diff --git a/.gitignore b/.gitignore
index abc4b4f..4d97e7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-2abd837.tar.gz
+SOURCES/runc-425e105.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 93b3f44..1ff52c1 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cf7119a838db2963e7af6ecdba90a2cc95ec0d56 SOURCES/runc-2abd837.tar.gz
+cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz
diff --git a/SOURCES/0001-Revert-Apply-cgroups-earlier.patch b/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
deleted file mode 100644
index 4ad310a..0000000
--- a/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From dfb3496c174377b860b62872ce6af951364cc3ac Mon Sep 17 00:00:00 2001
-From: Lokesh Mandvekar <lsm5@fedoraproject.org>
-Date: Tue, 12 Dec 2017 13:22:42 +0530
-Subject: [PATCH] Revert "Apply cgroups earlier"
-
-This reverts commit 7062c7556b71188abc18d7516441ff4b03fbc1fc.
----
- libcontainer/process_linux.go | 31 ++++++++++++++-----------------
- 1 file changed, 14 insertions(+), 17 deletions(-)
-
-diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
-index 149b1126..b8a395af 100644
---- a/libcontainer/process_linux.go
-+++ b/libcontainer/process_linux.go
-@@ -272,6 +272,20 @@ func (p *initProcess) start() error {
- 		p.process.ops = nil
- 		return newSystemErrorWithCause(err, "starting init process command")
- 	}
-+	if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
-+		return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
-+	}
-+	if err := p.execSetns(); err != nil {
-+		return newSystemErrorWithCause(err, "running exec setns process for init")
-+	}
-+	// Save the standard descriptor names before the container process
-+	// can potentially move them (e.g., via dup2()).  If we don't do this now,
-+	// we won't know at checkpoint time which file descriptor to look up.
-+	fds, err := getPipeFds(p.pid())
-+	if err != nil {
-+		return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
-+	}
-+	p.setExternalDescriptors(fds)
- 	// Do this before syncing with child so that no children can escape the
- 	// cgroup. We don't need to worry about not doing this and not being root
- 	// because we'd be using the rootless cgroup manager in that case.
-@@ -292,23 +306,6 @@ func (p *initProcess) start() error {
- 			}
- 		}
- 	}()
--
--	if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
--		return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
--	}
--
--	if err := p.execSetns(); err != nil {
--		return newSystemErrorWithCause(err, "running exec setns process for init")
--	}
--
--	// Save the standard descriptor names before the container process
--	// can potentially move them (e.g., via dup2()).  If we don't do this now,
--	// we won't know at checkpoint time which file descriptor to look up.
--	fds, err := getPipeFds(p.pid())
--	if err != nil {
--		return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
--	}
--	p.setExternalDescriptors(fds)
- 	if err := p.createNetworkInterfaces(); err != nil {
- 		return newSystemErrorWithCause(err, "creating network interfaces")
- 	}
--- 
-2.14.3
-
diff --git a/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch b/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch
deleted file mode 100644
index 7975703..0000000
--- a/SOURCES/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch
+++ /dev/null
@@ -1,290 +0,0 @@
-From bf6405284aa3870a39b402309003633a1c230ed9 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Wed, 9 Jan 2019 13:40:01 +1100
-Subject: [PATCH 1/1] nsenter: clone /proc/self/exe to avoid exposing host
- binary to container
-
-There are quite a few circumstances where /proc/self/exe pointing to a
-pretty important container binary is a _bad_ thing, so to avoid this we
-have to make a copy (preferably doing self-clean-up and not being
-writeable).
-
-As a hotfix we require memfd_create(2), but we can always extend this to
-use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this
-approach is no page-cache sharing for the runc binary (which overlayfs
-would give us) but this is far less complicated.
-
-This is only done during nsenter so that it happens transparently to the
-Go code, and any libcontainer users benefit from it. This also makes
-ExtraFiles and --preserve-fds handling trivial (because we don't need to
-worry about it).
-
-Fixes: CVE-2019-5736
-Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
-Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
----
- libcontainer/nsenter/cloned_binary.c | 221 +++++++++++++++++++++++++++
- libcontainer/nsenter/nsexec.c        |  11 ++
- 2 files changed, 232 insertions(+)
- create mode 100644 libcontainer/nsenter/cloned_binary.c
-
-diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
-new file mode 100644
-index 00000000..d9f6093a
---- /dev/null
-+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,221 @@
-+#define _GNU_SOURCE
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+#include <errno.h>
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/vfs.h>
-+#include <sys/mman.h>
-+#include <sys/sendfile.h>
-+#include <sys/syscall.h>
-+
-+#include <linux/magic.h>
-+#include <linux/memfd.h>
-+
-+/* Use our own wrapper for memfd_create. */
-+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-+#  define SYS_memfd_create __NR_memfd_create
-+#endif
-+#ifndef SYS_memfd_create
-+#  error "memfd_create(2) syscall not supported by this glibc version"
-+#endif
-+int memfd_create(const char *name, unsigned int flags)
-+{
-+	return syscall(SYS_memfd_create, name, flags);
-+}
-+
-+/* This comes directly from <linux/fcntl.h>. */
-+#ifndef F_LINUX_SPECIFIC_BASE
-+#  define F_LINUX_SPECIFIC_BASE 1024
-+#endif
-+#ifndef F_ADD_SEALS
-+#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-+#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-+#endif
-+#ifndef F_SEAL_SEAL
-+#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
-+#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
-+#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
-+#  define F_SEAL_WRITE  0x0008	/* prevent writes */
-+#endif
-+
-+
-+#define OUR_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+#define OUR_MEMFD_SEALS \
-+	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+
-+static void *must_realloc(void *ptr, size_t size)
-+{
-+	void *old = ptr;
-+	do {
-+		ptr = realloc(old, size);
-+	} while(!ptr);
-+	return ptr;
-+}
-+
-+/*
-+ * Verify whether we are currently in a self-cloned program (namely, is
-+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
-+ * for shmem files), and we want to be sure it's actually sealed.
-+ */
-+static int is_self_cloned(void)
-+{
-+	int fd, seals;
-+
-+	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-+	if (fd < 0)
-+		return -ENOTRECOVERABLE;
-+
-+	seals = fcntl(fd, F_GET_SEALS);
-+	close(fd);
-+	return seals == OUR_MEMFD_SEALS;
-+}
-+
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
-+static char *read_file(char *path, size_t *length)
-+{
-+	int fd;
-+	char buf[4096], *copy = NULL;
-+
-+	if (!length)
-+		return NULL;
-+
-+	fd = open(path, O_RDONLY | O_CLOEXEC);
-+	if (fd < 0)
-+		return NULL;
-+
-+	*length = 0;
-+	for (;;) {
-+		int n;
-+
-+		n = read(fd, buf, sizeof(buf));
-+		if (n < 0)
-+			goto error;
-+		if (!n)
-+			break;
-+
-+		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
-+		memcpy(copy + *length, buf, n);
-+		*length += n;
-+	}
-+	close(fd);
-+	return copy;
-+
-+error:
-+	close(fd);
-+	free(copy);
-+	return NULL;
-+}
-+
-+/*
-+ * A poor-man's version of "xargs -0". Basically parses a given block of
-+ * NUL-delimited data, within the given length and adds a pointer to each entry
-+ * to the array of pointers.
-+ */
-+static int parse_xargs(char *data, int data_length, char ***output)
-+{
-+	int num = 0;
-+	char *cur = data;
-+
-+	if (!data || *output != NULL)
-+		return -1;
-+
-+	while (cur < data + data_length) {
-+		num++;
-+		*output = must_realloc(*output, (num + 1) * sizeof(**output));
-+		(*output)[num - 1] = cur;
-+		cur += strlen(cur) + 1;
-+	}
-+	(*output)[num] = NULL;
-+	return num;
-+}
-+
-+/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
-+ * This is necessary because we are running in a context where we don't have a
-+ * main() that we can just get the arguments from.
-+ */
-+static int fetchve(char ***argv, char ***envp)
-+{
-+	char *cmdline = NULL, *environ = NULL;
-+	size_t cmdline_size, environ_size;
-+
-+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-+	if (!cmdline)
-+		goto error;
-+	environ = read_file("/proc/self/environ", &environ_size);
-+	if (!environ)
-+		goto error;
-+
-+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-+		goto error;
-+	if (parse_xargs(environ, environ_size, envp) <= 0)
-+		goto error;
-+
-+	return 0;
-+
-+error:
-+	free(environ);
-+	free(cmdline);
-+	return -EINVAL;
-+}
-+
-+#define SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+static int clone_binary(void)
-+{
-+	int binfd, memfd, err;
-+	ssize_t sent = 0;
-+
-+	memfd = memfd_create(OUR_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+	if (memfd < 0)
-+		return -ENOTRECOVERABLE;
-+
-+	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
-+	if (binfd < 0)
-+		goto error;
-+
-+	sent = sendfile(memfd, binfd, NULL, SENDFILE_MAX);
-+	close(binfd);
-+	if (sent < 0)
-+		goto error;
-+
-+	err = fcntl(memfd, F_ADD_SEALS, OUR_MEMFD_SEALS);
-+	if (err < 0)
-+		goto error;
-+
-+	return memfd;
-+
-+error:
-+	close(memfd);
-+	return -EIO;
-+}
-+
-+int ensure_cloned_binary(void)
-+{
-+	int execfd;
-+	char **argv = NULL, **envp = NULL;
-+
-+	/* Check that we're not self-cloned, and if we are then bail. */
-+	int cloned = is_self_cloned();
-+	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
-+		return cloned;
-+
-+	if (fetchve(&argv, &envp) < 0)
-+		return -EINVAL;
-+
-+	execfd = clone_binary();
-+	if (execfd < 0)
-+		return -EIO;
-+
-+	fexecve(execfd, argv, envp);
-+	return -ENOEXEC;
-+}
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index cb224314..784fd9b0 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -528,6 +528,9 @@ void join_namespaces(char *nslist)
- 	free(namespaces);
- }
- 
-+/* Defined in cloned_binary.c. */
-+int ensure_cloned_binary(void);
-+
- void nsexec(void)
- {
- 	int pipenum;
-@@ -543,6 +546,14 @@ void nsexec(void)
- 	if (pipenum == -1)
- 		return;
- 
-+	/*
-+	 * We need to re-exec if we are not in a cloned binary. This is necessary
-+	 * to ensure that containers won't be able to access the host binary
-+	 * through /proc/self/exe. See CVE-2019-5736.
-+	 */
-+	if (ensure_cloned_binary() < 0)
-+		bail("could not ensure we are a cloned binary");
-+
- 	/* Parse all of the netlink configuration. */
- 	nl_parse(pipenum, &config);
- 
--- 
-2.20.1
-
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
index 8dab9a9..dcfae56 100644
--- a/SOURCES/1807.patch
+++ b/SOURCES/1807.patch
@@ -1,4 +1,4 @@
-From cd9b959b34c183cf6cd031af678c4ec66b765080 Mon Sep 17 00:00:00 2001
+From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 25 May 2018 18:04:06 +0200
 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
@@ -11,13 +11,13 @@ still accessible from the container.
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
  notify_socket.go | 113 ++++++++++++++++++++++++++++++++++-------------
- signals.go       |   5 +--
+ signals.go       |   4 +-
  start.go         |  13 +++++-
  utils_linux.go   |  12 ++++-
- 4 files changed, 106 insertions(+), 37 deletions(-)
+ 4 files changed, 106 insertions(+), 36 deletions(-)
 
 diff --git a/notify_socket.go b/notify_socket.go
-index cd6c0a98..7fbd2e73 100644
+index b890b5b1c..286ce1ddd 100644
 --- a/notify_socket.go
 +++ b/notify_socket.go
 @@ -6,11 +6,14 @@ import (
@@ -52,7 +52,7 @@ index cd6c0a98..7fbd2e73 100644
  	}
  
  	return notifySocket
-@@ -43,13 +46,19 @@ func (ns *notifySocket) Close() error {
+@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error {
  
  // If systemd is supporting sd_notify protocol, this function will add support
  // for sd_notify protocol from within the container.
@@ -82,9 +82,9 @@ index cd6c0a98..7fbd2e73 100644
  
 -// pid1 must be set only with -d, as it is used to set the new process as the main process
 -// for the service in systemd
--func (notifySocket *notifySocket) run(pid1 int) {
+-func (s *notifySocket) run(pid1 int) {
 -	buf := make([]byte, 512)
--	notifySocketHostAddr := net.UnixAddr{Name: notifySocket.host, Net: "unixgram"}
+-	notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"}
 +func (s *notifySocket) setupSocketDirectory() error {
 +	return os.Mkdir(path.Dir(s.socketPath), 0755)
 +}
@@ -121,7 +121,7 @@ index cd6c0a98..7fbd2e73 100644
 +		return err
  	}
 -	for {
--		r, err := notifySocket.socket.Read(buf)
+-		r, err := s.socket.Read(buf)
 -		if err != nil {
 -			break
 +
@@ -189,19 +189,18 @@ index cd6c0a98..7fbd2e73 100644
  		}
  	}
 diff --git a/signals.go b/signals.go
-index 1811de83..d0988cb3 100644
+index b67f65a03..dd25e094c 100644
 --- a/signals.go
 +++ b/signals.go
-@@ -70,7 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
+@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
  			h.notifySocket.run(pid1)
  			return 0, nil
- 		} else {
--			go h.notifySocket.run(0)
-+			h.notifySocket.run(os.Getpid())
  		}
++		h.notifySocket.run(os.Getpid())
+ 		go h.notifySocket.run(0)
  	}
  
-@@ -98,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
+@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
  					// status because we must ensure that any of the go specific process
  					// fun such as flushing pipes are complete before we return.
  					process.Wait()
@@ -212,7 +211,7 @@ index 1811de83..d0988cb3 100644
  				}
  			}
 diff --git a/start.go b/start.go
-index 2bb698b2..3a1769a4 100644
+index 2bb698b20..3a1769a43 100644
 --- a/start.go
 +++ b/start.go
 @@ -3,6 +3,7 @@ package main
@@ -243,10 +242,10 @@ index 2bb698b2..3a1769a4 100644
  			return errors.New("cannot start a container that has stopped")
  		case libcontainer.Running:
 diff --git a/utils_linux.go b/utils_linux.go
-index c6a34897..77423f67 100644
+index ce50db145..670c0fcba 100644
 --- a/utils_linux.go
 +++ b/utils_linux.go
-@@ -420,7 +420,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  
  	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
  	if notifySocket != nil {
@@ -257,7 +256,7 @@ index c6a34897..77423f67 100644
  	}
  
  	container, err := createContainer(context, id, spec)
-@@ -429,10 +431,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  	}
  
  	if notifySocket != nil {
@@ -275,6 +274,3 @@ index c6a34897..77423f67 100644
  	}
  
  	// Support on-demand socket activation by passing file descriptors into the container init process.
--- 
-2.17.1
-
diff --git a/SOURCES/change-default-root.patch b/SOURCES/change-default-root.patch
index 749918a..091bc88 100644
--- a/SOURCES/change-default-root.patch
+++ b/SOURCES/change-default-root.patch
@@ -1,53 +1,61 @@
+From bc548da226f683aa123551295b95d9c11621b7bf Mon Sep 17 00:00:00 2001
+From: Lokesh Mandvekar <lsm5@redhat.com>
+Date: Thu, 4 Jul 2019 19:17:16 +0000
+Subject: [PATCH] change default root
+
+Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
+---
+ list.go            | 2 +-
+ main.go            | 4 ++--
+ man/runc-list.8.md | 2 +-
+ man/runc.8.md      | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
 diff --git a/list.go b/list.go
-index 0313d8cc..328798b5 100644
+index 0313d8c..328798b 100644
 --- a/list.go
 +++ b/list.go
 @@ -50,7 +50,7 @@ var listCommand = cli.Command{
  	ArgsUsage: `
- 
+
  Where the given root is specified via the global option "--root"
 -(default: "/run/runc").
 +(default: "/run/runc-ctrs").
- 
+
  EXAMPLE 1:
  To list containers created via the default "--root":
 diff --git a/main.go b/main.go
-index 278399a5..0f49fce1 100644
+index 072447d..e675a96 100644
 --- a/main.go
 +++ b/main.go
-@@ -62,7 +62,7 @@ func main() {
+@@ -62,10 +62,10 @@ func main() {
  	v = append(v, fmt.Sprintf("spec: %s", specs.Version))
  	app.Version = strings.Join(v, "\n")
- 
+
 -	root := "/run/runc"
 +	root := "/run/runc-ctrs"
- 	rootless, err := isRootless(nil)
- 	if err != nil {
- 		fatal(err)
-@@ -70,7 +70,7 @@ func main() {
- 	if rootless {
- 		runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
- 		if runtimeDir != "" {
+ 	if shouldHonorXDGRuntimeDir() {
+ 		if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
 -			root = runtimeDir + "/runc"
 +			root = runtimeDir + "/runc-ctrs"
  			// According to the XDG specification, we need to set anything in
  			// XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
  			// auto-pruned.
 diff --git a/man/runc-list.8.md b/man/runc-list.8.md
-index f7374244..107220ee 100644
+index f737424..107220e 100644
 --- a/man/runc-list.8.md
 +++ b/man/runc-list.8.md
 @@ -6,7 +6,7 @@
- 
+
  # EXAMPLE
  Where the given root is specified via the global option "--root"
 -(default: "/run/runc").
 +(default: "/run/runc-ctrs").
- 
+
  To list containers created via the default "--root":
         # runc list
 diff --git a/man/runc.8.md b/man/runc.8.md
-index 6d0ddff..337bc73 100644
+index 6d0ddff..9d6816d 100644
 --- a/man/runc.8.md
 +++ b/man/runc.8.md
 @@ -51,7 +51,7 @@ value for "bundle" is the current directory.
@@ -55,7 +63,10 @@ index 6d0ddff..337bc73 100644
     --log value          set the log file path where internal debug information is written (default: "/dev/null")
     --log-format value   set the format used by logs ('text' (default), or 'json') (default: "text")
 -   --root value         root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc" or $XDG_RUNTIME_DIR/runc for rootless containers)
-+   --root value         root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc-ctrs for rootless containers)
++   --root value         root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc for rootless containers)
     --criu value         path to the criu binary used for checkpoint and restore (default: "criu")
     --systemd-cgroup     enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
     --rootless value    enable rootless mode ('true', 'false', or 'auto') (default: "auto")
+-- 
+1.8.3.1
+
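Review bot: The rootless default documented on the `--root` line no longer matches the code this same patch installs. The man page now reads `$XDG_RUNTIME_DIR/runc`, while the main.go hunk sets `root = runtimeDir + "/runc-ctrs"`. The earlier revision of the patch documented `$XDG_RUNTIME_DIR/runc-ctrs`. Anyone auditing or cleaning up rootless container state from the man page would look in the wrong directory, so the added line should end `(default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc-ctrs for rootless containers)`.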
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 55bc8e6..38a9891 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -1,172 +1,57 @@
 %global with_debug 1
-%global with_devel 0
-%global with_bundled 1
 %global with_check 0
-%global with_unit_test 0
 
 %if 0%{?with_debug}
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
 %else
-%global debug_package   %{nil}
+%global debug_package %{nil}
 %endif
 
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) \
-scl enable go-toolset-1.10 -- go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %endif
 
-%global provider        github
-%global provider_tld    com
-%global project         opencontainers
-%global repo            runc
+%global provider github
+%global provider_tld com
+%global project opencontainers
+%global repo runc
 # https://github.com/opencontainers/runc
-%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
-%global import_path     %{provider_prefix}
-%global git0 https://github.com/opencontainers/runc
-%global commit0 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
-%global shortcommit0    %(c=%{commit0}; echo ${c:0:7})
+%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
+%global git0 https://%{import_path}
+%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 Name: %{repo}
 Version: 1.0.0
-Release: 59.dev.git%{shortcommit0}%{?dist}
+Release: 64.rc8%{?dist}
 Summary: CLI for running Open Containers
 License: ASL 2.0
-URL: http//%{provider_prefix}
-Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz
+URL: %{git0}
+Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source1: 99-containers.conf
-Patch0: change-default-root.patch
-Patch1: 0001-Revert-Apply-cgroups-earlier.patch
-Patch2: 1807.patch
-Patch3: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b-runc.patch
-%ifnarch %{ix86}
+Patch0: 1807.patch
+Patch1: change-default-root.patch
 Requires: criu
-%endif
 Requires(pre): container-selinux >= 2:2.2-2
-ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64 %{ix86}
-
-%if 0%{?fedora}
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-%else
+ExclusiveArch: aarch64 %{arm} ppc64le s390x x86_64
 BuildRequires: go-toolset-1.10
 BuildRequires: openssl-devel
-%endif #fedora
 BuildRequires: git
 BuildRequires: go-md2man
 BuildRequires: libseccomp-devel
 
-%if ! 0%{?with_bundled}
-BuildRequires: golang(github.com/Sirupsen/logrus)
-BuildRequires: golang(github.com/codegangsta/cli)
-BuildRequires: golang(github.com/coreos/go-systemd/dbus)
-BuildRequires: golang(github.com/coreos/go-systemd/util)
-BuildRequires: golang(github.com/docker/docker/pkg/mount)
-BuildRequires: golang(github.com/docker/docker/pkg/symlink)
-BuildRequires: golang(github.com/docker/docker/pkg/term)
-BuildRequires: golang(github.com/docker/docker/pkg/units)
-BuildRequires: golang(github.com/godbus/dbus)
-BuildRequires: golang(github.com/golang/protobuf/proto)
-BuildRequires: golang(github.com/opencontainers/specs)
-BuildRequires: golang(github.com/syndtr/gocapability/capability)
-%endif
-
 %description
 The runc command can be used to start containers which are packaged
 in accordance with the Open Container Initiative's specifications,
 and to manage containers running under runc.
 
-%if 0%{?with_devel}
-%package devel
-Summary:       %{summary}
-BuildArch:     noarch
-
-%if 0%{?with_check}
-BuildRequires: golang(github.com/Sirupsen/logrus)
-BuildRequires: golang(github.com/codegangsta/cli)
-BuildRequires: golang(github.com/coreos/go-systemd/dbus)
-BuildRequires: golang(github.com/coreos/go-systemd/util)
-BuildRequires: golang(github.com/docker/docker/pkg/mount)
-BuildRequires: golang(github.com/docker/docker/pkg/symlink)
-BuildRequires: golang(github.com/docker/docker/pkg/term)
-BuildRequires: golang(github.com/docker/docker/pkg/units)
-BuildRequires: golang(github.com/godbus/dbus)
-BuildRequires: golang(github.com/golang/protobuf/proto)
-BuildRequires: golang(github.com/opencontainers/specs)
-BuildRequires: golang(github.com/seccomp/libseccomp-golang)
-BuildRequires: golang(github.com/syndtr/gocapability/capability)
-BuildRequires: golang(github.com/vishvananda/netlink)
-%endif
-
-Requires:      golang(github.com/Sirupsen/logrus)
-Requires:      golang(github.com/coreos/go-systemd/dbus)
-Requires:      golang(github.com/coreos/go-systemd/util)
-Requires:      golang(github.com/docker/docker/pkg/mount)
-Requires:      golang(github.com/docker/docker/pkg/symlink)
-Requires:      golang(github.com/docker/docker/pkg/units)
-Requires:      golang(github.com/godbus/dbus)
-Requires:      golang(github.com/golang/protobuf/proto)
-Requires:      golang(github.com/seccomp/libseccomp-golang)
-Requires:      golang(github.com/syndtr/gocapability/capability)
-Requires:      golang(github.com/vishvananda/netlink)
-
-Provides:      golang(%{import_path}/libcontainer) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/apparmor) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/cgroups) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/cgroups/fs) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/cgroups/systemd) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/configs) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/configs/validate) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/criurpc) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/devices) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/integration) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/label) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/nsenter) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/seccomp) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/selinux) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/stacktrace) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/system) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/user) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/utils) = %{version}-%{release}
-Provides:      golang(%{import_path}/libcontainer/xattr) = %{version}-%{release}
-
-%description devel
-The runc command can be used to start containers which are packaged
-in accordance with the Open Container Initiative's specifications,
-and to manage containers running under runc.
-
-This package contains library source intended for
-building other packages which use import path with
-%{import_path} prefix.
-%endif
-
-%if 0%{?with_unit_test} && 0%{?with_devel}
-%package unit-test
-Summary:         Unit tests for %{name} package
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-
-%if 0%{?with_check}
-#Here comes all BuildRequires: PACKAGE the unit tests
-#in %%check section need for running
-%endif
-
-# test subpackage tests code from devel subpackage
-Requires:        %{name}-devel = %{version}-%{release}
-
-%description unit-test
-The runc command can be used to start containers which are packaged
-in accordance with the Open Container Initiative's specifications,
-and to manage containers running under runc.
-
-This package contains unit tests for project
-providing packages with %{import_path} prefix.
-%endif
-
 # Go Toolset
-%{?enable_gotoolset7}
+%{?enable_gotoolset110}
 
 %prep
-%autosetup -Sgit -n %{repo}-%{commit0}
+%autosetup -Sgit -n %{name}-%{commit0}
 
 %build
 mkdir -p GOPATH
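Review bot: `Patch3` (the CVE-2019-5736 nsenter fix) and `Patch1` (the "Apply cgroups earlier" revert) disappear from the patch list with nothing in the spec saying why. Presumably the new `commit0` already contains the cloned-binary fix upstream, but this diff does not show that, and the changelog only says "bump to v1.0.0-rc8". A comment above `Patch0:` such as `# CVE-2019-5736 nsenter fix is included in upstream 425e105; downstream patch dropped`, plus a matching changelog line, would let an auditor confirm the fix was not lost in the rebase. The same applies to the dropped cgroups revert, whose removal changes start-up ordering relative to the previous build.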
@@ -178,9 +63,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=$(pwd)/GOPATH
 export BUILDTAGS='selinux seccomp'
-
 %gobuild -o %{name} %{import_path} 
-%gobuild -o recvtty %{import_path}/contrib/cmd/recvtty
 
 pushd man
 ./md2man-all.sh
@@ -189,7 +72,6 @@ popd
 %install
 install -d -p %{buildroot}%{_bindir}
 install -p -m 755 %{name} %{buildroot}%{_bindir}
-install -p -m 755 recvtty %{buildroot}%{_bindir}
 
 install -d -p %{buildroot}%{_mandir}/man8
 install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8
@@ -197,47 +79,9 @@ install -p -m 644 man/man8/* %{buildroot}%{_mandir}/man8
 install -d -p %{buildroot}%{_usr}/lib/sysctl.d
 install -p -m 644 %{SOURCE1} %{buildroot}%{_usr}/lib/sysctl.d
 
-# source codes for building projects
-%if 0%{?with_devel}
-install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
-# find all *.go but no *_test.go files and generate devel.file-list
-for file in $(find . -iname "*.go" \! -iname "*_test.go" | grep -v "^./Godeps") ; do
-    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
-    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
-    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
-    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
-done
-for file in $(find . -iname "*.proto" | grep -v "^./Godeps") ; do
-    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
-    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
-    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
-    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
-done
-%endif
-
-# testing files for this project
-%if 0%{?with_unit_test} && 0%{?with_devel}
-install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
-# find all *_test.go files and generate unit-test.file-list
-for file in $(find . -iname "*_test.go" | grep -v "^./Godeps"); do
-    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
-    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
-    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
-    echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test.file-list
-done
-%endif
-
-%if 0%{?with_devel}
-sort -u -o devel.file-list devel.file-list
-%endif
-
 %check
-%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
-%if ! 0%{?with_bundled}
-export GOPATH=%{buildroot}/%{gopath}:%{gopath}
-%else
+%if 0%{?with_check}
 export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
-%endif
 
 %if ! 0%{?gotest:1}
 %global gotest go test
@@ -273,27 +117,25 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
 %license LICENSE
 %doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md
 %{_bindir}/%{name}
-%{_bindir}/recvtty
 %{_mandir}/man8/%{name}*
 %{_usr}/lib/sysctl.d/99-containers.conf
 
-%if 0%{?with_devel}
-%files devel -f devel.file-list
-%license LICENSE
-%doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md
-%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project}
-%dir %{gopath}/src/%{import_path}
-%endif
+%changelog
+* Thu Jul 11 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-64.rc8
+- Resolves: #1728762 - update change-default-root.patch
 
-%if 0%{?with_unit_test} && 0%{?with_devel}
-%files unit-test -f unit-test.file-list
-%license LICENSE
-%doc MAINTAINERS_GUIDE.md PRINCIPLES.md README.md CONTRIBUTING.md
-%endif
+* Thu Jul 04 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-63.rc8
+- Resolves: #1724778
 
-%changelog
-* Wed Feb 13 2019 Johnny Hughes <johnny@centos.org>
--  Use go-toolset-1.10, build on i386
+* Tue Jun 25 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-62.rc8
+- Resolves: #1723480
+- bump to v1.0.0-rc8
+
+* Fri Jun 07 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-61.dev.git2abd837
+- Resolves: #1676705 - correct URL field
+
+* Mon Feb 11 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-60.dev.git2abd837
+- update golang toolchain macros
 
 * Fri Feb 08 2019 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.0.0-59.dev.git2abd837
 - Resolves: #1664908