Release 1.3.0-rc.1

[rata]

[1.3.0-rc.1] - 2025-03-04

No tengo miedo al invierno, con tu recuerdo lleno de sol.

libcontainer API

• configs.CommandHook struct has changed, Command is now a pointer.
  Also, configs.NewCommandHook now accepts a *Command. (libct: speedup process.Env handling #4325)
• The Process struct has User string field replaced with numeric
  UID and GID fields, and AdditionalGroups changed its type from
  []string to []int. Essentially, resolution of user and group
  names to IDs is no longer performed by libcontainer, so if a libcontainer
  user previously relied on this feature, now they have to convert names to
  IDs before calling libcontainer; it is recommended to use Go package
  github.com/moby/sys/user for that. (Remove /etc/passwd and /etc/group parsing on runc run/exec #3999)
• Move libcontainer/cgroups to a separate repository. (Move libcontainer/cgroups to a separate repository #4618)

Fixed

• runc exec -p no longer ignores specified ioPriority and scheduler
  settings. Similarly, libcontainer's Container.Start and Container.Run
  methods no longer ignore Process.IOPriority and Process.Scheduler
  settings. (Fix process/config properties merging #4585)
• We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as it
  turns out this had some unfortunate bugs in older kernel versions and was
  never necessary in the first place. (exeseal: do not use F_SEAL_FUTURE_WRITE #4641, runc gets stuck #4640)
• runc now uses a more flexible method of joining namespaces, which better
  matches the behaviour of nsenter(8). This is mainly useful for users that
  create a container with a runc-managed user namespace but want the container
  to join some externally-managed namespace as well. (nsenter: implement a two-stage join for setns #4492)
• runc now properly handles joining time namespaces (such as with runc exec). Previously we would attempt to set the time offsets when joining,
  which would fail. (Can't exec into a container with private time namespace #4635, libct: don't send config to nsexec when joining an existing timens #4636)
• Handle EINTR retries correctly for socket-related direct
  golang.org/x/sys/unix system calls. (Retry direct unix package calls if observing EINTR #4637)
• Handle close_range(2) errors more gracefully. (utils: Handle close_range more gracefully #4596)
• Fix a stall issue that would happen if setting O_CLOEXEC with
  CloseExecFrom failed (libcontainer: Prevent startup hang when CloseExecFrom errors #4599).
• Handle errors on older kernels when resetting ambient capabilities more
  gracefully. (capabilities: be more graceful in resetting ambient #4597)

Changed

• runc now has an official release policy to help provide more consistency
  around our release schedules and better define our support policy for old
  release branches. See RELEASES.md for more details. (RELEASES: add formal release policy for runc #4557)
• Improved performance by switching to strings.Cut where appropriate.
  (Use strings.Cut and strings.CutPrefix where possible #4470)
• The minimum Go version of runc is now Go 1.23. (Add Go 1.24, drop Go 1.22 #4598)
• Updated builds to libseccomp v2.5.6. (build: bump libseccomp to v2.5.6 #4625)

Added

• runc has been updated to support OCI runtime-spec 1.2.1. (build(deps): bump github.com/opencontainers/runtime-spec from 1.2.0 to 1.2.1 #4653)
• CPU affinity support for runc exec. (runc exec: implement CPU affinity #4327)
• CRIU support can be disabled using the build tag runc_nocriu. (Add runc_nocriu build tag to opt out of c/r #4546)
• Support to get the pidfd of the container via CLI flag pidfd-socket.
  ([feature request] *: introduce pidfd-socket flag #4045)
• Support skip-in-flight and link-remap options for CRIU. (Add skip-in-flight and link-remap criu options for checkpoint and restore  #4627)
• Support cgroup v1 mounted with noprefix. (support cgroup v1 mounted with noprefix #4513)

[rata]

I've put a date a few days in the future, but we can change it to sooner. Maintainers can edit the PR branch, in case someone wants to merge and release before ;)

[rata]

All tests are green :)

[lifubang]

Ask a question, which branch will be based on when creating the branch release-1.3? I think it' the main branch? If yes, all commits in the main branch will be included in v1.3.0-rc.1?

Or this time release only includes PRs in the milestone 1.3.0-rc.1?

[cyphar]

@lifubang The branch will be forked from c39da1f, so any commits that are included there will be in the release.

[lifubang]

so any commits that are included there will be in the release.

So any commits before this commit ID in the main branch will be in the release.
If I understand correctly, I think maybe we should release v1.2.6 first. Because some PRs are not mentioned in the change log and haven't been released yet. For example: #4637, #4636, etc. But perhaps it's not necessary to write everything down.

[cyphar]

I'm reworking the changelog already, and those will be included. We're already a few days behind on the rc1 deadline, no need to delay it further because of the changelog.

[cyphar]

FWIW, I'm not sure if we want to branch release-1.3 immediately from rc1 or after rc2/GA. I guess we can play it by ear (previously we would branch off GA, but this limits what patches we can accept into main now that we're going to be more strict about rc1 and the whole release schedule).

[lifubang]

I'm not sure if we want to branch release-1.3 immediately from rc1 or after rc2/GA.

I suggest to create branch release-1.3 immediately.

[cyphar]

Yeah, I forgot that I even wrote that this is what we should do in RELEASES.md:

The first release candidate will be created 2 months before the planned release
date (i.e. the end of February and August, respectively), at which point the
release branch will be created and will enter a feature freeze.

😅

[cyphar]

https://github.com/opencontainers/runc/releases/tag/v1.3.0-rc.1