    unprivileged user, and cgroups are completely unsupported. Work is
    being done to improve this. #774
  + Rather than relying on CRIU version numbers, actually check if the
    system supports pre-dumping. #1371
  + Allow the PIDs cgroup limit to be updated. #1423
  + Add support for checkpoint/restore of containers with orphaned PTYs
    (which is effectively all containers with terminal=true). #1355
  + Permit prestart hooks to modify the cgroup configuration of a
    container. #1239
  + Add support for a wide variety of mount options. #1460
  + Expose memory.use_hierarchy in MemoryStats. #1378
  * Fix incorrect handling of systems without the freezer cgroup. #1387
  * Many, many changes to switch away from Go's "syscall" stdlib to
    "golang.org/x/sys/unix". #1394 #1398 #1442 #1464 #1467 #1470 #1474
    #1478 #1491 #1482 #1504 #1519 #1530
  * Set cgroup resources when restoring a container. #1399
  * Switch back to using /sbin as the installation directory. #1406
  * Remove the arbitrary container ID length restriction. #1435
  * Make container force deletion ignore non-existent containers. #1451
  * Improve handling of arbitrary cgroup mount locations when populating
    cpuset. #1372
  * Make the SaneTerminal interface public. #1479
  * Fix cases where runc would report a container to be in a "Running"
    state if the init was a zombie or dead. #1489
  * Do not set supplementary groups for numeric users. #1450
  * Fix various issues with the "owner" field in runc-list. #1516
  * Many other miscellaneous fixes, some of which were made by first-time
    contributors. Thanks, and welcome to the project! #1406 #1400 #1365
    #1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438
    #1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533
- Remove any semblance of non-Linux support. #1502
- We no longer use shfmt for testing. #1510

-------------------------------------------------------------------
Wed Aug 2 13:51:43 UTC 2017 - asarai@suse.com

- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429
- Cleanup seccomp builds similar to bsc#1028638
- Remove the usage of 'cp -r' to reduce noise in the build logs.

-------------------------------------------------------------------
Thu Jul 6 17:14:17 UTC 2017 - thipp@suse.de

- switch to opencontainers/runc master branch
- remove CVE-2016-9962.patch
- stop providing docker-runc

-------------------------------------------------------------------
Thu May 4 19:04:49 UTC 2017 - jmassaguerpla@suse.com

- fix the golang requirement to 1.7 to the subpackages

-------------------------------------------------------------------
Tue May 2 15:49:41 UTC 2017 - jmassaguerpla@suse.com

- fix golang requirement to 1.7

-------------------------------------------------------------------
Fri Apr 28 16:16:00 UTC 2017 - jengelh@inai.de

- Substitute %__-type macro indirections

-------------------------------------------------------------------
Thu Apr 13 16:34:03 UTC 2017 - jmassaguerpla@suse.com

- update version to the one required by docker-17.04.0-ce (bsc#1034053)
  remove ignore_cgroup2_mountpoint.patch. This is already included in
  the upstream source code.

-------------------------------------------------------------------
Wed Apr 12 09:55:28 UTC 2017 - jmassaguerpla@suse.com

- Make sure this is being built with go 1.7

-------------------------------------------------------------------
Tue Apr 11 15:37:36 UTC 2017 - jmassaguerpla@suse.com

- remove the go_arches macro because we are using go1.7 which
  is available in all archs

-------------------------------------------------------------------
Wed Mar 29 15:47:52 UTC 2017 - jmassaguerpla@suse.com

- fix bsc#1028113 - runc: make sure to ignore cgroup v2 mountpoints
  This is a backport of https://github.com/opencontainers/runc/pull/1266
  + ignore_cgroup2_mountpoint.patch

-------------------------------------------------------------------
Fri Feb 24 18:08:10 UTC 2017 - jmassaguerpla@suse.com

- update to docker-1.13.0 requirement

-------------------------------------------------------------------
Fri Jan 13 13:58:33 UTC 2017 - jmassaguerpla@suse.com

- fix CVE-2016-9962 bsc#1012568 and applying the patch
  CVE-2016-9962.patch, because 1.12.6 partially fixes it (it contains
  the first patch attached in bsc#1012568)

-------------------------------------------------------------------
Mon Dec 19 12:49:38 UTC 2016 - jmassaguerpla@suse.com

- update runc to the version used in docker 1.12.5 (bsc#1016307).
  This fixes bsc#1015661

-------------------------------------------------------------------
Mon Dec 19 12:17:07 UTC 2016 - asarai@suse.com

- For the moment, we have to switch to using Docker's fork of runC. This *will*
  be solved properly by creating a new package purely for Docker's runC fork,
  because it's quite silly to tie OCI project releases to Docker's vendoring
  scheme. Once this is fixed, this package will be switched to being purely-OCI.
|
||
-------------------------------------------------------------------
|
||
Fri Dec 16 17:05:37 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- add the /usr/bin/docker-run symlink to partially fix bsc#1015661
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Nov 24 11:05:41 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- fix version by adding a revision "counter" so that it will always
|
||
increase
|
||
|
||
fix bsc#1009961
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Oct 13 11:04:27 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- update to 02f8fa7 because that is the needed version for docker 1.12.1 (bsc#1004490)
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Sep 21 05:13:26 UTC 2016 - jengelh@inai.de
|
||
|
||
- Run fdupes.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 19 11:57:45 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- fix go_arches definition: use global instead of define, otherwise
|
||
it fails to build
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 26 08:59:54 UTC 2016 - asarai@suse.com
|
||
|
||
- Remove docker-runc symlink because it's been fixed within the Docker
|
||
package. bsc#978260
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 25 17:02:33 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- Create a symlink /usr/sbin/docker-runc -> /usr/sbin/docker
|
||
Docker expects this symlink to exist bsc#978260
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 25 15:56:00 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- Remove GOPATH at the end of the GOPATH assignment
|
||
cause GOPATH is empty and if we do that, we get the path ""
|
||
appended, which causes gcc6-go to complain
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 24 12:27:57 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- add go_arches in project configuration: this way, we can use the
|
||
same spec file but decide in the project configuration if to
|
||
use gc-go or gcc-go for some archs.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 18 10:35:29 UTC 2016 - jmassaguerpla@suse.com
|
||
|
||
- use gcc6-go instead of gcc5-go (bsc#988408)
|
||
- build ppc64le with gc-go because this version builds with gc-go 1.6
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Aug 18 10:34:29 UTC 2016 - cbrauner@suse.de
|
||
|
||
- bump git commit id to the one required by docker v1.12.0 (bsc#995058)
|
||
- run unit tests during package build
|
||
- remove seccomp-use-pkg-config.patch
|
||
The patch is now upstream.
|
||
- remove GO_BUILD_FLAGS macro and substitute with BUILDFLAGS env variable to
|
||
allow for easier string appending.
|
||
- only run unit test on architectures that provide the go list and go test tools
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 17 10:29:15 UTC 2016 - cbrauner@suse.de
|
||
|
||
- Add runc-test package which contains the source code and the test. This
|
||
package will be used to run the integration tests.
|
||
- Simplify package build and check sections: Instead of symlinking we default to
|
||
cp -avr. go list gets confused by symlinks hence, we need to copy the source
|
||
code anyway if we want to run unit tests during package build at some point.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 29 09:03:24 UTC 2016 - asarai@suse.de
|
||
|
||
* Update to runC 0.1.1. (bsc#989566 FATE#320763) Changelog from upstream:
|
||
|
||
This release includes a bug fix for adding the selinux mount label in the specification.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 19 09:59:05 UTC 2016 - asarai@suse.de
|
||
|
||
* Don't use gcc-go for aarch64, since gc has grown support for it and is more
|
||
stable.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Apr 15 10:46:04 UTC 2016 - asarai@suse.de
|
||
|
||
* Disable seccomp entirely for aarch64 builds, since it is not provided on all
|
||
SUSE platforms.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Apr 13 12:03:09 UTC 2016 - asarai@suse.de
|
||
|
||
* Update to runC 0.1.0. Changelog from upstream:
|
||
|
||
This release updates runc to the OCI runtime specification v0.5.0 and includes
|
||
various fixes and features.
|
||
|
||
Features:
|
||
+ cgroups: pid limits and stats
|
||
+ cgroups: kmem stats
|
||
+ systemd cgroup support
|
||
+ libcontainer specconv package
|
||
+ no pivot root option
|
||
+ numeric ids are treated as uid/gid
|
||
+ hook improvements
|
||
|
||
Bug Fixes:
|
||
* log flushing
|
||
* atomic pid file creation
|
||
* init error recovery
|
||
* seccomp logging removed
|
||
* delete container on aborted start
|
||
* /dev bind mount handling
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Mar 30 14:18:18 UTC 2016 - asarai@suse.de
|
||
|
||
* Install to /usr/sbin. https://github.com/opencontainers/runc/pull/702
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 27 14:50:32 UTC 2016 - asarai@suse.de
|
||
|
||
* Added runC man pages.
|
||
* Recommended criu, since it's required for the checkpoint and restore
|
||
functionality.
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Mar 27 10:14:32 UTC 2016 - asarai@suse.de
|
||
|
||
* Small updates to method of compilation to better match Makefile.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 21 12:04:59 UTC 2016 - asarai@suse.de
|
||
|
||
* Make compilation work on gcc-go only systems (ppc and s390).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Mar 21 08:24:02 UTC 2016 - asarai@suse.de
|
||
|
||
* initial import of runC 0.0.9
|
||
* add patch seccomp-use-pkg-config.patch which allows us to build runC, since
|
||
they assume that the seccomp.h file lives at /usr/include/seccomp.h.
|
||
|