Tags: ijumps/runc
v1.0.0~rc6

This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0) it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix them it turns out that many users (notably the NVIDIA OCI hooks) make use of our incorrect hook ordering. Many of the proposed solutions to this problem all require a lot of time and co-ordination, and thus would stall this release indefinitely.

So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).

Features:

+ Upgrade to using Go 1.10. opencontainers#1711
+ Upgrade to CRIU 3.11. opencontainers#1711 opencontainers#1864 opencontainers#1935 opencontainers#1936
+ Allow for checkpoint-restore into a foreign network namespace. opencontainers#1849
+ The "type" field for bind-mounts is now ignored. This is important, because many users incorrectly assume that "type" defines a bind-mount and not "options". Previously you had to set both. opencontainers#1753 opencontainers#1845
+ "setgroups=allow" is now possible in rootless mode, but requires the use of the privileged newgidmap helper (fully-rootless still requires "setgroups=deny"). opencontainers#1693
+ Rootless mode can now safely ignore a read-only cgroupfs. opencontainers#1759 opencontainers#1806
+ Several aspects of rootless mode are now used inside user namespaces. This is necessary for a bunch of useful things (such as running Docker inside a user namespace), but did cause some breakages. We think they've all been fixed -- but if not please submit an issue! opencontainers#1688 opencontainers#1808 opencontainers#1816 opencontainers#1862
+ Improve kernel.{domain,host}name sysctl handling, to allow the NIS domainname to be set from Docker or other callers without an OCI spec change. opencontainers#1827
+ Add documentation for one of the more confusing parts of runc, how terminals are handled (including an explanation of --console-socket). All the gory details and recommendations are available in docs/terminals.md. opencontainers#1730
+ Allow /proc to be bind-mounted over (useful for rootless containers). opencontainers#1832
+ Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker working with LXC under the default seccomp profile (which is what ChromeOS uses). opencontainers#1893
+ Add support for the Intel RDT/MBA resource control system. opencontainers#1632 opencontainers#1913
+ Allow building with completely-disabled kmemcg support, to get around problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting enabled). opencontainers#1921 opencontainers#1922 opencontainers#1930
+ Add support for cgroup namespaces, which in turn fixes a few other issues we encountered with the previous code (which could be moving us to a cgroup during Go execution). opencontainers#1916

Fixes:

* Namespace creation with user namespaces now plays a bit nicer with SELinux and IPC (which had a bug where the in-kernel mqueue mount would have the wrong tag if using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to avoid future problems with broken kernel integration. opencontainers#1562
* Mild refactor of libcontainer/user. opencontainers#1749
* Fix null-pointer-exception when no cgroups were set. opencontainers#1752
* Various DBus and systemd related changes for the systemd-cgroup driver. opencontainers#1754 opencontainers#1772 opencontainers#1776 opencontainers#1781 opencontainers#1805 opencontainers#1917
* Apply SELinux label to masked directories. opencontainers#1756
* Obey the XDG spec and set the sticky bit on runc's root when using XDG_RUNTIME_DIR (in rootless mode). opencontainers#1760
* Only configure network namespaces if we are creating them. opencontainers#1777
* Fix race in runc-exec against a currently-exiting pid1. opencontainers#1812
* Forward GOMAXPROCS to try to reduce the number of threads started by 'runc init'. Unfortunately there's no way to stop Go from spawning new threads so this is more of a recommendation. opencontainers#1830
* Fix tmpcopyup in cases where /tmp is not a private mount. opencontainers#1873
* Whitelist /proc/loadavg for bind-mounting. opencontainers#1882
* Protect against deletion of runc state directory with a containerid of "..", as well as the addition of other path hardening code. opencontainers#1883
* Handle duplicated cgroupfs mountpoint entries more sanely, to make runc work on distributions that use-and-abuse shared subtrees. opencontainers#1817
* Fix console hanging in several cases. opencontainers#1895 opencontainers#1897
* Lock-to-a-thread during 'runc init' to ensure that we don't switch threads and run within a different SELinux label. opencontainers#1814
* Respect cgroupPath when trying to find the cgroupfs mountpoint (which can happen in cases where containers are given different cgroupfs mounts). opencontainers#1872
* And many other minor changes, many from first-time contributors! opencontainers#1746 opencontainers#1748 opencontainers#1749 opencontainers#1784 opencontainers#1779 opencontainers#1785 opencontainers#1796 opencontainers#1819 opencontainers#1825 opencontainers#1836 opencontainers#1824 opencontainers#1820 opencontainers#1838 opencontainers#1840 opencontainers#1841 opencontainers#1867 opencontainers#1871 opencontainers#1855 opencontainers#1854 opencontainers#1874 opencontainers#1868 opencontainers#1886 opencontainers#1892 opencontainers#1858 opencontainers#1894 opencontainers#1908 opencontainers#1880 opencontainers#1910 opencontainers#1915 opencontainers#1903 opencontainers#1922 opencontainers#1926 opencontainers#1928 opencontainers#1925 opencontainers#1911

Fixes (for spec violations):

* Don't set a container to "running" when exec-ing into it (because it might be in the "created" state). opencontainers#1771
* oom_score_adj is now no longer modified if it was unspecified in config.json (this was a spec violation). opencontainers#1759
* Set "status" in hook stdin, as well as switch to using *spec.State to avoid JSON-representation drift. opencontainers#1741

Thanks to all of the contributors that made this release possible:

* Ace-Tang <[email protected]>
* Adrian Reber <[email protected]>
* Akihiro Suda <[email protected]>
* Alban Crequy <[email protected]>
* Aleksa Sarai <[email protected]>
* Alex Glikson <[email protected]>
* Andrei Vagin <[email protected]>
* Antonio Murdaca <[email protected]>
* Bin Chen <[email protected]>
* ChangFeng <[email protected]>
* Chris Aniszczyk <[email protected]>
* Danail Branekov <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* Daniel J Walsh <[email protected]>
* Denys Smirnov <[email protected]>
* Derek Carr <[email protected]>
* dlorenc <[email protected]>
* Dmitry Smirnov <[email protected]>
* Dominik Süß <[email protected]>
* Filipe Brandenburger <[email protected]>
* Giuseppe Scrivano <[email protected]>
* Harald Nordgren <[email protected]>
* Jay Kamat <[email protected]>
* Jonathan Marler <[email protected]>
* Kenta Tada <[email protected]>
* Kir Kolyshkin <[email protected]>
* Lifubang <[email protected]>
* Lin Yang <[email protected]>
* Marco Vedovati <[email protected]>
* Michael Crosby <[email protected]>
* Mike Brown <[email protected]>
* Mrunal Patel <[email protected]>
* Nalin Dahyabhai <[email protected]>
* Qiang Huang <[email protected]>
* Sebastien Boeuf <[email protected]>
* Sergio Lopez <[email protected]>
* Tamal Saha <[email protected]>
* Tibor Vass <[email protected]>
* vikaschoudhary16 <[email protected]>
* Vincent Batts <[email protected]>
* W. Trevor King <[email protected]>
* Xiaochen Shen <[email protected]>
* Yan Zhu <[email protected]>
* Yuanhong Peng <[email protected]>

Signed-off-by: Aleksa Sarai <[email protected]>

v1.0.0~rc5

This is planned to be the final -rc release of runc. While we really haven't followed the rules for release candidates (with huge features introduced each release, and with massive gaps between releases) the hope is that once we've released 1.0.0 we will be much more liberal with releases in future. Let's see how that pans out. :P

Features:

+ Support cgroups in rootless containers. This is a continuation of the previous work done, and allows for users that have specialised setups (such as having the LXC pam_cg.so module set up) to use cgroups with rootless containers. opencontainers#1540
+ Add support for newuidmap and newgidmap with rootless containers. This is a continuation of some previous work, and allows users that have /etc/sub{uid,gid} configured to use the shadow-utils setuid helpers. Note that this support doesn't restrict users that don't want to use setuid binaries at all. opencontainers#1529
+ runc will now use a chroot when mount namespaces aren't provided in the config.json. While chroot does have its (many) downsides, this does allow for specialised configurations to work properly. opencontainers#1702
+ Expose annotations to hooks, so that the hook can have more direct information about the container it is being run against. opencontainers#1687
+ Add "runc exec --additional-gids" support. opencontainers#1608
+ Allow more signals to be sent with "runc kill" than are defined by Go's syscall package. opencontainers#1706
+ Emit an error if users try to use MS_PRIVATE with --no-pivot, as that is simply not safe. opencontainers#1606
+ Add support for "unbindable" and "runbindable" as rootfs propagation. opencontainers#1655
+ Implement intelrdt support in runc. opencontainers#1279 opencontainers#1590
+ Add support for lazy migration with CRIU. This includes the addition of "runc checkpoint httpd" which acts as a remote pagefault request server. opencontainers#1541
+ Add MIPS support. opencontainers#1475

Fixes:

* Delay seccomp application as late as possible, to reduce the syscall footprint of runc on profiles. opencontainers#1569
* Fix --read-only containers with user namespaces, which would previously fail under Docker because of privilege problems when trying to do the read-only remount. opencontainers#1572
* Switch away from stateDirFd entirely. This is an improvement over the protections we added for CVE-2016-9962, and protects against many other possible container escape bugs. opencontainers#1570
* Handle races between "runc start" and "runc delete" over the exec FIFO correctly, and avoid blocking "runc start" indefinitely. opencontainers#1698
* Correctly generate seccomp profiles that place requirements on syscall arguments, as well as multi-argument restrictions. opencontainers#1616 opencontainers#1424
* Prospective patch for remounting of old-root during pivot_root. This is intended to solve one of the many "mount leak" bugs that have been popping up recently -- caused by lots of container churn and host mounts being pinned during container setup. opencontainers#1500
* Fix "runc exec" on big-endian architectures. opencontainers#1727
* Correct systemd slice expansion to work with cAdvisor. opencontainers#1722
* Fix races against systemd cgroup scope creation. opencontainers#1683
* Do not wait for signalled processes if libcontainer is running in a process that is a subreaper. opencontainers#1678
* Remove dependency on libapparmor entirely, and just use /proc/$pid/attr directly. opencontainers#1675
* Improvements to our integration tests. opencontainers#1661 opencontainers#1629 opencontainers#1528
* Handle systemd's quirky CPUQuotaPerSecUSec handling in fractions-of-a-percent edge-cases. opencontainers#1651
* Remove docker/docker import in runc by moving the package to runc. opencontainers#1644
* Switch from docker's pkg/symlink to cyphar/filepath-securejoin. opencontainers#1622
* Enable integration and unit tests on arm64. opencontainers#1642 opencontainers#1640
* Add /proc/scsi to masked paths (mirror of Docker's CVE-2017-16539). opencontainers#1641
* Add several tests for specconv. opencontainers#1626 opencontainers#1619
* Add more extensive tests for terminal handling. opencontainers#1357
* Always write freezer state during retry-loop, to avoid an indefinite hang when new tasks are spawned in the container. opencontainers#1610
* Create cwd when it doesn't exist in the container. opencontainers#1604
* Set initial console size based on process spec, to avoid SIGWINCH races where initial console size is completely wrong. opencontainers#1275
* Small fixes for static builds. opencontainers#1579 opencontainers#1577
* Use epoll for PTY IO, to avoid issues with systemd's SAK protections. opencontainers#1455
* Update state.json after a "runc update". opencontainers#1558
* Switch to umoci's release scripts, to use a more "standardised" and distribution-friendly release scheme. Several makefile-fixes included as well. opencontainers#1554 opencontainers#1542 opencontainers#1555
* Reap "runc:[1:CHILD]" to avoid intermediate zombies building up. opencontainers#1506
* Use CRIU's RPC to check the version. opencontainers#1535
* Always save own namespace paths rather than the path given during start-up, to avoid issues where the path disappears afterwards. opencontainers#1477
* Fix that we incorrectly set the owners of devices. This is still (subtly) broken in user namespaces, but will be fixed in a future version. opencontainers#1743
* Lots of other miscellaneous fixes and cleanups, many of which were written by first-time contributors. Thanks for contributing, and welcome to the project! opencontainers#1729 opencontainers#1724 opencontainers#1695 opencontainers#1685 opencontainers#1703 opencontainers#1699 opencontainers#1682 opencontainers#1665 opencontainers#1667 opencontainers#1669 opencontainers#1654 opencontainers#1664 opencontainers#1660 opencontainers#1645 opencontainers#1640 opencontainers#1621 opencontainers#1607 opencontainers#1206 opencontainers#1615 opencontainers#1614 opencontainers#1453 opencontainers#1613 opencontainers#1600 opencontainers#1599 opencontainers#1598 opencontainers#1597 opencontainers#1593 opencontainers#1586 opencontainers#1588 opencontainers#1587 opencontainers#1589 opencontainers#1575 opencontainers#1578 opencontainers#1573 opencontainers#1561 opencontainers#1560 opencontainers#1559 opencontainers#1556 opencontainers#1551 opencontainers#1553 opencontainers#1548 opencontainers#1544 opencontainers#1545 opencontainers#1537

Removals:

- Andrej Vagin stepped down as a maintainer. Thanks for all of your hard work Andrej, and have fun working on your other projects! opencontainers#1543

Thanks to all of the contributors that made this release possible:

* Adrian Reber <[email protected]>
* Akihiro Suda <[email protected]>
* Aleksa Sarai <[email protected]>
* Alex Fang <[email protected]>
* Allen Sun <[email protected]>
* Andrei Vagin <[email protected]>
* Antonio Murdaca <[email protected]>
* Bin Lu <[email protected]>
* Danail Branekov <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* Ed King <[email protected]>
* Euan Kemp <[email protected]>
* Giuseppe Scrivano <[email protected]>
* Jianyong Wu <[email protected]>
* Kenfe-Mickael Laventure <[email protected]>
* Konstantinos Karampogias <[email protected]>
* leitwolf7 <[email protected]>
* Lorenzo Fontana <[email protected]>
* Ma Shimiao <[email protected]>
* Matthew Heon <[email protected]>
* Michael Crosby <[email protected]>
* Mrunal Patel <[email protected]>
* Nikolas Sepos <[email protected]>
* Peter Morjan <[email protected]>
* Petros Angelatos <[email protected]>
* Qiang Huang <[email protected]>
* ravisantoshgudimetla <[email protected]>
* s7v7nislands <[email protected]>
* Sebastien Boeuf <[email protected]>
* Seth Jennings <[email protected]>
* Steven Hartland <[email protected]>
* Sumit Sanghrajka <[email protected]>
* Taeung Song <[email protected]>
* Thomas Hipp <[email protected]>
* Tobias Klauser <[email protected]>
* Tom Godkin <[email protected]>
* Tycho Andersen <[email protected]>
* Valentin Kulesh <[email protected]>
* vikaschoudhary16 <[email protected]>
* Vincent Demeester <[email protected]>
* Vladimir Stefanovic <[email protected]>
* vsoch <[email protected]>
* Will Martin <[email protected]>
* W. Trevor King <[email protected]>
* Xiaochen Shen <[email protected]>
* ynirk <[email protected]>
* Yong Tang <[email protected]>
* Yuanhong Peng <[email protected]>
* yupeng <[email protected]>

Signed-off-by: Aleksa Sarai <[email protected]>

v1.0.0~rc4

Features:

+ runc now supports v1.0.0 of the OCI runtime specification. opencontainers#1527
+ Rootless containers support has been released. The current state of this feature is that it only supports single-{uid,gid} mappings as an unprivileged user, and cgroups are completely unsupported. Work is being done to improve this. opencontainers#774
+ Rather than relying on CRIU version numbers, actually check if the system supports pre-dumping. opencontainers#1371
+ Allow the PIDs cgroup limit to be updated. opencontainers#1423
+ Add support for checkpoint/restore of containers with orphaned PTYs (which is effectively all containers with terminal=true). opencontainers#1355
+ Permit prestart hooks to modify the cgroup configuration of a container. opencontainers#1239
+ Add support for a wide variety of mount options. opencontainers#1460
+ Expose memory.use_hierarchy in MemoryStats. opencontainers#1378

Fixes:

* Fix incorrect handling of systems without the freezer cgroup. opencontainers#1387
* Many, many changes to switch away from Go's "syscall" stdlib to "golang.org/x/sys/unix". opencontainers#1394 opencontainers#1398 opencontainers#1442 opencontainers#1464 opencontainers#1467 opencontainers#1470 opencontainers#1474 opencontainers#1478 opencontainers#1491 opencontainers#1482 opencontainers#1504 opencontainers#1519 opencontainers#1530
* Set cgroup resources when restoring a container. opencontainers#1399
* Switch back to using /sbin as the installation directory. opencontainers#1406
* Remove the arbitrary container ID length restriction. opencontainers#1435
* Make container force deletion ignore non-existent containers. opencontainers#1451
* Improve handling of arbitrary cgroup mount locations when populating cpuset. opencontainers#1372
* Make the SaneTerminal interface public. opencontainers#1479
* Fix cases where runc would report a container to be in a "Running" state if the init was a zombie or dead. opencontainers#1489
* Do not set supplementary groups for numeric users. opencontainers#1450
* Fix various issues with the "owner" field in runc-list. opencontainers#1516
* Many other miscellaneous fixes, some of which were made by first-time contributors. Thanks, and welcome to the project! opencontainers#1406 opencontainers#1400 opencontainers#1365 opencontainers#1396 opencontainers#1402 opencontainers#1414 opencontainers#1412 opencontainers#1408 opencontainers#1418 opencontainers#1425 opencontainers#1428 opencontainers#1436 opencontainers#1433 opencontainers#1438 opencontainers#1410 opencontainers#1447 opencontainers#1388 opencontainers#1484 opencontainers#1481 opencontainers#1496 opencontainers#1245 opencontainers#1524 opencontainers#1534 opencontainers#1526 opencontainers#1533

Removals:

- Remove any semblance of non-Linux support. opencontainers#1502
- We no longer use shfmt for testing. opencontainers#1510

Thanks to all of the contributors that made this release possible:

* Adrian Reber <[email protected]>
* Aleksa Sarai <[email protected]>
* Andrei Vagin <[email protected]>
* Antonio Murdaca <[email protected]>
* chchliang <[email protected]>
* Christy Perez <[email protected]>
* Craig Furman <[email protected]>
* CuiHaozhi <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* Derek Carr <[email protected]>
* Harshal Patil <[email protected]>
* Jonh Wendell <[email protected]>
* Justin Cormack <[email protected]>
* Kang Liang <[email protected]>
* Kenfe-Mickael Laventure <[email protected]>
* Konstantinos Karampogias <[email protected]>
* Ma Shimiao <[email protected]>
* Michael Crosby <[email protected]>
* Mrunal Patel <[email protected]>
* Qiang Huang <[email protected]>
* Steven Hartland <[email protected]>
* Tim Potter <[email protected]>
* Tobias Klauser <[email protected]>
* Valentin Rothberg <[email protected]>
* Vincent Batts <[email protected]>
* Wentao Zhang <[email protected]>
* Will Martin <[email protected]>
* W. Trevor King <[email protected]>
* yangshukui <[email protected]>
* Zhang Wei <[email protected]>

Vote-Closed: [Wed Aug 9 05:28:38 UTC 2017]
Vote-Results: [+5 -0 /2]

v1.0.0~rc3

Features:

+ Add slice management support to the systemd cgroup driver. Checks are done to make sure that systemd supports the feature. opencontainers#1084
+ Support for readonly mount labels. opencontainers#1112
+ Add a tmpcopyup mount extension for tmpfs mounts that are mounted over already existing directories, allowing for the contents of a volume to be copied up transparently. opencontainers#845
* Switch our pivot_root usage to no longer require temporary directories, improving the state of containers running in entirely readonly contexts. opencontainers#1125 opencontainers#1148
+ Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
+ Reimplement console handling to use AF_UNIX sockets such that the console is created inside the container's (namespaced) devpts instance, solving a wide variety of historical pty bugs with runC. opencontainers#1018 opencontainers#1356
* Support overlayfs in mounts. opencontainers#1314
+ Support creating devices with types 'p' and 'u'. opencontainers#1321
+ Add --preserve-fds=N to create and run commands. opencontainers#1320
+ Add pre-dump and parent-path to checkpoint. opencontainers#1001
+ Update to runtime-spec v1.0.0-rc5. opencontainers#1370

Fixes:

* Remove check for binding to /. opencontainers#1090
* Ensure we log to logrus on command errors. opencontainers#1089
* Don't enable kmem limits if they're not specified in the config. opencontainers#1095
* Handle cases where specs.Resources.* members would cause null dereferences. opencontainers#1111 opencontainers#1116
* Fix bugs in the GetProcessStartTime implementation. opencontainers#1136
* Make sysctl config validation checks handle network namespaces more gracefully. opencontainers#1138 opencontainers#1149
* Guarantee correct namespace creation ordering. This is part of the rootless container patchset, and is also required in certain SELinux setups. opencontainers#977
* Stop screwing around with '\n' in console output. opencontainers#1146
* Fix cpuset.cpu_exclusive handling. opencontainers#1194
* Sync HookState with the OCI specification. opencontainers#1201
* Split remounting mountpoints and bindmounts, resolving issues with mount options being dropped in certain cases. opencontainers#1222
* Fix leftover cgroup directory issue. opencontainers#1196
* Handle config.Devices and config.MaskPaths in checkpoint. opencontainers#1110
* Don't create combined cgroup subsystem names. opencontainers#1268
* Ignore cgroupv2 mountpoints, fixing issues with systemd v232. opencontainers#1266
* Race condition when synchronising with children and grandchildren in nsexec.c. opencontainers#1237
* Fix state checks to no longer depend on _LIBCONTAINER being present in the environment, fixing both bugs as well as being part of the rootless container patchset. opencontainers#1317
* Fix systemd-notify when using different PID namespaces, and allow detach+notify socket. opencontainers#1308
* Don't fchown when inheriting stdio, which is necessary for rootless containers in certain scenarios. opencontainers#1354
* Fix cpu.cfs_quota_us being changed when systemd is reloaded. opencontainers#1344
* Add devices to whitelist for LXD, to make runC under LXC/LXD work better. opencontainers#1327
* Many improvements to testing. opencontainers#1121 opencontainers#1131 opencontainers#1132 opencontainers#1147

Security:

* Several fixes for CVE-2016-9962. 5d93fed opencontainers#1274

Thanks to all of the contributors that made this release possible:

* Qiang Huang <[email protected]>
* Aleksa Sarai <[email protected]>
* Mrunal Patel <[email protected]>
* Michael Crosby <[email protected]>
* Wang Long <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* rajasec <[email protected]>
* Zhang Wei <[email protected]>
* Steven Hartland <[email protected]>
* Giuseppe Scrivano <[email protected]>
* Shukui Yang <[email protected]>
* Ma Shimiao <[email protected]>
* Daniel Dao <[email protected]>
* CuiHaozhi <[email protected]>
* Antonio Murdaca <[email protected]>
* Xianglin Gao <[email protected]>
* Lei Jitang <[email protected]>
* Justin Cormack <[email protected]>
* Dan Walsh <[email protected]>
* Daniel Martí <[email protected]>
* Ce Gao <[email protected]>
* allencloud <[email protected]>
* Alexander Morozov <[email protected]>
* yupeng <[email protected]>
* Yuanhong Peng <[email protected]>
* Yong Tang <[email protected]>
* xuxinkun <[email protected]>
* Xianlu Bird <[email protected]>
* William Martin <[email protected]>
* Wentao Zhang <[email protected]>
* Vivek Goyal <[email protected]>
* Samuel Ortiz <[email protected]>
* rainrambler <[email protected]>
* Mohammad Arab <[email protected]>
* Michal Rostecki <[email protected]>
* Máximo Cuadros <[email protected]>
* Kenfe-Mickael Laventure <[email protected]>
* Ian Campbell <[email protected]>
* Harry Zhang <[email protected]>
* Fengtu Wang <[email protected]>
* Eric Paris <[email protected]>
* Derek Carr <[email protected]>
* Deng Guangxing <[email protected]>
* CuiHaozhi <[email protected]>
* Crazykev <[email protected]>
* Chris Aniszczyk <[email protected]>
* Casey Callendrello <[email protected]>
* Carlton-Semple <[email protected]>
* Brian Goff <[email protected]>
* Andrew Vagin <[email protected]>

runC 1.0.0-rc2

Features:

+ {create,run}: add --no-new-keyring flag so that a new session keyring is not created for the container and the calling process's keyring is inherited.
+ restore: add --empty-ns flag to tell CRIU to only create a network namespace for a container and not populate it (allowing higher levels to correctly handle re-creating the network namespace).
+ {create,start}: use a FIFO rather than signals to signal the starting of a container. This removes the Go version restriction, and also avoids potential issues with Go's signal handling.
+ exec: allow additional groups to be overridden.
+ delete: add --force flag.
- exec: disable the subreaper option entirely, because the option causes many issues with reparenting in the context of containers. This is not a complete fix, which is intended to land for -rc3. Using the removed option will be silently ignored by runC.
+ {create,run}: add support for masking directories with MaskPaths.
+ delete: allow for the deletion of multiple containers in one cmdline.
+ build: add `make release` for distributions.

Fixes:

* Major improvements and fixes to CLI handling. Now commands like `runc ps` and `runc exec` will act sanely when you're trying to use flags that are not meant to be parsed by runC.
* Set the cp.rt_* cgroup options correctly so that runC running in SCHED_RR (realtime) mode can operate properly.
* Massive improvements to kmem limit detection to ensure that we only attempt to change memory.kmem.* if it is safe to do so.
* Part of a major cleanup of the nsenter code, with more intended to land before -rc3.
* Restored containers now have a start time, which is the time that the new container was started (not when the original container was started).
* Fix the default cgroupPath behaviour, so that we actually attach to subcgroups of all of the caller's current cgroups (rather than using the devices cgroup path for all other cgroups).
+ Support 32bit UIDs on i386 with the setuid32(2) syscall.
+ Add /proc/timer_list to the set of default masked paths.
- Do not create /dev/fuse by default.
* Parse cgroupPath correctly if it contains ':'.
* Add some more debugging information for the test suite, along with fixes for race conditions and other issues. In addition, add more integration tests for edge conditions.
* Improve check-config.sh script to handle more cases.
* Fix incorrect type when setting the net_cls classid.
* Lots of fixes to help pages and man pages.
+ *: append -dirty to the version if the git repo is unclean.
* Fix the JSON tags for CpuRt* options.
* Cleanups to the rootfs setup code.
* Improve error messages related to SELinux.

Thanks to all of the contributors that made this release possible:

* Akihiro Suda <[email protected]>
* Aleksa Sarai <[email protected]>
* Alexander Morozov <[email protected]>
* Andrew Vagin <[email protected]>
* Ben <[email protected]>
* Buddha Prakash <[email protected]>
* Carl Henrik Lunde <[email protected]>
* Christian Brauner <[email protected]>
* Dam Thomason <[email protected]>
* Dan Walsh <[email protected]>
* Daniel, Dao Quang Minh <[email protected]>
* Davanum Srinivas <[email protected]>
* Euan Kemp <[email protected]>
* Guilherme Rezende <[email protected]>
* Haiyan Meng <[email protected]>
* Hushan Jia <[email protected]>
* Jiuyue Ma <[email protected]>
* Johnny Bieren <[email protected]>
* Jonathan Boulle <[email protected]>
* Justin Cormack <[email protected]>
* Kenfe-Mickael Laventure <[email protected]>
* Michael Crosby <[email protected]>
* Mike Brown <[email protected]>
* Mrunal Patel <[email protected]>
* Peng Gao <[email protected]>
* Petar Petrov <[email protected]>
* Phil Estes <[email protected]>
* Qiang Huang <[email protected]>
* Serge Hallyn <[email protected]>
* Seth Jennings <[email protected]>
* Shukui Yang <[email protected]>
* Tristan Cacqueray <[email protected]>
* Vishnu kannan <[email protected]>
* Wang Long <[email protected]>
* Yang Hongyang <[email protected]>
* Yen-Lin Chen <[email protected]>
* Yuanhong Peng <[email protected]>
* Zhang Wei <[email protected]>
* Zhao Lei <[email protected]>
* rajasec <[email protected]>
* xiekeyang <[email protected]>

Update runc version to 1.0.0-rc1 Signed-off-by: Michael Crosby <[email protected]>
Bump to 0.1.1 This includes a fix for selinux mount labels in the spec. Signed-off-by: Michael Crosby <[email protected]>
Update runc to 0.1.0 Signed-off-by: Michael Crosby <[email protected]>
Bump runc to 0.0.9 Signed-off-by: Michael Crosby <[email protected]>
Merge pull request opencontainers#549 from crosbymichael/tty-close Close tty on error before handler