Accepting request 969579 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/969579
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crun?expand=0&rev=6

crun-0.21.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:018c805c88a15cbd8341d00badd00c92de256bc585c46336be78f1ff9a5a3cf2
-size 1878109

crun-1.4.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:49eeb7ed921428f06094ab02233bb2f95ddfc4bf59a40bcabe8a2823085a0c12
+size 1962130

crun.changes

@@ -1,3 +1,68 @@
+-------------------------------------------------------------------
+Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- It'd be nice to run the test suite with %check. It however, still
+  does not work properly inside OBS workers. Add it commented and
+  explain it
+
+-------------------------------------------------------------------
+Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- switch to latest upstream version (1.4.4)
+- big jump from 0.21! Here's a short summary, for details,
+  see: https://github.com/containers/crun/releases
+  * 1.4.4
+    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
+    Resolve symlinks in bind mounts when creating a user namespace.
+    Fix CVE-2022-27650: exec does not set inheritable capabilities.
+  * 1.4.3
+    cgroup: avoid potential infinite loop when deleting a cgroup.
+    support additional options for idmap mounts.
+    open the source for a bind mount in the host.
+  * 1.4.2
+    CRIU: add pre-dump support.
+    Fix running with a read-only /dev.
+    Ignore EROFS when chowning standard stream files.
+    Add validation for sysctls before applying them.
+  * 1.4.1
+    Fix check for an invalid path.
+    Allow deleting a container while in created state.
+    cgroup: do not set cpu limits if number of shares is set to 0.
+  * 1.4
+    wasm: support for running on kubernetes with containerd.
+    linux: add support for recursive mount options.
+    add support for idmapped mounts through a new mount option "idmap".
+    linux: improve detection of /dev target.
+    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
+    retry the openat2 syscall if it fails with EAGAIN.
+    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
+    on new kernels, use setns with pidfd.
+    attempt the chdir again with the specified user if it failed before changing credentials.
+  * 1.3
+    add support to natively build and run WebAssembly workload and WebAssembly containers.
+    allow to specify sub-cgroup for exec.
+    chown std streams if they are not a TTY.
+    attach the correct streams if the container is suspended and restored multiple times.
+    fix race condition when enabling controllers on cgroup v2.
+  * 1.2
+    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
+    criu: add support for external ipc, uts and time namespaces.
+  * 1.1
+    cgroup: use cgroup.kill when available.
+    exec: refuse to exec in a paused container/cgroup.
+    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
+    criu: Add support for external PID namespace.
+    criu: fix save of external descriptors.
+    utils: retry openat2 on EAGAIN.
+  * 1.0
+    cgroup: chown the current container cgroup to root in the container.
+    linux: treat pidfd_open failures EINVAL as ESRCH.
+    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
+    Makefile.am: fix link error when using directly libcrun.
+    Fix symlink target mangling for tmpcopyup targets.
+- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
+- update and fixup dependencies
+
 -------------------------------------------------------------------
 Tue Nov  2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
 

crun.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package crun
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 Summary:        OCI runtime written in C
 License:        GPL-2.0-or-later
 Name:           crun
-Version:        0.21
+Version:        1.4.4
 Release:        0
 Source0:        https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 URL:            https://github.com/containers/crun
@@ -27,16 +27,16 @@ URL:            https://github.com/containers/crun
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gcc
-BuildRequires:  git-core
+BuildRequires:  gettext
 BuildRequires:  glibc-devel-static
 BuildRequires:  go-md2man
 BuildRequires:  libcap-devel
 BuildRequires:  libprotobuf-c-devel
 BuildRequires:  libseccomp-devel
-BuildRequires:  libselinux-devel
 BuildRequires:  libtool
 BuildRequires:  libyajl-devel
-BuildRequires:  python
+BuildRequires:  make
+BuildRequires:  python3
 BuildRequires:  python3-libmount
 BuildRequires:  systemd-devel
 %ifnarch %ix86
@@ -61,6 +61,13 @@ export LIBKRUN="--with-libkrun"
 %configure --disable-silent-rules $LIBKRUN CFLAGS='-I /usr/include/libseccomp'
 %make_build
 
+# TODO:
+# - it would be nice to enable the test-suite, but seems to behave (and fail!)
+#   differently when run inside of an OBS worker, with respect to when it's
+#   run manually on the host... Need to investigate more.
+#%check
+#make test-suite.log
+
 %install
 %make_install
 rm -rf %{buildroot}/%{_libdir}/lib*