
Conversation

@vvoland
Contributor

@vvoland vvoland commented Nov 28, 2025

This update includes a fix for a regression introduced in CVE-2025-52881 mitigation patches where the mode= argument was incorrectly applied to tmpfs mounts regardless of whether the target path existed.

@@ -1 +1 @@
v1.3.3
v1.3.4
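Review bot: the hunk pins a bare tag (v1.3.3 to v1.3.4) with no digest or checksum next to it, so nothing in the change itself ties the name to a specific artifact; confirm that whatever consumes this file verifies the downloaded release against a checksum or signature rather than trusting the tag alone, and consider adding the runc release note or commit for the tmpfs mode= regression fix to the commit message so the changelog entry points at it.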
Member


Since runc v1.4.0 is available, we should be switching to that version in main

Contributor Author


Makes sense, I've switched this one to target the 2.2 release branch

@vvoland vvoland changed the title runc: Update runc binary to v1.3.4 [release/2.2] runc: Update runc binary to v1.3.4 Dec 1, 2025
@vvoland vvoland changed the base branch from main to release/2.2 December 1, 2025 09:11
This update includes a fix for a regression introduced in CVE-2025-52881
mitigation patches where the `mode=` argument was incorrectly applied to
tmpfs mounts regardless of whether the target path existed.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@samuelkarp
Member

That CI is passing, I think, validates this, but 1.4.0 has a breaking change regarding the handling of pids.limit in the bundle. As long as we're omitting adding 0 when the limit is unset, this should be fine though.

@dmcgowan
Member

dmcgowan commented Dec 1, 2025

@samuelkarp the 1.4 change was merged in main, should we create an issue to make sure we are testing that case? Are you ok getting this 1.3.4 change, I don't think we have had much runc version skew between main and release branches but it seems warranted in this case.

@samuelkarp
Member

the 1.4 change was merged in main

I need to get my eyes checked 👀. I think 1.4 is fine in the release branches as long as we've validated that our spec generation logic doesn't populate 0 when we mean unset (which I don't think it does...I think we're in the clear).

Opened #12607 for tracking.
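The check discussed above (that spec generation must leave `linux.resources.pids` out entirely when no limit is intended, rather than emitting `limit: 0`) as an added example; this is not containerd's or runc's code. It mirrors only the handful of OCI runtime-spec fields it needs, and the assumption is that, as upstream, `pids` is a pointer with `omitempty` while `limit` itself is a plain `int64`, so the only way to express "unset" is to omit the block.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal mirror of the OCI runtime-spec resource types used here.
// Assumption: as in the upstream spec, "pids" is a pointer with omitempty
// (absent means unset) and "limit" has no omitempty, so 0 is always written.
type LinuxPids struct {
	Limit int64 `json:"limit"`
}

type LinuxResources struct {
	Pids *LinuxPids `json:"pids,omitempty"`
}

type Linux struct {
	Resources *LinuxResources `json:"resources,omitempty"`
}

type Spec struct {
	Linux *Linux `json:"linux,omitempty"`
}

// RenderSpec is a stand-in for a spec generator (hypothetical, not containerd's).
// A nil limit means "unset": the pids block is omitted instead of being
// written with Limit: 0, which is the value whose meaning changed in runc 1.4.
func RenderSpec(limit *int64) ([]byte, error) {
	res := &LinuxResources{}
	if limit != nil {
		res.Pids = &LinuxPids{Limit: *limit}
	}
	return json.Marshal(Spec{Linux: &Linux{Resources: res}})
}

// PidsLimit reports whether linux.resources.pids is present in a rendered
// config.json and, if so, the limit it carries.
func PidsLimit(configJSON []byte) (present bool, limit int64, err error) {
	var spec Spec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return false, 0, err
	}
	if spec.Linux == nil || spec.Linux.Resources == nil || spec.Linux.Resources.Pids == nil {
		return false, 0, nil
	}
	return true, spec.Linux.Resources.Pids.Limit, nil
}

// CheckPidsLimit is the regression guard for the generator: an explicit
// pids.limit of 0 is rejected; an absent block or a positive limit passes.
func CheckPidsLimit(configJSON []byte) error {
	present, limit, err := PidsLimit(configJSON)
	if err != nil {
		return fmt.Errorf("parse config.json: %w", err)
	}
	if present && limit == 0 {
		return fmt.Errorf("pids.limit is an explicit 0; omit linux.resources.pids when no limit is intended")
	}
	return nil
}

func main() {
	zero, capped := int64(0), int64(4096)
	for _, limit := range []*int64{nil, &zero, &capped} {
		cfg, err := RenderSpec(limit)
		if err != nil {
			fmt.Println("render:", err)
			continue
		}
		fmt.Printf("%s\n  has pids key: %v, check: %v\n",
			cfg, strings.Contains(string(cfg), `"pids"`), CheckPidsLimit(cfg))
	}
}
```

Running `CheckPidsLimit` over every bundle a test suite generates (rather than only the one case named above) is the cheap way to keep the assertion "we never populate 0 when we mean unset" true after future refactors of the spec generator.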

@kavinnath

kavinnath commented Dec 3, 2025

I hope containerd LTS 1.7 will add support for the runc 1.3.4 binary soon, right?

@dmcgowan
Member

dmcgowan commented Dec 3, 2025

I hope containerd LTS 1.7 will add support for the runc 1.3.4 binary soon, right?

It is already supported, runc can be updated independently of containerd. This is for our own testing and the GitHub release tars but packagers can choose their own version.
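Since runc ships separately from containerd, the practical question for an operator is which runc a given host actually runs. The following added example (not containerd's or runc's code) parses the first line of `runc --version` output and checks it against a minimum; the assumption is that the first line has the form `runc version X.Y.Z`, optionally with a prerelease suffix, which is how current releases print it. Prereleases sort below their final release; whether a 1.4.0 release candidate carries this particular fix is not something the thread states, so the check is purely the numeric minimum.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed runc release; Pre holds a prerelease suffix such as "rc.1".
type Version struct {
	Major, Minor, Patch int
	Pre                 string
}

// Assumption: the first line of `runc --version` reads "runc version 1.3.4"
// (a leading "v" and a "-rc.N" style suffix are tolerated).
var versionLine = regexp.MustCompile(`^runc version v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?`)

// ParseRuncVersion extracts the release from `runc --version` output.
func ParseRuncVersion(output string) (Version, error) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := versionLine.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		maj, _ := strconv.Atoi(m[1])
		min, _ := strconv.Atoi(m[2])
		pat, _ := strconv.Atoi(m[3])
		return Version{Major: maj, Minor: min, Patch: pat, Pre: m[4]}, nil
	}
	return Version{}, fmt.Errorf("no 'runc version' line found in output")
}

// Less reports whether v precedes o. Numeric fields decide first; with equal
// numbers only a prerelease is older than the corresponding final release.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	if v.Patch != o.Patch {
		return v.Patch < o.Patch
	}
	return v.Pre != "" && o.Pre == ""
}

// MeetsMinimum reports whether v is at least min.
func MeetsMinimum(v, min Version) bool {
	return !v.Less(min)
}

// FixedVersion is the release this PR pins: the first 1.3.x with the tmpfs mode= regression fixed.
var FixedVersion = Version{Major: 1, Minor: 3, Patch: 4}

func main() {
	// Constructed sample of `runc --version` output; the real command is run below if present.
	sample := "runc version 1.3.3\ncommit: v1.3.3-0-gdeadbeef\nspec: 1.2.1\n"
	if out, err := exec.Command("runc", "--version").CombinedOutput(); err == nil {
		sample = string(out)
	}
	v, err := ParseRuncVersion(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("runc %d.%d.%d%s meets minimum v1.3.4: %v\n",
		v.Major, v.Minor, v.Patch, pre(v), MeetsMinimum(v, FixedVersion))
}

func pre(v Version) string {
	if v.Pre == "" {
		return ""
	}
	return "-" + v.Pre
}
```

The binary containerd invokes is whatever its runtime configuration points at, so run the check against that path rather than the first `runc` on `$PATH` when the two differ.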

@dmcgowan dmcgowan changed the title [release/2.2] runc: Update runc binary to v1.3.4 [release/2.2] Update runc binary to v1.3.4 Dec 3, 2025
@dmcgowan dmcgowan merged commit f064d36 into containerd:release/2.2 Dec 3, 2025
89 of 92 checks passed
@dmcgowan dmcgowan added cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch cherry-pick/2.1.x Change to be cherry picked to release/2.1 branch labels Dec 3, 2025
@dmcgowan
Member

dmcgowan commented Dec 3, 2025

/cherry-pick release/2.1

@k8s-infra-cherrypick-robot

@dmcgowan: new pull request created: #12618

In response to this:

/cherry-pick release/2.1


@dmcgowan
Member

dmcgowan commented Dec 3, 2025

/cherry-pick release/1.7

@dmcgowan dmcgowan added cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch cherry-picked/2.1.x PR commits are cherry picked into the release/2.1 branch and removed cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch cherry-pick/2.1.x Change to be cherry picked to release/2.1 branch labels Dec 3, 2025
@k8s-infra-cherrypick-robot

@dmcgowan: new pull request created: #12619

In response to this:

/cherry-pick release/1.7


Labels

area/runtime Runtime cherry-picked/1.7.x PR commits are cherry-picked into release/1.7 branch cherry-picked/2.1.x PR commits are cherry picked into the release/2.1 branch impact/changelog size/XS


8 participants