From ec33e305e4bb4373d80865e956b4ee989d3abee2fd27f1d3911d5d8de463ef28 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.com>
Date: Tue, 3 Sep 2024 02:30:45 +0000
Subject: [PATCH] - Update to runc v1.2.0~rc3. Upstream changelog is available
 from   <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3>.  
 Includes the patch for CVE-2024-45310.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=162
---
 .gitattributes             |  23 +
 .gitignore                 |   1 +
 runc-1.2.0-rc.1.tar.xz     |   3 +
 runc-1.2.0-rc.1.tar.xz.asc |  17 +
 runc-1.2.0-rc.2.tar.xz     |   3 +
 runc-1.2.0-rc.2.tar.xz.asc |  11 +
 runc-1.2.0-rc.3.tar.xz     |   3 +
 runc-1.2.0-rc.3.tar.xz.asc |   7 +
 runc.changes               | 904 +++++++++++++++++++++++++++++++++++++
 runc.keyring               | 221 +++++++++
 runc.spec                  | 108 +++++
 11 files changed, 1301 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 runc-1.2.0-rc.1.tar.xz
 create mode 100644 runc-1.2.0-rc.1.tar.xz.asc
 create mode 100644 runc-1.2.0-rc.2.tar.xz
 create mode 100644 runc-1.2.0-rc.2.tar.xz.asc
 create mode 100644 runc-1.2.0-rc.3.tar.xz
 create mode 100644 runc-1.2.0-rc.3.tar.xz.asc
 create mode 100644 runc.changes
 create mode 100644 runc.keyring
 create mode 100644 runc.spec

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/runc-1.2.0-rc.1.tar.xz b/runc-1.2.0-rc.1.tar.xz
new file mode 100644
index 0000000..6c4ff7e
--- /dev/null
+++ b/runc-1.2.0-rc.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f6fed97bf5db1d4eac43b622a62379e07f3f73dd1c3e5ee5c0f82a1c960e1f7
+size 1603252
diff --git a/runc-1.2.0-rc.1.tar.xz.asc b/runc-1.2.0-rc.1.tar.xz.asc
new file mode 100644
index 0000000..c6776ab
--- /dev/null
+++ b/runc-1.2.0-rc.1.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmYNM/MQHGFzYXJhaUBz
+dXNlLmNvbQAKCRCeGKomfduNtLTvEACihuWRg3CBLJuZFnV5YMkgYO1nhNfcY0TX
+BJWqrjleSkyhrWWNeGPmCLGvCLzQtk+pQzC8T2lN3/y4VNIsdSUrGrMP6uSh3uKu
+TF/IMBL5HJmowv+6RYcKb0kq9ta1lFR8LL63o7hn45xu5ZsnQGwEz+nI4IbrYRjr
+zPyYD5GQgkjFzBeHUb5BcbGNgZ62XTyyhZgUH8D/2+X9B/xqK6RKZ+dEVD4rU/nj
+rQafX4GHg+20OsmUj5AoE+nXkP98YyM33Nh9RQKNdDwS/OZ8lh24BtN4635VRINA
+EsCLKZKAb9Eu0Wqs/b0k8RsWblNEg/fDPvTg8bBJI6tIldVa8K4mqk6tOYL1zZzD
+33F5lhpNdstajFZuehXDHDqhDAQmJ0GAHDFeGZo7Am7wTmxSNNZ0gpo1zcWl9Y/D
+xW12H/oYtMwaj3MrtmlN+Os3V4pm16FgFM6LuPAR79FrXpu1l30D1wkVvQsp5pkD
+XaUxLw6kYzt5Z/PB13L7QccxojRDJtFCDf2n4DLHJWI/qFe57qYCwD0TP/gIDkOA
+HE4t7UU6lygPwIbc+0Zc5S7zOI3/CBgq1IWoMiZamAEs3FzPwt4jC3Czq9zemHPU
+7gyjR5rTVTJu9OOCVhyegxqD2fOxMOEKITAHrKIN+qnQkXAQ5gXeY4mHWr02tkkW
+7rsh+eQR2A==
+=io9I
+-----END PGP SIGNATURE-----
diff --git a/runc-1.2.0-rc.2.tar.xz b/runc-1.2.0-rc.2.tar.xz
new file mode 100644
index 0000000..046c196
--- /dev/null
+++ b/runc-1.2.0-rc.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:293b7271196a7284a1cca1865e8e210d9c153054b0d0c04f3a69f28ca517723d
+size 1607920
diff --git a/runc-1.2.0-rc.2.tar.xz.asc b/runc-1.2.0-rc.2.tar.xz.asc
new file mode 100644
index 0000000..6f232dd
--- /dev/null
+++ b/runc-1.2.0-rc.2.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmZ8WH4ACgkQF95ey3Wh
+EA6mMwf/Zh+RldJEoFjye87UFK9OhNMZCwIKqYS4mKNRdgCfdzYq/ZGbvczwGbQQ
+tUpD7UFfHlIegc1qJkOi20LtyzoE+H3bChacjn5N0hpfbfJ/NUPMgoBFxpcPS8Bp
+xdyKrA4L6RwvoS6APxAfzqFoXkZ0lADxa/x46NBgxHMCXkGwofY6n/G+2ztgYEyn
+hg10kG2olFK7nbmCms3xdxi2AEQ5V35SwyCtZrSnVlm/9rGtZZro8eiF4MXMYr9N
+Cj/9oWy+F4ATzkQI1FoqtE5K8uhD76qFtKfJ67SuVGZhHaqLUPSuMjlF6Qlu+ziA
+0YH6gwvKpvtFSejEM2l9UKYazASJMA==
+=tl7E
+-----END PGP SIGNATURE-----
diff --git a/runc-1.2.0-rc.3.tar.xz b/runc-1.2.0-rc.3.tar.xz
new file mode 100644
index 0000000..a362722
--- /dev/null
+++ b/runc-1.2.0-rc.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:837185e9041c795187eb0f775af8d0b76869e98376bad7cf5f3249a2c636e794
+size 1609672
diff --git a/runc-1.2.0-rc.3.tar.xz.asc b/runc-1.2.0-rc.3.tar.xz.asc
new file mode 100644
index 0000000..a83f000
--- /dev/null
+++ b/runc-1.2.0-rc.3.tar.xz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCZtZoygAKCRAol/rSt+lE
+bx7WAP0SyVg+qUJHACE0IkVAxaBzqVjNFVhdLY5ieF9h4LE0KgEA5Aa2n1k22JMX
+0774jwpF778ieaNR3L6sf/hKjAXTmwM=
+=6S7t
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
new file mode 100644
index 0000000..caaa9fc
--- /dev/null
+++ b/runc.changes
@@ -0,0 +1,904 @@
+-------------------------------------------------------------------
+Tue Sep  3 02:01:16 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.0~rc3. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3>.
+  Includes the patch for CVE-2024-45310.
+
+-------------------------------------------------------------------
+Tue Sep  3 01:57:20 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+[ This was only ever released for SLES and Leap. ]
+
+- Update to runc v1.1.14. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
+  Includes the patch for CVE-2024-45310.
+
+- Rebase patches:
+  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
+
+-------------------------------------------------------------------
+Mon Jul 22 13:08:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+[ This was only ever released for SLES and Leap. ]
+
+- Update to runc v1.1.13. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
+- Rebase patches:
+  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+- Backport <https://github.com/opencontainers/runc/pull/3931> to fix a
+  performance issue when running lots of containers, caused by systemd getting
+  too many mount notifications. bsc#1214960
+  + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
+
+-------------------------------------------------------------------
+Fri Jul 12 08:33:22 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.0~rc2. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.2>.
+- Re-allow Go 1.22 builds for >= 1.22.4.
+
+-------------------------------------------------------------------
+Thu Apr 25 08:23:43 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Build with Go 1.21 until the upstream Go 1.22 compatibility issue gets fixed.
+  <https://github.com/opencontainers/runc/issues/4233>
+
+-------------------------------------------------------------------
+Fri Apr  4 05:04:27 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.0~rc1. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.1>.
+- Remove upstreamed patches.
+  - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+  - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+  - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+
+-------------------------------------------------------------------
+Thu Mar 21 03:46:48 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
+  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
+  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+
+-------------------------------------------------------------------
+Wed Jan 31 00:00:33 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.12. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
+
+  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
+    more details, see the upstream security advisory:
+    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
+  * Remove upstreamed patches:
+    - CVE-2024-21626.patch
+  * Update runc.keyring to match upstream changes.
+
+-------------------------------------------------------------------
+Thu Jan 18 00:37:01 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+[ This was only ever released for SLES. ]
+
+- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
+  <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
+  + CVE-2024-21626.patch
+
+-------------------------------------------------------------------
+Tue Jan  2 03:02:16 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.11. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
+
+-------------------------------------------------------------------
+Wed Nov  1 07:25:46 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.10. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
+
+-------------------------------------------------------------------
+Wed Sep  6 06:42:37 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to runc v1.1.9. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.9>.
+
+-------------------------------------------------------------------
+Wed Jul 19 14:04:08 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.8. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
+
+-------------------------------------------------------------------
+Thu Apr 27 09:43:31 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.7. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
+- Update runc.keyring to upstream version.
+
+-------------------------------------------------------------------
+Wed Apr 12 04:17:29 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.6. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.6>.
+
+-------------------------------------------------------------------
+Wed Mar 29 07:05:52 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.5. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
+
+  Includes fixes for the following CVEs:
+   - CVE-2023-25809 bsc#1209884
+   - CVE-2023-27561 bsc#1208962
+   - CVE-2023-28642 bsc#1209888
+
+  * Fix the inability to use `/dev/null` when inside a container. bsc#1168481
+  * Fix changing the ownership of host's `/dev/null` caused by fd redirection
+    (a regression in 1.1.1). bsc#1207004
+  * Fix rare runc exec/enter unshare error on older kernels.
+  * nsexec: Check for errors in `write_log()`.
+
+- Drop version-specific Go requirement.
+
+-------------------------------------------------------------------
+Wed Aug 31 13:00:31 UTC 2022 - Fabian Vogt <fvogt@suse.com>
+
+- Update to runc v1.1.4. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.4.
+  bsc#1202021
+
+  * Fix mounting via wrong proc fd. When the user and mount namespaces are
+    used, and the bind mount is followed by the cgroup mount in the spec,
+    the cgroup was mounted using the bind mount's mount fd.
+  * Switch kill() in libcontainer/nsenter to sane_kill().
+  * Fix "permission denied" error from runc run on noexec fs.
+  * Fix failed exec after systemctl daemon-reload. Due to a regression
+    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
+    was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
+    (boo#1202821)
+
+-------------------------------------------------------------------
+Thu Jun  9 00:22:16 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.3. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
+  (Includes a fix for bsc#1200088.)
+
+  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
+    s390 and s390x. This solves the issue where syscalls the host kernel did not
+    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
+    code (this was due to how s390x does syscall multiplexing).
+  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
+    intended; this fix does not affect runc binary itself but is important for
+    libcontainer users such as Kubernetes.
+  * Inability to compile with recent clang due to an issue with duplicate
+    constants in libseccomp-golang.
+  * When using systemd cgroup driver, skip adding device paths that don't exist,
+    to stop systemd from emitting warnings about those paths.
+  * Socket activation was failing when more than 3 sockets were used.
+  * Various CI fixes.
+  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
+  * runc static binaries are now linked against libseccomp v2.5.4.
+- Remove upstreamed patches:
+  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+
+-------------------------------------------------------------------
+Mon May 23 03:02:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
+  with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
+  that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
+  + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
+
+-------------------------------------------------------------------
+Thu May 12 10:04:57 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Add ExcludeArch for s390 (not s390x) since we've never supported it.
+
+-------------------------------------------------------------------
+Wed May 11 22:43:51 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.2. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.2.
+  CVE-2022-29162 bsc#1199460
+
+  * A bug was found in runc where runc exec --cap executed processes with
+    non-empty inheritable Linux process capabilities, creating an atypical Linux
+    environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
+    CVE-2022-29162. bsc#1199460
+  * `runc spec` no longer sets any inheritable capabilities in the created
+    example OCI spec (`config.json`) file.
+
+-------------------------------------------------------------------
+Tue Mar 29 03:33:30 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.1. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.1.
+
+  * runc run/start can now run a container with read-only /dev in OCI spec,
+    rather than error out. (#3355)
+  * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
+    libcontainer systemd v2 manager no longer errors out if one of the files
+    listed in /sys/kernel/cgroup/delegate do not exist in container's
+    cgroup. (#3387, #3404)
+  * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
+    error. (#3406)
+  * libcontainer/cgroups no longer panics in cgroup v1 managers if stat
+    of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
+
+-------------------------------------------------------------------
+Mon Jan 17 07:15:26 UTC 2022 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.0. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.0.
+
+  - libcontainer will now refuse to build without the nsenter package being
+    correctly compiled (specifically this requires CGO to be enabled). This
+    should avoid folks accidentally creating broken runc binaries (and
+    incorrectly importing our internal libraries into their projects). (#3331)
+
+-------------------------------------------------------------------
+Tue Dec 14 05:04:21 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.1.0~rc1. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
+
+  + Add support for RDMA cgroup added in Linux 4.11.
+  * runc exec now produces exit code of 255 when the exec failed.
+    This may help in distinguishing between runc exec failures
+    (such as invalid options, non-running container or non-existent
+    binary etc.) and failures of the command being executed.
+  + runc run: new --keep option to skip removal exited containers artefacts.
+    This might be useful to check the state (e.g. of cgroup controllers) after
+    the container hasexited.
+  + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
+    (the latter is just an alias for SCMP_ACT_KILL).
+  + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
+    users to create sophisticated seccomp filters where syscalls can be
+    efficiently emulated by privileged processes on the host.
+  + checkpoint/restore: add an option (--lsm-mount-context) to set
+    a different LSM mount context on restore.
+  + intelrdt: support ClosID parameter.
+  + runc exec --cgroup: an option to specify a (non-top) in-container cgroup
+    to use for the process being executed.
+  + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
+    machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
+    run/exec now adds the container to the appropriate cgroup under it).
+  + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
+    behaviour.
+  + mounts: add support for bind-mounts which are inaccessible after switching
+    the user namespace. Note that this does not permit the container any
+    additional access to the host filesystem, it simply allows containers to
+    have bind-mounts configured for paths the user can access but have
+    restrictive access control settings for other users.
+  + Add support for recursive mount attributes using mount_setattr(2). These
+    have the same names as the proposed mount(8) options -- just prepend r
+    to the option name (such as rro).
+  + Add runc features subcommand to allow runc users to detect what features
+    runc has been built with. This includes critical information such as
+    supported mount flags, hook names, and so on. Note that the output of this
+    command is subject to change and will not be considered stable until runc
+    1.2 at the earliest. The runtime-spec specification for this feature is
+    being developed in opencontainers/runtime-spec#1130.
+  * system: improve performance of /proc/$pid/stat parsing.
+  * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
+    the ownership of certain cgroup control files (as per
+    /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
+    process.
+  * runc checkpoint/restore: fixed for containers with an external bind mount
+    which destination is a symlink.
+  * cgroup: improve openat2 handling for cgroup directory handle hardening.
+    runc delete -f now succeeds (rather than timing out) on a paused
+    container.
+  * runc run/start/exec now refuses a frozen cgroup (paused container in case of
+    exec). Users can disable this using --ignore-paused.
+- Update version data embedded in binary to correctly include the git commit of
+  the release.
+- Drop runc-rpmlintrc because we don't have runc-test anymore.
+
+-------------------------------------------------------------------
+Mon Dec  6 04:38:25 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.3. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.3. CVE-2021-43784
+  bsc#1193436
+
+  * A potential vulnerability was discovered in runc (related to an internal
+    usage of netlink), however upon further investigation we discovered that
+    while this bug was exploitable on the master branch of runc, no released
+    version of runc could be exploited using this bug. The exploit required
+    being able to create a netlink attribute with a length that would overflow a
+    uint16 but this was not possible in any released version of runc. For more
+    information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784.
+
+    Due to an abundance of caution we decided to do an emergency release with
+    this fix, but to reiterate we do not believe this vulnerability was
+    possible to exploit. Thanks to Felix Wilhelm from Google Project Zero for
+    discovering and reporting this vulnerability so quickly.
+  * Fixed inability to start a container with read-write bind mount of a
+    read-only fuse host mount.
+  * Fixed inability to start when read-only /dev in set in spec.
+  * Fixed not removing sub-cgroups upon container delete, when rootless cgroup
+    v2 is used with older systemd.
+  * Fixed returning error from GetStats when hugetlb is unsupported (which
+    causes excessive logging for kubernetes).
+
+-------------------------------------------------------------------
+Mon Aug 23 09:35:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.2. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.2
+
+  * Fixed a failure to set CPU quota period in some cases on cgroup v1.
+  * Fixed the inability to start a container with the "adding seccomp filter
+    rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
+    that has action equal to the default one). Such redundant rules are now
+    skipped.
+  * Made release builds reproducible from now on.
+  * Fixed a rare debug log race in runc init, which can result in occasional
+    harmful "failed to decode ..." errors from runc run or exec.
+  * Fixed the check in cgroup v1 systemd manager if a container needs to be
+    frozen before Set, and add a setting to skip such freeze unconditionally.
+    The previous fix for that issue, done in runc 1.0.1, was not working.
+
+-------------------------------------------------------------------
+Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.1. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.1
+
+  * Fixed occasional runc exec/run failure ("interrupted system call") on an
+    Azure volume.
+  * Fixed "unable to find groups ... token too long" error with /etc/group
+    containing lines longer than 64K characters.
+  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
+    frozen. This is a regression in 1.0.0, not affecting runc itself but some
+    of libcontainer users (e.g Kubernetes).
+  * cgroupv2: bpf: Ignore inaccessible existing programs in case of
+    permission error when handling replacement of existing bpf cgroup
+    programs. This fixes a regression in 1.0.0, where some SELinux
+    policies would block runc from being able to run entirely.
+  * cgroup/systemd/v2: don't freeze cgroup on Set.
+  * cgroup/systemd/v1: avoid unnecessary freeze on Set.
+
+- Remove upstreamed patches:
+  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+
+-------------------------------------------------------------------
+Thu Jul  1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues
+  with runc under openSUSE MicroOS's SELinux policy. boo#1187704
+  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+
+-------------------------------------------------------------------
+Tue Jun  1 11:00:30 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.0. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0
+
+  ! The usage of relative paths for mountpoints will now produce a warning
+    (such configurations are outside of the spec, and in future runc will
+    produce an error when given such configurations).
+
+  * cgroupv2: devices: rework the filter generation to produce consistent
+    results with cgroupv1, and always clobber any existing eBPF
+    program(s) to fix runc update and avoid leaking eBPF programs
+    (resulting in errors when managing containers).
+  * cgroupv2: correctly convert "number of IOs" statistics in a
+    cgroupv1-compatible way.
+  * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
+  * cgroupv2: wait for freeze to finish before returning from the freezing
+    code, optimize the method for checking whether a cgroup is frozen.
+  * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
+  * cgroups/systemd: fixed returning "unit already exists" error from a systemd
+    cgroup manager (regression in rc94)
+
+  + cgroupv2: support SkipDevices with systemd driver
+  + cgroup/systemd: return, not ignore, stop unit error from Destroy
+  + Make "runc --version" output sane even when built with go get or
+    otherwise outside of our build scripts.
+  + cgroups: set SkipDevices during runc update (so we don't modify
+    cgroups at all during runc update).
+  + cgroup1: blkio: support BFQ weights.
+  + cgroupv2: set per-device io weights if BFQ IO scheduler is available.
+
+-------------------------------------------------------------------
+Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.0~rc95. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
+
+  This release of runc contains a fix for CVE-2021-30465, and users are
+  strongly recommended to update (especially if you are providing
+  semi-limited access to spawn containers to untrusted users). bsc#1185405
+
+-------------------------------------------------------------------
+Wed May 12 08:03:58 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.0~rc94. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
+  Breaking Changes:
+  * cgroupv1: kernel memory limits are now always ignored, as kmemcg has
+    been effectively deprecated by the kernel. Users should make use of regular
+    memory cgroup controls.
+  Regression Fixes:
+  * seccomp: fix 32-bit compilation errors
+  * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
+  * runc start: fix "chdir to cwd: permission denied" for some setups
+- Remove upstreamed patches:
+  - 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch
+
+-------------------------------------------------------------------
+Mon Apr 26 07:54:54 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Backport patch to fix build on SLE-12 ppc64le.
+  + 0001-cloned_binary-switch-from-error-to-warning-for-SYS_m.patch
+
+-------------------------------------------------------------------
+Wed Feb  3 04:09:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.0~rc93. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93
+  bsc#1182451 bsc#1184962
+
+  * Cgroupv2 support is no longer considered experimental.
+  * Mountinfo parsing code has been reworked significantly.
+  * Special ENOSYS handling for seccomp profiles to avoid making new
+    syscalls unusable for glibc.
+  * Various rootless containers improvements.
+  * The "selinux" and "apparmor" buildtags have been removed, and now all runc
+    builds will have SELinux and AppArmor support enabled.
+
+-------------------------------------------------------------------
+Tue Feb  2 05:53:17 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to handle the docker-runc removal. bsc#1181677
+- Modernise go building for runc now that it has go.mod.
+
+-------------------------------------------------------------------
+Fri Aug 28 07:38:29 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
+
+- Upgrade to runc v1.0.0~rc92 (bsc#1175821). Upstream changelog is available
+  from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc92
+
+  * Updates to CRIU support.
+  * Improvements to cgroupfs performance and correctness.
+
+-------------------------------------------------------------------
+Thu Jul  2 01:24:49 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
+
+  * This release of runc has experimental support for cgroupv2-only systems.
+
+- Remove upstreamed patches:
+  - bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
+  - bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
+
+-------------------------------------------------------------------
+Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Switch to Go 1.13 for build.
+
+-------------------------------------------------------------------
+Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Backport https://github.com/opencontainers/runc/pull/2391 to help fix
+  bsc#1168481.
+  + bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
+
+-------------------------------------------------------------------
+Tue Apr 14 10:16:21 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
+
+- Renamed patch:
+  0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
+  to
+  bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
+
+-------------------------------------------------------------------
+Wed Mar 18 08:57:34 UTC 2020 - Ralf Haferkamp <rhafer@suse.com>
+
+- Added fix for bsc#1149954
+  * 0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
+    (cherry pick of https://github.com/opencontainers/runc/pull/1807)
+
+-------------------------------------------------------------------
+Thu Jan 23 17:18:05 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc10. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10
+- Drop upstreamed patches:
+  - CVE-2019-19921.patch
+
+-------------------------------------------------------------------
+Tue Jan 21 22:10:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Change packagewide go version to be greater or equal to 1.10.
+
+-------------------------------------------------------------------
+Fri Jan 17 03:02:46 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Update CVE-2019-19921 patch to match upstream PR.
+  * CVE-2019-19921.patch
+
+-------------------------------------------------------------------
+Tue Jan 14 04:44:36 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Add backported fix for CVE-2019-19921. bsc#1160452
+  + CVE-2019-19921.patch
+
+-------------------------------------------------------------------
+Sat Oct  5 11:40:13 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc9. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc9
+- Remove upstreamed patches:
+  - CVE-2019-16884.patch
+
+-------------------------------------------------------------------
+Thu Sep 26 14:54:07 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Add backported fix for CVE-2019-16884. bsc#1152308
+  + CVE-2019-16884.patch
+- Add runc-rpmlintrc to drop runc-test rpmlint warnings.
+
+-------------------------------------------------------------------
+Mon Apr 29 11:56:21 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc8. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc8
+- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
+- Remove upstreamed patches:
+  - CVE-2019-5736.patch
+
+-------------------------------------------------------------------
+Wed Feb  6 08:10:47 UTC 2019 - Aleksa Sarai <asarai@suse.com>
+
+- Add fix for CVE-2019-5736 (effectively copying /proc/self/exe during re-exec
+  to avoid write attacks to the host runc binary). bsc#1121967
+  + CVE-2019-5736.patch
+
+-------------------------------------------------------------------
+Wed Dec 19 19:55:11 UTC 2018 - clee@suse.com
+
+- Update go requirements to >= go1.10 to fix
+  * bsc#1118897 CVE-2018-16873
+    go#29230 cmd/go: remote command execution during "go get -u"
+  * bsc#1118898 CVE-2018-16874
+    go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
+  * bsc#1118899 CVE-2018-16875
+    go#29233 crypto/x509: CPU denial of service
+
+-------------------------------------------------------------------
+Thu Dec 13 04:34:25 UTC 2018 - dorf@suse.com
+
+- Require golang = 1.10.
+
+-------------------------------------------------------------------
+Thu Nov 29 09:10:09 UTC 2018 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc6. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc6
+
+-------------------------------------------------------------------
+Wed Oct 31 14:01:03 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
+
+- Create a symlink in /usr/bin/runc to enable rootless Podman and Buildah.
+
+-------------------------------------------------------------------
+Wed Jun 13 12:59:09 UTC 2018 - dcassany@suse.com
+
+- Make use of %license macro
+
+-------------------------------------------------------------------
+Tue Jun  5 06:38:40 UTC 2018 - asarai@suse.com
+
+- Remove 'go test' from %check section, as it has only ever caused us problems
+  and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke
+  testing has been far more useful. boo#1095817
+
+-------------------------------------------------------------------
+Tue Feb 27 17:18:32 UTC 2018 - asarai@suse.com
+
+- Upgrade to runc v1.0.0~rc5. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
+- Remove patch now merged upstream.
+  - bsc1053532-0001-makefile-drop-usage-of-install.patch
+
+-------------------------------------------------------------------
+Thu Aug 17 04:39:56 UTC 2017 - asarai@suse.com
+
+- Use .tar.xz provided by upstream, as well as include the keyring to allow
+  full provenance of the source.
+
+-------------------------------------------------------------------
+Sun Aug 13 14:25:32 UTC 2017 - asarai@suse.com
+
+- Use the upstream Makefile, to ensure that we always include the version
+  information in runc. This was confusing users (and Docker). bsc#1053532
+- Add a backported patch to fix a Makefile bug.
+  https://github.com/opencontainers/runc/pull/1555
+  + bsc1053532-0001-makefile-drop-usage-of-install.patch
+
+-------------------------------------------------------------------
+Thu Aug 10 17:14:02 UTC 2017 - asarai@suse.com
+
+- Update to runc v1.0.0-rc4. Upstream changelog:
+	+ runc now supports v1.0.0 of the OCI runtime specification. #1527
+	+ Rootless containers support has been released. The current state of
+	  this feature is that it only supports single-{uid,gid} mappings as an
+	  unprivileged user, and cgroups are completely unsupported. Work is
+	  being done to improve this. #774
+	+ Rather than relying on CRIU version nnumbers, actually check if the
+	  system supports pre-dumping. #1371
+	+ Allow the PIDs cgroup limit to be updated. #1423
+	+ Add support for checkpoint/restore of containers with orphaned PTYs
+	  (which is effectively all containers with terminal=true). #1355
+	+ Permit prestart hooks to modify the cgroup configuration of a
+	  container. #1239
+	+ Add support for a wide variety of mount options. #1460
+	+ Expose memory.use_hierarchy in MemoryStats. #1378
+	* Fix incorrect handling of systems without the freezer cgroup. #1387
+	* Many, many changes to switch away from Go's "syscall" stdlib to
+	  "golang.org/x/sys/unix". #1394 #1398 #1442 #1464 #1467 #1470 #1474
+	  #1478 #1491 #1482 #1504 #1519 #1530
+	* Set cgroup resources when restoring a container. #1399
+	* Switch back to using /sbin as the installation directory. #1406
+	* Remove the arbitrary container ID length restriction. #1435
+	* Make container force deletion ignore non-existent containers. #1451
+	* Improve handling of arbitrary cgroup mount locations when populating
+	  cpuset. #1372
+	* Make the SaneTerminal interface public. #1479
+	* Fix cases where runc would report a container to be in a "Running"
+	  state if the init was a zombie or dead. #1489
+	* Do not set supplementary groups for numeric users. #1450
+	* Fix various issues with the "owner" field in runc-list. #1516
+	* Many other miscellaneous fixes, some of which were made by first-time
+	  contributors. Thanks, and welcome to the project! #1406 #1400 #1365
+	  #1396 #1402 #1414 #1412 #1408 #1418 #1425 #1428 #1436 #1433 #1438
+	  #1410 #1447 #1388 #1484 #1481 #1496 #1245 #1524 #1534 #1526 #1533
+	- Remove any semblance of non-Linux support. #1502
+	- We no longer use shfmt for testing. #1510
+
+-------------------------------------------------------------------
+Wed Aug  2 13:51:43 UTC 2017 - asarai@suse.com
+
+- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429
+- Cleanup seccomp builds similar to bsc#1028638
+- Remove the usage of 'cp -r' to reduce noise in the build logs.
+
+-------------------------------------------------------------------
+Thu Jul  6 17:14:17 UTC 2017 - thipp@suse.de
+
+- switch to opencontainers/runc master branch
+- remove CVE-2016-9962.patch
+- stop providing docker-runc
+
+-------------------------------------------------------------------
+Thu May  4 19:04:49 UTC 2017 - jmassaguerpla@suse.com
+
+- fix the golang requirement to 1.7 to the subpackages
+
+-------------------------------------------------------------------
+Tue May  2 15:49:41 UTC 2017 - jmassaguerpla@suse.com
+
+- fix golang requirement to 1.7
+
+-------------------------------------------------------------------
+Fri Apr 28 16:16:00 UTC 2017 - jengelh@inai.de
+
+- Substitute %__-type macro indirections
+
+-------------------------------------------------------------------
+Thu Apr 13 16:34:03 UTC 2017 - jmassaguerpla@suse.com
+
+- update version to the one required by docker-17.04.0-ce (bsc#1034053)
+  remove ignore_cgroup2_mountpoint.patch . This is already included in
+  the upstream source code.
+
+-------------------------------------------------------------------
+Wed Apr 12 09:55:28 UTC 2017 - jmassaguerpla@suse.com
+
+- Make sure this is being built with go 1.7
+
+-------------------------------------------------------------------
+Tue Apr 11 15:37:36 UTC 2017 - jmassaguerpla@suse.com
+
+- remove the go_arches macro because we are using go1.7 which
+  is available in all archs
+
+-------------------------------------------------------------------
+Wed Mar 29 15:47:52 UTC 2017 - jmassaguerpla@suse.com
+
+- fix bsc#1028113 - runc: make sure to ignore cgroup v2 mountpoints
+  This is a backport of https://github.com/opencontainers/runc/pull/1266
+  + ignore_cgroup2_mountpoint.patch
+
+-------------------------------------------------------------------
+Fri Feb 24 18:08:10 UTC 2017 - jmassaguerpla@suse.com
+
+- update to docker-1.13.0 requirement
+
+-------------------------------------------------------------------
+Fri Jan 13 13:58:33 UTC 2017 - jmassaguerpla@suse.com
+
+- fix CVE-2016-9962 bsc#1012568 and applying the patch
+  CVE-2016-9962.patch, because 1.12.6 partially fixes it (it contains
+  the first patch attached in bsc#1012568)
+
+-------------------------------------------------------------------
+Mon Dec 19 12:49:38 UTC 2016 - jmassaguerpla@suse.com
+
+- update runc to the version used in docker 1.12.5 (bsc#1016307).
+  This fixes bsc#1015661
+
+-------------------------------------------------------------------
+Mon Dec 19 12:17:07 UTC 2016 - asarai@suse.com
+
+- For the moment, we have to switch to using Docker's fork of runC. This *will*
+  be solved properly by creating a new package purely for Docker's runC fork,
+  because it's quite silly to tie OCI project releases to Docker's vendoring
+  scheme. Once this is fixed, this package will be switch to being purely-OCI.
+
+-------------------------------------------------------------------
+Fri Dec 16 17:05:37 UTC 2016 - jmassaguerpla@suse.com
+
+- add the /usr/bin/docker-run symlink to partially fix bsc#1015661
+
+-------------------------------------------------------------------
+Thu Nov 24 11:05:41 UTC 2016 - jmassaguerpla@suse.com
+
+- fix version by adding a revision "counter" so that it will always
+  increase
+
+  fix bsc#1009961
+
+-------------------------------------------------------------------
+Thu Oct 13 11:04:27 UTC 2016 - jmassaguerpla@suse.com
+
+- update to 02f8fa7 because that is the needed version for docker 1.12.1 (bsc#1004490)
+
+-------------------------------------------------------------------
+Wed Sep 21 05:13:26 UTC 2016 - jengelh@inai.de
+
+- Run fdupes.
+
+-------------------------------------------------------------------
+Mon Sep 19 11:57:45 UTC 2016 - jmassaguerpla@suse.com
+
+- fix go_arches definition: use global instead of define, otherwise
+  it fails to build
+
+-------------------------------------------------------------------
+Fri Aug 26 08:59:54 UTC 2016 - asarai@suse.com
+
+- Remove docker-runc symlink because it's been fixed within the Docker
+  package. bsc#978260
+
+-------------------------------------------------------------------
+Thu Aug 25 17:02:33 UTC 2016 - jmassaguerpla@suse.com
+
+- Create a symlink /usr/sbin/docker-runc -> /usr/sbin/docker
+  Docker expects this symlink to exist bsc#978260
+
+-------------------------------------------------------------------
+Thu Aug 25 15:56:00 UTC 2016 - jmassaguerpla@suse.com
+
+- Remove GOPATH at the end of the GOPATH assignment
+  cause GOPATH is empty and if we do that, we get the path ""
+  appended, which causes gcc6-go to complain
+
+-------------------------------------------------------------------
+Wed Aug 24 12:27:57 UTC 2016 - jmassaguerpla@suse.com
+
+- add go_arches in project configuration: this way, we can use the
+  same spec file but decide in the project configuration if to
+  use gc-go or gcc-go for some archs.
+
+-------------------------------------------------------------------
+Thu Aug 18 10:35:29 UTC 2016 - jmassaguerpla@suse.com
+
+- use gcc6-go instead of gcc5-go (bsc#988408)
+- build ppc64le with gc-go because this version builds with gc-go 1.6
+
+-------------------------------------------------------------------
+Thu Aug 18 10:34:29 UTC 2016 - cbrauner@suse.de
+
+- bump git commit id to the one required by docker v1.12.0 (bsc#995058)
+- run unit tests during package build
+- remove seccomp-use-pkg-config.patch
+  The patch is now upstream.
+- remove GO_BUILD_FLAGS macro and substitute with BUILDFLAGS env variable to
+  allow for easier string appending.
+- only run unit test on architectures that provide the go list and go test tools
+
+-------------------------------------------------------------------
+Wed Aug 17 10:29:15 UTC 2016 - cbrauner@suse.de
+
+- Add runc-test package which contains the source code and the test. This
+  package will be used to run the integration tests.
+- Simplify package build and check sections: Instead of symlinking we default to
+  cp -avr. go list gets confused by symlinks hence, we need to copy the source
+  code anyway if we want to run unit tests during package build at some point.
+
+-------------------------------------------------------------------
+Fri Apr 29 09:03:24 UTC 2016 - asarai@suse.de
+
+* Update to runC 0.1.1. (bsc#989566 FATE#320763) Changelog from upstream:
+
+  This release includes a bug fix for adding the selinux mount label in the specification.
+
+-------------------------------------------------------------------
+Tue Apr 19 09:59:05 UTC 2016 - asarai@suse.de
+
+* Don't use gcc-go for aarch64, since gc has grown support for it and is more
+  stable.
+
+-------------------------------------------------------------------
+Fri Apr 15 10:46:04 UTC 2016 - asarai@suse.de
+
+* Disable seccomp entirely for aarch64 builds, since it is not provided on all
+  SUSE platforms.
+
+-------------------------------------------------------------------
+Wed Apr 13 12:03:09 UTC 2016 - asarai@suse.de
+
+* Update to runC 0.1.0. Changelog from upstream:
+
+  This release updates runc to the OCI runtime specification v0.5.0 and includes
+  various fixes and features.
+
+  Features:
+  + cgroups: pid limits and stats
+  + cgroups: kmem stats
+  + systemd cgroup support
+  + libcontainer specconv package
+  + no pivot root option
+  + numeric ids are treated as uid/gid
+  + hook improvements
+
+  Bug Fixes:
+  * log flushing
+  * atomic pid file creation
+  * init error recovery
+  * seccomp logging removed
+  * delete container on aborted start
+  * /dev bind mount handling
+
+-------------------------------------------------------------------
+Wed Mar 30 14:18:18 UTC 2016 - asarai@suse.de
+
+* Install to /usr/sbin.  https://github.com/opencontainers/runc/pull/702
+
+-------------------------------------------------------------------
+Sun Mar 27 14:50:32 UTC 2016 - asarai@suse.de
+
+* Added runC man pages.
+* Recommended criu, since it's required for the checkpoint and restore
+  functionality.
+
+-------------------------------------------------------------------
+Sun Mar 27 10:14:32 UTC 2016 - asarai@suse.de
+
+* Small updates to method of compilation to better match Makefile.
+
+-------------------------------------------------------------------
+Mon Mar 21 12:04:59 UTC 2016 - asarai@suse.de
+
+* Make compilation work on gcc-go only systems (ppc and s390).
+
+-------------------------------------------------------------------
+Mon Mar 21 08:24:02 UTC 2016 - asarai@suse.de
+
+* initial import of runC 0.0.9
+* add patch seccomp-use-pkg-config.patch which allows us to build runC, since
+  they assume that the seccomp.h file lives at /usr/include/seccomp.h.
+
diff --git a/runc.keyring b/runc.keyring
new file mode 100644
index 0000000..afc1c45
--- /dev/null
+++ b/runc.keyring
@@ -0,0 +1,221 @@
+pub   rsa4096 2016-06-21 [SC] [expires: 2031-06-18]
+      5F36C6C61B5460124A75F5A69E18AA267DDB8DB4
+uid           [ultimate] Aleksa Sarai <asarai@suse.com>
+uid           [ultimate] Aleksa Sarai <asarai@suse.de>
+sub   rsa4096 2016-06-21 [E] [expires: 2031-06-18]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: github=cyphar
+
+mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8
+ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0
+CfekjIpoR1CffYtCvkLr8/f74jHNRfqsmZ1Oxa9GjbhgDnbw4Baztp6WctzMXyOJ
+j5bJuSfQTcgFbIeQ27zx7gNjbnHyEP5TEm1/CeoWpGPpZLJPiKHdI/TBCyFexHJ0
+IlabKc4DC43RZyh0Btuf+FiX9K2NkoCC7l5nQdde8B6YG7SA6xEhwhQ73bSs7A56
+rlZxfIFmLCB/81FyXk5eH0Eu9Lbwj69YQ81EdkLnLAyP3ZB+MRGuiWVD88Jr1He2
+25m3dxTVzaP0TAV4LqdbuqTwr2wagu9MZQ5XXDiaEuiPwTrO10xlmivOjRaWxoWA
+E0I3fOdrzqfg9XK6g1pG23v2WhHFIejqVCXrf5oPcCd62lGeh0ghEdNN89ikXbka
+1PJRiWI3uDQ6STSKa+6uC5eUM7tK/ymqS8JYSQf4d3eIaC2H403psPt5kbq1bHdx
+nRPX2eh/t1QzR1dhPxzai4CzLERIYJ9iD4nGiSscwy0P44AgyeuywSg4qXzr9Sfe
+igOj+6lfJb3iZRN3dKLTRAKWvo7yfdi/UOycodlaQyW8v0yXAx7Yh1NgJQARAQAB
+tB1BbGVrc2EgU2FyYWkgPGFzYXJhaUBzdXNlLmRlPokCPQQTAQgAJwUCV2kY3QIb
+AwUJHDIEgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCeGKomfduNtGecEACZ
+JLVdeKHKsSUqTLOjbC6t9uKfKlNpu+iQ2/TS9YazLWXoFEc8f/uWB8BpHcJBFrqz
+j+mI34ShEkbbNJArxR76njnAtPF+73GiD0dAjRDWz8YtQgSg5UhYm6O2Si/EM4I8
+TDzflyjaZltCkDe2U+2T8dTkYxqOi11IuCukPBNe0moxGKvLGPWEqZQMPCfBgllD
+lv2Toiry2Fp1bkBlT6hk0C684rfAwzPQuH0BBv8vgfgroRMJg/qfZb64lhMCXaPr
+rCtVHP+F1bVXKZCBCt7ETTtcteUEKaFmGgDGpXGnIqPL5iWLK5u8DQL/1lGcinj9
+QdD9IUNqsrsNAbdyMMqQvZKQwIVDgFMXrCwSRymOi6cppN7eF0VyFN7YsATttRGx
+CZBoSMhVW6VVxuJFGaQWFXWthVGVEd2jkvny1TX8Nm8KBHC2G/wNVU3pKrCPhMCt
+rYc8xWZ+6uisQ6XWs8H4nyBOVN6RvhIqqXJL1nvViOSFMLSDyFgPA16368krgxYE
+pVDvie04aDjKZj2/0LSogNQPqZxs8uKIjLZ1NYQQmCQ8Dx9/nshg1wbyDD/c///M
+EmVFmZhlNLZ8tV/iTlwfD/4vjbeaAQTVanhPFRbUtmL/iuz5f0gH0b0xc+mc+yQ1
+egjBwMuKr+h7jbSXIWoFGZLrqT3WswTg0Khk6oEL57QeQWxla3NhIFNhcmFpIDxh
+c2FyYWlAc3VzZS5jb20+iQI9BBMBCAAnBQJXaRngAhsDBQkcMgSABQsJCAcCBhUI
+CQoLAgQWAgMBAh4BAheAAAoJEJ4YqiZ924202mIQAIjGrikF7OPBCbV5Oo4oC0QQ
+7HcG+DM9cN6UcFO+rzWQxZ/atEpiULa4O3YKoGOkSV5WAjUpaY5Rf7Obt3EjgrwE
+PhtGvOpC6kkkTV43RmmK06CxHiZPrUJBwcpbW1rf2JZx7PPBMbZfsmWdVZc+LjzC
+D3KtJ7xhzT0mi+zN5ONNHody6sDQO6n0mN+bRVxiVdcxwjYHfJYGobI6aaKyupvl
++xCGK4ekzNCVzaxudzqmbFE6qk+cWcvcA8HpggA63rCvCLfK1embNOtqzKAcJh1o
+cJvrtpe18qBvd4yXFWEqQBW6IoDLvdzaLY7eNMI97UDInciz/GUtbxhqbs1lAOBz
+V1y9fi0+NIIq1qmhbLxpUFC2BWsZRuWEqYWdr4FFJCuYEEXX6KXM7d9CSdWlErCU
+mqKYsx6X4E7Iy1yupYbIqXRea9wBr8aPoFk+gLdNbCWAE4o7InKJY1uqOt141ffs
++6XJe2wVvA2xLr0ZphlcyF0EHZX8tMWLCYdQJdLMps2hl5oFpi7ccdM1GpE/Kwt5
+pEBqsJ6vP59BsbmciYmNkYKvFIKJcasImglQP6nrQiBwjTd7fYXpMDeO0yNtklaZ
+IZlbNvxOe1TqbRzfVFk3oSBbEaFzPAx/W0uU1evZynpu2PcIvOuadScc9j0jMzt8
+0wknTD5AqhD/fkfZlwRouQINBFdpGN0BEADfqvO6AkGOWf+lcQZfWBMSMpzneCCS
+JvQvD65VrFt0CCbSlJv1pc3GwLlL2dMulIxQGg0JMTjfPZcCYqrnOcWe0gedETRV
+nOucY7zWmohR7L70YWwh46FlAPifY6bIIYGYTHyI9w1adS9K4tAJW/XS0WrvZ5KA
+l7htrAzUAsMhag9y9jtQJVPLErGJta3jZJASs8PZWWmLYZE+oy1R3W52w/HqGQHS
+8BPgo4oL+lrjPmjAwouhhNETTq9W2xmCe18EJodOjNKdF5ODOq1LOkPNHIaIdG0s
+sY3qbifcRLVDvSmb8++4WRYl1HLy2vpsTQ31mZ3KyRKR6cP61ivTZy8idwD+Qt1t
+3uKTCGNZj96OCob8ZeZsak6enuFZleVbLty1eULIw/IZuq8g6E+/V7mbFo4vkXMN
+q4YrX0Q3XEzB8Cdxd5vsnz7Uga35j44gwJ+BUsCyaRUyGzLqhUWHJS73Vy3IxHfX
+Rj7TQUBFYDKbOS9oKearmvTb1SQzH7NM5jQUFzXeJQE03jetRneNQ5hkh9UhUr64
+gtRnnKXTimXkczEMU9eDSTgQoaebdPnWEnzoStS5ln03zH+CNTQF9qjcpYBrJ2mZ
+wnxO9OP/45KQL4hPAi2+hGkq2yjuIzeCkFJabAc7sF6lwJqH82XtiIIR+AGTM8QC
+Eno0eqAytg8YawARAQABiQIlBBgBCAAPBQJXaRjdAhsMBQkcMgSAAAoJEJ4YqiZ9
+2420AuIP/1PYZDKFLv//+iY6Z9xGz4zHL+9nWND/Kll3xHeuWjYGZ2nmcovSnEW4
+0eiMn1c6KMgs/CCR4+9bm7MdgaF73pjM4xzHBIBetLLkcKQIrniX2Fq+WgscJfFx
++0ha7Xb2TTpSy8PRiYHowVUaMPwyqSsAUwrSenLuwyiKr+EW4Wzo+YM2w9a86yw1
+GfWuiyk0Z4sGoPoPEjmD4y6Xlf8kIfuZeb+joHd6W1nMf7cxDkNLQqX6sWvs62Tv
+Lsx2jApPKD2PyTyyxItJKc6NXFVM+Uww323ZYVWMkz+VKalHRiv6xzGqArhpAIH6
+fn+1WjjqkrrLU4I7smjlulZCy/NZLOKqQYaqM+7BgC2mOPMb5CM99cg4SrK86dFr
+3Cf22+OTmC6/Wb5Gu4PzTzkYIJDnt3BJQYjJlp4zyOHluN6notrWagLIB06oX+jQ
+pxGySHW++Cha/JCUb0mfeHIJKvRor3v7YaSJoFIo//rz6XJ9WVZfsKnOte/3s9m7
+qkEvLArbe2o7pUJ2mxZZw/nAk/Y39FYAMvgMA9f+uv18O7u+ojYjS6DlrmNuIEg/
+mp8FqVxVNdIS2capSF4+eOn3a4kcF0018xbTLA2AwQ2o9eF5G9qTdSVrN865VPCd
+KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0
+=3/jE
+-----END PGP PUBLIC KEY BLOCK-----
+
+pub   ed25519 2019-06-21 [C]
+      C9C370B246B09F6DBCFC744C34401015D1D2D386
+uid           [ultimate] Aleksa Sarai <cyphar@cyphar.com>
+sub   ed25519 2022-09-30 [S] [expires: 2030-03-25]
+sub   cv25519 2022-09-30 [E] [expires: 2030-03-25]
+sub   ed25519 2022-09-30 [A] [expires: 2030-03-25]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: github=cyphar
+
+mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz
+QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF
+CwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGwEWIQTJw3CyRrCfbbz8dEw0QBAV0dLT
+hgUCZa3xwQAKCRA0QBAV0dLThpQyAQDGzjZyyWWmd6Ykg5/lymp2MLIg1f2jG6ew
+AiPT4ATkBAD/RgdLDf1IQStEH7pHmQa1qvqyRq1jeEgF23KruXbbdQ64MwRdDMJS
+FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4
+BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS
+04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b
+8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0
+QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS
+y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw
+x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG
+SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru
+YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL
+FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD
+cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e
+qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk
+uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M
+wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx
+za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ
+KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo
+FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG
+AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9
+o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ
+FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51
+DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH
+uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+
+q25gaH2I9QQYFgoAJgIbAhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJlrfJcBQkO
+EpjFAIF2IAQZFgoAHRYhBLZOSVWyn6PUY/KpBiiX+tK36URvBQJjNrpLAAoJECiX
++tK36URv2hsBALyKPjIlNTtlwC1PHZkyOPwSiu4ZveS7pWlHLHX6nJBCAP9CBDtf
+UbvG3C5WljSQdiBrXKgosDbJxPwXw+tW0XukAwkQNEAQFdHS04bMkQEA9elVwA0A
++ywDw+jnifIc98XqLI+KF3Xl0A9+lMuwthMBAO00DeAEjkryFMGp62GPNHqr/r6p
++6DIeUjWgK4Sh8IMuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM
+OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmAhsMFiEEycNwskawn228/HRM
+NEAQFdHS04YFAmWt8lwFCQ4SmLAACgkQNEAQFdHS04apHgD+MIRj2kujpxtQt04D
+ZB+hofBtHIEMo2tplFBYvhZ6KOMA/1q3aRv6jnWAv8woc50KitP4/+iPmfyzaBA/
+8XA5DdIKuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD
+TF2SQwwqM4+nYbeIfgQYFgoAJgIbIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJl
+rfJcBQkOEpiiAAoJEDRAEBXR0tOGAUwA/jbaz04OXnV3PYC/yQUsUJsihCTqz4Ne
+lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg==
+=Ab7w
+-----END PGP PUBLIC KEY BLOCK-----
+
+pub   rsa2048 2020-04-28 [SC] [expires: 2025-04-18]
+      C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
+uid           [ultimate] Kir Kolyshkin <kolyshkin@gmail.com>
+sub   rsa2048 2020-04-28 [E] [expires: 2025-04-18]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: github=kolyshkin
+
+mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW
+rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV
+ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9
+2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg
+SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu
+DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g
+PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ
+F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F
+t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW
+JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3
+wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt
+Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0
+1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k
+p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z
+s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik
+6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38
+oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc
+yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h
+8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F
+AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R
+uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT
+iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r
+5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4
+S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au
+2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ==
+=GkpD
+-----END PGP PUBLIC KEY BLOCK-----
+
+pub   rsa3072 2019-07-25 [SC] [expires: 2025-07-27]
+      C020EA876CE4E06C7AB95AEF49524C6F9F638F1A
+uid           [ultimate] Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+uid           [ultimate] Akihiro Suda <suda.kyoto@gmail.com>
+sub   rsa3072 2019-07-25 [E] [expires: 2025-07-27]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: github=AkihiroSuda
+
+mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK
+QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc
+5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY
+wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO
+BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk
+Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx
+dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO
+9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA
+3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA
+aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCZMPL2QUJC0wZugAKCRBJUkxvn2OP
+GqTiC/93jTl0ci2zWC8vVBPSyjHDrpOhn+3ukCeC7VxHOdo6hBwbsxqaBUWi0Maf
+p9oa4HzmsQjhMM+i3/Q/jHBvijXQ2UO5MaDrLhacoAW8i/YeU2aKn2yIyrQPIdc/
+tlcwjvsRPt534DOisf1N5+w6Y4DRgt2tNl0KOjEBmXsBWN7Fg+QRfLeNWKS9soq7
+QkI68T0e0h752FmI8TK4yy6FrhLVUU2ArLcOV2wjx5zKnWjgX7BbwYjAp8fi9hcC
+XdmSvllQ8U9Y2ll8dDq3HBmo+uI4lfz31S4B5EKo4Wn+3bA4Y+VBNoJfoKyLeOgr
+0cmo6SRJIsVaSvAJcMZ6oq+jvTDuygfRkxxgoTzCgwre7CPzcvC8gC0sYOB34TN4
+UogwN3pFmCPfi5TjXsx7vgfWKlHgwe3L/5aoQjTm+z6WanTHbIqOK9QkIuGykMpL
+7nOJeH9LoRzpzc8aOwIOki2bbo7s9yzL8Gil+zaqe16Q+Y7wVBxSRxbg/3oUTi1K
+/uM8N4S0I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB
+CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM
+b59jjxoFAmTDy9kFCQtMGboACgkQSVJMb59jjxogzgv/a+4+T5Xoklt0rGujSgtD
+ogpQp4guaImEhkPieWMPG7+UfqxwoMLcvLE5kTzqLPe1DdYs8Tm/gtteHttLUfjD
+qwY/+BsqIYYMJMRoXFBk2iokn0m/36da7WKpN+5r5ssujsvGj991k4oLQgFV0kEx
+f4PSRxWQNlAqp4OfQNI91S7oMDH94dR+V5TIYYHxsPsnCvygD72GVER4G5mUvkCH
+Nf8aqeckVxu8uZ/2LiNtYxbh5pwriuj8XbifuawdMdjpTvwAAa2DuKqCtj9cuQIt
+hmOF1ux68TRxk//QGPqX49+WT0mwdHBX/I/nZVTOGt9sjjKU5m1o+rUiVHtQ3Yhw
+fSLWEbfZiTjWDPWpjLU+r3C2qCiJyPjNpsxYAp4y3v511BXesejcXm24+MHFym5F
+ngyAItzwDD9ieTt3uviuC64VZVz7NgnDMUK0LumKh9mrZZ20dTcX9Vw70o41CMQN
+yBKloXOSPzQDZp1ZXzR3P/22WXG/e52YuU3Aw1femld+uQGNBF06GR8BDACxpQ9c
+y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+
+786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6
+ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4
+iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH
+Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF
+bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL
+gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1
+vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA
+AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJkw8uyBQkLTBmT
+AAoJEElSTG+fY48ayhsL+gLvKlfkYgxodyWKR5hOiUMKWE5tqfQY6kqrgssPYw+u
+Fn69AamQLt4I2AHRg0AHjoZEsMfR19uXZ24XwwcWwgWU6yRJgMSIK67bLvL+d686
+m2KQ2PpmfDrizUgY4J0sY+tzwNZeWxQiFy/Ni6AdEqJvJQDsrKYJ2GGWm6JMZCPw
+y3h5ouueieiEc0pvwEz2kg64uv6p8SUV1me66IXQaGseXb/BcW+Ap2WJO+IZjtNB
+qhk+V+1x5ZT6s9RecjiTDmKfZ71zyRWplkfL22+4XVEc3qLS3r0ZSzeIA4JPRf+N
+yCGjavdTNgu2bTo8iSgBq2NRT9kNwTaS8j883L0eY/JJktrfWnWE4qAuXBqLzkIl
+smspRWy0byLQrrzk9stncF/CDt5XuHPcsXOcRVXVyM+/RXqWKdNAwZO67HD4wJR9
+YR4avhGZZXguH3b0ka2zO8sxTju/09yb07NJ2qfjfWSHCmaj9KuhhE0EO625tckS
+58ceqolNBtrydoYZOc2CKw==
+=ol6W
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/runc.spec b/runc.spec
new file mode 100644
index 0000000..8157311
--- /dev/null
+++ b/runc.spec
@@ -0,0 +1,108 @@
+#
+# spec file for package runc
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# nodebuginfo
+
+
+# MANUAL: Make sure you update this each time you update runc.
+%define git_version 45471bc945571d57acef05e0795008d7f1d9baf5
+%define git_short   45471bc94557
+
+%define project github.com/opencontainers/runc
+
+Name:           runc
+# RPM doesn't handle semver rc releases nicely, so for rc releases we need to
+# do something different.
+%define upstream_version 1.2.0-rc.3
+Version:        1.2.0~rc3
+Release:        0
+Summary:        Tool for spawning and running OCI containers
+License:        Apache-2.0
+Group:          System/Management
+URL:            https://github.com/opencontainers/runc
+Source0:        https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz#/runc-%{upstream_version}.tar.xz
+Source1:        https://github.com/opencontainers/runc/releases/download/v%{upstream_version}/runc.tar.xz.asc#/runc-%{upstream_version}.tar.xz.asc
+Source2:        runc.keyring
+BuildRequires:  diffutils
+BuildRequires:  fdupes
+BuildRequires:  go >= 1.22.4
+BuildRequires:  go-go-md2man
+BuildRequires:  libseccomp-devel
+BuildRequires:  libselinux-devel
+Recommends:     criu
+# There used to be a docker-runc package which was specifically for Docker.
+# Since Docker now tracks upstream more consistently, we use the same package
+# but we need to obsolete the old one. bsc#1181677
+Obsoletes:      docker-runc < %{version}
+Provides:       docker-runc = %{version}
+# KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but
+#                 now it's been merged into the one package. bsc#1181677
+Obsoletes:      docker-runc-kubic < %{version}
+Provides:       docker-runc-kubic = %{version}
+Obsoletes:      docker-runc = 0.1.1+gitr2819_50a19c6
+Obsoletes:      docker-runc_50a19c6
+ExcludeArch:    s390
+
+# Construct "git describe --dirty --long --always".
+%define git_describe v%{upstream_version}-0-g%{git_short}
+
+%description
+runc is a CLI tool for spawning and running containers according to the OCI
+specification. It is designed to be as minimal as possible, and is the workhorse
+of Docker. It was originally designed to be a replacement for LXC within Docker,
+and has grown to become a separate project entirely.
+
+%prep
+%setup -q -n %{name}-%{upstream_version}
+%autopatch -p1
+
+%build
+# build runc
+make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
+# build man pages
+man/md2man-all.sh
+
+# make sure that our keyring copy is identical to upstream.
+our_keyring=$(sha256sum <"%{SOURCE2}")
+src_keyring=$(sha256sum <runc.keyring)
+if [ "$our_keyring" != "$src_keyring" ]; then
+	echo "keyring file doesn't match upstream"
+	diff -u "%{SOURCE2}" runc.keyring
+	exit 1
+fi
+
+%install
+# We install to /usr/sbin/runc as per upstream and create a symlink in /usr/bin
+# for rootless tools.
+install -D -m0755 %{name} %{buildroot}%{_sbindir}/%{name}
+install -m0755 -d %{buildroot}%{_bindir}
+ln -s  %{_sbindir}/%{name} %{buildroot}%{_bindir}/%{name}
+
+# Man pages.
+install -d -m0755 %{buildroot}%{_mandir}/man8
+install -m0644 man/man8/runc*.8 %{buildroot}%{_mandir}/man8
+
+%fdupes %{buildroot}
+
+%files
+%defattr(-,root,root)
+%doc README.md
+%license LICENSE
+%{_sbindir}/%{name}
+%{_bindir}/%{name}
+%{_mandir}/man8/runc*.8.gz
+
+%changelog