
Dockerfile: update runc binary to 1.1.15 #5417

Closed

Conversation

@austinvazquez austinvazquez commented Oct 9, 2024

diff: opencontainers/runc@v1.1.14...v1.1.15

Release Notes:

  • The -ENOSYS seccomp stub is now always generated for the native
    architecture that runc is running on. This is needed to work around some
    arguably specification-incompliant behaviour from Docker on architectures
    such as ppc64le, where the allowed architecture list is set to null. This
    ensures that we always generate at least one -ENOSYS stub for the native
    architecture even with these weird configs.
  • On a system with an older kernel, reading /proc/self/mountinfo may skip some
    entries; as a consequence runc may not properly set mount propagation,
    causing container mounts to leak onto the host mount namespace.
  • In order to fix performance issues in the "lightweight" bindfd protection
    against https://github.com/advisories/GHSA-gxmr-w5mj-v8hh, the temporary ro
    bind-mount of /proc/self/exe has been removed. runc now creates a binary
    copy in all cases.

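The second release note above describes a failure mode (mount propagation not set correctly, so container mounts leak onto the host) that a practitioner may want to check for from inside a container. The following is an added example, not code from this PR or from runc: a small Go parser for the /proc/self/mountinfo format that locates the variable-length optional fields by the "-" separator, decodes the \ooo escapes used in path fields, and lists the mount points that are still in a shared peer group. The names ParseMountInfo, SharedMounts and SampleMountInfo are assumptions of this example, and SampleMountInfo is a constructed excerpt rather than a capture from a real container. The example does not work around the older-kernel bug the note describes; it only reports what it is given.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Mount holds the fields of one /proc/self/mountinfo line that matter for
// a propagation check (see proc(5) for the full format).
type Mount struct {
	ID, Parent int
	MountPoint string   // field 5, with \ooo escapes decoded
	Optional   []string // fields between 6 and "-": shared:N, master:N, ...
	FSType     string
	Source     string
}

// SampleMountInfo is a constructed mountinfo excerpt, not captured from a real
// container. Line 4 is in a shared peer group; line 5 uses the \040 escape
// that mountinfo emits for a space in a path.
const SampleMountInfo = `
22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
23 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:23 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
25 22 8:1 /data /mnt/data rw,relatime shared:5 - ext4 /dev/sda1 rw
26 22 8:1 /data/with\040space /mnt/with\040space rw,relatime master:5 - ext4 /dev/sda1 rw
`

// unescape decodes the \ooo octal escapes mountinfo uses for space, tab,
// newline and backslash inside path fields.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// ParseMountInfo parses mountinfo text. The optional fields vary in number,
// so the parser finds the "-" separator instead of assuming fixed positions.
func ParseMountInfo(text string) ([]Mount, error) {
	var mounts []Mount
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		sep := -1
		for i := 6; i < len(f); i++ {
			if f[i] == "-" {
				sep = i
				break
			}
		}
		// fstype, source and super options must follow the separator.
		if sep < 0 || len(f) < sep+4 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		id, err1 := strconv.Atoi(f[0])
		parent, err2 := strconv.Atoi(f[1])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad mount/parent id in %q", line)
		}
		mounts = append(mounts, Mount{ID: id, Parent: parent,
			MountPoint: unescape(f[4]), Optional: f[6:sep],
			FSType: f[sep+1], Source: unescape(f[sep+2])})
	}
	return mounts, sc.Err()
}

// SharedMounts returns mount points still in a shared peer group ("shared:N").
// Inside a container, mount and unmount events on these propagate to their
// peers, which may include the host; "master:N" (slave) mounts do not.
func SharedMounts(mounts []Mount) []string {
	var out []string
	for _, m := range mounts {
		for _, opt := range m.Optional {
			if strings.HasPrefix(opt, "shared:") {
				out = append(out, m.MountPoint)
				break
			}
		}
	}
	return out
}

func main() {
	text := SampleMountInfo
	if len(os.Args) > 1 { // e.g. go run . /proc/self/mountinfo inside a container
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		text = string(b)
	}
	mounts, err := ParseMountInfo(text)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d mounts, shared peer groups at: %v\n", len(mounts), SharedMounts(mounts))
}
```

Run with no arguments to parse the constructed sample; pass /proc/self/mountinfo to check a live namespace. A non-empty SharedMounts result inside a container is worth investigating, since it is the condition under which mounts made in the container can show up on the host.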
austinvazquez commented Oct 9, 2024

Opening prematurely to test whether there are any issues with runc/containerd integration with buildkit. moby usually waits to consume a runc release until containerd has vetted it. containerd 1.6 CI (containerd/containerd#10795) has exposed an issue with runc v1.1.15 with the cgroupfs driver.

@austinvazquez

1.2 is out. Closing in favor of that.
