runC is a lightweight, general-purpose container runtime. Its goal is to let users run standardized containers anytime, anywhere. Functions and features:
- Full support for Linux namespaces, including user namespaces.
- Native support for all of Linux's security features, including SELinux, AppArmor, seccomp, control groups, capability drop, pivot_root, uid/gid dropping and more.
- Native support for live migration and for Windows 10 containers.
- Planned native support for the Arm, Power, Sparc and other architectures, with direct participation and support from Arm, Intel, Qualcomm, IBM and the wider hardware-manufacturer ecosystem.
- Planned native support for cutting-edge hardware features such as DPDK, sr-iov, tpm and secure enclaves.
- Portable performance profiles, and a configuration format that is becoming a formal standard.
Changelog
Features:
- Add slice management support to the systemd cgroup driver. Checks are done to make sure that systemd supports the feature. #1084
- Support for readonly mount labels. #1112
- Add a tmpcopyup mount extension for tmpfs mounts that are mounted over already existing directories, allowing for the contents of a volume to be copied up transparently. #845
- Switch our pivot_root usage to no longer require temporary directories, improving the state of containers running in entirely readonly contexts. #1125 #1148
- Allow updating of rt_period_us and rt_runtime_us in cpuacct cgroup.
- Reimplement console handling to use AF_UNIX sockets such that the console is created inside the container's (namespaced) devpts instance, solving a wide variety of historical pty bugs with runC. #1018 #1356
- Support overlayfs in mounts. #1314
- Support creating devices with types 'p' and 'u'. #1321
- Add --preserve-fds=N to create and run commands. #1320
- Add pre-dump and parent-path to checkpoint. #1001
- Update to runtime-spec v1.0.0-rc5. #1370
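As an added example (not part of the original release notes or of the runC project's own files), a hand-written OCI config.json that exercises several of the features listed above: a readonly rootfs, a tmpfs mounted over an already existing /var/cache/app directory with the tmpcopyup extension, a readonly bind mount, a reduced capability set, and a default-deny seccomp profile. The paths /usr/bin/app, /srv/app-config and /var/cache/app and the syscall allowlist are assumed placeholders for a real workload.

```json
{
  "ociVersion": "1.0.0-rc5",
  "process": {
    "terminal": true,
    "user": { "uid": 0, "gid": 0 },
    "args": ["/usr/bin/app"],
    "cwd": "/",
    "noNewPrivileges": true,
    "capabilities": {
      "bounding":    ["CAP_NET_BIND_SERVICE"],
      "effective":   ["CAP_NET_BIND_SERVICE"],
      "permitted":   ["CAP_NET_BIND_SERVICE"],
      "inheritable": ["CAP_NET_BIND_SERVICE"]
    }
  },
  "root": { "path": "rootfs", "readonly": true },
  "mounts": [
    { "destination": "/proc", "type": "proc", "source": "proc" },
    { "destination": "/dev", "type": "tmpfs", "source": "tmpfs",
      "options": ["nosuid", "strictatime", "mode=755", "size=65536k"] },
    { "destination": "/dev/pts", "type": "devpts", "source": "devpts",
      "options": ["nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"] },
    { "destination": "/var/cache/app", "type": "tmpfs", "source": "tmpfs",
      "options": ["nosuid", "nodev", "noexec", "tmpcopyup", "size=16m"] },
    { "destination": "/etc/app", "type": "bind", "source": "/srv/app-config",
      "options": ["rbind", "ro"] }
  ],
  "linux": {
    "namespaces": [
      { "type": "pid" }, { "type": "network" }, { "type": "ipc" },
      { "type": "uts" }, { "type": "mount" }
    ],
    "maskedPaths": ["/proc/kcore", "/proc/sched_debug", "/sys/firmware"],
    "readonlyPaths": ["/proc/sys", "/proc/sysrq-trigger", "/proc/bus"],
    "seccomp": {
      "defaultAction": "SCMP_ACT_ERRNO",
      "architectures": ["SCMP_ARCH_X86_64"],
      "syscalls": [
        { "names": ["read", "write", "close", "fstat", "mmap", "munmap", "brk",
                    "rt_sigreturn", "exit", "exit_group", "futex", "nanosleep"],
          "action": "SCMP_ACT_ALLOW" }
      ]
    }
  }
}
```

With tmpcopyup, the files already present in the image's /var/cache/app are copied into the writable tmpfs, so the readonly rootfs still lets the application write to its cache directory; any syscall outside the allowlist fails with EPERM rather than reaching the kernel.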
Fixes:
- Remove check for binding to /. #1090
- Ensure we log to logrus on command errors. #1089
- Don't enable kmem limits if they're not specified in the config. #1095
- Handle cases where specs.Resources.* members would cause null
dereferences. #1111 #1116
- Fix bugs in the GetProcessStartTime implementation. #1136
- Make sysctl config validation checks handle network namespaces more
gracefully. #1138 #1149
- Guarantee correct namespace creation ordering. This is part of the
rootless container patchset, and is also required in certain SELinux
setups. #977
- Stop screwing around with '/n' in console output. #1146
- Fix cpuset.cpu_exclusive handling. #1194
- Sync HookState with the OCI specification. #1201
- Split remounting mountpoints and bindmounts, resolving issues with
mount options being dropped in certain cases. #1222
- Fix leftover cgroup directory issue. #1196
- Handle config.Devices and config.MaskPaths in checkpoint. #1110.
- Don't create combined cgroup subsystem names. #1268
- Ignore cgroupv2 mountpoints, fixing issues with systemd v232. #1266
- Race condition when synchronising with children and grandchildren in
nsexec.c. #1237
- Fix state checks to no longer depend on _LIBCONTAINER being present in
the environment, fixing both bugs as well as being part of the
rootless container patchset. #1317
- Fix systemd-notify when using different PID namespaces, and allow
detach+notify socket. #1308
- Don't fchown when inheriting stdio, which is necessary for rootless
containers in certain scenarios. #1354
- Fix cpu.cfs_quota_us being changed when systemd is reloaded. #1344
- Add devices to whitelist for LXD, to make runC under LXC/LXD work
better. #1327
- Many improvements to testing. #1121 #1131 #1132 #1147
Original content of this site; keep the following information when reposting:
This article is reposted from: 深度开源 (open-open.com)
Original URL: http://www.open-open.com/news/view/6fe29773