
Dockerfile: update runc binary to 1.1.15

Open austinvazquez opened this issue 1 year ago • 1 comments

diff: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15

Release Notes:

  • The -ENOSYS seccomp stub is now always generated for the native architecture that runc is running on. This is needed to work around some arguably specification-incompliant behaviour from Docker on architectures such as ppc64le, where the allowed architecture list is set to null. This ensures that we always generate at least one -ENOSYS stub for the native architecture even with these weird configs.
  • On a system with an older kernel, reading /proc/self/mountinfo may skip some entries; as a consequence, runc may not properly set mount propagation, causing container mounts to leak onto the host mount namespace.
  • In order to fix performance issues in the "lightweight" bindfd protection against https://github.com/advisories/GHSA-gxmr-w5mj-v8hh, the temporary ro bind-mount of /proc/self/exe has been removed. runc now creates a binary copy in all cases.

austinvazquez, Oct 09 '24 22:10
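A defensive check for the mount-propagation item in the release notes above, as an added example that is not part of the original issue or of runc's code: it parses mountinfo text and reports mounts at or below a container rootfs that are still shared. The sample lines, the rootfs path and the names `propagation` and `SharedUnder` are assumptions made for illustration, and the check assumes private or slave propagation is what the container was meant to have.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in /proc/<pid>/mountinfo format (paths are hypothetical).
const sample = `36 25 0:32 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
120 36 0:50 / /run/runc/ctr1/rootfs rw,relatime - overlay overlay rw
122 120 0:52 / /run/runc/ctr1/rootfs/data rw master:1 - ext4 /dev/sdb1 rw
123 120 0:53 / /run/runc/ctr1/rootfs/vol rw shared:7 master:1 - ext4 /dev/sdc1 rw`

// propagation parses one mountinfo line (proc(5)); mount-point octal escapes stay encoded.
func propagation(line string) (point, prop string, err error) {
	pre, _, ok := strings.Cut(line, " - ")
	f := strings.Fields(pre)
	if !ok || len(f) < 6 {
		return "", "", fmt.Errorf("malformed mountinfo line: %q", line)
	}
	prop = "private" // no tag; "unbindable" is also reported as private here
	for _, tag := range f[6:] {
		if strings.HasPrefix(tag, "shared:") {
			return f[4], "shared", nil // shared wins over master: events still propagate out
		}
		if strings.HasPrefix(tag, "master:") {
			prop = "slave"
		}
	}
	return f[4], prop, nil
}

// SharedUnder lists mount points at or below root that are still shared.
func SharedUnder(info, root string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(info), "\n") {
		point, prop, err := propagation(line)
		if err != nil {
			return nil, err
		}
		if prop == "shared" && strings.HasPrefix(point+"/", strings.TrimSuffix(root, "/")+"/") {
			out = append(out, point)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(SharedUnder(sample, "/run/runc/ctr1/rootfs"))
}
```

Because the release notes say a read of mountinfo can skip entries on older kernels, an empty result from a single read is weaker evidence there than on a current kernel.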

Opening prematurely to test if there are any issues with runc/containerd integration with buildkit. moby usually waits to consume a runc release once containerd has vetted it. containerd 1.6 CI (https://github.com/containerd/containerd/pull/10795) has exposed an issue with runc v1.1.15 with the cgroupfs driver.

austinvazquez, Oct 09 '24 22:10

1.2 is out. Closing in favor of that.

austinvazquez, Oct 27 '24 15:10