ALP-pool/crun
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 crun revision 3dc38939e33106d924783caf6d16f434

Browse Source
This commit is contained in:
Adrian Schröter 2024-02-10 20:12:07 +01:00
commit 8faccd54d5
6 changed files with 807 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

BIN
crun-1.14.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

11
crun-1.14.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmWxP6sACgkQZ+OPeoui
F3KW9Af/Y7/+zpxWQ07p0TEVj4+ay61UDzALUMW76vI73+PV4EheBPMHnUAJtaxL
2CY10m2tlE55S3QZ9/66j+TCQ7DheXGv1fMCWVg99whqmrO9a0JH/XACyj64lqAc
igUvcnzH3sQvLaTVQWxX7aBGZKWFumSBzHJeFx6TxkYCJb5/o4O1Fcv0IBW5+T80
6yHcYe07zNXOmdp7QflxxZ+B79wP+bKvGvSiBPZ5zysEap+e8UMxlDf5C+YaLIZq
LgHpVkN/TF8PJb8meX3qxbWgzOswz4+sa/4VOAkwfENLUWMM1TqHhf4rQAxrWmIY
hNVDEcKOwlwSChJqn6NBaKj1Rc3Jng==
=LYzP
-----END PGP SIGNATURE-----

451
crun.changes Normal file
View File

@ -0,0 +1,451 @@
-------------------------------------------------------------------
Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
- update to 1.14:
* build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
* cpuset: don't clobber parent cgroup value when writing the cpuset value.
* linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
allowing file permissions to be set as specified in the OCI configuration.
* ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
- update to 1.13:
* src: use O_CLOEXEC for all open/openat calls
* cgroup v1: use "max" when pids limit < 0.
* improve error message when idmap mount fails because the underlying file system has no support for it.
* libcrun: fix compilation when building without libseccomp and libcap.
* fix relative idmapped mount when using the custom annotation.
-------------------------------------------------------------------
Fri Dec 1 13:41:35 UTC 2023 - Dan Čermák <dcermak@suse.com>
- New upstream release 1.12:
* add new WebAssembly handler: spin.
* systemd: fallback to system bus if session bus is not available.
* configure the cpu rt and cpuset controllers before joining them to
avoid running temporarily the workload on the wrong cpus.
* preconfigure the cpuset with required resources instead of using the
parent's set. This prevents needless churn in the kernel as it
tracks which CPUs have load balancing disabled.
* try attr/<lsm>/* before the attr/* files. Writes to the attr/*
files may fail if apparmor is not the first "major" LSM in the list
of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
- New upstream release 1.11.2:
* fix a regression caused by 1.11.1 where the process crashes if there
are no CPU limits configured on cgroup v1. (bsc#1217590)
* fix error code check for the ptsname_r function.
-------------------------------------------------------------------
Mon Nov 6 10:19:58 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 1.11.1:
* force a remount operation with bind mounts from the host to
correctly set all the mount flags.
* cgroup: honor cpu burst.
* systemd: set CPUQuota and CPUPeriod on the scope cgroup.
* linux: append tmpfs mode if missing for mounts. This is the
same behavior of runc.
* cgroup: always use the user session for rootless.
* support for Intel Resource Director Technology (RDT).
* new mount option "copy-symlink". When provided for a mount,
if the source is a symlink, then it is copied in the container
instead of attempting a mount.
* linux: open mounts before setgroups if in a userns. This
solves a problem where a directory that was previously
accessible to the user, become inaccessible after setgroups
causing the bind mount to fail.
-------------------------------------------------------------------
Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák <dcermak@suse.com>
- New upstream release 1.9.2:
* cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
do that automatically, but new kernels remember the affinity that was set
before the cgroup move, so we need to reset it in order to honor the cpuset
configuration.
- New upstream release 1.9.1:
* utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
that always refuses chmod on a symlink.
* build: fix build on CentOS 7
* linux: add new fallback when mount fails with EBUSY, so that there is not an
additional tmpfs mount if not needed.
* utils: improve error message when a directory cannot be created as a
component of the path is already existing as a non directory.
- Only build with wasmedge on x86_64 & aarch64
-------------------------------------------------------------------
Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
- Add crun-wasm symlink for platform 'wasi/wasm'
-------------------------------------------------------------------
Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
- Update to 1.9:
* linux: support arbitrary idmapped mounts.
* linux: add support for "ridmap" mount option to support recursive
idmapped mounts.
* crun delete: call systemd's reset-failed.
* linux: fix check for oom_score_adj.
* features: Support mountExtensions.
* linux: correctly handle unknown signal string when it doesn't start with
a digit.
* linux: do not attempt to join again already joined namespace.
* wasmer: use latest wasix API.
-------------------------------------------------------------------
Tue Sep 5 11:41:14 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
- Enable WasmEdge support to run Wasm compat containers.
-------------------------------------------------------------------
Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
- Update to 1.8.6:
* crun: new command "crun features".
* linux: fix handling of idmapped mounts when the container joins an
existing PID namespace.
* linux: support io_priority from the OCI specs.
* linux: handle correctly the case where the status file is not written
yet for a container.
* crun: fix segfault for "ps" when the container is not using cgroups.
* cgroup: allow setting swap to 0.
-------------------------------------------------------------------
Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
- Update to 1.8.5:
* scheduler: use definition from the OCI configuration file
instead of the custom label that is now dropped and not
supported anymore.
* cgroup: fix creating cgroup under "domain threaded".
* cgroup, systemd: set the memory limit on the system scope.
* restore tty settings from the correct file descriptor. It was
previously restoring the settings from the wrong file
descriptor causing the tty settings to be changed on the
calling terminal.
* criu: check if the criu_join_ns_add function exists.
Fix a segfault with new versions of CRIU.
* linux: do not precreate devs with euid > 0. Fix creating
devices when running the OCI runtime as non root user.
* linux: improve PID detection on systems that lack pidfd.
While there is still a window of time that the PID could be
recycled, now it is now reduced to a minimum.
* criu: fix memory leak.
* logging: improve error message when dlopen fails.
- Changes from 1.8.4:
* drop custom annotation to set the time namespace and use
the OCI specs instead.
* cgroup: workaround cpu quota/period issue with v1. Sometimes
setting CPU quota period fails when a new period is lower,
and a parent cgroup has CPU quota limit set.
* cgroup: fix set quota to -1 on cgroup v1.
* criu: drop loading unused functions.
-------------------------------------------------------------------
Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 1.8.3:
* update: initialize the rt limits only on cgroup v1.
* lua bindings for libcrun.
* wasmedge: add current directory to preopen paths.
* linux: inherit parent mount flags when making a path masked.
* libcrun: custom annotation to set the scheduler for the
container process.
* cgroup: fallback to blkio.bfq files if blkio is not available
on cgroup v1.
* cgroup: initialize rt limits when using systemd.
* tty: chown the tty to the exec user instead of the user
specified to create the container.
* cgroup: fallback to create cgroupfs as sibling of the current
cgroup if there is none specified and it cannot be created in
the root cgroup.
- add keyring for GPG validation
-------------------------------------------------------------------
Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel <aboe76@gmail.com>
- Update to 1.8.1
* linux: idmapped mounts expect the same configuration as
the user namespace mappings. Before they were expecting the inverted
mapping. It is a breaking change, but the behavior was aligned
to what runc will do as well.
* krun: always allow /dev/kvm in the cgroup configuration.
* handlers: disable exec for handlers that do not support it.
* selinux: allow setting fscontext using a custom annotation.
* cgroup: reset systemd unit if start fails.
* cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
* cgroup: always delete the cgroup on errors.
On some errors it could have been leaked before.
- changes from 1.8
* linux: precreate devices on the host.
* cgroup: support cpuset mounted with noprefix.
* linux: mount the source cgroup if cgroupns=host.
* libcrun: don't clone self from read-only mount.
* build: fix build without dlfcn.h.
* linux: set PR_SET_DUMPABLE.
* utils: fix applying AppArmor profile.
* linux: write setgroups=deny when mapping a single uid/gid.
* cgroup: fix enter cgroupv1 mount on RHEL 7.
-------------------------------------------------------------------
Wed Dec 7 09:24:19 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
- Update to 1.7.2:
* criu: hardcode library name to libcriu.so.2.
* cgroup: always enable all controllers, even if the cgroup was
already joined. Regression caused by crun-1.7.
- Changes from 1.7.1:
* criu: load libcriu dynamically.
* seccomp: initialize libgcrypt.
* handlers: fix rewriting the argv if the full cmdline doesn't
fit.
* utils: honor SELinux label when using a custom handler.
* utils: honor AppArmor label when using a custom handler.
* krun: copy the OCI configuration file into the container.
* utils: fix creating the default user namespace when running
with euid != 0.
* Add setlinebuf() when --debug and --log=file: are used.
* Fix timestamp format in the error messages.
* krun: disable libkrun's collection of env vars.
- Changes from 1.7:
* seccomp: use a cache for the generated BPF.
* add support for setting the domainname through the OCI spec.
* handlers: define wasm and krun.
* wasmtime: add support for compiling .wat format.
* cgroup: honor checkBeforeUpdate on cgroupv2.
* crun: chown std streams before joining the user namespace.
* crun: display rundir in --version output.
* container: with cgroupfs use clone3 to join directly the target
cgroup.
* linux: create parent directories for created devices with mode
0755.
* wasm: inherit environment variables in the WasmEdge handler.
-------------------------------------------------------------------
Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Update the libkrun dependency to the new libkrun1 library and
devel package
-------------------------------------------------------------------
Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Update to 1.6
* runc compatibility: -v now prints the version string.
* build: fix build with glibc 2.36.
* container: drop intermediate userns custom feature.
* cgroup: change the delegate cgroup semantic so that the cgroup
is created in the container payload after the cgroup namespace
is created.
* seccomp: use helper process to send file descriptor to the listener
socket. It enables to be notified on every syscall without hanging
the main process.
* linux: add a fallback to using kill(2) if pidfd_send_signal(2)
fails with ENOSYS.
* krun: add support for krun-sev.
* wasmtime: always grant file system capability for workdir inside
the container.
* wasmtime: inherit arguments list from the handler instead of the
current process.
* wasmedge: use released wasmedge library instead of libwasmedge_c.so.
- Update to 1.5
* add mono based native .NET handler
* new Wasmtime backend for running WebAssembly
* add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
* dropping support for experimental WasmEdgeProcess from wasmedge handler
* honor process user's uid when setting the HOME environment variable
* create the current working directory if it is missing in the container
* fallback to using a tmpfs mount if umount of /sys and /proc fails
* fallback to netlink to setup lo device
* fix creating devices in the rootfs
* fallback to using io.weight if io.bfq.weight doesn't exist
* remove tun/tap from the default allow list
* linux: devices mounts have noexec and nosuid
* fix copyup of files from the container to the tmpfs
* honor $PATH for newgidmap and newguidmap
* krun: limit the number of vCPUs to 8
* cgroup: add support for cpu.idle
-------------------------------------------------------------------
Mon May 9 12:43:12 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
- Update to 1.4.5:
+ CRIU: add support for different manage cgroups modes.
+ linux: the hook processes inherit the crun process
environment if there is no environment block specified in the
OCI configuration.
° exec: fix double free when using --apparmor and
--process-label.
-------------------------------------------------------------------
Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- It'd be nice to run the test suite with %check. It however, still
does not work properly inside OBS workers. Add it commented and
explain it
-------------------------------------------------------------------
Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
see: https://github.com/containers/crun/releases
* 1.4.4
wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
Resolve symlinks in bind mounts when creating a user namespace.
Fix CVE-2022-27650: exec does not set inheritable capabilities.
* 1.4.3
cgroup: avoid potential infinite loop when deleting a cgroup.
support additional options for idmap mounts.
open the source for a bind mount in the host.
* 1.4.2
CRIU: add pre-dump support.
Fix running with a read-only /dev.
Ignore EROFS when chowning standard stream files.
Add validation for sysctls before applying them.
* 1.4.1
Fix check for an invalid path.
Allow deleting a container while in created state.
cgroup: do not set cpu limits if number of shares is set to 0.
* 1.4
wasm: support for running on kubernetes with containerd.
linux: add support for recursive mount options.
add support for idmapped mounts through a new mount option "idmap".
linux: improve detection of /dev target.
now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
retry the openat2 syscall if it fails with EAGAIN.
cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
on new kernels, use setns with pidfd.
attempt the chdir again with the specified user if it failed before changing credentials.
* 1.3
add support to natively build and run WebAssembly workload and WebAssembly containers.
allow to specify sub-cgroup for exec.
chown std streams if they are not a TTY.
attach the correct streams if the container is suspended and restored multiple times.
fix race condition when enabling controllers on cgroup v2.
* 1.2
exec: fix regression in 1.1 where containers are being wrongly reported as paused.
criu: add support for external ipc, uts and time namespaces.
* 1.1
cgroup: use cgroup.kill when available.
exec: refuse to exec in a paused container/cgroup.
container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
criu: Add support for external PID namespace.
criu: fix save of external descriptors.
utils: retry openat2 on EAGAIN.
* 1.0
cgroup: chown the current container cgroup to root in the container.
linux: treat pidfd_open failures EINVAL as ESRCH.
cgroup: add support for setting memory.use_hierarchy on cgroup v1.
Makefile.am: fix link error when using directly libcrun.
Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies
-------------------------------------------------------------------
Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Add libprotobuf-c-devel as an explicit dependency, for fixing
the build;
- Get rid of rpmlintrc, as it's no longer needed.
-------------------------------------------------------------------
Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- make libkrun support conditional, so we can have crun (without
libkrun, of course) on all arches, which may help with
bsc#1188914.
-------------------------------------------------------------------
Fri Aug 6 13:37:49 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
it is a plugin, not a regular shared library.
-------------------------------------------------------------------
Fri Aug 6 09:55:53 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
-------------------------------------------------------------------
Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.21
- honor memory swappiness set to 0
- status: add fields for owner and created timestamp
- cgroup: lookup pids controller as well when the memory controller
is not available
- when compiled with krun, automatically use it if the current
executable file is called "krun".
- container: ignore error when resetting the SELinux label for the
keyring.
- container: call prestart hooks before rootfs is RO.
- cgroup: added support cleaning custom controllers on cgroupv1.
- spec: add support for --bundle.
- exec: add --no-new-privs.
- exec: add --process-label and --apparmor to change SELinux and
AppArmor labels.
- cgroup: kill procs in cgroup on EBUSY.
- cgroup: ignore devices errors when running in a user namespace.
- seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
- seccomp: report correct action in error message.
- apply SELinux label to keyring.
- add custom annotation run.oci.delegate-cgroup.
- close_range fallbacks to close on EPERM.
- report error if the cgroup path was set and the cgroup could not be
joined.
- on exec, honor additional_gids from the process spec, not the
container definition.
- spec: add cgroup ns if on cgroup v2.
- systemd: support array of strings for cgroup annotation.
- join all the cgroup v1 controllers.
- raise a warning when newuidmap/newgidmap fail.
- handle eBPF access(dev_name, F_OK) call correctly.
- fix some memory leaks on errors when libcrun is used by a long
running process.
- fix the SELinux label for masked directories.
- support default seccomp errno value.
- fail if no default seccomp action specified.
- support OCI seccomp notify listener.
- improve OOM error messages.
- ignore unknown capabilities and raise a warning.
- always remount bind mounts to drop not requested mount flags.
-------------------------------------------------------------------
Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Add a mention to crun-rpmlintrc in the spec file
-------------------------------------------------------------------
Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Since we're building with libkrun support, let's enable only the
arch-es for which we do have libkrun
-------------------------------------------------------------------
Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Suppress the (false positive) rpmlint warning
-------------------------------------------------------------------
Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Some fixes to the spec file (add some %doc, remove unused macros, etc)
-------------------------------------------------------------------
Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
- Initial package for 0.18
Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>

208
crun.keyring Normal file
View File

@ -0,0 +1,208 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG
7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6
gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL
dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS
O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY
tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8
zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH
QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v
4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ
ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/
JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB
tCVHaXVzZXBwZSBTY3JpdmFubyA8Z3Njcml2YW5vQGdudS5vcmc+iQI3BBMBCgAh
AhsDAh4BAheABQJYsGOCBQsJCAcDBRUKCQgLBRYCAwEAAAoJECY9bfLhY+Hq5W0P
/Rq2TUBpxOvjyga90D5G0k+AlgZUp3W+J2Ol632t3Q+ZI03zbRwmtyF/Bq9J4wsA
UiAJb3M6BQjaExdzdgM2DOPT5UDichHushTTzeO3NjAxUzBrN7ZXReRevq1ulysS
sTEqZlGUr6HztdAlN4hTetAnVibQQ8dMyCO3t8s/wgXUtsV8LZ2wwt6JaPTBpkuR
ECSspOEg39Id382tHMTUGDcKj5nRaxV6tjyyTnTJOvkL1xmYGUcHSPoWl4RycrJC
mfl8rcZF/kbhUckRcIRPWBG4Uks4qUeq+YxO47kJi0Yu5fBEc370ydOzkEoGeKgy
fiQtIn1FURFKNPG3ooB4U+L3AWieMl8374dqTs+x+S3io+Bxo363mP1FYvo5bWFS
Q2siUBWg5Ab+UjWYIcyqA7Jsdnig0+N9LoCTa0+Ba/wFO//ejBvyHss5EhbJyjdT
oPc30NUU8OjX23vQO20bM7JAVvb9YEpXOPkvxmb8DrMzvU35gBxgeyspaukiuoe/
rPTT6daCOXTXJ4CeSNP9ggzTvcqZn47lQtVUdxB1UnYkmsOG9lv1SEV23ahSnvA0
pV4C3481z9u2iBvj9tVjmCNcaGPPTiYJr7/TSPGIqAVGYiNWNbYBeWYCNWfrCByv
WuJDPhtonT6vON65uKSWbDyNjbGf4QvTfs7CLEaXce4dtCdHaXVzZXBwZSBTY3Jp
dmFubyA8Z3Njcml2YW5AcmVkaGF0LmNvbT6JAjcEEwEKACECGwMCHgECF4AFAliw
Y4IFCwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj4eoqWhAAvdQlRb9TjEOe1K2/
SQGM1COQwg/9h7vQEFg4P5Okfb9pgu5XYB8qU72UudNShA1ZAJ5beN9VjatD7l+e
4T1YL8ZrnUvzQwnytsnHrJI+n+KOGJH3jHi7Fms0vhl1KuOtiYTdiM2mJjA/0aE+
e14FPBM7/1tbcVzmYy5CHZcOXcOfgxu7tFO1PsUne4GVfInwV+k2O+6gQ+7mKgHF
0IB1ic2t4ih5jcTeY1Zga+GToOtpI89Stz0g6QTnu+03P1wbmLhw5sxgcD/AyrHh
uOnYCmR58TJSmWHpClNneR8T1qIaf1JWhPlXgCchAMPZRZLHGAg3q/zALJ1RHXyt
T2KZeVZ8DdOu3fkOt63r4aVNtOZYRR8kKhuSJiWH8HnmqcW0/cujvt1ZAKXkBABh
PABwv/3mK+JhItz+MJp4PWycqayAPerVY+lM3MU+kDfQzHuAw7C+KX2NOxT4FjWm
lW5kzOfBiQqPTEQCR/1pPRISYSE/AnVHx4qAGKQYg9LMopzY6CT4d3/N9RbEdRPf
JKGEu174LcOGA8qF4jLtd3gJEna0PrucisT0WaW3tZwv8vxLsu1glUr23Uxgj5AA
ahQpTf6CRknuE6LGeSqepdFy0fILVGQFjWbpgYe40pvc9jBZ6YMn6f1bjT8iOToC
tFcoAO6+30hsyixOkq9DUC3d/jq0J0dpdXNlcHBlIFNjcml2YW5vIDxnc2NyaXZh
bm9AZ21haWwuY29tPokCNwQTAQoAIQIbAwIeAQIXgAUCWLBjggULCQgHAwUVCgkI
CwUWAgMBAAAKCRAmPW3y4WPh6qPDD/4wYETALuFVLMwmjZkQeSbPN2nix+akvRQg
ib/eg22NI3Sxq5129HJV7UK5La1NX/lAJTnNsx78F+l7kVvxMNZuXtM5gUqYigjH
SJUx1bHrv8E7OYF1BLRSjJs+Mcx43GDYIY79dSgO9BeOTQXl/HcvLujQ0OWdi8VU
NFMh9l8T1JKRN8KDHPb+he8oUBVjEomwjDtYmJDZg3Gbf08gAvMnhqj4HnOL8ZLw
VESgGldy6men6cxAlZNPZVUI4b/BsDbBU8kNVXkSVC5wMcSVXsXbdOLkDuNHCJfX
JMY2Pow1tNU9CGOqPXnLVF5T66kf8SPOAyBMC6H6ae/7zpAf6tg+ETmimD/exvYc
rqF9b5JhBbwnntSXYGIKc5wK4DRe74lSPqCmeBqZDCR+XYpn9Ksr3+q6xs2V7K5E
miQtXXIwPMr3LddbmPGaQ+tmafN55Lr1A4g1uVOGcedO+/3yHCXxVMgndxLmast1
HGvKfLVp7ag60u/3J9VuMIZIb5sg7jLQy3JBCqVslT+Ur8hS6NUO7WM2C6GexEq1
mcPqrxFg3WM5QlQRAXbJ7E936eGKSsC+akcNaS3esrAvnhYXVWWGt5jFqzsADS6e
slmHS2Fzr7siuAVYKS5qUO4sJvzx/ERrZ+I+6euQodkq+kwm5gQ9LYrGDB2hMJLI
uUWMN6iPjrQpR2l1c2VwcGUgU2NyaXZhbm8gPGdpdXNlcHBlQHNjcml2YW5vLm9y
Zz6JAk4EEwEKADgWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUCWwaKCQIbAwULCQgH
AwUVCgkICwUWAgMBAAIeAQIXgAAKCRAmPW3y4WPh6srbD/4xLYNsUkEwwjjlDSym
zDA0wjYdZGYp6qLcEqfd06W617RS/tghdfB2HWizaQrZ7TNTiMFIgptO/+sEqdW7
qJIDoLLSOwr68EzGQjnL733jPo2CXOTD8cBKblOaQy4z3agND59PGAZ8SYQcqbNY
9xHtdomtg7o2pCxXtEtKH/yG98bD/9i4/B9fHUx5wvpChE/0EFhMcNJj2AQUpNZN
c0dBe5AChcw24jEBq/yIQN12yuIfTuWxWicdTw1g/ssH1YPBxaFWBosIzXezc0tB
8TBEa7pIwexKGRmu/q2SJqGxGjN6ahlPmI6BMFpeC9Y3BaNpkMpqBMHHuvrLS/b+
xb9Nfn0QIkAbLg/48CG8Tp+Otlm9Av2d2RzriIOJ6boyqdSTc5uIVO9z2mKlyHia
Fc+up6iGoN23TZWJUo1fk7GNv+MWa9cZ4SIynQUPQS+sg48DKRTPevDiNW8ui/rP
F81qnOiRpoyoQn8ufaLVj+vbF3pxSpnObEM7m0q0dp8MjC6TvP2wYhZttdJLo4vq
c7fyWjgbp0VAxOKX9LT3hIw6MyYsHQZdx6B+wmECnAXahHh/oJlroGZQ955tgNPG
N0strU4oCjs03VI7x7pjnPemwKvY5ufp50ERfCbd7A8MzeVRrj6lkl8gDOvBt2tw
2Yv5f+3Dyg1g6+kKNUMvuSWLOrkBDQRbBpj4AQgAr5FJtb/JHyorka9GotYApT1K
LfRloDU9YmADR0SEWxCHkFruQ6gHyz9D9ytKUkbJTfd9TVSoItnoRnnlSmuH6+Je
Ld/S3srV8Qksi54pnsN0kPW8A0ceQCn+8j9d/7+gR+GO+H1Buugi0y6Kr9NP9TKq
P/i74lmxra0tEPLwyFJYnZVaoz0hcMDodTDvFe6WL7TBhOQ6ZLobSUxm4nA1BJQB
e3txnYBNx3ixoNqONYnSj78vjbKE8eBSIFdUgPnCVfc0vyOKCqNg7PFjVTFV7MKZ
fOjWHNkSS+sU6+RAdl3IZ1wZDrH9f6VTvFv6Iurdgry9k8Eld6htr7RE0mNDowAR
AQABiQI2BBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGmPgCGyAACgkQ
Jj1t8uFj4erV9A//YkH0VIIhD1N3bUr3w/3/dxfACRuLKM+RRJh9qtGpvhVeumIx
tPMll5LG/LCbUHKobD+P01SBkCugRC0iIL1AtUklr+SoX6pcB5JBVfw3MNjmA41z
C+Sb2ze+32LMLFLN+p7XlgIqNktYN2q4CUMx7ToMl1LUpjnn/IbDBo4+bPZOSICm
zNAR/bj4T5AgjqxhX/6iLJHdtOzknGN1GcJSnbcnKHj3dmb0A0Oqt4NLLA2/ur37
Q8yZSeZRYN002qtugBrCxHp9UIWnnsTKFr3MRXp78/xYxZVGR2G939B5QYkuehkv
iaqxCJGAnKOVoH7XNjiCKjDCX3Di+Mr1AOZfazwe+hHqLfR3LlnLtOTu0t6uUMbi
imMQaHihmXcLWo2xUUG7WhuRHMqTpS0Bhbv5sp8W4qAovni1eG7IKVH6Awwic37z
yaH8NUMaF8Epr++XB6A1QVdv+4Eow7ftHg8z5qj7pq6lEDaLbYr1fUOYzJCmT1UM
O5v0HmMGUhDwdETjBHxbr/EAAQT0xO/hQ0UQMQHhj26p7tecJw0FMsS7ciM1phyS
Ttf+qyJrnO1VWkixec5tKluHwo7PMeozVs8csSnVFhJM/LWrVUzCHJFPPRtF1Y4W
xdTsDsX7JUBP9ZsyisomPrcfckn6/fmddlLOLGTHXHV411bdtRPRlJnlNRy5AQ0E
WwaZzwEIALMNijLI/Bjxtt3dAOC/FrGpfRelGzd5nmnbboBAqGgWkrBukpaqG/mL
h4LMtfWwq9L45+TdhFp4AEFrtH2DvHpH8LIV3EGRq5mV5Kl3PMIpnUAyh4bCVkeP
xcP1ucM595xUVrmBRVbJYUY09ezglFe9pfSiTHBnb4rlA4B7a/GlYQsp91JZdjAB
Wgkw19+v1tD5o9ul1vHRQYJ+WhjCZXX0WKuLPU8DO8lgQBWyW+vV8JB7FQFSSamk
qVfOYbSBqwzL0rtjFfmsjoMruNSiGPn83sre/UhQ+pcqukA+YYQA6BLj2lCxwyYf
xkF6eoUWjqtJy63WkhYS+NxfYaZYc1UAEQEAAYkCNgQoAQoAIBYhBKxATBwL9zXG
P/TVYiY9bfLhY+HqBQJbjuoJAh0BAAoJECY9bfLhY+HqUOUQAKZjKBOzvqtI7Cwd
nZgsfduW6rWwgQtyc1l+bRmRiPmZMqS5Tjr8h85B7aQMvms3saZGmsgHv2abIVp2
BOZ+Rv727n+jR1TBtSxnAFGv8QvqBy4Zjia/CM8LrE1fQJUK8yFrjFHh75ZsLvWE
dNlfO9a7JEw2OvTDd2FbroVjmRG2XeqGqxaGabDeW+d400cmLjrBNjv2hg0gR33x
1qiznYdtXjC3baFvHr8PQaSspqhzntmtZjiOvlHU4CI7IYWC4lnouLAPurlNYQrT
qLFuGxT+fELIIhlFxuBF7vV/L29SxxkvQjPs5czErEOVoqYR9DTN2aQcCl/3rXQN
zBNBzBPdy9Swsn2wLt3eZFvyhSqQcmLbl5/EQedgEejP1fG5fmUhNOjpvFYKhsHD
n97/5oMYy4EZ9oE6TCP8XQOt6PowHdq6nEdKP3puCuofv7jZxIgY+p3mIuL9Q4vi
G7cqVAM4qXbKAE0Rw337jYb2vQHxNpQcGJAKV4dAFhWG7MTFV6LuGXHew9vm/H+7
5qtMn1kKhVmOxS5slh7iPduRnBcxEROqdD8xhKWwyoferOkRZ0tsWtF1uPsvy/0y
2nakGOVuIoIGI9XuBbLWHf5uhI6PRY1nmRI5ASbufZEgg+xCkLpxz/Qe23alO8+U
l4M85DpsSZnMdDmfbi8TDXX02E2AiQNyBBgBCgAmFiEErEBMHAv3NcY/9NViJj1t
8uFj4eoCGy4FAluO6bYFCQCJoUkBQMB0IAQZAQoAHRYhBPPROLqQ5hw8rucBtrcl
8/29rNRGBQJbBpnPAAoJELcl8/29rNRG+d4IAJ4gVyORbDtgJJXZbuWW+gJCv6/i
bhLeBE17+GQ6dvArBS4JBGhrxFxVCne2A9AEN49o5TFlJH0XCvbiZehvQOoQCfYZ
i2BZuys0bYKqUvFdAbBm90WV177s3povAHP4Q8YXiIASYurWW7aYW+1l33jKBFWw
fFcScUxwBqhAoJpSNAqakSmbqf72FNOclvk66ZPqQu+0OBzjtNp9V/PVHeZ6pLeI
MYpb9w5miXGPbd2LdoirLqCewphjQtof2NeqUP8/a9KLhNh78+u0wKCpDiUttiBP
7j1otqeWXtimT33Nfpo4cPvLAG8SRx6GU1fj570j51/L9fWj6de4zNg08z4JECY9
bfLhY+HqqBUP/jnLbmDM2FJQq5osAJEnENg4WpB7oagprs9e9iG0+ipaCRmCXOYF
CxAyUXGJVatWpH1LjikGuVrHE+Rw1MG2Gicf1OWJRIDUzc8x8NnZSWqt8VakuM0R
cJjIAossAf/OrLzOsY83MpcOkPp6r8256ik0bpPYeoOdppsDmD9m6630NfUTyd5G
6mrvcW1x/OTgxZjTS+1LQa81uYjfQI39ZiW/KIoDs/bYU5hebpVYDSquc+/XapJv
2ThlPYzGujnEQe/sidzonqzJRFRweWwpFsjBiW8OCw34hWhXRMt4k5usazxyTq9F
bPe02VaJpfkuviAFNP6igyb8GjHUtkLqC7VE6PByjVzdicSo115FNm2z3vVQNFcr
dm9qp4Vg1i8OqU66hzOu6TgfwFupdj4bL9W4ys9wm4J3rVN2Nv4Rtpn5XUwOiWxG
W/CO3HhaBILoOEVunyIHv2D/Qg80zNN1xyYNbTC20DBouMFINaHiJPcZRho3mBc9
V1U3cLsDVunMzuEXmkZP8a86fNrQgnyyxtXHQ30fn+y9M+1um6SvJyJMJsrHQey1
avREKeDMaG/kHH3tmsLGAIZhz6LnWhBa/Ih9opYMjsdrjqZoFsMre79mRCTPv0Wk
gBkIuEd8WLvrJ7I3ghstcl8chTNXvme6QBXCd3YkGW4aT6h/9mrMjDK4uQENBFsG
tRcBCADEld1p2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRdaWV8gIdtC3q9Eg4Bp
d7wUczNsCYWkiGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDgiU+j1LsPmi4u0oIH
g/hOCuFyLoWCkJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4JjLxpLvkXpWQGKJF
21s9GulRUP3E30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfpIQX/6z+NlSkNigub
D9jbTvMuY2zbZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mYQUbmYQfB/aX60TMY
Qt3UBivggU15u6mdrGo1bedCLvDhABEBAAGJA2wEGAEKACAWIQSsQEwcC/c1xj/0
1WImPW3y4WPh6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBAJ/O9WF
lMoYG7XsUORzD5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH/1fxABg0deOflZE8
SS9VTR0BiM6IIOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW/OHJ70nmdhVgNM1I
AjZAO6NjeCaAaJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HGzBMvZ5UITPz5NylU
Bh1s1PQoZKuB8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO2R0i3s4WalF4PeSM
qvrL5wgrEAw7hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0JUd15kgtd/D2zN1ek
zrEoARwuaPnTOmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPAA5j8QwZmPkdlUGdW
oo+t1k34GQ/+MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5EysBfYMcLWAMecYzp
/3Oj6LTRFisBnWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggWO9oCrkt4djhSMrCX
OuEKHyarnf+EsLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDiaweoTqdWhUnb/9rFN
FUuR9s2ij2u1TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuVvxtDokOT3P+st5YC
HI0fr56MykhsTUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW+qly8UiDFMA4DBR+
K+V9/VdeDYjKB9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBjGn2sqBVP46YoC/dx
H7GFYusLSYofQhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74JXlJkaX3wezGScak
X/shP2KbmvB3cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAhJ48a5YTLnG8aqJSG
I7dCDbMUcPTRuDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9hs+74oeNHb0QHEPA
xfls58gAHRzhZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5WtOuuJxV6UmeQLTP
D721jlBPpALOTicKph3axybnW2w/zw0hEH9NOJIFePftgE42SLolicG5AQ0EW50E
YgEIAOFJvfHksz6p1nPpIJZFB8auV4vGH09xjOSb8vSaJtlcFd/Hcm+97hm25Nw+
Kz/hibmpOndb8EIwIyr9VUmo2BvWNRteYQYuIqv8VYSgdTuy5oZnYOw/BpQQHJW0
56BhCYqUbrqOIa9uQ5X48zvvzQpW24pRt6sYv4/1Hw/jr9u68oxPL6nDcX2QQhtO
H2AYLNAG9LoXEcFaC034yisd7ARJjg1F85MJZPDNLhcIUkZNaeL9RfzVgC6wEtwy
Ij4CLtqnjvTSnlskZfAWSM+xU7NV9UIpXanX7dly5IrCFiay8vUGajU+hkbGQult
MsQ+IKXXFQHgwLMmf5F9EcQ/+RkAEQEAAYkCNgQYAQoAIBYhBKxATBwL9zXGP/TV
YiY9bfLhY+HqBQJbnQRiAhsMAAoJECY9bfLhY+HqzkUP/jGNn7aizhy/j4aHJE/4
5ZGsOzCYDO7zGVvPYn78ekIOlrDYma89eRyJkDEbKO0BkEpqYbiE4UyvI+QCEeT5
a8usF9DayXW0D25zr5hsjBD9KJHxPYzJt619Py5MgGZmQU6snvp7qr+TfJM3c8Le
s4MU8Dk6eHHa3MrVINDcF2Y1kb9FeHeNgjjyOUjbYOHw8C4c6vNE4Zip6jzC13NO
DLVbn5UPRXrbmKWIoDE8zNljbRWHvB2AvKl/YaiRLq4XsGnIUMlIZzU3Wq21/VX4
+CVJCBe5Fu/EPpryJnWe4ONX6105wvoyBpZ5Yw6hZk6Qfkt7fye4Qo1xlT8oTai6
q+GkXr7jwGP2sD5v9hVpihPC3y3zQtlLwqgdgyTI5OPGObpDf5Y/9Z+57yPtT312
yW8YP9gQf/AXLJn3EcpQIGENFh7gTBzwushRbXQPgXkmqi34U/KLkWYjkX+vNR+c
yKg6OJLizFzgX3Iyp9xW5XRqu7dIlgFOtHhYIgkQz1x5QkYQZpjN53lldXxLqVXe
OlapdFUa64nsukJo1H9aJj9jlx0hwGY3UqhsDE/oHaiZqIi1LMnQzz4apWs3PX9F
lmV2xQv/BysEnE7J5Oi6xpNXvj95k1p0usb9ZzoGEPD0xPR7HtaQcbZlMIG4B3xg
vmudzCJ7g93r09259Ozl2AsYuQENBFw2Y2IBCADCyrHataR3kdV4as+atq34rBvm
YO+7+PXuhel+I3medGaDzRoekAT5y1ujvwSuj+BBaKCZ2WbON0u4iPUSfd6U6sKO
Na899VXAh+9NXjsas97HMUA8F59Yxis8e7G+HpLJx8e0+ws7TN1o6zr0ISNuXN/Q
pkclP7aJDWw6ec9MbQZjdLlMxTDMUHq3leUfngAX+8HC72ecp+Ex59rAPtYSHE9v
GKo/V3gN5GwshZQg2pWHPT9AkUEHkU5BSr4H6YHkb1rAfetvJLm6PHtwVnsWyg0v
46uQFjgj/F1ooDhLxKt2IqdZy2Q/dS25RDDW0K8OIf4D6sBb4/ipnuP7kvMbABEB
AAGJA2wEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUCXDZjYgIbAgFACRAm
PW3y4WPh6sB0IAQZAQoAHRYhBK9g/KPNqm3q0VfqOmfjj3qLohdyBQJcNmNiAAoJ
EGfjj3qLohdylogH/jFk4H5UpC03Kn5VinrtETpgHOVterbf9+D28ApnVHk6x5Wh
JDzeWTF+Y0LVLycN49/3kOUL6nK5twym+7jYVmfn/OCRLNQm+Pt5MpISlSCrc8sM
T7f6+2h5eCVKF0YQ2a/PdZmb7AtXtiaqErEBbeMU23lyK78EV7pOUq2LS8jTb5Fm
HIAs+KJHm7CZH8wmh6OcpDQyPjqXsvSUHvI5yKWP6M5xCJgIJb0McdBTBhP21qXk
crcQTtZuVFIoqCjVeNmegzwJKG3gtMfrDw8URLGXHRLzlW34LHUfuNCLB8OxP+mg
Iw0OmRfNLqdh3ewAQnkUmJHvizeomAJtVfOJv/cHvRAAoZqlPwsPCUapLLI5EFeY
kqr64ugJjT0fp4E2MVHjf6Dep2EKSrW7RojVP0he2eTfevDiHJwrOGRgfEggb2lK
MPIjjDl4XNHfArzfpOtrxya2ycm/5wPu1Xq+jEzwAnAFzBHUI5lFVRGWmQXuS8F+
Imz8Lln8B0BcJehSMqWhKOChOKXcQ4modjyrzpgN116VwQqD7FU/+4CNOAabaoVB
YC47Ha9qOgC6wrCDD/lmLXaKWfTY5vCqbxBKgsAz38jjmwHBu2NuCmc1Ojfe00gR
MgO4Z4ZeCPBGexMCxz1o2WryJTwSVyLvbamDW6gLMM3HGCRPgEB1iRz5fGMqlM60
t8ptlwpHPZSzoTVzOEUkBjLgsnUsIPGF8b+qzqfdqALZ0I7m0iqvVnlkfuFW7UCR
sfViCjZQRV5TjpyIGfFmeyeVZbd1e2SedaT97H6+j7qqPQts1mc9evSvgxcbhCAB
s0nM/iVOOC6gsRNYyDTuZGAo/NYpCp/aVbpT6ywBsHiRtqlyT0x9cDD1iGqgPqQk
nA/Hxar9zgjTmVc7whv/wR7HcM3cpLX4HZJJCj0q47e8N/FOYyfPfjpr0vFs2Vm/
8P04YvjCPsjS4EXeTyWsHgNgLz3YZBtG7UR4ZbUFSPTkcWj9cXTK/Wxrqrz/3/pT
kjP5+DBR8zCiek8ibIp6/8O5Ag0EUm2nUQEQAMn93/Bol72GW+LhEF8amKB7mnUA
rAcI556nmhOqAqYE682WBX+Do8qGJXiwf9URaeyXmOD17YsB+OkxQFivfJ9G0y7+
u4MBq9W8qNRDAe6iBe1Wt5eIv+bYc3IOrx53naH9FnY7xDes96JqExJncWDAxZOt
uoNHBUz2Avh0LxqPtiVRI0g3jRWa/SynwFdL1NOjFh2oHUUNeunoNARZK90oZDrh
UU+XDtP7V6He98L+ZODrZ675CEC9O3U4UzuwQsYRHWMb0ZNvJOENDJ84D6xyAafZ
fi1FKv04KalleHfCon9SJmIrb1oGY9T6bagK1fOydSK6kvQ4741rpVvdFSmWFKR4
x9xiQdDv00cn2nHcyV5nB23uiMVsPvNdmgKPwU+bs+b+gWgXXtc6otJB6oaMRDPz
vLY20q3n/MztICAbTzG64f7pPOFyv8gOZyPUKHXIRUTBVSwRj21DACtKBBsjvgIP
K3QTHrqiaBq9xsNSi2xdpP9lpwGgh1E2xO9I7dfa4uIzGzgMLFtMOwZao1PKrypR
rXpFdSRoDOzKFbXWzL1iQ5jJPJq3h63TD+juKZrSwBiOif3z2baA9GedwSkJaRQ/
wLq6PDdp7vsq06A4gv52VkRJTmqkZo100HD2GGQur6yDUsnDewJW+M5GgS59UShW
VCOo6we7IpGpsAAnABEBAAGJAh8EGAECAAkFAlJtp1ECGwwACgkQJj1t8uFj4eoB
7A//S1M22r2JQcuUsRGR6mmb05c6RwpdmfmLU1w+lJNGtRX5TsLkGdXgA9FPuR6z
2YeJKCdG6FMpmH8U8EXet0+//8Y3OBpzUh4yWZk89UKDrxHVA6tomH8g55OtNUfj
zODTEL9Te+GJsqbwV9Vjp928j/vqA+gLtdIDwOmRLfnb0vJglgDLT2Dc4QtAqBng
vu3aFC6YXLrvmmySfCpzmwMZFgoVzFsCGAVIWLfYHhoux8q8+1bYO9+cGRdgzT7m
wojuSOYrJ0luoo95hDaelfDPUHD7HmpqCvwU8ZpYBx3nHxXfJyF1ZWuF/JTSm4DX
gYavG0RD4FaSjhKDCUN8P/6iN3j/onG2bTs/Dg2/yFw09GXXJiH1B7U5P7Zf7Ig+
0tn7XwIbUBOcsGKvGwCMtiGf6BI0AsMK6eaarOYmtAphugO22A6X0Dba1v/Tx9dr
dEJsSDviiE+Lu4WdwDxN1Ar7LyfQ+TzsnGNsdMyy9zFAFa3Y2Wqa6kOcVA0sK/13
EBFQHWXOes3Z1d+mtMsgOMTwJgFicNqHSAyY8heEgC5up/Ojo/5t8Ix3JHb3x+C5
JmMuBdwMU5xWs2rHkRj+l+eoHW6xlBNaCvoIobgXkfO+CeB9T7NgTGLQ8Yf4pHqu
APKHlBE+nH14PbxfkA6PyhuU1psOGBDu7x8y/J05OuGS7X4=
=TOIR
-----END PGP PUBLIC KEY BLOCK-----

111
crun.spec Normal file
View File

@ -0,0 +1,111 @@
#
# spec file for package crun
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%ifarch x86_64 aarch64
%define with_wasmedge 1
%else
%define with_wasmedge 0
%endif
Name: crun
Version: 1.14
Release: 0
Summary: OCI runtime written in C
License: GPL-2.0-or-later
URL: https://github.com/containers/crun
Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz
Source1: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
Source2: crun.keyring
# We always run autogen.sh
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gcc
BuildRequires: gettext
BuildRequires: glibc-devel-static
BuildRequires: go-md2man
BuildRequires: libcap-devel
BuildRequires: libprotobuf-c-devel
BuildRequires: libseccomp-devel
BuildRequires: libtool
BuildRequires: libyajl-devel
BuildRequires: make
BuildRequires: python3
BuildRequires: python3-libmount
BuildRequires: systemd-devel
%ifnarch %{ix86}
BuildRequires: criu-devel >= 3.15
%endif
%ifarch x86_64 aarch64
BuildRequires: libkrun-devel
Requires: libkrun1
%endif
%if %with_wasmedge
BuildRequires: wasmedge-devel
%endif
%description
crun is a runtime for running OCI containers. It is built with libkrun support
%prep
%autosetup -p1
%build
%ifarch x86_64 aarch64
export LIBKRUN="--with-libkrun"
%endif
%if %with_wasmedge
export WASMEDGE="--with-wasmedge"
%endif
./autogen.sh
%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp'
%make_build
# TODO:
# - it would be nice to enable the test-suite, but seems to behave (and fail!)
# differently when run inside of an OBS worker, with respect to when it's
# run manually on the host... Need to investigate more.
%dnl %check
#make test-suite.log
%install
%make_install
rm -rf %{buildroot}/%{_libdir}/lib*
%ifarch x86_64 aarch64
# allow easy krun usage with podman
ln -s %{_bindir}/crun %{buildroot}%{_bindir}/krun
%endif
%if %with_wasmedge
# platform 'wasi/wasm' requires crun-wasm
ln -s %{_bindir}/crun %{buildroot}%{_bindir}/crun-wasm
%endif
%files
%license COPYING
%doc README.md
%doc SECURITY.md
%{_bindir}/%{name}
%ifarch x86_64 aarch64
%{_bindir}/krun
%endif
%if %with_wasmedge
%{_bindir}/crun-wasm
%endif
%{_mandir}/man1/*
%changelog