Release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
Possibly relevant changes included:
- chroot when no mount namespaces is provided
- fix systemd slice expansion so that it could be consumed by cAdvisor
- libcontainer/capabilities_linux: Drop os.Getpid() call
- Update console dependency to fix runc exec on BE (causing: `container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory"`)
- libcontainer: setupUserNamespace is always called (fixes: Devices are mounted with wrong uid/gid)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix is related to 36219
This fix updates runc to:
```
-RUNC_COMMIT=9f9c96235cc97674e935002fc3d78361b696a69e
+RUNC_COMMIT=6c55f98695e902427906eed2c799e566e3d3dfb5
-github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
+github.com/opencontainers/runc 6c55f98695e902427906eed2c799e566e3d3dfb5
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This vendoring fixes two issues.
1. When a user specifies an SELinux MCS Label (level) to override moby picking
an unigue MCS label, the code currently picks a label then overrides with the
user selected. This works fine, except the unique MCS Label is leaked and will
not be used until the daemon is restarted.
2. The override label, is not reserved. This could potentially cause an issue
where the daemon could pick the same MCS Label again for a different container.
(~ 1/500,000 Chance).
The updated selinux go bindings, now release the overriden unigue label, and reserve
the one specified by the user.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix updates runc to 0351df1c5a66838d0c392b4ac4cf9450de844e2d
With this fix the warnings generated by netgo and dlopen by go 1.9
are addressed.
See
- opencontainers/runc#1577
- opencontainers/runc#1579
This fix is part of the efforts for go 1.9 (#33892)
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This also update:
- runc to 3f2f8b84a77f73d38244dd690525642a72156c64
- runtime-specs to v1.0.0
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
The current use of the types from distribution brings in some
unfortunate dependencies, including other distribution packages and the
gorilla/mux and gorilla/context packages. Using the OCI types avoids
the extra dependencies for client users.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
* run latest vndr so as to collect more LICENSE files
* remove unused packages
* vendor github.com/philhofer/fwd with LICENSE.md (MIT)
* vendor github.com/bsphere/le_go with LICENSE (MIT)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.
Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.
Test for #27590
Update runc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>