Due to CVE-2019-5736, we had to do another -rc release so users can update. We
hope to be able to release 1.0.0 in the near future (there is still an
outstanding spec-compliance issue with OCI hooks which we need to resolve
first).
This also updates runc to a vendored commit of the runtime-spec rather than a
full release, which will hopefully be rectified with runc 1.0.0.

Security:
+ Mitigate CVE-2019-5736. This is an updated version of the patch series sent
out on openwall and we encourage users to update. #1982 #1984
NOTE: This mitigation *WILL NOT WORK* if you run untrusted containers with
host uid 0 and give them CAP_SYS_ADMIN (the protection operates
through a hidden read-only bind-mount which can be re-mounted by
CAP_SYS_ADMIN privileged users).
Put simply -- we consider granting CAP_SYS_ADMIN to untrusted
containers without user namespaces to be fundamentally insecure, as
such we do not consider this to be a security issue.
If you want an additional host-level mitigation, use `chattr +i` on
the host file to ensure containers without CAP_LINUX_IMMUTABLE cannot
write to it -- even with CAP_SYS_ADMIN. But as above, if you give
CAP_LINUX_IMMUTABLE to a container you will have problems.
An alternative is to bind-mount a sealed memfd copy of the runc
binary over the binary (runc will detect this and will not attempt
further mitigation, because sealed memfds are fundamentally
unmodifiable) but this requires more in-depth work by administrators.
+ There appear to be production users of --no-pivot-root, which is something
that we absolutely recommend against and do not consider to be a secure
configuration -- since pivot_root(2) has many security properties that are
not possible to provide with just chroot(2).
However, a specific issue was discovered which we decided to mitigate in
order to avoid production users being exploited by it. This security issue
is *not* eligible for a CVE because it requires an insecure configuration
(--no-pivot-root). #1962

Features:
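As an added illustration of the sealed-memfd option described in the CVE-2019-5736 note above (example code written for this page, not runc's own implementation), this is the administrator-side copy-and-seal step: the binary is copied into an anonymous memfd, all seals are applied so the contents can never be changed, and the sealed copy is bind-mounted over the real path. It assumes Linux with memfd_create (3.17+), root for the mount step, and an install path supplied by the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback values (kernel UAPI) in case the libc headers hide the sealing API. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 1
#define F_SEAL_SHRINK 2
#define F_SEAL_GROW 4
#define F_SEAL_WRITE 8
#endif
#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy the file at `path` into an anonymous memfd and seal it; returns the fd or -1. */
int make_sealed_copy(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* 3 = MFD_CLOEXEC | MFD_ALLOW_SEALING; the raw syscall avoids a glibc version dependency. */
    int mfd = (int)syscall(SYS_memfd_create, "runc", 3U);
    if (mfd < 0) { close(src); return -1; }
    char buf[65536]; ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0)
        if (write(mfd, buf, (size_t)n) != n) { n = -1; break; }
    close(src);
    /* Seals can never be removed, and F_SEAL_SEAL forbids adding any more. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0) { close(mfd); return -1; }
    return mfd;
}

int get_seals(int fd) { return fcntl(fd, F_GET_SEALS); }

/* Returns 0 if a write got through, otherwise errno (EPERM for a sealed memfd). */
int try_write(int fd) { return write(fd, "x", 1) == 1 ? 0 : errno; }

/* Host-side step, root only: bind-mount the sealed copy over the real binary so every
 * container that execs runc gets the immutable copy (assumed target, e.g. /usr/sbin/runc). */
int bind_over(int mfd, const char *target)
{
    char src[64];
    snprintf(src, sizeof src, "/proc/self/fd/%d", mfd);
    return mount(src, target, NULL, MS_BIND, NULL);
}
```

The bind mount keeps the memfd alive after the fd is closed, so the copy persists until the mount is removed.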
+ Add intelrdt support for MBA to runc (a new intelrdt feature available in
Linux 4.18+). #1919
+ Add support for specifying a CRIU configuration file for checkpoint/restore
(which makes use of a new org.criu.config annotation). #1933 #1964
+ Add support for "runc exec --preserve-fds". #1995
+ Added support for SELinux labeling of keyrings. #2012

Fixes:
* Correct handling of "runc kill" when a container is stopped or paused.
#1934 #1943
* Error out if built with nokmem and kmemcg limits were requested. #1939
* Update check-config.sh to be in line with Docker's. #1942
* Improve handling of kmem and the systemd cgroup driver. #1960
* Improve resilience of adding setns tasks to cgroups. #1950
* Remove (broken) detection of .scope for systemd. #1978
* Fix console hanging with preserve-fds, where not enough fds have actually
been provided to runc (which is a very common mistake when using
--preserve-fds). #2000
* Create bind-mounts when restoring. #1968
* Fix regression of zombie "runc init" processes. #2023

Thanks to all of the contributors that made this release possible:
* Ace-Tang <[email protected]>
* Adrian Reber <[email protected]>
* Aleksa Sarai <[email protected]>
* Alex Fang <[email protected]>
* Christian Brauner <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* Daniel J Walsh <[email protected]>
* Filipe Brandenburger <[email protected]>
* Giuseppe Scrivano <[email protected]>
* JoeWrightss <[email protected]>
* John Howard <[email protected]>
* Justin Cormack <[email protected]>
* Kenta Tada <[email protected]>
* Lifubang <[email protected]>
* Michael Crosby <[email protected]>
* Mrunal Patel <[email protected]>
* Tom Godkin <[email protected]>
* Vincent Batts <[email protected]>
* Xiaochen Shen <[email protected]>

With special thanks and well-wishes to Victor Marmol and Rohit Jnagal, who have
both decided to give up their maintainership. Thanks for all of your
contributions over the years, and good luck with your future endeavours!

Signed-off-by: Aleksa Sarai <[email protected]>