Tags: kolyshkin/runc

v1.0.2

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.2 -- "Given the right lever, you can move a planet."

This is a second stable release in the 1.0 branch, fixing a few medium and
high priority issues, including one that affects Kubernetes' usage of
runc's libcontainer.

Bugfixes:

 * Fixed a failure to set CPU quota period in some cases on cgroup v1. (opencontainers#3115)
 * Fixed the inability to start a container with the "adding seccomp filter
   rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
   that have an action equal to the default one). Such redundant rules are now
   skipped. (opencontainers#3129)
 * Made release builds reproducible from now on. (opencontainers#3142)
 * Fixed a rare debug log race in runc init, which can result in occasional
   harmful "failed to decode ..." errors from runc run or exec. (opencontainers#3130)
 * Fixed the check in cgroup v1 systemd manager if a container needs to be
   frozen before Set, and add a setting to skip such freeze unconditionally.
   The previous fix for that issue, done in runc 1.0.1, was not working.
   (opencontainers#3167)

Thanks to all of the contributors who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Mrunal Patel <mrunal@me.com>
 * Odin Ugedal <odin@uged.al>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.1

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.1 -- "If in doubt, Meriadoc, always follow your nose."

This is the first stable release in the 1.0 branch, fixing a few medium
and high priority issues with runc 1.0.0, including a few that affect
Kubernetes' usage of libcontainer.

Bugfixes:
 * Fixed occasional runc exec/run failure ("interrupted system call") on an
   Azure volume. (opencontainers#3074)
 * Fixed "unable to find groups ... token too long" error with /etc/group
   containing lines longer than 64K characters. (opencontainers#3079)
 * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
   frozen.  This is a regression in 1.0.0, not affecting runc itself but some
   of libcontainer users (e.g. Kubernetes). (opencontainers#3085)
 * cgroupv2: bpf: Ignore inaccessible existing programs in case of
   permission error when handling replacement of existing bpf cgroup
   programs. This fixes a regression in 1.0.0, where some SELinux
   policies would block runc from being able to run entirely. (opencontainers#3087)
 * cgroup/systemd/v2: don't freeze cgroup on Set. (opencontainers#3092)
 * cgroup/systemd/v1: avoid unnecessary freeze on Set. (opencontainers#3093)

Thanks to all of the contributors who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Maksim An <maksiman@microsoft.com>
 * Mrunal Patel <mrunal@me.com>
 * Odin Ugedal <odin@uged.al>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.0

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.0 -- "A wizard is never late, nor is he early, he arrives precisely when he means to."

This release fixes a few bugs found (almost all related to cgroupv2
handling), and is the first non-rc release of runc in 5 years
(v1.0.0-rc1 was released in 2016). It's been a very long road, and we
thank the many contributors and maintainers that helped us get to this
point (approximately 422 people in total).

As runc follows Semantic Versioning, we will endeavor to not make any
breaking changes without bumping the major version number of runc.

However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is *not* covered by this policy -- for
historical reasons, this code was not moved into an "internal" package
(this feature did not exist in Go at the time) and because certain
projects currently depend on this, we have not yet moved this code into
an internal package. Despite this, we reserve the right to make breaking
changes in our Go APIs (though we will note such changes in our
changelog, and will try to avoid needless disruption if possible).

Breaking changes:

 * Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
   use libcontainer/devices) (opencontainers#2999)
 * Removed libcontainer/system.RunningInUserNS function (deprecated since
   rc94, use libcontainer/userns) (opencontainers#2999)

Deprecations:

 * The usage of relative paths for mountpoints will now produce a warning
   (such configurations are outside of the spec, and in future runc will
   produce an error when given such configurations). (opencontainers#2917, opencontainers#3004)

Bugfixes:

 * cgroupv2: devices: rework the filter generation to produce consistent
   results with cgroupv1, and always clobber any existing eBPF
   program(s) to fix `runc update` and avoid leaking eBPF programs
   (resulting in errors when managing containers).  (opencontainers#2951)
 * cgroupv2: correctly convert "number of IOs" statistics in a
   cgroupv1-compatible way. (opencontainers#2965, opencontainers#2967, opencontainers#2968, opencontainers#2964)
 * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
 * cgroupv2: wait for freeze to finish before returning from the freezing
   code, optimize the method for checking whether a cgroup is frozen. (opencontainers#2955)
 * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
 * cgroups/systemd: fixed returning "unit already exists" error from a systemd
   cgroup manager (regression in rc94) (opencontainers#2997, opencontainers#2996)

Improvements:

 * cgroupv2: support SkipDevices with systemd driver (opencontainers#2958, opencontainers#3019)
 * cgroup/systemd: return, not ignore, stop unit error from Destroy (opencontainers#2946)
 * Fix all golangci-lint failures. (opencontainers#2781, opencontainers#2962)
 * Make "runc --version" output sane even when built with `go get` or
   otherwise outside of our build scripts. (opencontainers#2962)
 * cgroups: set SkipDevices during runc update (so we don't modify
   cgroups at all during `runc update`). (opencontainers#2994)
 * cgroup1: blkio: support BFQ weights. (opencontainers#3010)
 * cgroupv2: set per-device io weights if BFQ IO scheduler is available.
   (opencontainers#3022)

Thanks to the following people who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Antti Kervinen <antti.kervinen@intel.com>
 * Daniel, Dao Quang Minh <dqminh89@gmail.com>
 * Enrico Weigelt <info@metux.net>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Michael Crosby <michael@thepasture.io>
 * Mrunal Patel <mrunal@me.com>
 * Peter Hunt <pehunt@redhat.com>
 * Qiang Huang <h.huangqiang@huawei.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Shiming Zhang <wzshiming@foxmail.com>
 * Yashpal Choudhary <yashpal.c1995@gmail.com>

Vote: +5 -0 %2
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.0-rc95

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.0-rc95 -- "Just when I thought I was out, they pull me back in."

This release of runc contains a fix for CVE-2021-30465[1], and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).

Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).

Thanks to the following people who made this release possible:

 * Aleksa Sarai <cyphar@cyphar.com>
 * Giuseppe Scrivano <gscrivan@redhat.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Mrunal Patel <mrunal@me.com>

Due to the nature of this release, it didn't go through the normal
public release procedure. However, this break from procedure was agreed
upon on the security mailing list.

[1]: GHSA-c3xm-pvg7-gh7r

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.0-rc94

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.0-rc94 -- "Time is an illusion. Lunchtime doubly so."

This release fixes several regressions found in v1.0.0-rc93. We
recommend users update as soon as possible. This release includes the
following notable changes:

Potentially breaking changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
  been effectively deprecated by the kernel. Users should make use of
  regular memory cgroup controls. (opencontainers#2840)
* libcontainer/cgroups: cgroup managers' `Set` now accept
  `configs.Resources` rather than `configs.Cgroups` (opencontainers#2906)
* libcontainer/cgroups/systemd: reconnect and retry in case dbus
  connection is closed (after dbus restart) (opencontainers#2923)
* libcontainer/cgroups/systemd: don't set limits in `Apply` (opencontainers#2814)

Bugfixes:
* seccomp: fix 32-bit compilation errors (regression in rc93, opencontainers#2783)
* cgroupv2: blkio weight value conversion fix (opencontainers#2786)
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  (regression in rc93, opencontainers#2871)
* runc start: fix "chdir to cwd: permission denied" for some setups
  (regression in rc93, opencontainers#2894)
* s390: fix broken terminal (regression in rc93, opencontainers#2898)

Improvements:
* runc start/exec: better diagnostics when container limits are too low
  (opencontainers#2812)
* runc start/exec: better cleanup after failed runc init (opencontainers#2855)
* cgroupv1: improve freezing chances (opencontainers#2941, opencontainers#2918, opencontainers#2791)
* cgroupv2: multiple GetStats improvements (opencontainers#2816, opencontainers#2873)
* cgroupv2: fallback to setting io.weight if io.bfq.weight is not
  available (opencontainers#2820)
* capabilities: WARN, not ERROR, for unknown / unavailable capabilities
  (opencontainers#2854)

Thanks to the following people who made this release possible:

 * Adam Korcz <adam@adalogics.com>
 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Ben Hutchings <ben.hutchings@essensium.com>
 * Danail Branekov <danailster@gmail.com>
 * Daniel Dao <dqminh89@gmail.com>
 * Enrico Weigelt <info@metux.net>
 * Iceber Gu <wei.cai-nat@daocloud.io>
 * Kenta Tada <Kenta.Tada@sony.com>
 * Kieron Browne <kbrowne@vmware.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Liang Zhou <zhoul110@chinatelecom.cn>
 * Liu Hua <weldonliu@tencent.com>
 * Mauricio Vásquez <mauricio@kinvolk.io>
 * Mrunal Patel <mrunal@me.com>
 * Odin Ugedal <odin@uged.al>
 * Peter Hunt <pehunt@redhat.com>
 * Qiang Huang <h.huangqiang@huawei.com>
 * Ryosuke Hanatsuka <hanatsuu@gmail.com>
 * Sascha Grunert <sgrunert@redhat.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Shengjing Zhu <zhsj@debian.org>
 * Shiming Zhang <wzshiming@foxmail.com>
 * Vasiliy Ulyanov <vulyanov@suse.de>

Vote: +6 -0 !1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.0-rc93

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.0~rc93 -- "I never could get the hang of Thursdays."

This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.

 * runc's cgroupv2 support is no longer considered experimental. It is now
   believed to be fully ready for production deployments. In addition, runc's
   cgroup code has been improved:
   - The systemd cgroup driver has been improved to be more resilient and
     handle more systemd properties correctly.
   - We now make use of openat2(2) when possible to improve the security of
     cgroup operations (in future runc will be wholesale ported to libpathrs to
     get this protection in all codepaths).

 * runc's mountinfo parsing code has been reworked significantly, making
   container startup times significantly faster and less wasteful in general.

 * runc now has special handling for seccomp profiles to avoid making new
   syscalls unusable for glibc. This is done by installing a custom prefix to
   all seccomp filters which returns -ENOSYS for syscalls that are newer than
   any syscall in the profile (meaning they have a larger syscall number).

   This should not cause any regressions (because previously users would simply
   get -EPERM rather than -ENOSYS, and the rule applied above is the most
   conservative rule possible) but please report any regressions you find as a
   result of this change -- in particular, programs which have special fallback
   code that is only run in the case of -EPERM.

 * runc now supports the following new runtime-spec features:
   - The umask of a container can now be specified.
   - The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
     CAP_CHECKPOINT_RESTORE) are now supported.
   - The "unified" cgroup configuration option, which allows users to explicitly
     specify the limits based on the cgroup file names rather than abstracting
     them through OCI configuration. This is currently limited in scope to
     cgroupv2.

 * Various rootless containers improvements:
   - runc will no longer cause conflicts if a user specifies a custom device
     which conflicts with a user-configured device -- the user device takes
     precedence.
   - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.

 * runc --root is now always treated as local to the current working directory.

 * The --no-pivot-root hardening was improved to handle nested mounts properly
   (please note that we still strongly recommend that users do not use
   --no-pivot-root -- it is still an insecure option).

 * A large number of code cleanliness and other various cleanups, including
   fairly large changes to our tests and CI to make them all run more
   efficiently.

For packagers the following changes have been made which will have impact on
your packaging of runc:

 * The "selinux" and "apparmor" buildtags have been removed, and now all runc
   builds will have SELinux and AppArmor support enabled. Note that "seccomp"
   is still optional (though we very highly recommend you enable it).

 * make install DESTDIR= now functions correctly.

Thanks to the following people who made this release possible:

 * acetang <aceapril@126.com>
 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Amim Knabben <amim.knabben@gmail.com>
 * An Long <aisk1988@gmail.com>
 * Aos Dabbagh <aosdab@gmail.com>
 * Ashok Pon Kumar <ashokponkumar@gmail.com>
 * Cesar Talledo <ctalledo@nestybox.com>
 * Chaitanya Bandi <kbandi@cs.stonybrook.edu>
 * Cory Bennett <cbennett@netflix.com>
 * Daniel J Walsh <dwalsh@redhat.com>
 * Eduardo Vega <edvegavalerio@gmail.com>
 * Feng Sun <loyou85@gmail.com>
 * Giuseppe Scrivano <gscrivan@redhat.com>
 * Jeff Zvier <zvier20@gmail.com>
 * Kenta Tada <Kenta.Tada@sony.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Manabu Sugimoto <Manabu.Sugimoto@sony.com>
 * Mauricio Vásquez <mauricio@kinvolk.io>
 * Michael Crosby <crosbymichael@gmail.com>
 * Mrunal Patel <mrunalp@gmail.com>
 * Paweł Szulik <pawel.szulik@intel.com>
 * Peter Hunt <pehunt@redhat.com>
 * Piotr Wagner <piotr.wagner@intel.com>
 * Sascha Grunert <sgrunert@suse.com>
 * SataQiu <1527062125@qq.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * Shengjing Zhu <zhsj@debian.org>
 * Shukui Yang <keloyangsk@gmail.com>
 * wangtianxia <sometimesnaive@sjtu.edu.cn>
 * Wei Fu <fuweid89@gmail.com>
 * Xiaochen Shen <xiaochen.shen@intel.com>
 * Xiaodong Liu <liuxiaodong@loongson.cn>

Vote: +6 -0 #1
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
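
The seccomp change described in the rc93 notes above, as an added example (a simplified model, not runc's own code): it contrasts the errno a caller sees with and without the -ENOSYS prefix. The syscall table is a constructed x86_64 sample, and `Profile`, `Filter` and `Spawn` are hypothetical names; the caller that falls back only on ENOSYS is an assumption about libc-style behaviour.

```go
package main

import (
	"fmt"
	"syscall"
)

// Constructed sample data: x86_64 numbers of a few syscalls.
var nr = map[string]int{
	"read": 0, "write": 1, "clone": 56, "ptrace": 101,
	"openat": 257, "clone3": 435, "faccessat2": 439,
}

// Profile is a simplified allow-list: listed syscalls pass, everything else
// gets the default errno.
type Profile struct {
	Allowed []string
	Default syscall.Errno
}

// newest returns the largest syscall number the profile mentions.
func (p Profile) newest() int {
	hi := -1
	for _, name := range p.Allowed {
		if nr[name] > hi {
			hi = nr[name]
		}
	}
	return hi
}

// Filter returns 0 if the syscall is allowed, else the errno the caller sees.
// With prefix=true it models the rule from the release notes: a syscall with a
// larger number than any syscall in the profile gets ENOSYS.
func (p Profile) Filter(name string, prefix bool) syscall.Errno {
	for _, a := range p.Allowed {
		if a == name {
			return 0
		}
	}
	if prefix && nr[name] > p.newest() {
		return syscall.ENOSYS
	}
	return p.Default
}

// Spawn models a caller that prefers clone3 and falls back to clone only when
// it is told ENOSYS (assumed libc-style behaviour).
func Spawn(p Profile, prefix bool) (string, syscall.Errno) {
	switch err := p.Filter("clone3", prefix); err {
	case 0:
		return "clone3", 0
	case syscall.ENOSYS:
		return "clone", p.Filter("clone", prefix)
	default:
		return "", err // EPERM is treated as a real denial, no fallback
	}
}

func main() {
	p := Profile{Allowed: []string{"read", "write", "clone", "openat"}, Default: syscall.EPERM}
	for _, prefix := range []bool{false, true} {
		used, err := Spawn(p, prefix)
		fmt.Printf("prefix=%v spawn via %q (%v), ptrace: %v\n",
			prefix, used, err, p.Filter("ptrace", prefix))
	}
}
```

A syscall that the profile omits but that is older than the newest listed one (ptrace here) still gets the default -EPERM, so the prefix does not loosen the profile.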

v1.0.0-rc92

Verified

This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
v1.0.0~rc92

This release contains a hotfix to solve a regression in v1.0.0-rc91 that
concerns Docker (this only affects Docker's vendoring of libcontainer,
not the usage of runc as the runtime):

 * Fix helpers used by Docker to correctly handle symlinks in /dev (when running
   with --privileged containers).

As well as some other improvements:

 * Updates to CRIU support.
 * Improvements to cgroupfs performance and correctness.

Thanks to the following people who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Daniel J Walsh <dwalsh@redhat.com>
 * Giuseppe Scrivano <gscrivan@redhat.com>
 * John Hwang <john.f.hwang@gmail.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Lokesh Mandvekar <lsm5@fedoraproject.org>
 * Mrunal Patel <mrunalp@gmail.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * tjucoder <chinesecoder@foxmail.com>
 * Xiaodong Liu <liuxiaodong@loongson.cn>
 * Xiaoyu Zhang <mateuszhang@tencent.com>
 * zvier <zvier20@gmail.com>

Vote: +4 -0 #3
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

v1.0.0-rc91

Verified

This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
v1.0.0-rc91

This is intended to be the second-last RC release, with -rc92 having
very few large changes so that we can release runc 1.0 (at long last).

 * The long-awaited hooks changes have been merged into runc. This was
   one of the few remaining spec-related issues which were blocking us
   from releasing runc 1.0. Existing hook users will not be affected by
   this change, but runc now supports additional hooks that we expect
   users to migrate to eventually. The new hooks are:

    - createRuntime (replacement for the now-deprecated prestart)
    - createContainer
    - startContainer

 * A large amount of effort has been undertaken to support cgroupv2
   within runc. The support is still considered experimental, but it is
   mostly functional at this point. Please report any bugs you find when
   running under cgroupv2-only systems.

 * A minor-severity security bug was fixed[1]. The devices list would
   be in allow-by-default mode from the outset, meaning that users would
   have to explicitly specify they wish to deny all device access at the
   beginning of the configuration. While this would normally be
   considered a high-severity vulnerability, all known users of runc had
   worked around this issue several years ago (hence why this fairly
   obvious bug was masked).

   In addition, the devices list code has been massively improved such
   that it will attempt to avoid causing spurious errors in the
   container (such as while writing to /dev/null) when doing devices
   cgroup updates.

 * A security audit of runc was conducted in 2019, and the report PDF is
   now included in the runc repository. The previous release of runc
   has already addressed the security issues found in that report.

Thanks to the following people who made this release possible:

 * Adrian Reber <areber@redhat.com>
 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Alban Crequy <alban@kinvolk.io>
 * Aleksa Sarai <asarai@suse.de>
 * Alice Frosi <afrosi@de.ibm.com>
 * Amye Scavarda Perrin <amye@linuxfoundation.org>
 * Andrei Vagin <avagin@gmail.com>
 * Boris Popovschi <zyqsempai@mail.ru>
 * Brian Goff <cpuguy83@gmail.com>
 * Chris Aniszczyk <caniszczyk@gmail.com>
 * Danail Branekov <danailster@gmail.com>
 * Giuseppe Scrivano <gscrivan@redhat.com>
 * iwankgb <maciej.iwanowski@intel.com>
 * John Hwang <John.F.Hwang@gmail.com>
 * Katarzyna Kujawa <katarzyna.kujawa@intel.com>
 * Kenta Tada <Kenta.Tada@sony.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * Kir Kolyshkin <kolyshkin@users.noreply.github.com>
 * Kohei Ota <kela@inductor.me>
 * l00397676 <lujingxiao@huawei.com>
 * Lifubang <lifubang@acmcoder.com>
 * Mario Nitchev <marionitchev@gmail.com>
 * Michael Crosby <crosbymichael@gmail.com>
 * Mrunal Patel <mrunalp@gmail.com>
 * Odin Ugedal <odin@ugedal.com>
 * Paweł Szulik <pawel.szulik@intel.com>
 * Peter Hunt <pehunt@redhat.com>
 * Pradyumna Agrawal <pradyumnaa@vmware.com>
 * Qiang Huang <h.huangqiang@huawei.com>
 * Renaud Gaubert <rgaubert@nvidia.com>
 * Sascha Grunert <sgrunert@suse.com>
 * Sebastiaan van Stijn <github@gone.nl>
 * SiYu Zhao <d.chaser.zsy@gmail.com>
 * Ted Yu <yuzhihong@gmail.com>
 * Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
 * Tianon Gravi <admwiggin@gmail.com>
 * Tobias Klauser <tklauser@distanz.ch>
 * wanghuaiqing <wanghuaiqing@loongson.cn>
 * W. Trevor King <wking@tremily.us>
 * Yulia Nedyalkova <julianedialkova@hotmail.com>
 * zyu <yuzhihong@gmail.com>

> **NOTE**: For those who are confused by the massive version jump (rc10
> to rc91), this was done to avoid issues with SemVer and lexical
> comparisons -- there haven't been 90 other release candidates. Please
> also note that runc 1.0.0-rc90 is identical to 1.0.0-rc10.

[1]: GHSA-g54h-m393-cpwq

Vote: +7 -0 #0
Signed-off-by: Aleksa Sarai <asarai@suse.de>

v1.0.0-rc90

Verified

This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
v1.0.0-rc90

This release is *identical* to v1.0.0-rc10.

The purpose of this release is to resolve an issue with our versioning
scheme (in particular, the format we've used under SemVer means that the
"-rcNN" string suffix is sorted lexicographically rather than in the
classic `sort -V` order).

Because we cannot do a post-1.0 release yet, this is a workaround to
make sure that systems such as Go modules correctly update to the latest
runc release. See [1] for more details.

The next release (which would've originally been called -rc11) will be
1.0.0-rc91. I'm sorry.

[1]: opencontainers#2399

Signed-off-by: Aleksa Sarai <asarai@suse.de>
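
The versioning issue described in the rc90 notes above, as an added example (not code from runc or from Go's module tooling): a small SemVer 2.0.0 precedence comparator showing that a resolver following SemVer ranks rc9 above rc10, the hot-fix release, until rc90 is tagged. The function names are hypothetical; the tag names are the ones on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// parse splits "v1.0.0-rc10" into core numbers and pre-release identifiers.
func parse(tag string) (core [3]int, pre []string) {
	parts := strings.SplitN(strings.TrimPrefix(tag, "v"), "-", 2)
	fmt.Sscanf(parts[0], "%d.%d.%d", &core[0], &core[1], &core[2])
	if len(parts) == 2 {
		pre = strings.Split(parts[1], ".")
	}
	return core, pre
}

func isNumeric(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// compareIdent orders two pre-release identifiers (SemVer 2.0.0, item 11.4).
func compareIdent(a, b string) int {
	an, bn := isNumeric(a), isNumeric(b)
	switch {
	case an && bn && len(a) != len(b):
		return len(a) - len(b) // no leading zeros allowed: longer means larger
	case an && !bn:
		return -1 // numeric identifiers rank below alphanumeric ones
	case bn && !an:
		return 1
	}
	return strings.Compare(a, b) // "rc10" vs "rc9" lands here: plain ASCII order
}

// Compare is negative, zero or positive as a ranks below, equal to or above b.
func Compare(a, b string) int {
	ac, ap := parse(a)
	bc, bp := parse(b)
	for i := range ac {
		if ac[i] != bc[i] {
			return ac[i] - bc[i]
		}
	}
	if len(ap) == 0 || len(bp) == 0 {
		return len(bp) - len(ap) // a final release outranks any pre-release
	}
	for i := 0; i < len(ap) && i < len(bp); i++ {
		if c := compareIdent(ap[i], bp[i]); c != 0 {
			return c
		}
	}
	return len(ap) - len(bp) // more identifiers win when the prefix is equal
}

// Latest returns the tag a SemVer-ordered resolver would treat as newest.
func Latest(tags []string) string {
	best := tags[0]
	for _, t := range tags[1:] {
		if Compare(t, best) > 0 {
			best = t
		}
	}
	return best
}

func main() {
	tags := []string{"v1.0.0-rc9", "v1.0.0-rc10"} // tag names from this page
	fmt.Println(Latest(tags), Latest(append(tags, "v1.0.0-rc90", "v1.0.0-rc91")))
}
```

Because "rc10" is a single alphanumeric identifier, it is compared as a string; a form such as "rc.10" would have been compared numerically.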

v1.0.0-rc10

Verified

This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
v1.0.0~rc10

This is a hot-fix for v1.0.0~rc9, primarily fixing CVE-2019-19921. Given
that the relevant runtime-spec PR which was considered a blocker has
been merged[1] the next rc release of runc should be the last one before
1.0.0.

Thanks to the following people who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <asarai@suse.de>
 * James Peach <jpeach@apache.org>
 * Jordan Liggitt <liggitt@google.com>
 * Julia Nedialkova <julianedialkova@hotmail.com>
 * Julio Montes <julio.montes@intel.com>
 * Kevin Kelani <kkelani@gmail.com>
 * Kurnia D Win <kurnia.d.win@gmail.com>
 * Manuel Rüger <manuel@rueg.eu>
 * Michael Crosby <crosbymichael@gmail.com>
 * Mrunal Patel <mrunal@me.com>
 * Qiang Huang <h.huangqiang@huawei.com>
 * Radostin Stoyanov <rstoyanov1@gmail.com>
 * Sascha Grunert <sgrunert@suse.com>
 * tianye15 <tianye15@yq01-ps-www007cc6e83.yq01.baidu.com>

[1]: opencontainers/runtime-spec#1008

Vote: +4 -0 #1
Signed-off-by: Aleksa Sarai <asarai@suse.de>