commit 10246afe293829c1ee51144cfc79c081a44aeabe3f1f14e78f011012dacf80f3 Author: Dario Faggioli Date: Thu Sep 5 14:23:42 2024 +0000 new upstream release 1.16.1 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=47 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/crun-1.15.tar.gz b/crun-1.15.tar.gz new file mode 100644 index 0000000..c2343ac --- /dev/null +++ b/crun-1.15.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a03ba1e58b8823ae77d010024b43bd94c5a99f7d652257b1b23abd2d2cdb087f +size 1756886 diff --git a/crun-1.15.tar.gz.asc b/crun-1.15.tar.gz.asc new file mode 100644 index 0000000..65bf7c8 --- /dev/null +++ b/crun-1.15.tar.gz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui +F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc +gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n +wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ +U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC +fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S +R4c3fkxsV7PNXt6sNx+J8UAGntztBA== +=pgGE +-----END PGP SIGNATURE----- diff --git a/crun-1.16.1.tar.gz b/crun-1.16.1.tar.gz new file mode 100644 index 0000000..c7bc124 --- /dev/null +++ b/crun-1.16.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:70548de4874f0c9e7e1e080ff092e23f8fcc772a23261ee26e26d79f24df289e +size 1760357 diff --git a/crun-1.16.1.tar.gz.asc b/crun-1.16.1.tar.gz.asc new file mode 100644 index 0000000..e85118b --- /dev/null +++ b/crun-1.16.1.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAma7dj0ACgkQZ+OPeoui +F3LNNwgAidlpoqDuVBqh9ykjXfA0fnZ58NpWlU2wuHTk1zt+3vgTuFNGKmSimEZI +c8mcgjq3nvTTmCBWr6Qikh5neSCerJJ+eprvmRQwHHuJj1sPoM/KhmVVc4pfLhQF +B9MQxKrWf635TRh9r5V8kpx0K43ffL7ZVVNJ6Iumm4G1MOaEqpSZYSkgXMePFTGB +kRh9zaHJ66m50i7ctokyfI1Y07hexviDXOhJi5znA0Y2GBSoiZLQcY8hwB7xg/m1 +vd9vI9CHA2E05dWE/Zuz9v/1YRH+hb1fRpnJP6LQPYjlUM/CnmMEDE6yJjQYwDQU +Gu6uuqxH3nXMPJzv0MFpznEva5eLGQ== +=++ex +-----END PGP SIGNATURE----- diff --git a/crun.changes b/crun.changes new file mode 100644 index 0000000..70e06bb --- /dev/null +++ b/crun.changes 
@@ -0,0 +1,517 @@ +------------------------------------------------------------------- +Thu Sep 5 13:18:43 UTC 2024 - Dan Čermák + +- new upstream release 1.16.1 + +1.16.1: + +- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint. +- inherit user from original process on exec, if not overridden. + +1.16: + +- build: fix build for s390x. +- linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets. +- Fix sd-bus error handling for cpu quota and period props update. +- container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path. +- wasmedge: access container environment variables for the WasmEdge configuration. +- cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name. +- cgroup, systemd: improve checks for sd_bus_message_append errors + +------------------------------------------------------------------- +Thu May 30 12:30:26 UTC 2024 - Dario Faggioli + +- New upstream release 1.15 + * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY. + * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run. + * release: build s390x binaries using musl libc. + * features: add support for potentiallyUnsafeConfigAnnotations. + * handlers: add option to load wasi-nn plugin for wasmedge. + * linux: fix "harden chdir()" security measure. The previous check was not correct. + * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. 
+ +------------------------------------------------------------------- +Wed Mar 6 10:06:50 UTC 2024 - Dan Čermák + +- New upstream release 1.14.4 + +* crun-1.14.4 + +- linux: fix mount of file with recursive flags. Do not assume it is + a directory, but check the source type. + +* crun-1.14.3 + +- follow up for 1.14.2. Drop the version check for each command. + +* crun-1.14.2 + +- crun: drop check for OCI version. A recent bump in the OCI runtime + specs caused crun to fail with every config file. Just drop the + check since it doesn't add any value. + +* crun-1.14.1 + +- there was recently a security vulnerability (CVE-2024-21626) in runc + that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is + outside the container rootfs. While crun is not affected directly, + harden chdir by validating that we are still inside the container + rootfs. +- container: attempt to close all the files before execv(2). + if we leak any fd, it prevents execv to gain access to files outside + the container rootfs through /proc/self/fd/$fd. +- fix a regression caused by 1.14 when installing the ebpf filter on a + kernel older than 5.11. +- cgroup, systemd: fix segfault if the resources block is not specified. + +------------------------------------------------------------------- +Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini + +- update to 1.14: + * build: drop dependency on libgcrypt. Use blake3 to compute the cache key. + * cpuset: don't clobber parent cgroup value when writing the cpuset value. + * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, + allowing file permissions to be set as specified in the OCI configuration. + * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11. + +- update to 1.13: + * src: use O_CLOEXEC for all open/openat calls + * cgroup v1: use "max" when pids limit < 0. 
+ * improve error message when idmap mount fails because the underlying file system has no support for it. + * libcrun: fix compilation when building without libseccomp and libcap. + * fix relative idmapped mount when using the custom annotation. + +------------------------------------------------------------------- +Fri Dec 1 13:41:35 UTC 2023 - Dan Čermák + +- New upstream release 1.12: + + * add new WebAssembly handler: spin. + * systemd: fallback to system bus if session bus is not available. + * configure the cpu rt and cpuset controllers before joining them to + avoid running temporarily the workload on the wrong cpus. + * preconfigure the cpuset with required resources instead of using the + parent's set. This prevents needless churn in the kernel as it + tracks which CPUs have load balancing disabled. + * try attr//* before the attr/* files. Writes to the attr/* + files may fail if apparmor is not the first "major" LSM in the list + of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). + +- New upstream release 1.11.2: + + * fix a regression caused by 1.11.1 where the process crashes if there + are no CPU limits configured on cgroup v1. (bsc#1217590) + * fix error code check for the ptsname_r function. + +------------------------------------------------------------------- +Mon Nov 6 10:19:58 UTC 2023 - Dirk Müller + +- update to 1.11.1: + * force a remount operation with bind mounts from the host to + correctly set all the mount flags. + * cgroup: honor cpu burst. + * systemd: set CPUQuota and CPUPeriod on the scope cgroup. + * linux: append tmpfs mode if missing for mounts. This is the + same behavior of runc. + * cgroup: always use the user session for rootless. + * support for Intel Resource Director Technology (RDT). + * new mount option "copy-symlink". When provided for a mount, + if the source is a symlink, then it is copied in the container + instead of attempting a mount. + * linux: open mounts before setgroups if in a userns. 
This + solves a problem where a directory that was previously + accessible to the user, become inaccessible after setgroups + causing the bind mount to fail. + +------------------------------------------------------------------- +Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák + +- New upstream release 1.9.2: + + * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels + do that automatically, but new kernels remember the affinity that was set + before the cgroup move, so we need to reset it in order to honor the cpuset + configuration. + +- New upstream release 1.9.1: + + * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 + that always refuses chmod on a symlink. + * build: fix build on CentOS 7 + * linux: add new fallback when mount fails with EBUSY, so that there is not an + additional tmpfs mount if not needed. + * utils: improve error message when a directory cannot be created as a + component of the path is already existing as a non directory. + +- Only build with wasmedge on x86_64 & aarch64 + +------------------------------------------------------------------- +Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi + +- Add crun-wasm symlink for platform 'wasi/wasm' + +------------------------------------------------------------------- +Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash + +- Update to 1.9: + * linux: support arbitrary idmapped mounts. + * linux: add support for "ridmap" mount option to support recursive + idmapped mounts. + * crun delete: call systemd's reset-failed. + * linux: fix check for oom_score_adj. + * features: Support mountExtensions. + * linux: correctly handle unknown signal string when it doesn't start with + a digit. + * linux: do not attempt to join again already joined namespace. + * wasmer: use latest wasix API. + +------------------------------------------------------------------- +Tue Sep 5 11:41:14 UTC 2023 - Alexandre Vicenzi + +- Enable WasmEdge support to run Wasm compat containers. 
+ +------------------------------------------------------------------- +Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash + +- Update to 1.8.6: + * crun: new command "crun features". + * linux: fix handling of idmapped mounts when the container joins an + existing PID namespace. + * linux: support io_priority from the OCI specs. + * linux: handle correctly the case where the status file is not written + yet for a container. + * crun: fix segfault for "ps" when the container is not using cgroups. + * cgroup: allow setting swap to 0. + +------------------------------------------------------------------- +Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat + +- Update to 1.8.5: + * scheduler: use definition from the OCI configuration file + instead of the custom label that is now dropped and not + supported anymore. + * cgroup: fix creating cgroup under "domain threaded". + * cgroup, systemd: set the memory limit on the system scope. + * restore tty settings from the correct file descriptor. It was + previously restoring the settings from the wrong file + descriptor causing the tty settings to be changed on the + calling terminal. + * criu: check if the criu_join_ns_add function exists. + Fix a segfault with new versions of CRIU. + * linux: do not precreate devs with euid > 0. Fix creating + devices when running the OCI runtime as non root user. + * linux: improve PID detection on systems that lack pidfd. + While there is still a window of time that the PID could be + recycled, now it is now reduced to a minimum. + * criu: fix memory leak. + * logging: improve error message when dlopen fails. + +- Changes from 1.8.4: + * drop custom annotation to set the time namespace and use + the OCI specs instead. + * cgroup: workaround cpu quota/period issue with v1. Sometimes + setting CPU quota period fails when a new period is lower, + and a parent cgroup has CPU quota limit set. + * cgroup: fix set quota to -1 on cgroup v1. + * criu: drop loading unused functions. 
+ +------------------------------------------------------------------- +Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller + +- update to 1.8.3: + * update: initialize the rt limits only on cgroup v1. + * lua bindings for libcrun. + * wasmedge: add current directory to preopen paths. + * linux: inherit parent mount flags when making a path masked. + * libcrun: custom annotation to set the scheduler for the + container process. + * cgroup: fallback to blkio.bfq files if blkio is not available + on cgroup v1. + * cgroup: initialize rt limits when using systemd. + * tty: chown the tty to the exec user instead of the user + specified to create the container. + * cgroup: fallback to create cgroupfs as sibling of the current + cgroup if there is none specified and it cannot be created in + the root cgroup. +- add keyring for GPG validation + +------------------------------------------------------------------- +Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel + +- Update to 1.8.1 + * linux: idmapped mounts expect the same configuration as + the user namespace mappings. Before they were expecting the inverted + mapping. It is a breaking change, but the behavior was aligned + to what runc will do as well. + * krun: always allow /dev/kvm in the cgroup configuration. + * handlers: disable exec for handlers that do not support it. + * selinux: allow setting fscontext using a custom annotation. + * cgroup: reset systemd unit if start fails. + * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1. + * cgroup: always delete the cgroup on errors. + On some errors it could have been leaked before. + +- changes from 1.8 + * linux: precreate devices on the host. + * cgroup: support cpuset mounted with noprefix. + * linux: mount the source cgroup if cgroupns=host. + * libcrun: don't clone self from read-only mount. + * build: fix build without dlfcn.h. + * linux: set PR_SET_DUMPABLE. + * utils: fix applying AppArmor profile. 
+ * linux: write setgroups=deny when mapping a single uid/gid. + * cgroup: fix enter cgroupv1 mount on RHEL 7. + +------------------------------------------------------------------- +Wed Dec 7 09:24:19 UTC 2022 - Frederic Crozat + +- Update to 1.7.2: + * criu: hardcode library name to libcriu.so.2. + * cgroup: always enable all controllers, even if the cgroup was + already joined. Regression caused by crun-1.7. + +- Changes from 1.7.1: + * criu: load libcriu dynamically. + * seccomp: initialize libgcrypt. + * handlers: fix rewriting the argv if the full cmdline doesn't + fit. + * utils: honor SELinux label when using a custom handler. + * utils: honor AppArmor label when using a custom handler. + * krun: copy the OCI configuration file into the container. + * utils: fix creating the default user namespace when running + with euid != 0. + * Add setlinebuf() when --debug and --log=file: are used. + * Fix timestamp format in the error messages. + * krun: disable libkrun's collection of env vars. + +- Changes from 1.7: + * seccomp: use a cache for the generated BPF. + * add support for setting the domainname through the OCI spec. + * handlers: define wasm and krun. + * wasmtime: add support for compiling .wat format. + * cgroup: honor checkBeforeUpdate on cgroupv2. + * crun: chown std streams before joining the user namespace. + * crun: display rundir in --version output. + * container: with cgroupfs use clone3 to join directly the target + cgroup. + * linux: create parent directories for created devices with mode + 0755. + * wasm: inherit environment variables in the WasmEdge handler. 
+ +------------------------------------------------------------------- +Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli + +- Update the libkrun dependency to the new libkrun1 library and + devel package + +------------------------------------------------------------------- +Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli + +- Update to 1.6 + * runc compatibility: -v now prints the version string. + * build: fix build with glibc 2.36. + * container: drop intermediate userns custom feature. + * cgroup: change the delegate cgroup semantic so that the cgroup + is created in the container payload after the cgroup namespace + is created. + * seccomp: use helper process to send file descriptor to the listener + socket. It enables to be notified on every syscall without hanging + the main process. + * linux: add a fallback to using kill(2) if pidfd_send_signal(2) + fails with ENOSYS. + * krun: add support for krun-sev. + * wasmtime: always grant file system capability for workdir inside + the container. + * wasmtime: inherit arguments list from the handler instead of the + current process. + * wasmedge: use released wasmedge library instead of libwasmedge_c.so. 
+ +- Update to 1.5 + * add mono based native .NET handler + * new Wasmtime backend for running WebAssembly + * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x + * dropping support for experimental WasmEdgeProcess from wasmedge handler + * honor process user's uid when setting the HOME environment variable + * create the current working directory if it is missing in the container + * fallback to using a tmpfs mount if umount of /sys and /proc fails + * fallback to netlink to setup lo device + * fix creating devices in the rootfs + * fallback to using io.weight if io.bfq.weight doesn't exist + * remove tun/tap from the default allow list + * linux: devices mounts have noexec and nosuid + * fix copyup of files from the container to the tmpfs + * honor $PATH for newgidmap and newguidmap + * krun: limit the number of vCPUs to 8 + * cgroup: add support for cpu.idle + +------------------------------------------------------------------- +Mon May 9 12:43:12 UTC 2022 - Frederic Crozat + +- Update to 1.4.5: + + CRIU: add support for different manage cgroups modes. + + linux: the hook processes inherit the crun process + environment if there is no environment block specified in the + OCI configuration. + ° exec: fix double free when using --apparmor and + --process-label. + +------------------------------------------------------------------- +Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli + +- It'd be nice to run the test suite with %check. It however, still + does not work properly inside OBS workers. Add it commented and + explain it + +------------------------------------------------------------------- +Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli + +- switch to latest upstream version (1.4.4) +- big jump from 0.21! 
Here's a short summary, for details, + see: https://github.com/containers/crun/releases + * 1.4.4 + wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars + Resolve symlinks in bind mounts when creating a user namespace. + Fix CVE-2022-27650: exec does not set inheritable capabilities. + * 1.4.3 + cgroup: avoid potential infinite loop when deleting a cgroup. + support additional options for idmap mounts. + open the source for a bind mount in the host. + * 1.4.2 + CRIU: add pre-dump support. + Fix running with a read-only /dev. + Ignore EROFS when chowning standard stream files. + Add validation for sysctls before applying them. + * 1.4.1 + Fix check for an invalid path. + Allow deleting a container while in created state. + cgroup: do not set cpu limits if number of shares is set to 0. + * 1.4 + wasm: support for running on kubernetes with containerd. + linux: add support for recursive mount options. + add support for idmapped mounts through a new mount option "idmap". + linux: improve detection of /dev target. + now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2. + retry the openat2 syscall if it fails with EAGAIN. + cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup. + on new kernels, use setns with pidfd. + attempt the chdir again with the specified user if it failed before changing credentials. + * 1.3 + add support to natively build and run WebAssembly workload and WebAssembly containers. + allow to specify sub-cgroup for exec. + chown std streams if they are not a TTY. + attach the correct streams if the container is suspended and restored multiple times. + fix race condition when enabling controllers on cgroup v2. + * 1.2 + exec: fix regression in 1.1 where containers are being wrongly reported as paused. + criu: add support for external ipc, uts and time namespaces. + * 1.1 + cgroup: use cgroup.kill when available. + exec: refuse to exec in a paused container/cgroup. 
+ container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing. + criu: Add support for external PID namespace. + criu: fix save of external descriptors. + utils: retry openat2 on EAGAIN. + * 1.0 + cgroup: chown the current container cgroup to root in the container. + linux: treat pidfd_open failures EINVAL as ESRCH. + cgroup: add support for setting memory.use_hierarchy on cgroup v1. + Makefile.am: fix link error when using directly libcrun. + Fix symlink target mangling for tmpcopyup targets. +- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself) +- update and fixup dependencies + +------------------------------------------------------------------- +Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli + +- Add libprotobuf-c-devel as an explicit dependency, for fixing + the build; +- Get rid of rpmlintrc, as it's no longer needed. + +------------------------------------------------------------------- +Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli + +- make libkrun support conditional, so we can have crun (without + libkrun, of course) on all arches, which may help with + bsc#1188914. + +------------------------------------------------------------------- +Fri Aug 6 13:37:49 UTC 2021 - Frederic Crozat + +- Drop libkrun-dlopen.patch and adapt to libkrun new package name, + it is a plugin, not a regular shared library. + +------------------------------------------------------------------- +Fri Aug 6 09:55:53 UTC 2021 - Frederic Crozat + +- Add libkrun-dlopen.patch: use soname when dlopening libkrun. + +------------------------------------------------------------------- +Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin + +- Update to 0.21 + - honor memory swappiness set to 0 + - status: add fields for owner and created timestamp + - cgroup: lookup pids controller as well when the memory controller + is not available + - when compiled with krun, automatically use it if the current + executable file is called "krun". 
+ - container: ignore error when resetting the SELinux label for the + keyring. + - container: call prestart hooks before rootfs is RO. + - cgroup: added support cleaning custom controllers on cgroupv1. + - spec: add support for --bundle. + - exec: add --no-new-privs. + - exec: add --process-label and --apparmor to change SELinux and + AppArmor labels. + - cgroup: kill procs in cgroup on EBUSY. + - cgroup: ignore devices errors when running in a user namespace. + - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default. + - seccomp: report correct action in error message. + - apply SELinux label to keyring. + - add custom annotation run.oci.delegate-cgroup. + - close_range fallbacks to close on EPERM. + - report error if the cgroup path was set and the cgroup could not be + joined. + - on exec, honor additional_gids from the process spec, not the + container definition. + - spec: add cgroup ns if on cgroup v2. + - systemd: support array of strings for cgroup annotation. + - join all the cgroup v1 controllers. + - raise a warning when newuidmap/newgidmap fail. + - handle eBPF access(dev_name, F_OK) call correctly. + - fix some memory leaks on errors when libcrun is used by a long + running process. + - fix the SELinux label for masked directories. + - support default seccomp errno value. + - fail if no default seccomp action specified. + - support OCI seccomp notify listener. + - improve OOM error messages. + - ignore unknown capabilities and raise a warning. + - always remount bind mounts to drop not requested mount flags. 
+ +------------------------------------------------------------------- +Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli + +- Add a mention to crun-rpmlintrc in the spec file + +------------------------------------------------------------------- +Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli + +- Since we're building with libkrun support, let's enable only the + arch-es for which we do have libkrun + +------------------------------------------------------------------- +Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli + +- Suppress the (false positive) rpmlint warning + +------------------------------------------------------------------- +Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli + +- Some fixes to the spec file (add some %doc, remove unused macros, etc) + +------------------------------------------------------------------- +Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli + +- Initial package for 0.18 + Based on the package by Giuseppe Scrivano diff --git a/crun.keyring b/crun.keyring new file mode 100644 index 0000000..f508c86 --- /dev/null +++ b/crun.keyring 
@@ -0,0 +1,208 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG +7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6 +gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL +dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS +O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY +tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8 +zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH +QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v +4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ +ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/ +JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB +tCVHaXVzZXBwZSBTY3JpdmFubyA8Z3Njcml2YW5vQGdudS5vcmc+iQI3BBMBCgAh +AhsDAh4BAheABQJYsGOCBQsJCAcDBRUKCQgLBRYCAwEAAAoJECY9bfLhY+Hq5W0P +/Rq2TUBpxOvjyga90D5G0k+AlgZUp3W+J2Ol632t3Q+ZI03zbRwmtyF/Bq9J4wsA +UiAJb3M6BQjaExdzdgM2DOPT5UDichHushTTzeO3NjAxUzBrN7ZXReRevq1ulysS +sTEqZlGUr6HztdAlN4hTetAnVibQQ8dMyCO3t8s/wgXUtsV8LZ2wwt6JaPTBpkuR +ECSspOEg39Id382tHMTUGDcKj5nRaxV6tjyyTnTJOvkL1xmYGUcHSPoWl4RycrJC +mfl8rcZF/kbhUckRcIRPWBG4Uks4qUeq+YxO47kJi0Yu5fBEc370ydOzkEoGeKgy +fiQtIn1FURFKNPG3ooB4U+L3AWieMl8374dqTs+x+S3io+Bxo363mP1FYvo5bWFS +Q2siUBWg5Ab+UjWYIcyqA7Jsdnig0+N9LoCTa0+Ba/wFO//ejBvyHss5EhbJyjdT +oPc30NUU8OjX23vQO20bM7JAVvb9YEpXOPkvxmb8DrMzvU35gBxgeyspaukiuoe/ +rPTT6daCOXTXJ4CeSNP9ggzTvcqZn47lQtVUdxB1UnYkmsOG9lv1SEV23ahSnvA0 +pV4C3481z9u2iBvj9tVjmCNcaGPPTiYJr7/TSPGIqAVGYiNWNbYBeWYCNWfrCByv +WuJDPhtonT6vON65uKSWbDyNjbGf4QvTfs7CLEaXce4dtCdHaXVzZXBwZSBTY3Jp +dmFubyA8Z3Njcml2YW5AcmVkaGF0LmNvbT6JAjcEEwEKACECGwMCHgECF4AFAliw +Y4IFCwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj4eoqWhAAvdQlRb9TjEOe1K2/ +SQGM1COQwg/9h7vQEFg4P5Okfb9pgu5XYB8qU72UudNShA1ZAJ5beN9VjatD7l+e +4T1YL8ZrnUvzQwnytsnHrJI+n+KOGJH3jHi7Fms0vhl1KuOtiYTdiM2mJjA/0aE+ +e14FPBM7/1tbcVzmYy5CHZcOXcOfgxu7tFO1PsUne4GVfInwV+k2O+6gQ+7mKgHF 
+0IB1ic2t4ih5jcTeY1Zga+GToOtpI89Stz0g6QTnu+03P1wbmLhw5sxgcD/AyrHh +uOnYCmR58TJSmWHpClNneR8T1qIaf1JWhPlXgCchAMPZRZLHGAg3q/zALJ1RHXyt +T2KZeVZ8DdOu3fkOt63r4aVNtOZYRR8kKhuSJiWH8HnmqcW0/cujvt1ZAKXkBABh +PABwv/3mK+JhItz+MJp4PWycqayAPerVY+lM3MU+kDfQzHuAw7C+KX2NOxT4FjWm +lW5kzOfBiQqPTEQCR/1pPRISYSE/AnVHx4qAGKQYg9LMopzY6CT4d3/N9RbEdRPf +JKGEu174LcOGA8qF4jLtd3gJEna0PrucisT0WaW3tZwv8vxLsu1glUr23Uxgj5AA +ahQpTf6CRknuE6LGeSqepdFy0fILVGQFjWbpgYe40pvc9jBZ6YMn6f1bjT8iOToC +tFcoAO6+30hsyixOkq9DUC3d/jq0J0dpdXNlcHBlIFNjcml2YW5vIDxnc2NyaXZh +bm9AZ21haWwuY29tPokCNwQTAQoAIQIbAwIeAQIXgAUCWLBjggULCQgHAwUVCgkI +CwUWAgMBAAAKCRAmPW3y4WPh6qPDD/4wYETALuFVLMwmjZkQeSbPN2nix+akvRQg +ib/eg22NI3Sxq5129HJV7UK5La1NX/lAJTnNsx78F+l7kVvxMNZuXtM5gUqYigjH +SJUx1bHrv8E7OYF1BLRSjJs+Mcx43GDYIY79dSgO9BeOTQXl/HcvLujQ0OWdi8VU +NFMh9l8T1JKRN8KDHPb+he8oUBVjEomwjDtYmJDZg3Gbf08gAvMnhqj4HnOL8ZLw +VESgGldy6men6cxAlZNPZVUI4b/BsDbBU8kNVXkSVC5wMcSVXsXbdOLkDuNHCJfX +JMY2Pow1tNU9CGOqPXnLVF5T66kf8SPOAyBMC6H6ae/7zpAf6tg+ETmimD/exvYc +rqF9b5JhBbwnntSXYGIKc5wK4DRe74lSPqCmeBqZDCR+XYpn9Ksr3+q6xs2V7K5E +miQtXXIwPMr3LddbmPGaQ+tmafN55Lr1A4g1uVOGcedO+/3yHCXxVMgndxLmast1 +HGvKfLVp7ag60u/3J9VuMIZIb5sg7jLQy3JBCqVslT+Ur8hS6NUO7WM2C6GexEq1 +mcPqrxFg3WM5QlQRAXbJ7E936eGKSsC+akcNaS3esrAvnhYXVWWGt5jFqzsADS6e +slmHS2Fzr7siuAVYKS5qUO4sJvzx/ERrZ+I+6euQodkq+kwm5gQ9LYrGDB2hMJLI +uUWMN6iPjrQpR2l1c2VwcGUgU2NyaXZhbm8gPGdpdXNlcHBlQHNjcml2YW5vLm9y +Zz6JAk4EEwEKADgWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUCWwaKCQIbAwULCQgH +AwUVCgkICwUWAgMBAAIeAQIXgAAKCRAmPW3y4WPh6srbD/4xLYNsUkEwwjjlDSym +zDA0wjYdZGYp6qLcEqfd06W617RS/tghdfB2HWizaQrZ7TNTiMFIgptO/+sEqdW7 +qJIDoLLSOwr68EzGQjnL733jPo2CXOTD8cBKblOaQy4z3agND59PGAZ8SYQcqbNY +9xHtdomtg7o2pCxXtEtKH/yG98bD/9i4/B9fHUx5wvpChE/0EFhMcNJj2AQUpNZN +c0dBe5AChcw24jEBq/yIQN12yuIfTuWxWicdTw1g/ssH1YPBxaFWBosIzXezc0tB +8TBEa7pIwexKGRmu/q2SJqGxGjN6ahlPmI6BMFpeC9Y3BaNpkMpqBMHHuvrLS/b+ +xb9Nfn0QIkAbLg/48CG8Tp+Otlm9Av2d2RzriIOJ6boyqdSTc5uIVO9z2mKlyHia +Fc+up6iGoN23TZWJUo1fk7GNv+MWa9cZ4SIynQUPQS+sg48DKRTPevDiNW8ui/rP 
+F81qnOiRpoyoQn8ufaLVj+vbF3pxSpnObEM7m0q0dp8MjC6TvP2wYhZttdJLo4vq +c7fyWjgbp0VAxOKX9LT3hIw6MyYsHQZdx6B+wmECnAXahHh/oJlroGZQ955tgNPG +N0strU4oCjs03VI7x7pjnPemwKvY5ufp50ERfCbd7A8MzeVRrj6lkl8gDOvBt2tw +2Yv5f+3Dyg1g6+kKNUMvuSWLOrkBDQRbBpj4AQgAr5FJtb/JHyorka9GotYApT1K +LfRloDU9YmADR0SEWxCHkFruQ6gHyz9D9ytKUkbJTfd9TVSoItnoRnnlSmuH6+Je +Ld/S3srV8Qksi54pnsN0kPW8A0ceQCn+8j9d/7+gR+GO+H1Buugi0y6Kr9NP9TKq +P/i74lmxra0tEPLwyFJYnZVaoz0hcMDodTDvFe6WL7TBhOQ6ZLobSUxm4nA1BJQB +e3txnYBNx3ixoNqONYnSj78vjbKE8eBSIFdUgPnCVfc0vyOKCqNg7PFjVTFV7MKZ +fOjWHNkSS+sU6+RAdl3IZ1wZDrH9f6VTvFv6Iurdgry9k8Eld6htr7RE0mNDowAR +AQABiQI2BBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGmPgCGyAACgkQ +Jj1t8uFj4erV9A//YkH0VIIhD1N3bUr3w/3/dxfACRuLKM+RRJh9qtGpvhVeumIx +tPMll5LG/LCbUHKobD+P01SBkCugRC0iIL1AtUklr+SoX6pcB5JBVfw3MNjmA41z +C+Sb2ze+32LMLFLN+p7XlgIqNktYN2q4CUMx7ToMl1LUpjnn/IbDBo4+bPZOSICm +zNAR/bj4T5AgjqxhX/6iLJHdtOzknGN1GcJSnbcnKHj3dmb0A0Oqt4NLLA2/ur37 +Q8yZSeZRYN002qtugBrCxHp9UIWnnsTKFr3MRXp78/xYxZVGR2G939B5QYkuehkv +iaqxCJGAnKOVoH7XNjiCKjDCX3Di+Mr1AOZfazwe+hHqLfR3LlnLtOTu0t6uUMbi +imMQaHihmXcLWo2xUUG7WhuRHMqTpS0Bhbv5sp8W4qAovni1eG7IKVH6Awwic37z +yaH8NUMaF8Epr++XB6A1QVdv+4Eow7ftHg8z5qj7pq6lEDaLbYr1fUOYzJCmT1UM +O5v0HmMGUhDwdETjBHxbr/EAAQT0xO/hQ0UQMQHhj26p7tecJw0FMsS7ciM1phyS +Ttf+qyJrnO1VWkixec5tKluHwo7PMeozVs8csSnVFhJM/LWrVUzCHJFPPRtF1Y4W +xdTsDsX7JUBP9ZsyisomPrcfckn6/fmddlLOLGTHXHV411bdtRPRlJnlNRy5AQ0E +WwaZzwEIALMNijLI/Bjxtt3dAOC/FrGpfRelGzd5nmnbboBAqGgWkrBukpaqG/mL +h4LMtfWwq9L45+TdhFp4AEFrtH2DvHpH8LIV3EGRq5mV5Kl3PMIpnUAyh4bCVkeP +xcP1ucM595xUVrmBRVbJYUY09ezglFe9pfSiTHBnb4rlA4B7a/GlYQsp91JZdjAB +Wgkw19+v1tD5o9ul1vHRQYJ+WhjCZXX0WKuLPU8DO8lgQBWyW+vV8JB7FQFSSamk +qVfOYbSBqwzL0rtjFfmsjoMruNSiGPn83sre/UhQ+pcqukA+YYQA6BLj2lCxwyYf +xkF6eoUWjqtJy63WkhYS+NxfYaZYc1UAEQEAAYkCNgQoAQoAIBYhBKxATBwL9zXG +P/TVYiY9bfLhY+HqBQJbjuoJAh0BAAoJECY9bfLhY+HqUOUQAKZjKBOzvqtI7Cwd +nZgsfduW6rWwgQtyc1l+bRmRiPmZMqS5Tjr8h85B7aQMvms3saZGmsgHv2abIVp2 +BOZ+Rv727n+jR1TBtSxnAFGv8QvqBy4Zjia/CM8LrE1fQJUK8yFrjFHh75ZsLvWE 
+dNlfO9a7JEw2OvTDd2FbroVjmRG2XeqGqxaGabDeW+d400cmLjrBNjv2hg0gR33x +1qiznYdtXjC3baFvHr8PQaSspqhzntmtZjiOvlHU4CI7IYWC4lnouLAPurlNYQrT +qLFuGxT+fELIIhlFxuBF7vV/L29SxxkvQjPs5czErEOVoqYR9DTN2aQcCl/3rXQN +zBNBzBPdy9Swsn2wLt3eZFvyhSqQcmLbl5/EQedgEejP1fG5fmUhNOjpvFYKhsHD +n97/5oMYy4EZ9oE6TCP8XQOt6PowHdq6nEdKP3puCuofv7jZxIgY+p3mIuL9Q4vi +G7cqVAM4qXbKAE0Rw337jYb2vQHxNpQcGJAKV4dAFhWG7MTFV6LuGXHew9vm/H+7 +5qtMn1kKhVmOxS5slh7iPduRnBcxEROqdD8xhKWwyoferOkRZ0tsWtF1uPsvy/0y +2nakGOVuIoIGI9XuBbLWHf5uhI6PRY1nmRI5ASbufZEgg+xCkLpxz/Qe23alO8+U +l4M85DpsSZnMdDmfbi8TDXX02E2AiQNyBBgBCgAmFiEErEBMHAv3NcY/9NViJj1t +8uFj4eoCGy4FAluO6bYFCQCJoUkBQMB0IAQZAQoAHRYhBPPROLqQ5hw8rucBtrcl +8/29rNRGBQJbBpnPAAoJELcl8/29rNRG+d4IAJ4gVyORbDtgJJXZbuWW+gJCv6/i +bhLeBE17+GQ6dvArBS4JBGhrxFxVCne2A9AEN49o5TFlJH0XCvbiZehvQOoQCfYZ +i2BZuys0bYKqUvFdAbBm90WV177s3povAHP4Q8YXiIASYurWW7aYW+1l33jKBFWw +fFcScUxwBqhAoJpSNAqakSmbqf72FNOclvk66ZPqQu+0OBzjtNp9V/PVHeZ6pLeI +MYpb9w5miXGPbd2LdoirLqCewphjQtof2NeqUP8/a9KLhNh78+u0wKCpDiUttiBP +7j1otqeWXtimT33Nfpo4cPvLAG8SRx6GU1fj570j51/L9fWj6de4zNg08z4JECY9 +bfLhY+HqqBUP/jnLbmDM2FJQq5osAJEnENg4WpB7oagprs9e9iG0+ipaCRmCXOYF +CxAyUXGJVatWpH1LjikGuVrHE+Rw1MG2Gicf1OWJRIDUzc8x8NnZSWqt8VakuM0R +cJjIAossAf/OrLzOsY83MpcOkPp6r8256ik0bpPYeoOdppsDmD9m6630NfUTyd5G +6mrvcW1x/OTgxZjTS+1LQa81uYjfQI39ZiW/KIoDs/bYU5hebpVYDSquc+/XapJv +2ThlPYzGujnEQe/sidzonqzJRFRweWwpFsjBiW8OCw34hWhXRMt4k5usazxyTq9F +bPe02VaJpfkuviAFNP6igyb8GjHUtkLqC7VE6PByjVzdicSo115FNm2z3vVQNFcr +dm9qp4Vg1i8OqU66hzOu6TgfwFupdj4bL9W4ys9wm4J3rVN2Nv4Rtpn5XUwOiWxG +W/CO3HhaBILoOEVunyIHv2D/Qg80zNN1xyYNbTC20DBouMFINaHiJPcZRho3mBc9 +V1U3cLsDVunMzuEXmkZP8a86fNrQgnyyxtXHQ30fn+y9M+1um6SvJyJMJsrHQey1 +avREKeDMaG/kHH3tmsLGAIZhz6LnWhBa/Ih9opYMjsdrjqZoFsMre79mRCTPv0Wk +gBkIuEd8WLvrJ7I3ghstcl8chTNXvme6QBXCd3YkGW4aT6h/9mrMjDK4uQENBFsG +tRcBCADEld1p2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRdaWV8gIdtC3q9Eg4Bp +d7wUczNsCYWkiGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDgiU+j1LsPmi4u0oIH +g/hOCuFyLoWCkJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4JjLxpLvkXpWQGKJF 
+21s9GulRUP3E30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfpIQX/6z+NlSkNigub +D9jbTvMuY2zbZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mYQUbmYQfB/aX60TMY +Qt3UBivggU15u6mdrGo1bedCLvDhABEBAAGJA2wEGAEKACAWIQSsQEwcC/c1xj/0 +1WImPW3y4WPh6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBAJ/O9WF +lMoYG7XsUORzD5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH/1fxABg0deOflZE8 +SS9VTR0BiM6IIOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW/OHJ70nmdhVgNM1I +AjZAO6NjeCaAaJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HGzBMvZ5UITPz5NylU +Bh1s1PQoZKuB8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO2R0i3s4WalF4PeSM +qvrL5wgrEAw7hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0JUd15kgtd/D2zN1ek +zrEoARwuaPnTOmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPAA5j8QwZmPkdlUGdW +oo+t1k34GQ/+MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5EysBfYMcLWAMecYzp +/3Oj6LTRFisBnWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggWO9oCrkt4djhSMrCX +OuEKHyarnf+EsLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDiaweoTqdWhUnb/9rFN +FUuR9s2ij2u1TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuVvxtDokOT3P+st5YC +HI0fr56MykhsTUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW+qly8UiDFMA4DBR+ +K+V9/VdeDYjKB9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBjGn2sqBVP46YoC/dx +H7GFYusLSYofQhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74JXlJkaX3wezGScak +X/shP2KbmvB3cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAhJ48a5YTLnG8aqJSG +I7dCDbMUcPTRuDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9hs+74oeNHb0QHEPA +xfls58gAHRzhZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5WtOuuJxV6UmeQLTP +D721jlBPpALOTicKph3axybnW2w/zw0hEH9NOJIFePftgE42SLolicG5AQ0EW50E +YgEIAOFJvfHksz6p1nPpIJZFB8auV4vGH09xjOSb8vSaJtlcFd/Hcm+97hm25Nw+ +Kz/hibmpOndb8EIwIyr9VUmo2BvWNRteYQYuIqv8VYSgdTuy5oZnYOw/BpQQHJW0 +56BhCYqUbrqOIa9uQ5X48zvvzQpW24pRt6sYv4/1Hw/jr9u68oxPL6nDcX2QQhtO +H2AYLNAG9LoXEcFaC034yisd7ARJjg1F85MJZPDNLhcIUkZNaeL9RfzVgC6wEtwy +Ij4CLtqnjvTSnlskZfAWSM+xU7NV9UIpXanX7dly5IrCFiay8vUGajU+hkbGQult +MsQ+IKXXFQHgwLMmf5F9EcQ/+RkAEQEAAYkCNgQYAQoAIBYhBKxATBwL9zXGP/TV +YiY9bfLhY+HqBQJbnQRiAhsMAAoJECY9bfLhY+HqzkUP/jGNn7aizhy/j4aHJE/4 +5ZGsOzCYDO7zGVvPYn78ekIOlrDYma89eRyJkDEbKO0BkEpqYbiE4UyvI+QCEeT5 +a8usF9DayXW0D25zr5hsjBD9KJHxPYzJt619Py5MgGZmQU6snvp7qr+TfJM3c8Le 
+s4MU8Dk6eHHa3MrVINDcF2Y1kb9FeHeNgjjyOUjbYOHw8C4c6vNE4Zip6jzC13NO +DLVbn5UPRXrbmKWIoDE8zNljbRWHvB2AvKl/YaiRLq4XsGnIUMlIZzU3Wq21/VX4 ++CVJCBe5Fu/EPpryJnWe4ONX6105wvoyBpZ5Yw6hZk6Qfkt7fye4Qo1xlT8oTai6 +q+GkXr7jwGP2sD5v9hVpihPC3y3zQtlLwqgdgyTI5OPGObpDf5Y/9Z+57yPtT312 +yW8YP9gQf/AXLJn3EcpQIGENFh7gTBzwushRbXQPgXkmqi34U/KLkWYjkX+vNR+c +yKg6OJLizFzgX3Iyp9xW5XRqu7dIlgFOtHhYIgkQz1x5QkYQZpjN53lldXxLqVXe +OlapdFUa64nsukJo1H9aJj9jlx0hwGY3UqhsDE/oHaiZqIi1LMnQzz4apWs3PX9F +lmV2xQv/BysEnE7J5Oi6xpNXvj95k1p0usb9ZzoGEPD0xPR7HtaQcbZlMIG4B3xg +vmudzCJ7g93r09259Ozl2AsYuQENBFw2Y2IBCADCyrHataR3kdV4as+atq34rBvm +YO+7+PXuhel+I3medGaDzRoekAT5y1ujvwSuj+BBaKCZ2WbON0u4iPUSfd6U6sKO +Na899VXAh+9NXjsas97HMUA8F59Yxis8e7G+HpLJx8e0+ws7TN1o6zr0ISNuXN/Q +pkclP7aJDWw6ec9MbQZjdLlMxTDMUHq3leUfngAX+8HC72ecp+Ex59rAPtYSHE9v +GKo/V3gN5GwshZQg2pWHPT9AkUEHkU5BSr4H6YHkb1rAfetvJLm6PHtwVnsWyg0v +46uQFjgj/F1ooDhLxKt2IqdZy2Q/dS25RDDW0K8OIf4D6sBb4/ipnuP7kvMbABEB +AAGJA2wEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUCXDZjYgIbAgFACRAm +PW3y4WPh6sB0IAQZAQoAHRYhBK9g/KPNqm3q0VfqOmfjj3qLohdyBQJcNmNiAAoJ +EGfjj3qLohdylogH/jFk4H5UpC03Kn5VinrtETpgHOVterbf9+D28ApnVHk6x5Wh +JDzeWTF+Y0LVLycN49/3kOUL6nK5twym+7jYVmfn/OCRLNQm+Pt5MpISlSCrc8sM +T7f6+2h5eCVKF0YQ2a/PdZmb7AtXtiaqErEBbeMU23lyK78EV7pOUq2LS8jTb5Fm +HIAs+KJHm7CZH8wmh6OcpDQyPjqXsvSUHvI5yKWP6M5xCJgIJb0McdBTBhP21qXk +crcQTtZuVFIoqCjVeNmegzwJKG3gtMfrDw8URLGXHRLzlW34LHUfuNCLB8OxP+mg +Iw0OmRfNLqdh3ewAQnkUmJHvizeomAJtVfOJv/cHvRAAoZqlPwsPCUapLLI5EFeY +kqr64ugJjT0fp4E2MVHjf6Dep2EKSrW7RojVP0he2eTfevDiHJwrOGRgfEggb2lK +MPIjjDl4XNHfArzfpOtrxya2ycm/5wPu1Xq+jEzwAnAFzBHUI5lFVRGWmQXuS8F+ +Imz8Lln8B0BcJehSMqWhKOChOKXcQ4modjyrzpgN116VwQqD7FU/+4CNOAabaoVB +YC47Ha9qOgC6wrCDD/lmLXaKWfTY5vCqbxBKgsAz38jjmwHBu2NuCmc1Ojfe00gR +MgO4Z4ZeCPBGexMCxz1o2WryJTwSVyLvbamDW6gLMM3HGCRPgEB1iRz5fGMqlM60 +t8ptlwpHPZSzoTVzOEUkBjLgsnUsIPGF8b+qzqfdqALZ0I7m0iqvVnlkfuFW7UCR +sfViCjZQRV5TjpyIGfFmeyeVZbd1e2SedaT97H6+j7qqPQts1mc9evSvgxcbhCAB +s0nM/iVOOC6gsRNYyDTuZGAo/NYpCp/aVbpT6ywBsHiRtqlyT0x9cDD1iGqgPqQk 
+nA/Hxar9zgjTmVc7whv/wR7HcM3cpLX4HZJJCj0q47e8N/FOYyfPfjpr0vFs2Vm/ +8P04YvjCPsjS4EXeTyWsHgNgLz3YZBtG7UR4ZbUFSPTkcWj9cXTK/Wxrqrz/3/pT +kjP5+DBR8zCiek8ibIp6/8O5Ag0EUm2nUQEQAMn93/Bol72GW+LhEF8amKB7mnUA +rAcI556nmhOqAqYE682WBX+Do8qGJXiwf9URaeyXmOD17YsB+OkxQFivfJ9G0y7+ +u4MBq9W8qNRDAe6iBe1Wt5eIv+bYc3IOrx53naH9FnY7xDes96JqExJncWDAxZOt +uoNHBUz2Avh0LxqPtiVRI0g3jRWa/SynwFdL1NOjFh2oHUUNeunoNARZK90oZDrh +UU+XDtP7V6He98L+ZODrZ675CEC9O3U4UzuwQsYRHWMb0ZNvJOENDJ84D6xyAafZ +fi1FKv04KalleHfCon9SJmIrb1oGY9T6bagK1fOydSK6kvQ4741rpVvdFSmWFKR4 +x9xiQdDv00cn2nHcyV5nB23uiMVsPvNdmgKPwU+bs+b+gWgXXtc6otJB6oaMRDPz +vLY20q3n/MztICAbTzG64f7pPOFyv8gOZyPUKHXIRUTBVSwRj21DACtKBBsjvgIP +K3QTHrqiaBq9xsNSi2xdpP9lpwGgh1E2xO9I7dfa4uIzGzgMLFtMOwZao1PKrypR +rXpFdSRoDOzKFbXWzL1iQ5jJPJq3h63TD+juKZrSwBiOif3z2baA9GedwSkJaRQ/ +wLq6PDdp7vsq06A4gv52VkRJTmqkZo100HD2GGQur6yDUsnDewJW+M5GgS59UShW +VCOo6we7IpGpsAAnABEBAAGJAh8EGAECAAkFAlJtp1ECGwwACgkQJj1t8uFj4eoB +7A//S1M22r2JQcuUsRGR6mmb05c6RwpdmfmLU1w+lJNGtRX5TsLkGdXgA9FPuR6z +2YeJKCdG6FMpmH8U8EXet0+//8Y3OBpzUh4yWZk89UKDrxHVA6tomH8g55OtNUfj +zODTEL9Te+GJsqbwV9Vjp928j/vqA+gLtdIDwOmRLfnb0vJglgDLT2Dc4QtAqBng +vu3aFC6YXLrvmmySfCpzmwMZFgoVzFsCGAVIWLfYHhoux8q8+1bYO9+cGRdgzT7m +wojuSOYrJ0luoo95hDaelfDPUHD7HmpqCvwU8ZpYBx3nHxXfJyF1ZWuF/JTSm4DX +gYavG0RD4FaSjhKDCUN8P/6iN3j/onG2bTs/Dg2/yFw09GXXJiH1B7U5P7Zf7Ig+ +0tn7XwIbUBOcsGKvGwCMtiGf6BI0AsMK6eaarOYmtAphugO22A6X0Dba1v/Tx9dr +dEJsSDviiE+Lu4WdwDxN1Ar7LyfQ+TzsnGNsdMyy9zFAFa3Y2Wqa6kOcVA0sK/13 +EBFQHWXOes3Z1d+mtMsgOMTwJgFicNqHSAyY8heEgC5up/Ojo/5t8Ix3JHb3x+C5 +JmMuBdwMU5xWs2rHkRj+l+eoHW6xlBNaCvoIobgXkfO+CeB9T7NgTGLQ8Yf4pHqu +APKHlBE+nH14PbxfkA6PyhuU1psOGBDu7x8y/J05OuGS7X4= +=TOIR +-----END PGP PUBLIC KEY BLOCK----- diff --git a/crun.spec b/crun.spec new file mode 100644 index 0000000..2c12191 --- /dev/null +++ b/crun.spec 
@@ -0,0 +1,108 @@ +# +# spec file for package crun +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%ifarch x86_64 aarch64 +%define with_wasmedge 1 +%else +%define with_wasmedge 0 +%endif + +Name: crun +Version: 1.16.1 +Release: 0 +Summary: OCI runtime written in C +License: GPL-2.0-or-later +URL: https://github.com/containers/crun +Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc +Source2: crun.keyring +# We always run autogen.sh +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gcc +BuildRequires: gettext +BuildRequires: glibc-devel-static +BuildRequires: go-md2man +BuildRequires: libcap-devel +BuildRequires: libprotobuf-c-devel +BuildRequires: libseccomp-devel +BuildRequires: libtool +BuildRequires: libyajl-devel +BuildRequires: make +BuildRequires: python3 +BuildRequires: python3-libmount +BuildRequires: systemd-devel +%ifnarch %{ix86} +BuildRequires: criu-devel >= 3.15 +%endif +%ifarch x86_64 aarch64 +BuildRequires: libkrun-devel +Requires: libkrun1 +%endif +%if %with_wasmedge +BuildRequires: wasmedge-devel +%endif + +%description +crun is a runtime for running OCI containers. 
It is built with libkrun support + +%prep +%autosetup -p1 + +%build +%ifarch x86_64 aarch64 +export LIBKRUN="--with-libkrun" +%endif +%if %with_wasmedge +export WASMEDGE="--with-wasmedge" +%endif + +./autogen.sh +%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp' +%make_build + +# TODO: +# - it would be nice to enable the test-suite, but seems to behave (and fail!) +# differently when run inside of an OBS worker, with respect to when it's +# run manually on the host... Need to investigate more. +%dnl %check +#make test-suite.log + +%install +%make_install +rm -rf %{buildroot}/%{_libdir}/lib* + +%if %with_wasmedge +# platform 'wasi/wasm' requires crun-wasm +ln -s %{_bindir}/crun %{buildroot}%{_bindir}/crun-wasm +%endif + +%files +%license COPYING +%doc README.md +%doc SECURITY.md +%{_bindir}/%{name} +%ifarch x86_64 aarch64 +%{_bindir}/krun +%endif +%if %with_wasmedge +%{_bindir}/crun-wasm +%endif +%{_mandir}/man1/* + +%changelog
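Review bot: the crun.keyring hunk adds an armored public key block, but the commit message reads only "new upstream release 1.16.1" and says nothing about whose key this is or where it was fetched from, so a reviewer cannot check the key from this diff. Please record the primary key fingerprint and the location it was obtained from in the commit message or changelog entry, so that the key referenced as Source2 in crun.spec can be compared against an independent source before the .asc signatures are trusted.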
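Review bot: in %build of crun.spec, `%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp'` passes CFLAGS as a configure argument, which overrides the CFLAGS that %configure sets from %{optflags}, so the distribution's hardening and optimisation flags are not applied to a container runtime binary. Put the include path in `CPPFLAGS='-I%{_includedir}/libseccomp'` instead, or pass `CFLAGS="%{optflags} -I%{_includedir}/libseccomp"`. Separately, %prep is only `%autosetup -p1`, so nothing in the spec itself checks Source1 against Source2; if that check is expected to happen outside the spec, a comment next to Source2 should say so. The disabled `%dnl %check` also means this package ships without running the upstream test suite, which deserves a tracking bug reference in the TODO rather than an open-ended note.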