Comparing changes

base repository: containerd/containerd
base: c0efc63d3907
head repository: containerd/containerd
compare: v1.6.21
  • 19 commits
  • 27 files changed
  • 9 contributors

Commits on Apr 13, 2023

  1. update runc binary to v1.1.6

    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
    full diff: opencontainers/runc@v1.1.5...v1.1.6
    
    This is the sixth patch release in the 1.1.z series of runc, which fixes
    a series of cgroup-related issues.
    
    Note that this release can no longer be built from sources using Go
    1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
    recommended. Go 1.17 can still be used.
    
    - systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
      from systemd while trying to create a systemd unit, which in some scenarios
      may result in a container not being added to the proper systemd unit and
      cgroup.
    - systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
      resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
      than 8 CPUs, resulting in the wrong AllowedCPUs setting.
    - systemd cgroup v1 driver was prefixing container's cgroup path with the path
      of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
    - runc run/start may return "permission denied" error when starting a rootless
      container when the file to be executed does not have executable bit set for
      the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
      a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
    - cgroup v1 drivers are now aware of misc controller.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 49111b1)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed Apr 13, 2023
    57d9534

Commits on Apr 17, 2023

  1. oci: partially restore comment on read-only mounts for uid/gid uses

    Commit cab0562 removed the tryReadonlyMounts
    utility, in favor of mounts.ReadOnlyMounts() that was added in commit
    daa3a76.
    
    That change made part of the comment redundant, because mounts.ReadOnlyMounts
    handles both overlayfs read-only mounts (by skipping the workdir mounts), and
    sets the "ro" option for other mount-types, but the reason why we're using a
    read-only mount is still relevant, so restoring that part of the comment.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit cb2c3ec)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed Apr 17, 2023
    c33eb57
  2. Add ArgsEscaped support for CRI

    This commit adds support for the ArgsEscaped
    value for the image got from the dockerfile.
    It is used to evaluate and process the image
    entrypoint/cmd and container entrypoint/cmd
    options got from the podspec.
    
    Signed-off-by: Kirtana Ashok <[email protected]>
    (cherry picked from commit 8137e41)
    Signed-off-by: Kirtana Ashok <[email protected]>
    Kirtana Ashok authored and Kirtana Ashok committed Apr 17, 2023
    8b81d5a
  3. Fix argsEscaped tests

    - Rename test name
    - Add a tag to the container image used in the tests instead of the latest tag
    - Add a 5 second delay between container start and stop to ensure that the
      container is fully initialized
    
    Signed-off-by: Kirtana Ashok <[email protected]>
    (cherry picked from commit e0b817e)
    Signed-off-by: Kirtana Ashok <[email protected]>
    Kirtana Ashok authored and Kirtana Ashok committed Apr 17, 2023
    bc2e013

Commits on Apr 18, 2023

  1. Merge pull request #8385 from thaJeztah/1.6_backport_runc_binary_1.1.6

    [release/1.6 backport] update runc binary to v1.1.6
    fuweid authored Apr 18, 2023
    ee0637a

Commits on Apr 21, 2023

  1. Merge pull request #8247 from kiashok/port-gracefulterminationFix

    [release/1.6 ] Add ArgsEscaped support for CRI
    estesp authored Apr 21, 2023
    97243ae
  2. Merge pull request #8403 from thaJeztah/1.6_backport_restore_readonly_comments

    [release/1.6 backport] oci: partially restore comment on read-only mounts for uid/gid uses
    estesp authored Apr 21, 2023
    967a516

Commits on Apr 27, 2023

  1. update runc binary to v1.1.7

    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
    full diff: opencontainers/runc@v1.1.6...v1.1.7
    
    This is the seventh patch release in the 1.1.z release of runc, and is
    the last planned release of the 1.1.z series. It contains a fix for
    cgroup device rules with systemd when handling device rules for devices
    that don't exist (though for devices whose drivers don't correctly
    register themselves in the kernel -- such as the NVIDIA devices -- the
    full fix only works with systemd v240+).
    
    - When used with systemd v240+, systemd cgroup drivers no longer skip
      DeviceAllow rules if the device does not exist (a regression introduced
      in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
      removing an extra warning emitted by runc run/start.
    - The source code now has a new file, runc.keyring, which contains the keys
      used to sign runc releases.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 27c0fe3)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed Apr 27, 2023
    ccb51ff
  2. WithRuntimePath uses the TaskInfo.RuntimePath field

    Signed-off-by: Iceber Gu <[email protected]>
    (cherry picked from commit 97064b0)
    Iceber committed Apr 27, 2023
    f49254f
  3. integration: add container start test using abs runtime path

    Signed-off-by: Iceber Gu <[email protected]>
    (cherry picked from commit c89438e)
    Iceber committed Apr 27, 2023
    75ab094
  4. e8840f6
  5. Remove entry for container from container store on error

    If containerd does not see a container but criservice's
    container store does, then we should try to recover from
    this error state by removing the container from criservice's
    container store as well.
    
    Signed-off-by: Kirtana Ashok <[email protected]>
    (cherry picked from commit d9f3e38)
    Signed-off-by: Kirtana Ashok <[email protected]>
    Kirtana Ashok authored and Kirtana Ashok committed Apr 27, 2023
    95d3155

Commits on Apr 28, 2023

  1. Merge pull request #8456 from kiashok/port_deleteCtr_1.6

    [release/1.6] Remove entry for container from container store on error
    dmcgowan authored Apr 28, 2023
    75e082c

Commits on Apr 30, 2023

  1. Merge pull request #8450 from thaJeztah/1.6_backport_runc_binary_1.1.7

    [release/1.6 backport] update runc binary to v1.1.7
    AkihiroSuda authored Apr 30, 2023
    a467b25

Commits on May 2, 2023

  1. Merge pull request #8454 from Iceber/fix_runtime_path_1.6

    [release/1.6] fix the task setting the runtime path
    dmcgowan authored May 2, 2023
    ae53d00

Commits on May 3, 2023

  1. [release/1.6] update go to go1.19.9

    go1.19.9 (released 2023-05-02) includes three security fixes to the html/template
    package, as well as bug fixes to the compiler, the runtime, and the crypto/tls
    and syscall packages. See the Go 1.19.9 milestone on our issue tracker for details.
    
    https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved
    
    release notes: https://go.dev/doc/devel/release#go1.19.9
    full diff: golang/go@go1.19.8...go1.19.9
    
    from the announcement:
    
    > These minor releases include 3 security fixes following the security policy:
    >
    > - html/template: improper sanitization of CSS values
    >
    >   Angle brackets (`<>`) were not considered dangerous characters when inserted
    >   into CSS contexts. Templates containing multiple actions separated by a '/'
    >   character could result in unexpectedly closing the CSS context and allowing
    >   for injection of unexpected HTML, if executed with untrusted input.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
    >
    > - html/template: improper handling of JavaScript whitespace
    >
    >   Not all valid JavaScript whitespace characters were considered to be
    >   whitespace. Templates containing whitespace characters outside of the character
    >   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
    >   actions may not be properly sanitized during execution.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
    >
    > - html/template: improper handling of empty HTML attributes
    >
    >   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
    >   executed with empty input could result in output that would have unexpected
    >   results when parsed due to HTML normalization rules. This may allow injection
    >   of arbitrary attributes into tags.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 3, 2023
    39566aa
  2. Merge pull request #8469 from thaJeztah/1.6_update_go1.19.9

    [release/1.6] update go to go1.19.9
    mikebrow authored May 3, 2023
    b24ff59

Commits on May 5, 2023

  1. Add release notes for v1.6.21

    Signed-off-by: Kirtana Ashok <[email protected]>
    kiashok committed May 5, 2023
    9226c36
  2. Merge pull request #8463 from kiashok/addReleaseNotes-v.1.6.21

    [release/1.6] Prepare release notes for v1.6.21
    dmcgowan authored May 5, 2023
    3dce8eb