
Dockerfile: update runc binary to v1.3.4#51633

Merged
vvoland merged 1 commit into moby:master from Xeeynamo:bump-runc-v134
Dec 2, 2025

Conversation

Xeeynamo (Contributor) commented Dec 1, 2025

This version bump aims to fix a regression in runc v1.3.3, which caused /dev/shm to have inappropriate permissions exposed to containers:

Fixes docker/for-mac#7804

Update runc (in static binaries) to [v1.3.4](https://github.com/opencontainers/runc/releases/tag/v1.3.4)

@Xeeynamo Xeeynamo requested a review from tianon as a code owner December 1, 2025 17:21
Comment thread Dockerfile
# that is used. If you need to update runc, open a pull request in the containerd
# project first, and update both after that is merged.
ARG RUNC_VERSION=v1.3.3
ARG RUNC_VERSION=v1.3.4
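Review bot: the hunk pins RUNC_VERSION to v1.3.4, but the commit message quoted further down this thread links the v1.4.0 release notes ("release notes: https://github.com/opencontainers/runc/releases/tag/v1.4.0") and the v1.3.3...v1.4.0 diff, so those two links should be re-pointed at v1.3.4 (as the PR description already does) before merging, or the git log will send readers to the wrong release. The comment directly above the ARG also asks that runc bumps go through containerd first and that "both" be updated after that merges; the PR description cites only the runc release, so it should also reference the containerd change this aligns with.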
Member:

Now v1.4.0

Member:

I think we tried to align this one ~ with the containerd.io packages; we can update it to 1.4 later probably, or did containerd already move to 1.4 now?

Contributor Author:

It has been bumped to 1.4.0 just a few hours ago: containerd/containerd@fbb42c2 . I rebased both the commit and the PR description to match v1.4.0 instead of v1.3.4!

Member:

Ah, right, that's the main branch, so currently targeting containerd v2.3.0 (May 2026), but perhaps it's OK to backport

@thaJeztah thaJeztah added status/2-code-review kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. impact/changelog area/testing area/packaging labels Dec 1, 2025
@thaJeztah thaJeztah added this to the 29.1.2 milestone Dec 1, 2025
@Xeeynamo Xeeynamo changed the title Dockerfile: update runc binary to v1.3.4 Dockerfile: update runc binary to v1.4.0 Dec 1, 2025
vvoland (Contributor) left a comment:

Let's go with v1.3.4 for now. It also has the patch for the regression introduced by the CVE fix.

We want to be able to release minor/patch releases from master for now, and runc 1.4.0 has been out only for a few days, so I'd like to give it a little bit more baking time.

@Xeeynamo Xeeynamo changed the title Dockerfile: update runc binary to v1.4.0 Dockerfile: update runc binary to v1.3.4 Dec 2, 2025
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.4.0
- full diff: opencontainers/runc@v1.3.3...v1.4.0

This version bump aims to fix a regression in runc v1.3.3, which caused
/dev/shm to have inappropriate permissions exposed to containers:
* opencontainers/runc#4971
* opencontainers/runc#4976

Signed-off-by: Luciano Ciccariello <xeeynamo@hotmail.com>
thaJeztah (Member) left a comment:

LGTM, thanks!

Let's open a follow-up with 1.4; we can keep that one in draft (at least to have CI run), then decide when the right moment is to merge.

vvoland (Contributor) left a comment:

LGTM

@vvoland vvoland merged commit 616e53c into moby:master Dec 2, 2025
299 of 302 checks passed
@Xeeynamo Xeeynamo deleted the bump-runc-v134 branch December 2, 2025 11:49
guoard commented Dec 3, 2025

Do you have any plans to backport it to the 28.x branch?

thaJeztah (Member):

This only impacts the static binaries; if you have installed docker through the deb or rpm packages you should be able to get the update by updating the containerd.io package to the latest version.
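Because the fix reaches a host by different routes (a new static binary for static installs, a newer containerd.io package for deb/rpm installs), it is worth confirming on each host which runc the daemon is actually using and whether containers get a sane /dev/shm. The script below is an added example for this thread, not code from the moby PR, from runc or from docker/for-mac. It parses a `runc --version` style string, compares the version component by component against 1.3.4 (the first release with the fix, per the PR description), and, when invoked with `run`, reads the runc version that `docker version` reports under Server.Components and checks the mode of /dev/shm inside a throwaway container. Two things are assumptions rather than statements from the page: that the expected mode is 1777 (world-writable with the sticky bit, which is what the default OCI runtime spec requests for that tmpfs), and the use of the `alpine` image, which is only a convenient choice for the live check.

```shell
#!/bin/sh
# Added example for this PR thread; not code from moby, runc or docker/for-mac.
# Checks (1) that the runc a host's daemon reports is at least v1.3.4, the
# release with the /dev/shm permission fix named in the PR description, and
# (2) that a container really gets a /dev/shm with the expected permissions.
# Assumptions not stated on the page: the expected mode is 1777 (what the
# default OCI spec asks for on that tmpfs); "alpine" is just a handy image.
set -eu

FIXED_VERSION=1.3.4

# parse_runc_version TEXT: pull "X.Y.Z" out of `runc --version` style output
# ("runc version 1.3.4", possibly followed by "+dev", "-rc1" or more lines).
parse_runc_version() {
    printf '%s\n' "$1" | sed -n '1s/^runc version \([0-9][0-9.]*\).*$/\1/p'
}

# version_ge A B: exit 0 when dotted version A is >= B, comparing component
# by component as integers (so 1.10.0 > 1.3.4, which a string compare misses).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"                           # leading component
        if [ "$ai" = "$a" ]; then a=''; else a="${a#*.}"; fi   # consume it
        if [ "$bi" = "$b" ]; then b=''; else b="${b#*.}"; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# runc_has_fix TEXT: exit 0 when the runc version in TEXT is >= 1.3.4,
# 1 when it is older, 2 when no version could be parsed at all.
runc_has_fix() {
    v=$(parse_runc_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# shm_mode_ok MODE: MODE is what `stat -c %a /dev/shm` prints in a container.
# Only 1777 counts as correct (assumption, see above).
shm_mode_ok() {
    [ "$1" = "1777" ]
}

# Live check, only when invoked as `sh check-shm.sh run`, so the functions
# above can be sourced or tested on a machine without docker installed.
if [ "${1:-}" = "run" ]; then
    # The daemon lists its runc under Server.Components; this is the same
    # whether runc came from the static bundle or the containerd.io package.
    ver=$(docker version --format \
        '{{range .Server.Components}}{{if eq .Name "runc"}}{{.Version}}{{end}}{{end}}')
    if runc_has_fix "runc version $ver"; then
        echo "runc $ver: at or above $FIXED_VERSION"
    else
        echo "runc $ver: older than $FIXED_VERSION, /dev/shm regression possible" >&2
    fi
    mode=$(docker run --rm alpine stat -c '%a' /dev/shm)
    if shm_mode_ok "$mode"; then
        echo "/dev/shm mode $mode: ok"
    else
        echo "/dev/shm mode $mode: unexpected, expected 1777" >&2
        exit 1
    fi
fi
```

The version comparison is kept separate from the docker calls on purpose: the same `runc_has_fix` can be fed the output of a plain `runc --version` on a host where the binary is on the PATH, or the `docker version` component string on a Docker Desktop machine where runc lives inside the VM.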


Development

Successfully merging this pull request may close these issues.

Error when starting Oracle Database after upgrading from 4.50.0 to 4.51.0
