# Changelog
This file documents all notable changes made to this project since runc 1.0.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased 1.1.z]

## [1.1.12] - 2024-01-31

> Now you're thinking with Portals™!

### Security

* Fix [CVE-2024-21626][cve-2024-21626], a container breakout attack that took
  advantage of a file descriptor that was leaked internally within runc (but
  never leaked to the container process). In addition to fixing the leak,
  several strict hardening measures were added to ensure that future internal
  leaks could not be used to break out in this manner again. Based on our
  research, while no other container runtime had a similar leak, none had any
  of the hardening steps we've introduced (and some runtimes would not check
  for any file descriptors that a calling process may have leaked to them,
  allowing for container breakouts due to basic user error).

[cve-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

## [1.1.11] - 2024-01-01

> Happy New Year!

### Fixed

* Fix several issues with userns path handling. (#4122, #4124, #4134, #4144)

### Changed

 * Support memory.peak and memory.swap.peak in cgroups v2.
   Add `swapOnlyUsage` in `MemoryStats`. This field reports swap-only usage.
   For cgroupv1, `Usage` and `Failcnt` are set by subtracting memory usage
   from memory+swap usage. For cgroupv2, `Usage`, `Limit`, and `MaxUsage`
   are set. (#4000, #4010, #4131)
 * build(deps): bump github.com/cyphar/filepath-securejoin. (#4140)

## [1.1.10] - 2023-10-31

> A screw tightened in a dream will not change the situation that prevails in waking life.

### Added

* Support for `hugetlb.<pagesize>.rsvd` limiting and accounting. Fixes the
  issue of postgres failing when hugepage limits are set. (#3859, #4077)

### Fixed

* Fixed permissions of newly created directories to not depend on the value
  of umask in tmpcopyup feature implementation. (#3991, #4060)
* libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
  (fixes the compatibility with Linux kernel 6.1+). (#4028)
* Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
  configuration. This issue is not a security issue because it requires a
  malicious `config.json`, which is outside of our threat model. (#4103)
* Various CI fixes. (#4081, #4055)

## [1.1.9] - 2023-08-10

> There is a crack in everything. That's how the light gets in.

### Added

* Added go 1.21 to the CI matrix; other CI updates. (#3976, #3958)

### Fixed

* Fixed losing sticky bit on tmpfs (a regression in 1.1.8). (#3952, #3961)
* intelrdt: fixed ignoring ClosID on some systems. (#3550, #3978)

### Changed

 * Sum `anon` and `file` from `memory.stat` for cgroupv2 root usage,
   as the root does not have `memory.current` for cgroupv2.
   This aligns cgroupv2 root usage more closely with cgroupv1 reporting.
   Additionally, report root swap usage as sum of swap and memory usage,
   aligned with v1 and existing non-root v2 reporting. (#3933)

## [1.1.8] - 2023-07-20

> The sea admits hundreds of rivers; it is great because of its capacity.

### Added

* Support riscv64. (#3905)

### Fixed

* init: do not print environment variable value. (#3879)
* libct: fix a race with systemd removal. (#3877)
* tests/int: increase num retries for oom tests. (#3891)
* man/runc: fixes. (#3892)
* Fix tmpfs mode opts when dir already exists. (#3916)
* docs/systemd: fix a broken link. (#3917)
* ci/cirrus: enable some rootless tests on cs9. (#3918)
* runc delete: call systemd's reset-failed. (#3932)
* libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. (#3921)

### Changed

* CI: bump Fedora, Vagrant, bats. (#3878)
* `.codespellrc`: update for 2.2.5. (#3909)

## [1.1.7] - 2023-04-26

> A little golden cloud spent the night on the breast of a giant cliff.

### Fixed

* When used with systemd v240+, systemd cgroup drivers no longer skip
  `DeviceAllow` rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start. (#3845, #3708, #3671)

### Added

* The source code now has a new file, `runc.keyring`, which contains the keys
  used to sign runc releases. (#3838)

## [1.1.6] - 2023-04-11

> In this world nothing is certain but death and taxes.

### Compatibility

* This release can no longer be built from sources using Go 1.16. Using the
  latest maintained Go 1.20.x or Go 1.19.x release is recommended.
  Go 1.17 can still be used.

### Fixed

* systemd cgroup v1 and v2 drivers were deliberately ignoring `UnitExist` error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup. (#3780, #3806)
* systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  `resources.cpu.cpus` to systemd unit property (`AllowedCPUs`) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting. (#3808)
* systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
  (#3811)
* runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the `CAP_DAC_OVERRIDE` capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1. (#3715, #3817)
* cgroup v1 drivers are now aware of `misc` controller. (#3823)
* Various CI fixes and improvements, mostly to ensure Go 1.19.x and Go 1.20.x
  compatibility.

## [1.1.5] - 2023-03-29

> The humiliation of captivity
> is the opening arrow of the counterattack.

### Security

The following CVEs were fixed in this release:

* [CVE-2023-25809][] is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access to the
  `/sys/fs/cgroup/user.slice/...` cgroup hierarchy. No other hierarchies on the
  host were affected. This vulnerability was discovered by Akihiro Suda.

* [CVE-2023-27561][] was a regression in our protections against tricky `/proc`
  and `/sys` configurations (where the container mountpoint is a symlink)
  causing us to be tricked into incorrectly configuring the container, which
  effectively re-introduced [CVE-2019-19921][]. This regression was present
  from v1.0.0-rc95 to v1.1.4 and was discovered by @Beuc. (#3785)

* [CVE-2023-28642][] is a different attack vector using the same regression
  as in [CVE-2023-27561][]. This was reported by Lei Wang.

[CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
[CVE-2023-25809]: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
[CVE-2023-27561]: https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
[CVE-2023-28642]: https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c

### Fixed

* Fix the inability to use `/dev/null` when inside a container. (#3620)
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1). (#3674, #3731)
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7. (#3776)
* nsexec: Check for errors in `write_log()`. (#3721)
* Various CI fixes and updates. (#3618, #3630, #3640, #3729)

## [1.1.4] - 2022-08-24

> If you look for perfection, you'll never be content.

### Fixed

* Fix mounting via wrong proc fd.
  When the user and mount namespaces are used, and the bind mount is followed by
  the cgroup mount in the spec, the cgroup was mounted using the bind mount's
  mount fd. (#3511)
* Switch `kill()` in `libcontainer/nsenter` to `sane_kill()`. (#3536)
* Fix "permission denied" error from `runc run` on `noexec` fs. (#3541)
* Fix failed exec after `systemctl daemon-reload`.
  Due to a regression in v1.1.3, the `DeviceAllow=char-pts rwm` rule was no
  longer added and was causing an error `open /dev/pts/0: operation not permitted: unknown`
  when systemd was reloaded. (#3554)
* Various CI fixes. (#3538, #3558, #3562)

## [1.1.3] - 2022-06-09

> In the beginning there was nothing, which exploded.

### Fixed
 * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
   s390 and s390x. This solves the issue where syscalls the host kernel did not
   support would return `-EPERM` despite the existence of the `-ENOSYS` stub
   code (this was due to how s390x does syscall multiplexing). (#3478)
 * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
   intended; this fix does not affect runc binary itself but is important for
   libcontainer users such as Kubernetes. (#3476)
 * Inability to compile with recent clang due to an issue with duplicate
   constants in libseccomp-golang. (#3477)
 * When using systemd cgroup driver, skip adding device paths that don't exist,
   to stop systemd from emitting warnings about those paths. (#3504)
 * Socket activation was failing when more than 3 sockets were used. (#3494)
 * Various CI fixes. (#3472, #3479)

### Added
 * Allow bind-mounting `/proc/sys/kernel/ns_last_pid` inside a container. (#3493)

### Changed
 * runc static binaries are now linked against libseccomp v2.5.4. (#3481)


## [1.1.2] - 2022-05-11

> I should think I'm going to be a perpetual student.

### Security
 * A bug was found in runc where runc exec --cap executed processes with
   non-empty inheritable Linux process capabilities, creating an atypical Linux
   environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
   CVE-2022-29162.

### Changed
 * `runc spec` no longer sets any inheritable capabilities in the created
   example OCI spec (`config.json`) file.

[GHSA-f3fp-gc8g-vw66]: https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66


## [1.1.1] - 2022-03-28

> Violence is the last refuge of the incompetent.

### Added
 * CI is now also run on centos-stream-9. (#3436)

### Fixed
 * `runc run/start` can now run a container with read-only `/dev` in OCI spec,
   rather than error out. (#3355)
 * `runc exec` now ensures that `--cgroup` argument is a sub-cgroup. (#3403)
 * libcontainer systemd v2 manager no longer errors out if one of the files
   listed in `/sys/kernel/cgroup/delegate` does not exist in container's cgroup.
   (#3387, #3404)
 * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" error.
   (#3406)
 * libcontainer/cgroups no longer panics in cgroup v1 managers if `stat`
   of `/sys/fs/cgroup/unified` returns an error other than ENOENT. (#3435)


## [1.1.0] - 2022-01-14

> A plan depends as much upon execution as it does upon concept.

### Changed
 * libcontainer will now refuse to build without the nsenter package being
   correctly compiled (specifically this requires CGO to be enabled). This
   should avoid folks accidentally creating broken runc binaries (and
   incorrectly importing our internal libraries into their projects). (#3331)


## [1.1.0-rc.1] - 2021-12-14

> He who controls the spice controls the universe.

### Deprecated
 * runc run/start now warns if a new container cgroup is non-empty or frozen;
   this warning will become an error in runc 1.2. (#3132, #3223)
 * runc can only be built with Go 1.16 or later from this release onwards.
   (#3100, #3245, #3325)

### Removed
 * `cgroup.GetHugePageSizes` has been removed entirely, and been replaced with
   `cgroup.HugePageSizes` which is more efficient. (#3234)
 * `intelrdt.GetIntelRdtPath` has been removed. Users who were using this
   function to get the intelrdt root should use the new `intelrdt.Root`
   instead. (#2920, #3239)

### Added
 * Add support for RDMA cgroup added in Linux 4.11. (#2883)
 * runc exec now produces exit code of 255 when the exec failed.
   This may help in distinguishing between runc exec failures
   (such as invalid options, non-running container or non-existent
   binary etc.) and failures of the command being executed. (#3073)
 * runc run: new `--keep` option to skip removal of exited containers' artefacts.
   This might be useful to check the state (e.g. of cgroup controllers) after
   the container has exited. (#2817, #2825)
 * seccomp: add support for `SCMP_ACT_KILL_PROCESS` and `SCMP_ACT_KILL_THREAD`
   (the latter is just an alias for `SCMP_ACT_KILL`). (#3204)
 * seccomp: add support for `SCMP_ACT_NOTIFY` (seccomp actions). This allows
   users to create sophisticated seccomp filters where syscalls can be
   efficiently emulated by privileged processes on the host. (#2682)
 * checkpoint/restore: add an option (`--lsm-mount-context`) to set
   a different LSM mount context on restore. (#3068)
 * runc releases are now cross-compiled for several architectures. Static
   builds for said architectures will be available for all future releases.
   (#3197)
 * intelrdt: support ClosID parameter. (#2920)
 * runc exec --cgroup: an option to specify a (non-top) in-container cgroup
   to use for the process being executed. (#3040, #3059)
 * cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
   machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
   run/exec now adds the container to the appropriate cgroup under it). (#2087,
   #3059)
 * sysctl: allow slashes in sysctl names, to better match `sysctl(8)`'s
   behaviour. (#3254, #3257)
 * mounts: add support for bind-mounts which are inaccessible after switching
   the user namespace. Note that this does not permit the container any
   additional access to the host filesystem, it simply allows containers to
   have bind-mounts configured for paths the user can access but have
   restrictive access control settings for other users. (#2576)
 * Add support for recursive mount attributes using `mount_setattr(2)`. These
   have the same names as the proposed `mount(8)` options -- just prepend `r`
   to the option name (such as `rro`). (#3272)
 * Add `runc features` subcommand to allow runc users to detect what features
   runc has been built with. This includes critical information such as
   supported mount flags, hook names, and so on. Note that the output of this
   command is subject to change and will not be considered stable until runc
   1.2 at the earliest. The runtime-spec specification for this feature is
   being developed in [opencontainers/runtime-spec#1130]. (#3296)

[opencontainers/runtime-spec#1130]: https://github.com/opencontainers/runtime-spec/pull/1130

### Changed
 * system: improve performance of `/proc/$pid/stat` parsing. (#2696)
 * cgroup2: when `/sys/fs/cgroup` is configured as a read-write mount, change
   the ownership of certain cgroup control files (as per
   `/sys/kernel/cgroup/delegate`) to allow for proper deferral to the container
   process. (#3057)
 * docs: series of improvements to man pages to make them easier to read and
   use. (#3032)

#### libcontainer API
 * internal api: remove internal error types and handling system, switch to Go
   wrapped errors. (#3033)
 * New configs.Cgroup structure fields (#3177):
   * Systemd (whether to use systemd cgroup manager); and
   * Rootless (whether to use rootless cgroups).
 * New cgroups/manager package aiming to simplify cgroup manager instantiation.
   (#3177)
 * All cgroup managers' instantiation methods now initialize cgroup paths and
   can return errors. This allows using any cgroup manager method (e.g.
   Exists, Destroy, Set, GetStats) right after instantiation, which was not
   possible before (as paths were initialized in Apply only). (#3178)

### Fixed
 * nsenter: do not try to close already-closed fds during container setup and
   bail on close(2) failures. (#3058)
 * runc checkpoint/restore: fixed for containers with an external bind mount
   whose destination is a symlink. (#3047)
 * cgroup: improve openat2 handling for cgroup directory handle hardening.
   (#3030)
 * `runc delete -f` now succeeds (rather than timing out) on a paused
   container. (#3134)
 * runc run/start/exec now refuses a frozen cgroup (paused container in case of
   exec). Users can disable this using `--ignore-paused`. (#3132, #3223)
 * config: do not permit null bytes in mount fields. (#3287)


## [1.0.3] - 2021-12-06

> If you were waiting for the opportune moment, that was it.

### Security
 * A potential vulnerability was discovered in runc (related to an internal
   usage of netlink), however upon further investigation we discovered that
   while this bug was exploitable on the master branch of runc, no released
   version of runc could be exploited using this bug. The exploit required being
   able to create a netlink attribute with a length that would overflow a uint16
   but this was not possible in any released version of runc. For more
   information, see [GHSA-v95c-p5hm-xq8f][] and CVE-2021-43784.

### Fixed
 * Fixed inability to start a container with read-write bind mount of a
   read-only fuse host mount. (#3283, #3292)
 * Fixed inability to start when read-only /dev is set in spec. (#3276, #3277)
 * Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2
   is used with older systemd. (#3226, #3297)
 * Fixed returning error from GetStats when hugetlb is unsupported (which causes
   excessive logging for Kubernetes). (#3233, #3295)
 * Improved an error message when dbus-user-session is not installed and
   rootless + cgroup2 + systemd are used. (#3212)

[GHSA-v95c-p5hm-xq8f]: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f


## [1.0.2] - 2021-07-16

> Given the right lever, you can move a planet.

### Changed
 * Made release builds reproducible from now on. (#3099, #3142)

### Fixed
 * Fixed a failure to set CPU quota period in some cases on cgroup v1. (#3090,
   #3115)
 * Fixed the inability to start a container with the "adding seccomp filter
   rule for syscall ..." error, caused by redundant seccomp rules (i.e. those
   that have action equal to the default one). Such redundant rules are now
   skipped. (#3109, #3129)
 * Fixed a rare debug log race in runc init, which can result in occasional
   harmful "failed to decode ..." errors from runc run or exec. (#3120, #3130)
 * Fixed the check in cgroup v1 systemd manager if a container needs to be
   frozen before Set, and add a setting to skip such freeze unconditionally.
   The previous fix for that issue, done in runc 1.0.1, was not working.
   (#3166, #3167)


## [1.0.1] - 2021-07-16

> If in doubt, Meriadoc, always follow your nose.

### Fixed
 * Fixed occasional runc exec/run failure ("interrupted system call") on an
   Azure volume. (#3045, #3074)
 * Fixed "unable to find groups ... token too long" error with /etc/group
   containing lines longer than 64K characters. (#3062, #3079)
 * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
   frozen. This is a regression in 1.0.0, not affecting runc itself but some
   of libcontainer users (e.g. Kubernetes). (#3081, #3085)
 * cgroupv2: bpf: Ignore inaccessible existing programs in case of
   permission error when handling replacement of existing bpf cgroup
   programs. This fixes a regression in 1.0.0, where some SELinux
   policies would block runc from being able to run entirely. (#3055, #3087)
 * cgroup/systemd/v2: don't freeze cgroup on Set. (#3067, #3092)
 * cgroup/systemd/v1: avoid unnecessary freeze on Set. (#3082, #3093)


## [1.0.0] - 2021-06-22

> A wizard is never late, nor is he early, he arrives precisely when he means
> to.

As runc follows Semantic Versioning, we will endeavour to not make any
breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is *not* covered by this policy.

### Removed
 * Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
   use libcontainer/devices). (#2999)
 * Removed libcontainer/system.RunningInUserNS function (deprecated since
   rc94, use libcontainer/userns). (#2999)

### Deprecated
 * The usage of relative paths for mountpoints will now produce a warning
   (such configurations are outside of the spec, and in future runc will
   produce an error when given such configurations). (#2917, #3004)

### Fixed
 * cgroupv2: devices: rework the filter generation to produce consistent
   results with cgroupv1, and always clobber any existing eBPF
   program(s) to fix `runc update` and avoid leaking eBPF programs
   (resulting in errors when managing containers). (#2951)
 * cgroupv2: correctly convert "number of IOs" statistics in a
   cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
 * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
 * cgroupv2: wait for freeze to finish before returning from the freezing
   code, optimize the method for checking whether a cgroup is frozen. (#2955)
 * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
 * cgroups/systemd: fixed returning "unit already exists" error from a systemd
   cgroup manager (regression in rc94). (#2997, #2996)

### Added
 * cgroupv2: support SkipDevices with systemd driver. (#2958, #3019)
 * cgroup1: blkio: support BFQ weights. (#3010)
 * cgroupv2: set per-device io weights if BFQ IO scheduler is available.
   (#3022)

### Changed
 * cgroup/systemd: return, not ignore, stop unit error from Destroy. (#2946)
 * Fix all golangci-lint failures. (#2781, #2962)
 * Make `runc --version` output sane even when built with `go get` or
   otherwise outside of our build scripts. (#2962)
 * cgroups: set SkipDevices during runc update (so we don't modify
   cgroups at all during `runc update`). (#2994)

<!-- minor releases -->
[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.0...HEAD
[1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0
[1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0

<!-- 1.0.z patch releases -->
[Unreleased 1.0.z]: https://github.com/opencontainers/runc/compare/v1.0.3...release-1.0
[1.0.3]: https://github.com/opencontainers/runc/compare/v1.0.2...v1.0.3
[1.0.2]: https://github.com/opencontainers/runc/compare/v1.0.1...v1.0.2
[1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1

<!-- 1.1.z patch releases -->
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.12...release-1.1
[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12
[1.1.11]: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11
[1.1.10]: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
[1.1.9]: https://github.com/opencontainers/runc/compare/v1.1.8...v1.1.9
[1.1.8]: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8
[1.1.7]: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7
[1.1.6]: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6
[1.1.5]: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5
[1.1.4]: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4
[1.1.3]: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3
[1.1.2]: https://github.com/opencontainers/runc/compare/v1.1.1...v1.1.2
[1.1.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1
[1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1