diff --git a/.gitignore b/.gitignore
index daead67..26a1112 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-aea4f21.tar.gz
+SOURCES/runc-1d3ab6d.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 2300756..8381c08 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-7de652a014b59b797b937e8540e53971add71cbc SOURCES/runc-aea4f21.tar.gz
+8749df85670607ff9eaa079d7974ad8dd6e84496 SOURCES/runc-1d3ab6d.tar.gz
diff --git a/SOURCES/0001-Revert-Apply-cgroups-earlier.patch b/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
new file mode 100644
index 0000000..4ad310a
--- /dev/null
+++ b/SOURCES/0001-Revert-Apply-cgroups-earlier.patch
@@ -0,0 +1,62 @@
+From dfb3496c174377b860b62872ce6af951364cc3ac Mon Sep 17 00:00:00 2001
+From: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Date: Tue, 12 Dec 2017 13:22:42 +0530
+Subject: [PATCH] Revert "Apply cgroups earlier"
+
+This reverts commit 7062c7556b71188abc18d7516441ff4b03fbc1fc.
+---
+ libcontainer/process_linux.go | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
+index 149b1126..b8a395af 100644
+--- a/libcontainer/process_linux.go
++++ b/libcontainer/process_linux.go
+@@ -272,6 +272,20 @@ func (p *initProcess) start() error {
+ p.process.ops = nil
+ return newSystemErrorWithCause(err, "starting init process command")
+ }
++ if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
++ return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
++ }
++ if err := p.execSetns(); err != nil {
++ return newSystemErrorWithCause(err, "running exec setns process for init")
++ }
++ // Save the standard descriptor names before the container process
++ // can potentially move them (e.g., via dup2()). If we don't do this now,
++ // we won't know at checkpoint time which file descriptor to look up.
++ fds, err := getPipeFds(p.pid())
++ if err != nil {
++ return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
++ }
++ p.setExternalDescriptors(fds)
+ // Do this before syncing with child so that no children can escape the
+ // cgroup. We don't need to worry about not doing this and not being root
+ // because we'd be using the rootless cgroup manager in that case.
+@@ -292,23 +306,6 @@ func (p *initProcess) start() error {
+ }
+ }
+ }()
+-
+- if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
+- return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
+- }
+-
+- if err := p.execSetns(); err != nil {
+- return newSystemErrorWithCause(err, "running exec setns process for init")
+- }
+-
+- // Save the standard descriptor names before the container process
+- // can potentially move them (e.g., via dup2()). If we don't do this now,
+- // we won't know at checkpoint time which file descriptor to look up.
+- fds, err := getPipeFds(p.pid())
+- if err != nil {
+- return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
+- }
+- p.setExternalDescriptors(fds)
+ if err := p.createNetworkInterfaces(); err != nil {
+ return newSystemErrorWithCause(err, "creating network interfaces")
+ }
+--
+2.14.3
+
diff --git a/SOURCES/change-default-root.patch b/SOURCES/change-default-root.patch
index 6ae9207..733522d 100644
--- a/SOURCES/change-default-root.patch
+++ b/SOURCES/change-default-root.patch
@@ -1,22 +1,8 @@
-From e8008604cb0a1921ab416302265ed50d504696f5 Mon Sep 17 00:00:00 2001
-From: Mrunal Patel <mrunalp@gmail.com>
-Date: Wed, 5 Apr 2017 07:46:28 -0700
-Subject: [PATCH] Change the default --root to /run/runc-ctrs
-
-This avoids the unmarshalling issues with older docker-runc
-Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
----
- list.go | 2 +-
- main.go | 2 +-
- man/runc-list.8.md | 2 +-
- man/runc.8.md | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
diff --git a/list.go b/list.go
-index c7550a2..75ee2fc 100644
+index 0313d8c..328798b 100644
--- a/list.go
+++ b/list.go
-@@ -46,7 +46,7 @@ var listCommand = cli.Command{
+@@ -50,7 +50,7 @@ var listCommand = cli.Command{
ArgsUsage: `
Where the given root is specified via the global option "--root"
@@ -26,18 +12,23 @@ index c7550a2..75ee2fc 100644
EXAMPLE 1:
To list containers created via the default "--root":
diff --git a/main.go b/main.go
-index 1cb8f4d..0b34488 100644
+index 4642335..d58ccb4 100644
--- a/main.go
+++ b/main.go
-@@ -77,7 +77,7 @@ func main() {
- },
- cli.StringFlag{
- Name: "root",
-- Value: "/run/runc",
-+ Value: "/run/runc-ctrs",
- Usage: "root directory for storage of container state (this should be located in tmpfs)",
- },
- cli.StringFlag{
+@@ -62,11 +62,11 @@ func main() {
+ v = append(v, fmt.Sprintf("spec: %s", specs.Version))
+ app.Version = strings.Join(v, "\n")
+
+- root := "/run/runc"
++ root := "/run/runc-ctrs"
+ if os.Geteuid() != 0 {
+ runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+ if runtimeDir != "" {
+- root = runtimeDir + "/runc"
++ root = runtimeDir + "/runc-ctrs"
+ }
+ }
+
diff --git a/man/runc-list.8.md b/man/runc-list.8.md
index f737424..107220e 100644
--- a/man/runc-list.8.md
@@ -52,15 +43,15 @@ index f737424..107220e 100644
To list containers created via the default "--root":
# runc list
diff --git a/man/runc.8.md b/man/runc.8.md
-index b5a8c54..c3a07fb 100644
+index 6c6d7a5..786a215 100644
--- a/man/runc.8.md
+++ b/man/runc.8.md
@@ -50,7 +50,7 @@ value for "bundle" is the current directory.
--debug enable debug output for logging
--log value set the log file path where internal debug information is written (default: "/dev/null")
--log-format value set the format used by logs ('text' (default), or 'json') (default: "text")
-- --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc")
-+ --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs")
+- --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc" or $XDG_RUNTIME_DIR/runc for rootless containers)
++ --root value root directory for storage of container state (this should be located in tmpfs) (default: "/run/runc-ctrs" or $XDG_RUNTIME_DIR/runc-ctrs for rootless containers)
--criu value path to the criu binary used for checkpoint and restore (default: "criu")
--systemd-cgroup enable systemd cgroup support, expects cgroupsPath to be of form "slice:prefix:name" for e.g. "system.slice:runc:434234"
--help, -h show help
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index b884acf..0081a49 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -30,18 +30,19 @@
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%global git0 https://github.com/opencontainers/runc
-%global commit0 aea4f21eec795d9f5b7c7d514f568c08d58b8e58
+%global commit0 1d3ab6d668952a23498256dd385bec37f8f9fa04
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
Name: %{repo}
Version: 1.0.0
-Release: 21.rc4.dev.git%{shortcommit0}%{?dist}
+Release: 23.rc4.dev.git%{shortcommit0}%{?dist}
Summary: CLI for running Open Containers
License: ASL 2.0
URL: http//%{provider_prefix}
Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz
Source1: 99-containers.conf
Patch0: change-default-root.patch
+Patch1: 0001-Revert-Apply-cgroups-earlier.patch
Requires: criu
Requires(pre): container-selinux >= 2:2.2-2
@@ -285,6 +286,14 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
%endif
%changelog
+* Tue Dec 12 2017 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-23.rc4.git1d3ab6d
+- Resolves: #1524654
+
+* Sun Dec 10 2017 Dan Walsh <dwalsh@redhat.name> - 1.0.0-22.rc4.git1d3ab6d
+- Many Stability fixes
+- Many fixes for rootless containers
+- Many fixes for static builds
+
* Thu Nov 09 2017 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-21.rc4.dev.gitaea4f21
- enable debuginfo and include -buildmode=pie for go build