| tag | e4bccdbd64361ac5ea8ba90bb8845add78f957a6 | |
|---|---|---|
| tagger | Aleksa Sarai <cyphar@cyphar.com> | Mon Dec 06 04:09:13 2021 |
| object | f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe |
v1.0.3 -- "If you were waiting for the opportune moment, that was it." This is the third stable release in the 1.0 branch, fixing a handful of medium priority issues related to mounts and cgroups, as well as a potential security vulnerability. This release is expected to be the last point release in the 1.0 branch, as we are planning to release runc 1.1 in the near future. Security: * A potential vulnerability was discovered in runc (related to an internal usage of netlink), however upon further investigation we discovered that while this bug was exploitable on the master branch of runc, no released version of runc could be exploited using this bug. The exploit required being able to create a netlink attribute with a length that would overflow a uint16 but this was not possible in any released version of runc. For more information see GHSA-v95c-p5hm-xq8f and CVE-2021-43784. Due to an abundance of caution we decided to do an emergency release with this fix, but to reiterate *we do not believe this vulnerability was possible to exploit*. Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability so quickly. Bugfixes: * Fixed inability to start a container with read-write bind mount of a read-only fuse host mount (#3292) * Fixed inability to start when read-only /dev in set in spec (#3277) * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd (#3297) * Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes) (#3295) * [CI only] Fixed criu 3.16 compatibility issue (#3282) * [CI only] Add Go 1.17 to the testing matrix (#3299) Enhancements: * Improved an error message when dbus-user-session is not installed and rootless + cgroup2 + systemd are used (#3212) Thanks to all of the contributors who made this release possible: * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * Aleksa Sarai <cyphar@cyphar.com> * Kailun Qin <kailun.qin@intel.com> * Kang Chen <kongchen28@gmail.com> * Kir Kolyshkin <kolyshkin@gmail.com> * Odin Ugedal <odin@uged.al> * Sebastiaan van Stijn <thaJeztah@users.noreply.github.com> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
| commit | f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe | [log] [tgz] |
|---|---|---|
| author | Aleksa Sarai <cyphar@cyphar.com> | Fri Dec 03 00:01:46 2021 |
| committer | Aleksa Sarai <cyphar@cyphar.com> | Fri Dec 03 08:17:37 2021 |
| tree | 9c190f8fedcf7c3d32f6d0c66f464b3a100ed56d | |
| parent | b8dbe46687c2a96efa9252b69d3fc1ce33bdc416 [diff] |
VERSION: release v1.0.3 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
runc is a CLI tool for spawning and running containers according to the OCI specification.
runc depends on and tracks the runtime-spec repository. We will try to make sure that runc and the OCI specification major versions stay in lockstep. This means that runc 1.0.0 should implement the 1.0 version of the specification.
You can find official releases of runc on the release page.
The reporting process and disclosure communications are outlined here.
A third party security audit was performed by Cure53, you can see the full report here.
runc currently supports the Linux platform with various architecture support. It must be built with Go version 1.13 or higher.
In order to enable seccomp support you will need to install libseccomp on your platform.
e.g.
libseccomp-develfor CentOS, orlibseccomp-devfor Ubuntu
# create a 'github.com/opencontainers' in your GOPATH/src cd github.com/opencontainers git clone https://github.com/opencontainers/runc cd runc make sudo make install
You can also use go get to install to your GOPATH, assuming that you have a github.com parent folder already created under src:
go get github.com/opencontainers/runc cd $GOPATH/src/github.com/opencontainers/runc make sudo make install
runc will be installed to /usr/local/sbin/runc on your system.
runc supports optional build tags for compiling support of various features, with some of them enabled by default (see BUILDTAGS in top-level Makefile).
To change build tags from the default, set the BUILDTAGS variable for make, e.g. to disable seccomp:
make BUILDTAGS=""
| Build Tag | Feature | Enabled by default | Dependency |
|---|---|---|---|
| seccomp | Syscall filtering | yes | libseccomp |
The following build tags were used earlier, but are now obsoleted:
runc currently supports running its test suite via Docker. To run the suite just type make test.
make test
There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.
You can run a specific test case by setting the TESTFLAGS variable.
# make test TESTFLAGS="-run=SomeTestFunction"
You can run a specific integration test by setting the TESTPATH variable.
# make test TESTPATH="/checkpoint.bats"
You can run a specific rootless integration test by setting the ROOTLESS_TESTPATH variable.
# make test ROOTLESS_TESTPATH="/checkpoint.bats"
You can run a test using your container engine's flags by setting CONTAINER_ENGINE_BUILD_FLAGS and CONTAINER_ENGINE_RUN_FLAGS variables.
# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
runc uses Go Modules for dependencies management. Please refer to Go Modules for how to add or update new dependencies. When updating dependencies, be sure that you are running Go 1.14 or newer.
# Update vendored dependencies make vendor # Verify all dependencies make verify-dependencies
Please note that runc is a low level tool not designed with an end user in mind. It is mostly employed by other higher level container software.
Therefore, unless there is some specific use case that prevents the use of tools like Docker or Podman, it is not recommended to use runc directly.
If you still want to use runc, here's how.
In order to use runc you must have your container in the format of an OCI bundle. If you have Docker installed you can use its export method to acquire a root filesystem from an existing Docker container.
# create the top most bundle directory mkdir /mycontainer cd /mycontainer # create the rootfs directory mkdir rootfs # export busybox via Docker into the rootfs directory docker export $(docker create busybox) | tar -C rootfs -xvf -
After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. runc provides a spec command to generate a base template spec that you are then able to edit. To find features and documentation for fields in the spec please refer to the specs repository.
runc spec
Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.
The first way is to use the convenience command run that will handle creating, starting, and deleting the container after it exits.
# run as root cd /mycontainer runc run mycontainerid
If you used the unmodified runc spec template this should give you a sh session inside the container.
The second way to start a container is using the specs lifecycle operations. This gives you more power over how the container is created and managed while it is running. This will also launch the container in the background so you will have to edit the config.json to remove the terminal setting for the simple examples below (see more details about runc terminal handling). Your process field in the config.json should look like this below with "terminal": false and "args": ["sleep", "5"].
"process": { "terminal": false, "user": { "uid": 0, "gid": 0 }, "args": [ "sleep", "5" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "cwd": "/", "capabilities": { "bounding": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "effective": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "inheritable": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "permitted": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ], "ambient": [ "CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE" ] }, "rlimits": [ { "type": "RLIMIT_NOFILE", "hard": 1024, "soft": 1024 } ], "noNewPrivileges": true },
Now we can go through the lifecycle operations in your shell.
# run as root cd /mycontainer runc create mycontainerid # view the container is created and in the "created" state runc list # start the process inside the container runc start mycontainerid # after 5 seconds view that the container has exited and is now in the stopped state runc list # now delete the container runc delete mycontainerid
This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after create but before start.
runc has the ability to run containers without root privileges. This is called rootless. You need to pass some parameters to runc in order to run rootless containers. See below and compare with the previous version.
Note: In order to use this feature, “User Namespaces” must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:
CONFIG_USER_NS=y is set in your kernel configuration (normally found in /proc/config.gz)echo 1 > /proc/sys/kernel/unprivileged_userns_cloneecho 28633 > /proc/sys/user/max_user_namespacesRun the following commands as an ordinary user:
# Same as the first example mkdir ~/mycontainer cd ~/mycontainer mkdir rootfs docker export $(docker create busybox) | tar -C rootfs -xvf - # The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user. runc spec --rootless # The --root parameter tells runc where to store the container state. It must be writable by the user. runc --root /tmp/runc run mycontainerid
runc can be used with process supervisors and init systems to ensure that containers are restarted when they exit. An example systemd unit file looks something like this.
[Unit] Description=Start My Container [Service] Type=forking ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid ExecStopPost=/usr/local/sbin/runc delete mycontainerid WorkingDirectory=/mycontainer PIDFile=/run/mycontainerid.pid [Install] WantedBy=multi-user.target
The code and docs are released under the Apache 2.0 license.