2024-08-07 10:46:14 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 30 12:30:26 UTC 2024 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- New upstream release 1.15
|
|
|
|
* fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
|
|
|
|
* linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
|
|
|
|
* release: build s390x binaries using musl libc.
|
|
|
|
* features: add support for potentiallyUnsafeConfigAnnotations.
|
|
|
|
* handlers: add option to load wasi-nn plugin for wasmedge.
|
|
|
|
* linux: fix "harden chdir()" security measure. The previous check was not correct.
|
|
|
|
* crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 6 10:06:50 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
|
|
|
|
|
|
|
- New upstream release 1.14.4
|
|
|
|
|
|
|
|
* crun-1.14.4
|
|
|
|
|
|
|
|
- linux: fix mount of file with recursive flags. Do not assume it is
|
|
|
|
a directory, but check the source type.
|
|
|
|
|
|
|
|
* crun-1.14.3
|
|
|
|
|
|
|
|
- follow up for 1.14.2. Drop the version check for each command.
|
|
|
|
|
|
|
|
* crun-1.14.2
|
|
|
|
|
|
|
|
- crun: drop check for OCI version. A recent bump in the OCI runtime
|
|
|
|
specs caused crun to fail with every config file. Just drop the
|
|
|
|
check since it doesn't add any value.
|
|
|
|
|
|
|
|
* crun-1.14.1
|
|
|
|
|
|
|
|
- there was recently a security vulnerability (CVE-2024-21626) in runc
|
|
|
|
that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
|
|
|
|
outside the container rootfs. While crun is not affected directly,
|
|
|
|
harden chdir by validating that we are still inside the container
|
|
|
|
rootfs.
|
|
|
|
- container: attempt to close all the files before execv(2).
|
|
|
|
if we leak any fd, it prevents execv to gain access to files outside
|
|
|
|
the container rootfs through /proc/self/fd/$fd.
|
|
|
|
- fix a regression caused by 1.14 when installing the ebpf filter on a
|
|
|
|
kernel older than 5.11.
|
|
|
|
- cgroup, systemd: fix segfault if the resources block is not specified.
|
|
|
|
|
2024-05-03 11:55:11 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
|
|
|
|
|
|
|
|
- update to 1.14:
|
|
|
|
* build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
|
|
|
|
* cpuset: don't clobber parent cgroup value when writing the cpuset value.
|
|
|
|
* linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
|
|
|
|
allowing file permissions to be set as specified in the OCI configuration.
|
|
|
|
* ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
|
|
|
|
|
|
|
|
- update to 1.13:
|
|
|
|
* src: use O_CLOEXEC for all open/openat calls
|
|
|
|
* cgroup v1: use "max" when pids limit < 0.
|
|
|
|
* improve error message when idmap mount fails because the underlying file system has no support for it.
|
|
|
|
* libcrun: fix compilation when building without libseccomp and libcap.
|
|
|
|
* fix relative idmapped mount when using the custom annotation.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Dec 1 13:41:35 UTC 2023 - Dan Čermák <dcermak@suse.com>
|
|
|
|
|
|
|
|
- New upstream release 1.12:
|
|
|
|
|
|
|
|
* add new WebAssembly handler: spin.
|
|
|
|
* systemd: fallback to system bus if session bus is not available.
|
|
|
|
* configure the cpu rt and cpuset controllers before joining them to
|
|
|
|
avoid running temporarily the workload on the wrong cpus.
|
|
|
|
* preconfigure the cpuset with required resources instead of using the
|
|
|
|
parent's set. This prevents needless churn in the kernel as it
|
|
|
|
tracks which CPUs have load balancing disabled.
|
|
|
|
* try attr/<lsm>/* before the attr/* files. Writes to the attr/*
|
|
|
|
files may fail if apparmor is not the first "major" LSM in the list
|
|
|
|
of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
|
|
|
|
|
|
|
|
- New upstream release 1.11.2:
|
|
|
|
|
|
|
|
* fix a regression caused by 1.11.1 where the process crashes if there
|
|
|
|
are no CPU limits configured on cgroup v1. (bsc#1217590)
|
|
|
|
* fix error code check for the ptsname_r function.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Nov 6 10:19:58 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.11.1:
|
|
|
|
* force a remount operation with bind mounts from the host to
|
|
|
|
correctly set all the mount flags.
|
|
|
|
* cgroup: honor cpu burst.
|
|
|
|
* systemd: set CPUQuota and CPUPeriod on the scope cgroup.
|
|
|
|
* linux: append tmpfs mode if missing for mounts. This is the
|
|
|
|
same behavior of runc.
|
|
|
|
* cgroup: always use the user session for rootless.
|
|
|
|
* support for Intel Resource Director Technology (RDT).
|
|
|
|
* new mount option "copy-symlink". When provided for a mount,
|
|
|
|
if the source is a symlink, then it is copied in the container
|
|
|
|
instead of attempting a mount.
|
|
|
|
* linux: open mounts before setgroups if in a userns. This
|
|
|
|
solves a problem where a directory that was previously
|
|
|
|
accessible to the user, become inaccessible after setgroups
|
|
|
|
causing the bind mount to fail.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák <dcermak@suse.com>
|
|
|
|
|
|
|
|
- New upstream release 1.9.2:
|
|
|
|
|
|
|
|
* cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
|
|
|
|
do that automatically, but new kernels remember the affinity that was set
|
|
|
|
before the cgroup move, so we need to reset it in order to honor the cpuset
|
|
|
|
configuration.
|
|
|
|
|
|
|
|
- New upstream release 1.9.1:
|
|
|
|
|
|
|
|
* utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
|
|
|
|
that always refuses chmod on a symlink.
|
|
|
|
* build: fix build on CentOS 7
|
|
|
|
* linux: add new fallback when mount fails with EBUSY, so that there is not an
|
|
|
|
additional tmpfs mount if not needed.
|
|
|
|
* utils: improve error message when a directory cannot be created as a
|
|
|
|
component of the path is already existing as a non directory.
|
|
|
|
|
|
|
|
- Only build with wasmedge on x86_64 & aarch64
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
|
|
|
|
|
|
|
|
- Add crun-wasm symlink for platform 'wasi/wasm'
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.9:
|
|
|
|
* linux: support arbitrary idmapped mounts.
|
|
|
|
* linux: add support for "ridmap" mount option to support recursive
|
|
|
|
idmapped mounts.
|
|
|
|
* crun delete: call systemd's reset-failed.
|
|
|
|
* linux: fix check for oom_score_adj.
|
|
|
|
* features: Support mountExtensions.
|
|
|
|
* linux: correctly handle unknown signal string when it doesn't start with
|
|
|
|
a digit.
|
|
|
|
* linux: do not attempt to join again already joined namespace.
|
|
|
|
* wasmer: use latest wasix API.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Sep 5 11:41:14 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
|
|
|
|
|
|
|
|
- Enable WasmEdge support to run Wasm compat containers.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.8.6:
|
|
|
|
* crun: new command "crun features".
|
|
|
|
* linux: fix handling of idmapped mounts when the container joins an
|
|
|
|
existing PID namespace.
|
|
|
|
* linux: support io_priority from the OCI specs.
|
|
|
|
* linux: handle correctly the case where the status file is not written
|
|
|
|
yet for a container.
|
|
|
|
* crun: fix segfault for "ps" when the container is not using cgroups.
|
|
|
|
* cgroup: allow setting swap to 0.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.8.5:
|
|
|
|
* scheduler: use definition from the OCI configuration file
|
|
|
|
instead of the custom label that is now dropped and not
|
|
|
|
supported anymore.
|
|
|
|
* cgroup: fix creating cgroup under "domain threaded".
|
|
|
|
* cgroup, systemd: set the memory limit on the system scope.
|
|
|
|
* restore tty settings from the correct file descriptor. It was
|
|
|
|
previously restoring the settings from the wrong file
|
|
|
|
descriptor causing the tty settings to be changed on the
|
|
|
|
calling terminal.
|
|
|
|
* criu: check if the criu_join_ns_add function exists.
|
|
|
|
Fix a segfault with new versions of CRIU.
|
|
|
|
* linux: do not precreate devs with euid > 0. Fix creating
|
|
|
|
devices when running the OCI runtime as non root user.
|
|
|
|
* linux: improve PID detection on systems that lack pidfd.
|
|
|
|
While there is still a window of time that the PID could be
|
|
|
|
recycled, now it is now reduced to a minimum.
|
|
|
|
* criu: fix memory leak.
|
|
|
|
* logging: improve error message when dlopen fails.
|
|
|
|
|
|
|
|
- Changes from 1.8.4:
|
|
|
|
* drop custom annotation to set the time namespace and use
|
|
|
|
the OCI specs instead.
|
|
|
|
* cgroup: workaround cpu quota/period issue with v1. Sometimes
|
|
|
|
setting CPU quota period fails when a new period is lower,
|
|
|
|
and a parent cgroup has CPU quota limit set.
|
|
|
|
* cgroup: fix set quota to -1 on cgroup v1.
|
|
|
|
* criu: drop loading unused functions.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.8.3:
|
|
|
|
* update: initialize the rt limits only on cgroup v1.
|
|
|
|
* lua bindings for libcrun.
|
|
|
|
* wasmedge: add current directory to preopen paths.
|
|
|
|
* linux: inherit parent mount flags when making a path masked.
|
|
|
|
* libcrun: custom annotation to set the scheduler for the
|
|
|
|
container process.
|
|
|
|
* cgroup: fallback to blkio.bfq files if blkio is not available
|
|
|
|
on cgroup v1.
|
|
|
|
* cgroup: initialize rt limits when using systemd.
|
|
|
|
* tty: chown the tty to the exec user instead of the user
|
|
|
|
specified to create the container.
|
|
|
|
* cgroup: fallback to create cgroupfs as sibling of the current
|
|
|
|
cgroup if there is none specified and it cannot be created in
|
|
|
|
the root cgroup.
|
|
|
|
- add keyring for GPG validation
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel <aboe76@gmail.com>
|
|
|
|
|
|
|
|
- Update to 1.8.1
|
|
|
|
* linux: idmapped mounts expect the same configuration as
|
|
|
|
the user namespace mappings. Before they were expecting the inverted
|
|
|
|
mapping. It is a breaking change, but the behavior was aligned
|
|
|
|
to what runc will do as well.
|
|
|
|
* krun: always allow /dev/kvm in the cgroup configuration.
|
|
|
|
* handlers: disable exec for handlers that do not support it.
|
|
|
|
* selinux: allow setting fscontext using a custom annotation.
|
|
|
|
* cgroup: reset systemd unit if start fails.
|
|
|
|
* cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
|
|
|
|
* cgroup: always delete the cgroup on errors.
|
|
|
|
On some errors it could have been leaked before.
|
|
|
|
|
|
|
|
- changes from 1.8
|
|
|
|
* linux: precreate devices on the host.
|
|
|
|
* cgroup: support cpuset mounted with noprefix.
|
|
|
|
* linux: mount the source cgroup if cgroupns=host.
|
|
|
|
* libcrun: don't clone self from read-only mount.
|
|
|
|
* build: fix build without dlfcn.h.
|
|
|
|
* linux: set PR_SET_DUMPABLE.
|
|
|
|
* utils: fix applying AppArmor profile.
|
|
|
|
* linux: write setgroups=deny when mapping a single uid/gid.
|
|
|
|
* cgroup: fix enter cgroupv1 mount on RHEL 7.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Dec 7 09:24:19 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.7.2:
|
|
|
|
* criu: hardcode library name to libcriu.so.2.
|
|
|
|
* cgroup: always enable all controllers, even if the cgroup was
|
|
|
|
already joined. Regression caused by crun-1.7.
|
|
|
|
|
|
|
|
- Changes from 1.7.1:
|
|
|
|
* criu: load libcriu dynamically.
|
|
|
|
* seccomp: initialize libgcrypt.
|
|
|
|
* handlers: fix rewriting the argv if the full cmdline doesn't
|
|
|
|
fit.
|
|
|
|
* utils: honor SELinux label when using a custom handler.
|
|
|
|
* utils: honor AppArmor label when using a custom handler.
|
|
|
|
* krun: copy the OCI configuration file into the container.
|
|
|
|
* utils: fix creating the default user namespace when running
|
|
|
|
with euid != 0.
|
|
|
|
* Add setlinebuf() when --debug and --log=file: are used.
|
|
|
|
* Fix timestamp format in the error messages.
|
|
|
|
* krun: disable libkrun's collection of env vars.
|
|
|
|
|
|
|
|
- Changes from 1.7:
|
|
|
|
* seccomp: use a cache for the generated BPF.
|
|
|
|
* add support for setting the domainname through the OCI spec.
|
|
|
|
* handlers: define wasm and krun.
|
|
|
|
* wasmtime: add support for compiling .wat format.
|
|
|
|
* cgroup: honor checkBeforeUpdate on cgroupv2.
|
|
|
|
* crun: chown std streams before joining the user namespace.
|
|
|
|
* crun: display rundir in --version output.
|
|
|
|
* container: with cgroupfs use clone3 to join directly the target
|
|
|
|
cgroup.
|
|
|
|
* linux: create parent directories for created devices with mode
|
|
|
|
0755.
|
|
|
|
* wasm: inherit environment variables in the WasmEdge handler.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Update the libkrun dependency to the new libkrun1 library and
|
|
|
|
devel package
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.6
|
|
|
|
* runc compatibility: -v now prints the version string.
|
|
|
|
* build: fix build with glibc 2.36.
|
|
|
|
* container: drop intermediate userns custom feature.
|
|
|
|
* cgroup: change the delegate cgroup semantic so that the cgroup
|
|
|
|
is created in the container payload after the cgroup namespace
|
|
|
|
is created.
|
|
|
|
* seccomp: use helper process to send file descriptor to the listener
|
|
|
|
socket. It enables to be notified on every syscall without hanging
|
|
|
|
the main process.
|
|
|
|
* linux: add a fallback to using kill(2) if pidfd_send_signal(2)
|
|
|
|
fails with ENOSYS.
|
|
|
|
* krun: add support for krun-sev.
|
|
|
|
* wasmtime: always grant file system capability for workdir inside
|
|
|
|
the container.
|
|
|
|
* wasmtime: inherit arguments list from the handler instead of the
|
|
|
|
current process.
|
|
|
|
* wasmedge: use released wasmedge library instead of libwasmedge_c.so.
|
|
|
|
|
|
|
|
- Update to 1.5
|
|
|
|
* add mono based native .NET handler
|
|
|
|
* new Wasmtime backend for running WebAssembly
|
|
|
|
* add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
|
|
|
|
* dropping support for experimental WasmEdgeProcess from wasmedge handler
|
|
|
|
* honor process user's uid when setting the HOME environment variable
|
|
|
|
* create the current working directory if it is missing in the container
|
|
|
|
* fallback to using a tmpfs mount if umount of /sys and /proc fails
|
|
|
|
* fallback to netlink to setup lo device
|
|
|
|
* fix creating devices in the rootfs
|
|
|
|
* fallback to using io.weight if io.bfq.weight doesn't exist
|
|
|
|
* remove tun/tap from the default allow list
|
|
|
|
* linux: devices mounts have noexec and nosuid
|
|
|
|
* fix copyup of files from the container to the tmpfs
|
|
|
|
* honor $PATH for newgidmap and newguidmap
|
|
|
|
* krun: limit the number of vCPUs to 8
|
|
|
|
* cgroup: add support for cpu.idle
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon May 9 12:43:12 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Update to 1.4.5:
|
|
|
|
+ CRIU: add support for different manage cgroups modes.
|
|
|
|
+ linux: the hook processes inherit the crun process
|
|
|
|
environment if there is no environment block specified in the
|
|
|
|
OCI configuration.
|
|
|
|
° exec: fix double free when using --apparmor and
|
|
|
|
--process-label.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- It'd be nice to run the test suite with %check. It however, still
|
|
|
|
does not work properly inside OBS workers. Add it commented and
|
|
|
|
explain it
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- switch to latest upstream version (1.4.4)
|
|
|
|
- big jump from 0.21! Here's a short summary, for details,
|
|
|
|
see: https://github.com/containers/crun/releases
|
|
|
|
* 1.4.4
|
|
|
|
wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
|
|
|
|
Resolve symlinks in bind mounts when creating a user namespace.
|
|
|
|
Fix CVE-2022-27650: exec does not set inheritable capabilities.
|
|
|
|
* 1.4.3
|
|
|
|
cgroup: avoid potential infinite loop when deleting a cgroup.
|
|
|
|
support additional options for idmap mounts.
|
|
|
|
open the source for a bind mount in the host.
|
|
|
|
* 1.4.2
|
|
|
|
CRIU: add pre-dump support.
|
|
|
|
Fix running with a read-only /dev.
|
|
|
|
Ignore EROFS when chowning standard stream files.
|
|
|
|
Add validation for sysctls before applying them.
|
|
|
|
* 1.4.1
|
|
|
|
Fix check for an invalid path.
|
|
|
|
Allow deleting a container while in created state.
|
|
|
|
cgroup: do not set cpu limits if number of shares is set to 0.
|
|
|
|
* 1.4
|
|
|
|
wasm: support for running on kubernetes with containerd.
|
|
|
|
linux: add support for recursive mount options.
|
|
|
|
add support for idmapped mounts through a new mount option "idmap".
|
|
|
|
linux: improve detection of /dev target.
|
|
|
|
now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
|
|
|
|
retry the openat2 syscall if it fails with EAGAIN.
|
|
|
|
cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
|
|
|
|
on new kernels, use setns with pidfd.
|
|
|
|
attempt the chdir again with the specified user if it failed before changing credentials.
|
|
|
|
* 1.3
|
|
|
|
add support to natively build and run WebAssembly workload and WebAssembly containers.
|
|
|
|
allow to specify sub-cgroup for exec.
|
|
|
|
chown std streams if they are not a TTY.
|
|
|
|
attach the correct streams if the container is suspended and restored multiple times.
|
|
|
|
fix race condition when enabling controllers on cgroup v2.
|
|
|
|
* 1.2
|
|
|
|
exec: fix regression in 1.1 where containers are being wrongly reported as paused.
|
|
|
|
criu: add support for external ipc, uts and time namespaces.
|
|
|
|
* 1.1
|
|
|
|
cgroup: use cgroup.kill when available.
|
|
|
|
exec: refuse to exec in a paused container/cgroup.
|
|
|
|
container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
|
|
|
|
criu: Add support for external PID namespace.
|
|
|
|
criu: fix save of external descriptors.
|
|
|
|
utils: retry openat2 on EAGAIN.
|
|
|
|
* 1.0
|
|
|
|
cgroup: chown the current container cgroup to root in the container.
|
|
|
|
linux: treat pidfd_open failures EINVAL as ESRCH.
|
|
|
|
cgroup: add support for setting memory.use_hierarchy on cgroup v1.
|
|
|
|
Makefile.am: fix link error when using directly libcrun.
|
|
|
|
Fix symlink target mangling for tmpcopyup targets.
|
|
|
|
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
|
|
|
|
- update and fixup dependencies
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Add libprotobuf-c-devel as an explicit dependency, for fixing
|
|
|
|
the build;
|
|
|
|
- Get rid of rpmlintrc, as it's no longer needed.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- make libkrun support conditional, so we can have crun (without
|
|
|
|
libkrun, of course) on all arches, which may help with
|
|
|
|
bsc#1188914.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Aug 6 13:37:49 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
|
|
|
|
it is a plugin, not a regular shared library.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Aug 6 09:55:53 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
|
|
|
|
|
|
|
|
- Update to 0.21
|
|
|
|
- honor memory swappiness set to 0
|
|
|
|
- status: add fields for owner and created timestamp
|
|
|
|
- cgroup: lookup pids controller as well when the memory controller
|
|
|
|
is not available
|
|
|
|
- when compiled with krun, automatically use it if the current
|
|
|
|
executable file is called "krun".
|
|
|
|
- container: ignore error when resetting the SELinux label for the
|
|
|
|
keyring.
|
|
|
|
- container: call prestart hooks before rootfs is RO.
|
|
|
|
- cgroup: added support cleaning custom controllers on cgroupv1.
|
|
|
|
- spec: add support for --bundle.
|
|
|
|
- exec: add --no-new-privs.
|
|
|
|
- exec: add --process-label and --apparmor to change SELinux and
|
|
|
|
AppArmor labels.
|
|
|
|
- cgroup: kill procs in cgroup on EBUSY.
|
|
|
|
- cgroup: ignore devices errors when running in a user namespace.
|
|
|
|
- seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
|
|
|
|
- seccomp: report correct action in error message.
|
|
|
|
- apply SELinux label to keyring.
|
|
|
|
- add custom annotation run.oci.delegate-cgroup.
|
|
|
|
- close_range fallbacks to close on EPERM.
|
|
|
|
- report error if the cgroup path was set and the cgroup could not be
|
|
|
|
joined.
|
|
|
|
- on exec, honor additional_gids from the process spec, not the
|
|
|
|
container definition.
|
|
|
|
- spec: add cgroup ns if on cgroup v2.
|
|
|
|
- systemd: support array of strings for cgroup annotation.
|
|
|
|
- join all the cgroup v1 controllers.
|
|
|
|
- raise a warning when newuidmap/newgidmap fail.
|
|
|
|
- handle eBPF access(dev_name, F_OK) call correctly.
|
|
|
|
- fix some memory leaks on errors when libcrun is used by a long
|
|
|
|
running process.
|
|
|
|
- fix the SELinux label for masked directories.
|
|
|
|
- support default seccomp errno value.
|
|
|
|
- fail if no default seccomp action specified.
|
|
|
|
- support OCI seccomp notify listener.
|
|
|
|
- improve OOM error messages.
|
|
|
|
- ignore unknown capabilities and raise a warning.
|
|
|
|
- always remount bind mounts to drop not requested mount flags.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Add a mention to crun-rpmlintrc in the spec file
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Since we're building with libkrun support, let's enable only the
|
|
|
|
arch-es for which we do have libkrun
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Suppress the (false positive) rpmlint warning
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Some fixes to the spec file (add some %doc, remove unused macros, etc)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
|
|
|
|
|
|
|
|
- Initial package for 0.18
|
|
|
|
Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>
|