Release v1.1.15 #4422
Conversation
8a768e6 to 28ccc03
Hmm, AlmaLinux 9 is failing with:

not ok 14 runc run (cgroup v2 resources.unified only)
# (in test file tests/integration/cgroups.bats, line 270)
# `[ "$status" -eq 0 ]' failed
# runc spec (status=0):
#
# runc run -d --console-socket /tmp/bats-run-eiy40K/runc.G1EDSZ/tty/sock test_cgroups_unified (status=1):
# time="2024-10-02T11:30:45Z" level=error msg="runc run failed: unable to start container process: container init was OOM-killed (memory limit too low?)"

It also failed when merging to the 1.1 branch, but not on the PR. See the last commit "merge #4391 into opencontainers/runc:release-1.1": https://github.com/opencontainers/runc/commits/release-1.1/
Fixed here for 1.1: #4423

Since #4347 is a longer-standing issue I don't think we need to block a 1.1.z patch release on it. Maybe we might want to block 1.2.0 on it (depending on how the spec stuff goes) but I'm not sure if we would even want to backport a spec fix to 1.1.z.

LGTM but needs rebase
No entry lives under this line, let's just remove it.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

28ccc03 to d2f93b0
[@kolyshkin: rebased; added a CVE link; added 1.1.15 link; changed date to 7 Oct]

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
d2f93b0 to 9f4baaa
LGTM
I rebased this PR and did some minor fixes to the changelog (added missing CVE and 1.1.15 links, fixed the "Unreleased 1.1.z" link). Also changed the release date to Monday, because why not.

It's a relatively big one and might not be backportable as-is, so I'd rather have it in 1.2.0. If anything, this gives us yet another reason to release it sooner.

Thanks!
[1.1.15] - 2024-10-07

Fixed

The -ENOSYS seccomp stub is now always generated for the native architecture that runc is running on. This is needed to work around some arguably specification-incompliant behaviour from Docker on architectures such as ppc64le, where the allowed architecture list is set to null. This ensures that we always generate at least one -ENOSYS stub for the native architecture even with these weird configs. ([1.1] seccomp: patchbpf: always include native architecture in stub #4391)

/proc/self/mountinfo may skip some entries; as a consequence, runc may not properly set mount propagation, causing container mounts to leak onto the host mount namespace. (runc has problems due to leaked mount information #2404, [1.1] runc run: fix mount leak #4425)

Removed

against CVE-2019-5736, the temporary ro bind-mount of /proc/self/exe has been removed. runc now creates a binary copy in all cases. ([1.1] nsenter: cloned_binary: remove bindfd logic entirely #4392, too many mount/umount syscalls #2532)
I'd like to create a 1.1.15 release including the change to remove the bindfd logic (already backported :)), as that is causing us quite some pain. I'm of course fine if we release earlier than that date, in fact that would be great :)
I'll be on PTO starting today and coming back next week. Feel free to either push to this branch to amend any changes (maintainers can push to that branch on my behalf IIUC), otherwise I can address the changes early next week.