Bump runc from v1.1.13 to v1.2.1

cache/runc.json

@@ -0,0 +1,7 @@
+{
+  "tagName": "v1.2.1",
+  "url": "https://github.com/opencontainers/runc/releases/tag/v1.2.1",
+  "description": "This is the first patch release of the 1.2.z series of runc. It includes\r\na critical bugfix for an issue that manifested on SELinux-based\r\ndistributions and was blocking containerd from updating to\r\nrunc 1.2.z.\r\n\r\nIn addition, runc-dmz (added in 1.2.0) has been removed entirely. This\r\nwas opt-in (due to the many limitations it had), but the late addition\r\nof the overlayfs-based CVE-2019-5736 protection made it no longer\r\nnecessary at all.\r\n\r\n + We now explicitly become root after joining an existing user namespace.\r\n   Otherwise, runc won't have permissions to configure some mounts when\r\n   running under SELinux and runc is not creating the user namespace.\r\n   (#4466, #4477)\r\n - Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)\r\n - Remove runc-dmz, that had many limitations, and is mostly made obsolete by\r\n   the new protection mechanism added in v1.2.0. Note that runc-dmz was only\r\n   available only in the 1.2.0 release and required to set an environment variable\r\n   to opt-in. (#4488)\r\n * The `script/check-config.sh` script now checks for overlayfs support. (#4494)\r\n * When using cgroups v2, allow to set or update memory limit to \"unlimited\"\r\n   and swap limit to a specific value. (#4501)\r\n\r\n### Static Linking Notices ###\r\n\r\nThe `runc` binary distributed with this release are *statically linked* with\r\nthe following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting\r\nas a \"work that uses the Library\":\r\n\r\n[lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html\r\n\r\n  - [libseccomp](https://github.com/seccomp/libseccomp)\r\n\r\nThe versions of these libraries were not modified from their upstream versions,\r\nbut in order to comply with the LGPL-2.1 (&sect;6(a)), we have attached the\r\ncomplete source code for those libraries which (when combined with the attached\r\nrunc source code) may be used to exercise your rights under the LGPL-2.1.\r\n\r\nHowever we strongly suggest that you make use of your distribution's packages\r\nor download them from the authoritative upstream sources, especially since\r\nthese libraries are related to the security of your containers.\r\n\r\n<hr/>\r\n\r\nThanks to all of the contributors who made this release possible:\r\n\r\n * Akihiro Suda <[email protected]>\r\n * Aleksa Sarai <[email protected]>\r\n * Kir Kolyshkin <[email protected]>\r\n * Rodrigo Campos <[email protected]>\r\n * Wei Fu <[email protected]>\r\n * lifubang <[email protected]>\r\n\r\nSigned-off-by: Aleksa Sarai <[email protected]>",
+  "publishedAt": "2024-11-01T22:23:57Z",
+  "isLatest": true
+}

roles/kubespray-defaults/defaults/main/checksums.yml

@@ -750,27 +750,31 @@ cri_dockerd_archive_checksums:
     0.3.5: 0
 runc_checksums:
   arm:
+    v1.2.1: 0
     v1.1.13: 0
     v1.1.12: 0
     v1.1.11: 0
     v1.1.10: 0
     v1.1.9: 0
     v1.1.8: 0
   arm64:
+    v1.2.1: 8c0d81c80ffdaab986629a9c787d8468ab41851e7aab8f9617a4c3674e192aaa
     v1.1.13: 4b93701752f5338ed51592b38e039aef8c1a59856d1225df21eba84c2830743c
     v1.1.12: 879f910a05c95c10c64ad8eb7d5e3aa8e4b30e65587b3d68e009a3565aed5bb8
     v1.1.11: 9f1ee53f06b78cc4a115ca6ae4eec10567999539ce828a22c5351edba043ed12
     v1.1.10: 4830afd426bdeacbdf9cb8729524aa2ed51790b8c4b28786995925593708f1c8
     v1.1.9: b43e9f561e85906f469eef5a7b7992fc586f750f44a0e011da4467e7008c33a0
     v1.1.8: 7c22cb618116d1d5216d79e076349f93a672253d564b19928a099c20e4acd658
   amd64:
+    v1.2.1: b106d49c60e688022f5909432a77bd3260f29687199d47213ed87269588af781
     v1.1.13: bcfc299c1ab255e9d045ffaf2e324c0abaf58f599831a7c2c4a80b33f795de94
     v1.1.12: aadeef400b8f05645768c1476d1023f7875b78f52c7ff1967a6dbce236b8cbd8
     v1.1.11: 77ae134de014613c44d25e6310a57a219a7a91155cd47d069a0f22a2cad5caea
     v1.1.10: 81f73a59be3d122ab484d7dfe9ddc81030f595cc59968f61c113a9a38a2c113a
     v1.1.9: b9bfdd4cb27cddbb6172a442df165a80bfc0538a676fbca1a6a6c8f4c6933b43
     v1.1.8: 1d05ed79854efc707841dfc7afbf3b86546fc1d0b3a204435ca921c14af8385b
   ppc64le:
+    v1.2.1: 652920e145b461151b7e87b28b339594e62129cfc87370b03651a37c39bbc0df
     v1.1.13: 4675d51dc0b08ad8e17d3065f2e4ce47760728945f33d3092385e792357e6519
     v1.1.12: 4069d1d57724126e116ad6dbd84409082d1b0afee1ee960b17558f146a742bb6
     v1.1.11: e3d1da41f97db1bb7e9a8d96c9092747c14ee53bc9f160048828e63f3a2d0896

roles/kubespray-defaults/defaults/main/download.yml

@@ -75,7 +75,7 @@ image_arch: "{{ host_architecture | default('amd64') }}"
 
 # Versions
 crun_version: 1.14.4
-runc_version: v1.1.13
+runc_version: v1.2.1
 kata_containers_version: 3.1.3
 youki_version: 0.1.0
 gvisor_version: 20240305

version_diff.json

@@ -0,0 +1,17 @@
+{
+  "runc": {
+    "current_version": "v1.1.13",
+    "latest_version": "v1.2.1",
+    "release": {
+      "tagName": "v1.2.1",
+      "url": "https://github.com/opencontainers/runc/releases/tag/v1.2.1",
+      "description": "This is the first patch release of the 1.2.z series of runc. It includes\r\na critical bugfix for an issue that manifested on SELinux-based\r\ndistributions and was blocking containerd from updating to\r\nrunc 1.2.z.\r\n\r\nIn addition, runc-dmz (added in 1.2.0) has been removed entirely. This\r\nwas opt-in (due to the many limitations it had), but the late addition\r\nof the overlayfs-based CVE-2019-5736 protection made it no longer\r\nnecessary at all.\r\n\r\n + We now explicitly become root after joining an existing user namespace.\r\n   Otherwise, runc won't have permissions to configure some mounts when\r\n   running under SELinux and runc is not creating the user namespace.\r\n   (#4466, #4477)\r\n - Remove dependency on `golang.org/x/sys/execabs` from go.mod. (#4480)\r\n - Remove runc-dmz, that had many limitations, and is mostly made obsolete by\r\n   the new protection mechanism added in v1.2.0. Note that runc-dmz was only\r\n   available only in the 1.2.0 release and required to set an environment variable\r\n   to opt-in. (#4488)\r\n * The `script/check-config.sh` script now checks for overlayfs support. (#4494)\r\n * When using cgroups v2, allow to set or update memory limit to \"unlimited\"\r\n   and swap limit to a specific value. (#4501)\r\n\r\n### Static Linking Notices ###\r\n\r\nThe `runc` binary distributed with this release are *statically linked* with\r\nthe following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting\r\nas a \"work that uses the Library\":\r\n\r\n[lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html\r\n\r\n  - [libseccomp](https://github.com/seccomp/libseccomp)\r\n\r\nThe versions of these libraries were not modified from their upstream versions,\r\nbut in order to comply with the LGPL-2.1 (&sect;6(a)), we have attached the\r\ncomplete source code for those libraries which (when combined with the attached\r\nrunc source code) may be used to exercise your rights under the LGPL-2.1.\r\n\r\nHowever we strongly suggest that you make use of your distribution's packages\r\nor download them from the authoritative upstream sources, especially since\r\nthese libraries are related to the security of your containers.\r\n\r\n<hr/>\r\n\r\nThanks to all of the contributors who made this release possible:\r\n\r\n * Akihiro Suda <[email protected]>\r\n * Aleksa Sarai <[email protected]>\r\n * Kir Kolyshkin <[email protected]>\r\n * Rodrigo Campos <[email protected]>\r\n * Wei Fu <[email protected]>\r\n * lifubang <[email protected]>\r\n\r\nSigned-off-by: Aleksa Sarai <[email protected]>",
+      "publishedAt": "2024-11-01T22:23:57Z",
+      "isLatest": true,
+      "component": "runc",
+      "owner": "opencontainers",
+      "repo": "runc",
+      "release_type": "release"
+    }
+  }
+}