Release v1.1.15

[rata]

[1.1.15] - 2024-10-07

Fixed

• The -ENOSYS seccomp stub is now always generated for the native
  architecture that runc is running on. This is needed to work around some
  arguably specification-incompliant behaviour from Docker on architectures
  such as ppc64le, where the allowed architecture list is set to null. This
  ensures that we always generate at least one -ENOSYS stub for the native
  architecture even with these weird configs. ([1.1] seccomp: patchbpf: always include native architecture in stub #4391)
• On a system with older kernel, reading /proc/self/mountinfo may skip some
  entries, as a consequence runc may not properly set mount propagation,
  causing container mounts leak onto the host mount namespace. (runc has problems due to leaked mount information #2404, [1.1] runc run: fix mount leak #4425)

Removed

• In order to fix performance issues in the "lightweight" bindfd protection
  against CVE-2019-5736, the temporary ro bind-mount of /proc/self/exe
  has been removed. runc now creates a binary copy in all cases. ([1.1] nsenter: cloned_binary: remove bindfd logic entirely #4392, too many mount/umount syscalls #2532)

---

I'd like to create a 1.1.15 release including the change to remove the bindfd logic (already backported :)), as that is causing us quite some pain. I'm of course fine if we release earlier than that date, in fact that would be great :)

I'll be on PTO starting today and coming back next week. Feel free to either push to this branch to amend any changes (maintainers can push to that branch on my behalf IIUC), otherwise I can address the changes early next week.

[rata]

Hmm, alma linux 9 is failing with:

not ok 14 runc run (cgroup v2 resources.unified only)
# (in test file tests/integration/cgroups.bats, line 270)
#   `[ "$status" -eq 0 ]' failed
# runc spec (status=0):
#
# runc run -d --console-socket /tmp/bats-run-eiy40K/runc.G1EDSZ/tty/sock test_cgroups_unified (status=1):
# time="2024-10-02T11:30:45Z" level=error msg="runc run failed: unable to start container process: container init was OOM-killed (memory limit too low?)"

It failed also when merging to the 1.1 branch, but not on the PR. See the last commit "merge #4391 into opencontainers/runc:release-1.1": https://github.com/opencontainers/runc/commits/release-1.1/

[rata]

Fixed here for 1.1: #4423

[kolyshkin]

Let's include #4425 into 1.1.15, too.

Also, we need to decide what to do with #4347

[cyphar]

Since #4347 is a longer-standing issue I don't think we need to block a 1.1.z patch release on it. Maybe we might want to block 1.2.0 on it (depending on how the spec stuff goes) but I'm not sure if we would even want to backport a spec fix to 1.1.z.

[AkihiroSuda]

LGTM but needs rebase

[kolyshkin]

LGTM

[kolyshkin]

I rebased this PR and did some minor fixes to the changelog (added missing CVE and 1.1.15 links, fixed the "Unreleased 1.1.z" link).

Also changed the release date to Monday, because why not.

[lifubang]

I searched PR with the label kind/bug, and found that #3546 is not only an new feature implementation, but also a bug in practise.
Do you think #3546 should be included?