From b640a284966cebc6f270a709911b06123ef4dff9071ba441bb10a556d247f0b9 Mon Sep 17 00:00:00 2001 From: Dario Faggioli Date: Thu, 12 Sep 2024 17:12:27 +0000 Subject: [PATCH] - update to 1.17: * Add --log-level option. It accepts error, warning and error. * Add debug logs for container creation. * Fix double-free in crun exec code that could lead to a crash. * Allow passing an ID to the journald log driver. * Report "executable not found" errors after tty has been setup. * Do not treat EPIPE from hooks as an error. * Make sure DefaultDependencies is correctly set in the systemd scope. * Improve the error message when the container process is not found. * Improve error handling for the mnt namespace restoration. * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux. * Fix handling of device paths with trailing slashes. - add url for keyring - enable leap by disabling wasmedge (not packaged for leap) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=49 --- .gitattributes | 23 ++ .gitignore | 1 + crun-1.15.tar.gz | 3 + crun-1.15.tar.gz.asc | 11 + crun-1.16.1.tar.gz | 3 + crun-1.16.1.tar.gz.asc | 11 + crun-1.17.tar.gz | 3 + crun-1.17.tar.gz.asc | 11 + crun.changes | 535 +++++++++++++++++++++++++++++++++++++++++ crun.keyring | 386 +++++++++++++++++++++++++++++ crun.spec | 107 +++++++++ 11 files changed, 1094 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 crun-1.15.tar.gz create mode 100644 crun-1.15.tar.gz.asc create mode 100644 crun-1.16.1.tar.gz create mode 100644 crun-1.16.1.tar.gz.asc create mode 100644 crun-1.17.tar.gz create mode 100644 crun-1.17.tar.gz.asc create mode 100644 crun.changes create mode 100644 crun.keyring create mode 100644 crun.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/crun-1.15.tar.gz b/crun-1.15.tar.gz
new file mode 100644
index 0000000..c2343ac
--- /dev/null
+++ b/crun-1.15.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a03ba1e58b8823ae77d010024b43bd94c5a99f7d652257b1b23abd2d2cdb087f
+size 1756886
diff --git a/crun-1.15.tar.gz.asc b/crun-1.15.tar.gz.asc
new file mode 100644
index 0000000..65bf7c8
--- /dev/null
+++ b/crun-1.15.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui
+F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc
+gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n
+wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ
+U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC
+fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S
+R4c3fkxsV7PNXt6sNx+J8UAGntztBA==
+=pgGE
+-----END PGP SIGNATURE-----
diff --git a/crun-1.16.1.tar.gz b/crun-1.16.1.tar.gz
new file mode 100644
index 0000000..c7bc124
--- /dev/null
+++ b/crun-1.16.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70548de4874f0c9e7e1e080ff092e23f8fcc772a23261ee26e26d79f24df289e
+size 1760357
diff --git a/crun-1.16.1.tar.gz.asc b/crun-1.16.1.tar.gz.asc
new file mode 100644
index 0000000..e85118b
--- /dev/null
+++ b/crun-1.16.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAma7dj0ACgkQZ+OPeoui
+F3LNNwgAidlpoqDuVBqh9ykjXfA0fnZ58NpWlU2wuHTk1zt+3vgTuFNGKmSimEZI
+c8mcgjq3nvTTmCBWr6Qikh5neSCerJJ+eprvmRQwHHuJj1sPoM/KhmVVc4pfLhQF
+B9MQxKrWf635TRh9r5V8kpx0K43ffL7ZVVNJ6Iumm4G1MOaEqpSZYSkgXMePFTGB
+kRh9zaHJ66m50i7ctokyfI1Y07hexviDXOhJi5znA0Y2GBSoiZLQcY8hwB7xg/m1
+vd9vI9CHA2E05dWE/Zuz9v/1YRH+hb1fRpnJP6LQPYjlUM/CnmMEDE6yJjQYwDQU
+Gu6uuqxH3nXMPJzv0MFpznEva5eLGQ==
+=++ex
+-----END PGP SIGNATURE-----
diff --git a/crun-1.17.tar.gz b/crun-1.17.tar.gz
new file mode 100644
index 0000000..2c7598e
--- /dev/null
+++ b/crun-1.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b766609814c0b0a3c0d2d235af1b061bd71da1aa2e8bb181d66e89f1b9a4e874
+size 1773153
diff --git a/crun-1.17.tar.gz.asc b/crun-1.17.tar.gz.asc
new file mode 100644
index 0000000..e55cc35
--- /dev/null
+++ b/crun-1.17.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmbe+kIACgkQZ+OPeoui
+F3Kr8Af+Lr1TLt/nDA6Dgjo55pQScbgAa7nq1iM2yZEQpq2WwpXvj6M15pZ3vWAj
+kzeotA3JX3VrggjgLZ5j2GPh37BQfNteehX9yae3AkaltLkANZSaAbekqWCvX4Pk
+PeD9LzPLqOHGBCGi58UjeXl9Ov4bYhrDvIv7+LL3Q5qG2fp2ynfm7IEhSz7wjXns
+Yd6rqbs+bP+RlJUp6fcy5gBZEoCrLiBBh9TH1mPHURkzSsJNCf3Vqm2pQXfQlHBU
+VtWZU0D5XYnhyBHSPmZCdMjy7WAdACYN9euBDP2XhXSvv95bQy/NLC/IMUDJq5FL
+/ihOb/YV2LpSGoUvbBOliIdqtbVftw==
+=jC+F
+-----END PGP SIGNATURE-----
diff --git a/crun.changes b/crun.changes
new file mode 100644
index 0000000..2577cba
--- /dev/null
+++ b/crun.changes
@@ -0,0 +1,535 @@ +------------------------------------------------------------------- +Wed Sep 11 20:12:48 UTC 2024 - Richard Rahl + +- update to 1.17: + * Add --log-level option. It accepts error, warning and error. + * Add debug logs for container creation. + * Fix double-free in crun exec code that could lead to a crash. + * Allow passing an ID to the journald log driver. + * Report "executable not found" errors after tty has been setup. + * Do not treat EPIPE from hooks as an error. + * Make sure DefaultDependencies is correctly set in the systemd scope. + * Improve the error message when the container process is not found. + * Improve error handling for the mnt namespace restoration. + * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux. + * Fix handling of device paths with trailing slashes. +- add url for keyring +- enable leap by disabling wasmedge (not packaged for leap) + +------------------------------------------------------------------- +Thu Sep 5 13:18:43 UTC 2024 - Dan Čermák + +- new upstream release 1.16.1 + +1.16.1: + +- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint. +- inherit user from original process on exec, if not overridden. + +1.16: + +- build: fix build for s390x. +- linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets. +- Fix sd-bus error handling for cpu quota and period props update. +- container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path. +- wasmedge: access container environment variables for the WasmEdge configuration. +- cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name. 
+- cgroup, systemd: improve checks for sd_bus_message_append errors + +------------------------------------------------------------------- +Thu May 30 12:30:26 UTC 2024 - Dario Faggioli + +- New upstream release 1.15 + * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY. + * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run. + * release: build s390x binaries using musl libc. + * features: add support for potentiallyUnsafeConfigAnnotations. + * handlers: add option to load wasi-nn plugin for wasmedge. + * linux: fix "harden chdir()" security measure. The previous check was not correct. + * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. + +------------------------------------------------------------------- +Wed Mar 6 10:06:50 UTC 2024 - Dan Čermák + +- New upstream release 1.14.4 + +* crun-1.14.4 + +- linux: fix mount of file with recursive flags. Do not assume it is + a directory, but check the source type. + +* crun-1.14.3 + +- follow up for 1.14.2. Drop the version check for each command. + +* crun-1.14.2 + +- crun: drop check for OCI version. A recent bump in the OCI runtime + specs caused crun to fail with every config file. Just drop the + check since it doesn't add any value. + +* crun-1.14.1 + +- there was recently a security vulnerability (CVE-2024-21626) in runc + that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is + outside the container rootfs. While crun is not affected directly, + harden chdir by validating that we are still inside the container + rootfs. +- container: attempt to close all the files before execv(2). + if we leak any fd, it prevents execv to gain access to files outside + the container rootfs through /proc/self/fd/$fd. +- fix a regression caused by 1.14 when installing the ebpf filter on a + kernel older than 5.11. 
+- cgroup, systemd: fix segfault if the resources block is not specified. + +------------------------------------------------------------------- +Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini + +- update to 1.14: + * build: drop dependency on libgcrypt. Use blake3 to compute the cache key. + * cpuset: don't clobber parent cgroup value when writing the cpuset value. + * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, + allowing file permissions to be set as specified in the OCI configuration. + * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11. + +- update to 1.13: + * src: use O_CLOEXEC for all open/openat calls + * cgroup v1: use "max" when pids limit < 0. + * improve error message when idmap mount fails because the underlying file system has no support for it. + * libcrun: fix compilation when building without libseccomp and libcap. + * fix relative idmapped mount when using the custom annotation. + +------------------------------------------------------------------- +Fri Dec 1 13:41:35 UTC 2023 - Dan Čermák + +- New upstream release 1.12: + + * add new WebAssembly handler: spin. + * systemd: fallback to system bus if session bus is not available. + * configure the cpu rt and cpuset controllers before joining them to + avoid running temporarily the workload on the wrong cpus. + * preconfigure the cpuset with required resources instead of using the + parent's set. This prevents needless churn in the kernel as it + tracks which CPUs have load balancing disabled. + * try attr//* before the attr/* files. Writes to the attr/* + files may fail if apparmor is not the first "major" LSM in the list + of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). + +- New upstream release 1.11.2: + + * fix a regression caused by 1.11.1 where the process crashes if there + are no CPU limits configured on cgroup v1. 
(bsc#1217590) + * fix error code check for the ptsname_r function. + +------------------------------------------------------------------- +Mon Nov 6 10:19:58 UTC 2023 - Dirk Müller + +- update to 1.11.1: + * force a remount operation with bind mounts from the host to + correctly set all the mount flags. + * cgroup: honor cpu burst. + * systemd: set CPUQuota and CPUPeriod on the scope cgroup. + * linux: append tmpfs mode if missing for mounts. This is the + same behavior of runc. + * cgroup: always use the user session for rootless. + * support for Intel Resource Director Technology (RDT). + * new mount option "copy-symlink". When provided for a mount, + if the source is a symlink, then it is copied in the container + instead of attempting a mount. + * linux: open mounts before setgroups if in a userns. This + solves a problem where a directory that was previously + accessible to the user, become inaccessible after setgroups + causing the bind mount to fail. + +------------------------------------------------------------------- +Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák + +- New upstream release 1.9.2: + + * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels + do that automatically, but new kernels remember the affinity that was set + before the cgroup move, so we need to reset it in order to honor the cpuset + configuration. + +- New upstream release 1.9.1: + + * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 + that always refuses chmod on a symlink. + * build: fix build on CentOS 7 + * linux: add new fallback when mount fails with EBUSY, so that there is not an + additional tmpfs mount if not needed. + * utils: improve error message when a directory cannot be created as a + component of the path is already existing as a non directory. 
+ +- Only build with wasmedge on x86_64 & aarch64 + +------------------------------------------------------------------- +Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi + +- Add crun-wasm symlink for platform 'wasi/wasm' + +------------------------------------------------------------------- +Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash + +- Update to 1.9: + * linux: support arbitrary idmapped mounts. + * linux: add support for "ridmap" mount option to support recursive + idmapped mounts. + * crun delete: call systemd's reset-failed. + * linux: fix check for oom_score_adj. + * features: Support mountExtensions. + * linux: correctly handle unknown signal string when it doesn't start with + a digit. + * linux: do not attempt to join again already joined namespace. + * wasmer: use latest wasix API. + +------------------------------------------------------------------- +Tue Sep 5 11:41:14 UTC 2023 - Alexandre Vicenzi + +- Enable WasmEdge support to run Wasm compat containers. + +------------------------------------------------------------------- +Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash + +- Update to 1.8.6: + * crun: new command "crun features". + * linux: fix handling of idmapped mounts when the container joins an + existing PID namespace. + * linux: support io_priority from the OCI specs. + * linux: handle correctly the case where the status file is not written + yet for a container. + * crun: fix segfault for "ps" when the container is not using cgroups. + * cgroup: allow setting swap to 0. + +------------------------------------------------------------------- +Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat + +- Update to 1.8.5: + * scheduler: use definition from the OCI configuration file + instead of the custom label that is now dropped and not + supported anymore. + * cgroup: fix creating cgroup under "domain threaded". + * cgroup, systemd: set the memory limit on the system scope. + * restore tty settings from the correct file descriptor. 
It was + previously restoring the settings from the wrong file + descriptor causing the tty settings to be changed on the + calling terminal. + * criu: check if the criu_join_ns_add function exists. + Fix a segfault with new versions of CRIU. + * linux: do not precreate devs with euid > 0. Fix creating + devices when running the OCI runtime as non root user. + * linux: improve PID detection on systems that lack pidfd. + While there is still a window of time that the PID could be + recycled, now it is now reduced to a minimum. + * criu: fix memory leak. + * logging: improve error message when dlopen fails. + +- Changes from 1.8.4: + * drop custom annotation to set the time namespace and use + the OCI specs instead. + * cgroup: workaround cpu quota/period issue with v1. Sometimes + setting CPU quota period fails when a new period is lower, + and a parent cgroup has CPU quota limit set. + * cgroup: fix set quota to -1 on cgroup v1. + * criu: drop loading unused functions. + +------------------------------------------------------------------- +Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller + +- update to 1.8.3: + * update: initialize the rt limits only on cgroup v1. + * lua bindings for libcrun. + * wasmedge: add current directory to preopen paths. + * linux: inherit parent mount flags when making a path masked. + * libcrun: custom annotation to set the scheduler for the + container process. + * cgroup: fallback to blkio.bfq files if blkio is not available + on cgroup v1. + * cgroup: initialize rt limits when using systemd. + * tty: chown the tty to the exec user instead of the user + specified to create the container. + * cgroup: fallback to create cgroupfs as sibling of the current + cgroup if there is none specified and it cannot be created in + the root cgroup. 
+- add keyring for GPG validation + +------------------------------------------------------------------- +Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel + +- Update to 1.8.1 + * linux: idmapped mounts expect the same configuration as + the user namespace mappings. Before they were expecting the inverted + mapping. It is a breaking change, but the behavior was aligned + to what runc will do as well. + * krun: always allow /dev/kvm in the cgroup configuration. + * handlers: disable exec for handlers that do not support it. + * selinux: allow setting fscontext using a custom annotation. + * cgroup: reset systemd unit if start fails. + * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1. + * cgroup: always delete the cgroup on errors. + On some errors it could have been leaked before. + +- changes from 1.8 + * linux: precreate devices on the host. + * cgroup: support cpuset mounted with noprefix. + * linux: mount the source cgroup if cgroupns=host. + * libcrun: don't clone self from read-only mount. + * build: fix build without dlfcn.h. + * linux: set PR_SET_DUMPABLE. + * utils: fix applying AppArmor profile. + * linux: write setgroups=deny when mapping a single uid/gid. + * cgroup: fix enter cgroupv1 mount on RHEL 7. + +------------------------------------------------------------------- +Wed Dec 7 09:24:19 UTC 2022 - Frederic Crozat + +- Update to 1.7.2: + * criu: hardcode library name to libcriu.so.2. + * cgroup: always enable all controllers, even if the cgroup was + already joined. Regression caused by crun-1.7. + +- Changes from 1.7.1: + * criu: load libcriu dynamically. + * seccomp: initialize libgcrypt. + * handlers: fix rewriting the argv if the full cmdline doesn't + fit. + * utils: honor SELinux label when using a custom handler. + * utils: honor AppArmor label when using a custom handler. + * krun: copy the OCI configuration file into the container. + * utils: fix creating the default user namespace when running + with euid != 0. 
+ * Add setlinebuf() when --debug and --log=file: are used. + * Fix timestamp format in the error messages. + * krun: disable libkrun's collection of env vars. + +- Changes from 1.7: + * seccomp: use a cache for the generated BPF. + * add support for setting the domainname through the OCI spec. + * handlers: define wasm and krun. + * wasmtime: add support for compiling .wat format. + * cgroup: honor checkBeforeUpdate on cgroupv2. + * crun: chown std streams before joining the user namespace. + * crun: display rundir in --version output. + * container: with cgroupfs use clone3 to join directly the target + cgroup. + * linux: create parent directories for created devices with mode + 0755. + * wasm: inherit environment variables in the WasmEdge handler. + +------------------------------------------------------------------- +Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli + +- Update the libkrun dependency to the new libkrun1 library and + devel package + +------------------------------------------------------------------- +Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli + +- Update to 1.6 + * runc compatibility: -v now prints the version string. + * build: fix build with glibc 2.36. + * container: drop intermediate userns custom feature. + * cgroup: change the delegate cgroup semantic so that the cgroup + is created in the container payload after the cgroup namespace + is created. + * seccomp: use helper process to send file descriptor to the listener + socket. It enables to be notified on every syscall without hanging + the main process. + * linux: add a fallback to using kill(2) if pidfd_send_signal(2) + fails with ENOSYS. + * krun: add support for krun-sev. + * wasmtime: always grant file system capability for workdir inside + the container. + * wasmtime: inherit arguments list from the handler instead of the + current process. + * wasmedge: use released wasmedge library instead of libwasmedge_c.so. 
+ +- Update to 1.5 + * add mono based native .NET handler + * new Wasmtime backend for running WebAssembly + * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x + * dropping support for experimental WasmEdgeProcess from wasmedge handler + * honor process user's uid when setting the HOME environment variable + * create the current working directory if it is missing in the container + * fallback to using a tmpfs mount if umount of /sys and /proc fails + * fallback to netlink to setup lo device + * fix creating devices in the rootfs + * fallback to using io.weight if io.bfq.weight doesn't exist + * remove tun/tap from the default allow list + * linux: devices mounts have noexec and nosuid + * fix copyup of files from the container to the tmpfs + * honor $PATH for newgidmap and newguidmap + * krun: limit the number of vCPUs to 8 + * cgroup: add support for cpu.idle + +------------------------------------------------------------------- +Mon May 9 12:43:12 UTC 2022 - Frederic Crozat + +- Update to 1.4.5: + + CRIU: add support for different manage cgroups modes. + + linux: the hook processes inherit the crun process + environment if there is no environment block specified in the + OCI configuration. + ° exec: fix double free when using --apparmor and + --process-label. + +------------------------------------------------------------------- +Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli + +- It'd be nice to run the test suite with %check. It however, still + does not work properly inside OBS workers. Add it commented and + explain it + +------------------------------------------------------------------- +Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli + +- switch to latest upstream version (1.4.4) +- big jump from 0.21! 
Here's a short summary, for details, + see: https://github.com/containers/crun/releases + * 1.4.4 + wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars + Resolve symlinks in bind mounts when creating a user namespace. + Fix CVE-2022-27650: exec does not set inheritable capabilities. + * 1.4.3 + cgroup: avoid potential infinite loop when deleting a cgroup. + support additional options for idmap mounts. + open the source for a bind mount in the host. + * 1.4.2 + CRIU: add pre-dump support. + Fix running with a read-only /dev. + Ignore EROFS when chowning standard stream files. + Add validation for sysctls before applying them. + * 1.4.1 + Fix check for an invalid path. + Allow deleting a container while in created state. + cgroup: do not set cpu limits if number of shares is set to 0. + * 1.4 + wasm: support for running on kubernetes with containerd. + linux: add support for recursive mount options. + add support for idmapped mounts through a new mount option "idmap". + linux: improve detection of /dev target. + now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2. + retry the openat2 syscall if it fails with EAGAIN. + cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup. + on new kernels, use setns with pidfd. + attempt the chdir again with the specified user if it failed before changing credentials. + * 1.3 + add support to natively build and run WebAssembly workload and WebAssembly containers. + allow to specify sub-cgroup for exec. + chown std streams if they are not a TTY. + attach the correct streams if the container is suspended and restored multiple times. + fix race condition when enabling controllers on cgroup v2. + * 1.2 + exec: fix regression in 1.1 where containers are being wrongly reported as paused. + criu: add support for external ipc, uts and time namespaces. + * 1.1 + cgroup: use cgroup.kill when available. + exec: refuse to exec in a paused container/cgroup. 
+ container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing. + criu: Add support for external PID namespace. + criu: fix save of external descriptors. + utils: retry openat2 on EAGAIN. + * 1.0 + cgroup: chown the current container cgroup to root in the container. + linux: treat pidfd_open failures EINVAL as ESRCH. + cgroup: add support for setting memory.use_hierarchy on cgroup v1. + Makefile.am: fix link error when using directly libcrun. + Fix symlink target mangling for tmpcopyup targets. +- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself) +- update and fixup dependencies + +------------------------------------------------------------------- +Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli + +- Add libprotobuf-c-devel as an explicit dependency, for fixing + the build; +- Get rid of rpmlintrc, as it's no longer needed. + +------------------------------------------------------------------- +Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli + +- make libkrun support conditional, so we can have crun (without + libkrun, of course) on all arches, which may help with + bsc#1188914. + +------------------------------------------------------------------- +Fri Aug 6 13:37:49 UTC 2021 - Frederic Crozat + +- Drop libkrun-dlopen.patch and adapt to libkrun new package name, + it is a plugin, not a regular shared library. + +------------------------------------------------------------------- +Fri Aug 6 09:55:53 UTC 2021 - Frederic Crozat + +- Add libkrun-dlopen.patch: use soname when dlopening libkrun. + +------------------------------------------------------------------- +Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin + +- Update to 0.21 + - honor memory swappiness set to 0 + - status: add fields for owner and created timestamp + - cgroup: lookup pids controller as well when the memory controller + is not available + - when compiled with krun, automatically use it if the current + executable file is called "krun". 
+ - container: ignore error when resetting the SELinux label for the + keyring. + - container: call prestart hooks before rootfs is RO. + - cgroup: added support cleaning custom controllers on cgroupv1. + - spec: add support for --bundle. + - exec: add --no-new-privs. + - exec: add --process-label and --apparmor to change SELinux and + AppArmor labels. + - cgroup: kill procs in cgroup on EBUSY. + - cgroup: ignore devices errors when running in a user namespace. + - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default. + - seccomp: report correct action in error message. + - apply SELinux label to keyring. + - add custom annotation run.oci.delegate-cgroup. + - close_range fallbacks to close on EPERM. + - report error if the cgroup path was set and the cgroup could not be + joined. + - on exec, honor additional_gids from the process spec, not the + container definition. + - spec: add cgroup ns if on cgroup v2. + - systemd: support array of strings for cgroup annotation. + - join all the cgroup v1 controllers. + - raise a warning when newuidmap/newgidmap fail. + - handle eBPF access(dev_name, F_OK) call correctly. + - fix some memory leaks on errors when libcrun is used by a long + running process. + - fix the SELinux label for masked directories. + - support default seccomp errno value. + - fail if no default seccomp action specified. + - support OCI seccomp notify listener. + - improve OOM error messages. + - ignore unknown capabilities and raise a warning. + - always remount bind mounts to drop not requested mount flags. 
+ +------------------------------------------------------------------- +Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli + +- Add a mention to crun-rpmlintrc in the spec file + +------------------------------------------------------------------- +Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli + +- Since we're building with libkrun support, let's enable only the + arch-es for which we do have libkrun + +------------------------------------------------------------------- +Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli + +- Suppress the (false positive) rpmlint warning + +------------------------------------------------------------------- +Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli + +- Some fixes to the spec file (add some %doc, remove unused macros, etc) + +------------------------------------------------------------------- +Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli + +- Initial package for 0.18 + Based on the package by Giuseppe Scrivano diff --git a/crun.keyring b/crun.keyring new file mode 100644 index 0000000..9876368 --- /dev/null +++ b/crun.keyring 
@@ -0,0 +1,386 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: Hockeypuck 2.2 +Comment: Hostname: + +xsFNBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG +7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6 +gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL +dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS +O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY +tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8 +zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH +QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v +4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ +ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/ +JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB +zSdHaXVzZXBwZSBTY3JpdmFubyA8Z3Njcml2YW5vQGdtYWlsLmNvbT7CwokEEwEK +ATMCGwMCHgECF4AFCwkIBwMFFQoJCAsFFgIDAQAWIQSsQEwcC/c1xj/01WImPW3y +4WPh6gUCY2rCy1oUgAAAAAAQAEFwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9naXN0 +LmdpdGh1Yi5jb20vZ2l1c2VwcGUvZjg5MTM4MDQ5NTIzM2MzZGY2OTBmMTMxZmQ4 +MjMwOGI4FIAAAAAAEAAfcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZm9zc3RvZG9u +Lm9yZy9AZ2l1c2VwcGUyFIAAAAAAEAAZcHJvb2ZAYXJpYWRuZS5pZGRuczpzY3Jp +dmFuby5vcmc/dHlwZT1UWFQzFIAAAAAAEAAacHJvb2ZAYXJpYWRuZS5pZGlyYzov +L2xpYmVyYS5jaGF0L2dpdXNlcHBlAAoJECY9bfLhY+HqGi0P/iBSdveMNNbBjdrj +ZUiPY2+PTKmV8nluKtyNAsUsI6hwMPg782K7ohZDcWu3SBIlvDqBR4EWvGLSHo/o +VzK029oaJLgtzTguJ2uygVSIJ5e+pUJ906dOWy5sUC6y0gO3L2FgiwjLvOVXassL +OiQ1XdW/4ZZs3qddFUnD+NUnIOS/Czec3bI/spZuoIe0HQjDJg72f1JbMk/VDs6D +pFlzqr5y19sJCPDwmX8PUGAi11nzmWigu0ohG88HM0W6jfEEdNFKkEbTNi0EEjqn +6HEPJSXvuwP7bDR9EelazA/C7HDaFC92UoxyVUWucAQJKeryIBqwiMeoP+ZwMReC +34Uj63G81/MS0v92Cf7mydqQTzIflruWjuoDVbwf9MeJi3r7WnDrFYyU7XJdDzXO +DizVFjrAGGMjQ6LOoiQ9l93Nh+AZfnlK8zCNx+1Agp3QVgqms6kVBOJIn6fVRwbZ +j2b4lMN7E7bYyiEkkcSJSSufGUD2Pph7B5xgWX8/udczcBWzu3f24JxAo+mCTZDl +xJp755kvV7NAddXkcRw7S89N6q17HAZWn7TyKDtFx19tbznKF7DBkmUlFMy14DeF 
+5skQKD6ohKk0aL8jcYIJZP5STMdjj3p6qRJFY8I9EV81Byg+AP2x0JyXdIiNzk2+ +gHQ2nlREL9dn8rPEOPdk7SiPZUeSwsF3BBMBCgAhAhsDAh4BAheABQJYsGOCBQsJ +CAcDBRUKCQgLBRYCAwEAAAoJECY9bfLhY+Hqo8MP/jBgRMAu4VUszCaNmRB5Js83 +aeLH5qS9FCCJv96DbY0jdLGrnXb0clXtQrktrU1f+UAlOc2zHvwX6XuRW/Ew1m5e +0zmBSpiKCMdIlTHVseu/wTs5gXUEtFKMmz4xzHjcYNghjv11KA70F45NBeX8dy8u +6NDQ5Z2LxVQ0UyH2XxPUkpE3woMc9v6F7yhQFWMSibCMO1iYkNmDcZt/TyAC8yeG +qPgec4vxkvBURKAaV3LqZ6fpzECVk09lVQjhv8GwNsFTyQ1VeRJULnAxxJVexdt0 +4uQO40cIl9ckxjY+jDW01T0IY6o9ectUXlPrqR/xI84DIEwLofpp7/vOkB/q2D4R +OaKYP97G9hyuoX1vkmEFvCee1JdgYgpznArgNF7viVI+oKZ4GpkMJH5dimf0qyvf +6rrGzZXsrkSaJC1dcjA8yvct11uY8ZpD62Zp83nkuvUDiDW5U4Zx5077/fIcJfFU +yCd3EuZqy3Uca8p8tWntqDrS7/cn1W4whkhvmyDuMtDLckEKpWyVP5SvyFLo1Q7t +YzYLoZ7ESrWZw+qvEWDdYzlCVBEBdsnsT3fp4YpKwL5qRw1pLd6ysC+eFhdVZYa3 +mMWrOwANLp6yWYdLYXOvuyK4BVgpLmpQ7iwm/PH8RGtn4j7p65Ch2Sr6TCbmBD0t +isYMHaEwksi5RYw3qI+OwsF4BBMBAgAiBQJSbafvAhsDBgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRAmPW3y4WPh6p9OD/9ynTKgcd1Gsv5VOSWVpfPBitz27Lcg +T3ruSd2KTExLDIHi04RghlV6E6g8KEM/Np9oUYqXpXvzDLvIppbf0aIpY595xS2/ +xiura5w4pH3ul10UduSe4eFB9RtLjWutJosy7OvPYq8q+xMTqkRUFDhmZP6hU4Bp +S+uibgXnhSPxfsMXiYYO5pD+2lE1NVZpQnZUWZT8IdwpohX0qwifab0eB33FD/mg +Lw0WSwD6iI1GrvqTUR56t0VTaJAgukAogTDgE3tab1yO6FcpfSMykesSV5OlpoIh +R+SWrn5XkDXRWTNxroWvRAkdzNMQTquIRMu2m/e68II/LqNNO4okL3AOUO/B2xyO +2aZ3WHZjSDTTslgSBpcUw+4g2mlwD2XD8TGIeezjGAz/rbmlHGrHO/9ma2yL9bzf +Vie7R9234VPMIsaaUHm8DIAJV80qyYbwyjNvlZxqw7Q1qSK0A0hYOmxF19zHLEsR +BE13dVo3Boea8nKR0lkwKhquxTsoChckQAj5JM8bFWZT4bPntJzJ+JM6tvlWbBKT +EBnYJMzSgyBQDZN1nfRCbmDsBsgKKsx78BiiBmrKNVsko3pLzahKplQ/AGrLP5xa +fKFntDUMBBqpGsMgmzf9Z3JUBXt8HZJA73XanF4OkMZEjdZJoCEyOYCJjkDbfDtw +ENVn2llyH3wYZcJGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0egcAn0nF+4YjkLsQ +zyXL3a5G94axfwnEAJ9w+NZTP2g8eeFPwnrTb0SkNa3vrcLBXAQQAQIABgUCUn5L +zAAKCRA++QUjswSvCM4YEACXvumQNvW0c7o0gtpOAqTwkttAMpPXJE2mny8drsTh +IwRUdbC7f6VEfR99TtqkMFwW0XAK1Uxq2hJDT9oa9DphrEYRS9qHx+mgUt421YO3 +e8zCRlkgRvglJTH/Ljj72hnmscUOa182P5PYPq0ndCDYHBfq+MgxTLN1knjRYYIm 
+oDfOEBAzySzj+HdZV2+FBFn+lYE/bFBoQ95qPqVENWG9sCIn5uLQZ9C907GpzTRL +1At98kdpIGzJtePxYwwK6OD5I53c4/AfgKLzI17I7KcAyVO5uln9wHx4HP80kqQk +atpsIXXdJMZAwCWUPBUTgmZajbyqbGOtxQCb1Ans8gOao7yzd5nkYKLKSSkrqXbo +hOwV0qi6P1Iy+lH3JX8ImNx13hRC0zx0h+E42KkkAq9+pvxTe4WHfKv29rJSqKTf +1hXrHKwOyqqxt8kVG5t5MgNZyLKibzMdAK1OcyqQfePE2uBR5uIL9JULPeRZlZDq +LcDD/GLdCRcuLk/eQyglYafCeutZKJ7Y/jBBDrKbwzCF4Pw9Vs2zLFGnAx8Y9Xux +/5w3y5oP/36yjjwBq7apbXAYz3UFdnRN+e+JqDUtSOa/S4wNgz6F8fHLZ4fTfaxn +U0k77TWzESROYKlT/PuKEHsqQR2LVQgSWXpKB6oXe0SODxINYC2xGzyh9oXPLIAy +Yc0lR2l1c2VwcGUgU2NyaXZhbm8gPGdzY3JpdmFub0BnbnUub3JnPsLBwQQTAQoA +awIbAwIeAQIXgAULCQgHAwUVCgkICwUWAgMBABYhBKxATBwL9zXGP/TVYiY9bfLh +Y+HqBQJjarsuMhSAAAAAABAAGXByb29mQGFyaWFkbmUuaWRkbnM6c2NyaXZhbm8u +b3JnP3R5cGU9VFhUAAoJECY9bfLhY+HqvAUP/iPOqQZo4YdN6uefPIxeXCgXZ3H/ +Ozqt+6ThlKr11WEQHEDZ4Fqe4CokxQ+UyPuCs9YyVBFmx83Olu95ogEx1KLOv4ju +jyuPtrKx1flzjKFf6xxT1jRxaIGVXtkerZJ8GpaHmIWokwCDKEfF7Z3QToZlAzC8 +IgjhWjGeBV37+DUtpoQB5xv03VXzrx8MtjP8FXmtyz/QTRIE0gAgxSYNDF8BXvi/ +7+T3fRPDbRDzm+HxcUWI5dWimGvhXnRkF8ONpEp/kSNQWemSHtCvvTQ7yOzX9fix +5Sb3t7Cx4DwVNVBvNf6pcF7wb/tyr+uYP2F/HhIFyIEayrw3tjkriYHJb1x7wZqQ +/xkw/D7DXkek0oU/vT3caZ/ZcMMAqjBzs8Q9BNiQ6fa1skdMzOQssjE10W9zAtDj +93FsnU3+AA8Do0UpTxrugrP7w5H9yK8RFEdpJ+AR3jW75YXJzsCUYRvMyNalO9yz +vyvCB4EvY/W0D58Q2dddM5vcrVDdxqdlOghgv3Dr2R/Oew8F1e9jyLGpQYSE6ilI +oOS1b9veX8BAPX4HZPC6ZdSQTpUlvE03oNeyCDiLsYrtu5gwrwl+4DK5WhVX14H+ +BKvhd4YYcwrr+i7EQZlRyTcVeGEdcaioxaUpelpw2KGu3lNA9XCGRcB8wesqBGs+ +B0fUv6S/1SdI0oGJwsF3BBMBCgAhAhsDAh4BAheABQJYsGOCBQsJCAcDBRUKCQgL +BRYCAwEAAAoJECY9bfLhY+Hq5W0P/Rq2TUBpxOvjyga90D5G0k+AlgZUp3W+J2Ol +632t3Q+ZI03zbRwmtyF/Bq9J4wsAUiAJb3M6BQjaExdzdgM2DOPT5UDichHushTT +zeO3NjAxUzBrN7ZXReRevq1ulysSsTEqZlGUr6HztdAlN4hTetAnVibQQ8dMyCO3 +t8s/wgXUtsV8LZ2wwt6JaPTBpkuRECSspOEg39Id382tHMTUGDcKj5nRaxV6tjyy +TnTJOvkL1xmYGUcHSPoWl4RycrJCmfl8rcZF/kbhUckRcIRPWBG4Uks4qUeq+YxO +47kJi0Yu5fBEc370ydOzkEoGeKgyfiQtIn1FURFKNPG3ooB4U+L3AWieMl8374dq +Ts+x+S3io+Bxo363mP1FYvo5bWFSQ2siUBWg5Ab+UjWYIcyqA7Jsdnig0+N9LoCT 
+a0+Ba/wFO//ejBvyHss5EhbJyjdToPc30NUU8OjX23vQO20bM7JAVvb9YEpXOPkv +xmb8DrMzvU35gBxgeyspaukiuoe/rPTT6daCOXTXJ4CeSNP9ggzTvcqZn47lQtVU +dxB1UnYkmsOG9lv1SEV23ahSnvA0pV4C3481z9u2iBvj9tVjmCNcaGPPTiYJr7/T +SPGIqAVGYiNWNbYBeWYCNWfrCByvWuJDPhtonT6vON65uKSWbDyNjbGf4QvTfs7C +LEaXce4dwsF4BBMBAgAiBQJSbadRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX +gAAKCRAmPW3y4WPh6slnD/9XrBZcGXmnnfjI2NZoEOcSdr4IRe07+ndm0WtsmVxe +l6rEUizDS9auWPqMT6OmWobbzDBJnyaHEliE2ZgD+E65XjNV5dvbgyXEZ4NRLnwO +4jnLeDnpKVFqlWGU884IscV1NINjdDSA2waDuKpb3Z6+MOBxTFRDEZyWvDterN4p +esmlzJLew/IxDVegthyboXfj+TrMKDGwzai4+9JVN9vqFBUTfM26ODkxEjgknk96 +XaIE2wR8yXZiMu5ym6ivIOxE+dNeDClTrzFH/PVS7SNE5ZpZWGK1nAG8BWUqNqY2 +J0JPhh1KWmK0j5WktMSiZQDTftX/bnP0iDRnpvE9w4YZ/kAMN/uqIAlYU3wxv0LG +xHvHLCMXQTD3erct7iqK9jMZtVuqUUGf6V055WX52ehwU8PXtAy4e5BXVIOHQ572 +cg2DZ5Nc5O9yL3hXCpVlzr72WrG4aKpN4MZzgD0CaVLh3/tXSagNjLjQRjPtfYdE +8Sn9QeyStpIvuUFWBBDPWOG0gqbJDaVA2BtemMSymiuhR7FSAUiMi5L5Fozaoffr +S7GKDOA0LY/Ecue733fTLaORqGMZjlddJhNN6NqJ0DyR1av/W2cQNrEJIyJY/edp +3RTNQkkpl+SD4/VpI89yIfjzdYcxEcBp2MLsWmNr9CcJXBmjpYWFNd8ZUvmwpqm7 +jMJGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0qXQAoNIUipQxGhhZgF/unhtLG5yb +SYGRAJ9n3IV20MeoA5rYWg8/t06xC8H0fMLBXAQQAQIABgUCUn5LzAAKCRA++QUj +swSvCFfAD/4qVpe+yzRyaw8PLif5Kg6mdkMmcEZQaCX+zlO+eDbjds3vqRMZWs5s +TNydJH7OqqAXFMqYlrWvJHhyelab1GIo+tu3jrWF6dkxGA2/cM68F9ZRYlOAZnZq +m6Qomeu/7hcpAJWCj63QAb/Engf+ZmbGzrzup2Ap5vEskAUscSbCtq3m+Z3JWcEq +msfl0y1QCmf9ChfBnh1Tv5UmMMPyk4srwRlvdxsaAiJ7Cwm9W1cCM8R0VNo1pofr +EdRPwdovDnPnK5DaSaelaODrQAb+NlNqzC2X8Q6XxebguEN2RRPkvhI5Z0bLOZei +BU5qRub7hk6scZy1t6jCXml34KyyHtFNhX+LYSuwTzeM0ENeqN6NhtAstGnGD63l +R0D/MwiXudXr8bshFDk9CsMeL901h7RIIrV/IaPZCGAF+puz//ri5FuFAMonb3IM +ScIekBHqh0HJ/1wd9CuHAp8VJZa6TDSKT8d1rs2pytaDYe0n5jnNQ9f/RM8n8nXr +NbNNsYXAwU96Bjs5jgSY6IflCLWLwHJ3wf5F7T2xuEvWUjMF4Q3NxB4HLxu12FSB +NQwAhlr0dq/zabgzK11ri1iRtsxqPQ2eZTIczyTUq18D7BS65rpziGQ/uq/EkUZB +oUpyRZ8OePzWmKr/pKMtHHHFXto2Zc98263fi4U2c0vph4SW95hG/80nR2l1c2Vw +cGUgU2NyaXZhbm8gPGdzY3JpdmFuQHJlZGhhdC5jb20+wsHBBBMBCgBrAhsDAh4B 
+AheABQsJCAcDBRUKCQgLBRYCAwEAFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAmNq +uy4yFIAAAAAAEAAZcHJvb2ZAYXJpYWRuZS5pZGRuczpzY3JpdmFuby5vcmc/dHlw +ZT1UWFQACgkQJj1t8uFj4epa5RAAvg2Y6TQXXpHyTO7kumZoAXUfsg5lCTfqkVjT +lDoH2FURsT54pKIfABjTfyUckgPjLsG51umBiy4Z1FNWdwr10ldYCpJkP3ecpISb +Sa6zdfkb9yuhzeSsd4DRH5b+2yVV4RMMHzshV2JzapYZfimbjy5DkFzAWipFucLR +ctJPChFV3IfZFUCHyV8Mc/r7feEESmX9b5/oeqb1bgUDijBe14BfM8YW5THHDWGN +XsxkpQEHU8YkR2R0dtgEg01sF/2fZyYBY8brOK2hkxLsVxgT6/KzGVEQ7IReF+U3 +lAtUkszOiQryT6W/b4XLWu7HOhZOI+W3Gf64a6SL3PTWhQyXxSVQN9Yh39g90y01 +xubiZRILWNnDDp1/PD7ACKWaP+gzjxy+7/kidKs1AHISJvARcvDkNzJRXIUterPA +GP+eKTcnkbX/gS3O7OKowluswhdktog+wdnnVzCEJLS6CPr6qxrL8ItK4doQcMTP +DYob5Ht8XRliMNfo8dr85d0rfpvYE2vfUATA+aTUZRUx8CGyb1lgJs8BH850BXYd +tTXtTuw19c3RHWZ5Ifrcw5NugLmGhv8Vqgj+Iwj+Y3fJsafPgOTNQbaovAKA7LDw +cnZPqb2jiUx88k9I/uMe1l8pzMMta12t25IrWAtqVvGU1D1E3O9kPe095h5DjjPS +YXHvySPCwXcEEwEKACECGwMCHgECF4AFAliwY4IFCwkIBwMFFQoJCAsFFgIDAQAA +CgkQJj1t8uFj4eoqWhAAvdQlRb9TjEOe1K2/SQGM1COQwg/9h7vQEFg4P5Okfb9p +gu5XYB8qU72UudNShA1ZAJ5beN9VjatD7l+e4T1YL8ZrnUvzQwnytsnHrJI+n+KO +GJH3jHi7Fms0vhl1KuOtiYTdiM2mJjA/0aE+e14FPBM7/1tbcVzmYy5CHZcOXcOf +gxu7tFO1PsUne4GVfInwV+k2O+6gQ+7mKgHF0IB1ic2t4ih5jcTeY1Zga+GToOtp +I89Stz0g6QTnu+03P1wbmLhw5sxgcD/AyrHhuOnYCmR58TJSmWHpClNneR8T1qIa +f1JWhPlXgCchAMPZRZLHGAg3q/zALJ1RHXytT2KZeVZ8DdOu3fkOt63r4aVNtOZY +RR8kKhuSJiWH8HnmqcW0/cujvt1ZAKXkBABhPABwv/3mK+JhItz+MJp4PWycqayA +PerVY+lM3MU+kDfQzHuAw7C+KX2NOxT4FjWmlW5kzOfBiQqPTEQCR/1pPRISYSE/ +AnVHx4qAGKQYg9LMopzY6CT4d3/N9RbEdRPfJKGEu174LcOGA8qF4jLtd3gJEna0 +PrucisT0WaW3tZwv8vxLsu1glUr23Uxgj5AAahQpTf6CRknuE6LGeSqepdFy0fIL +VGQFjWbpgYe40pvc9jBZ6YMn6f1bjT8iOToCtFcoAO6+30hsyixOkq9DUC3d/jrC +wXgEEwECACIFAlJtqAMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECY9 +bfLhY+HqwhYP/0mohSlKW+PZPV0JDFAq1y0a9RQVJrmwVluuXej7peq3v/st8JIA +lAkTa4nYP2Lz9s4rd6idlTip/TbrsPa8X+i5ZgowIRNjgM8PZy+sfaS4PKiYbyKA +RB2cyCJbmmI3gdnkr4ZnAfW21w2UR7i/UHFQViWRTmw7FYx+7Y8JRJ/3lom94PST +wuERhkqUM9qk2IPPWJ/MgziQ9YT9FhPbk8liIFednp/fIfLo/qdOypk+QmX/cEXv 
+5DuPhbwRfcJz8gDA8ePW4hxsH329Yrb7Sm5QnTlEmJDGXMooWDOtQMohIV6zvN8x +4m1tU61jKR8VnWHCkIDAqMNnCoGU8udqlChTDQx3Nwqzsej4u9hd3M9WxFmqiZ/Q +6VQ96wywpZGR9b8G27049d6Lri7Exw5DqBh/rQ2Wr8/x0qhcfdTu+rM1aDk1CV9Z +Qp+oF4Gi3Q72gLd10mN9PBer5tFl584IX3vp12M6GZ9bvOqcjWbGyDndWh5/BAVg +6+X2GPQqbRjVHyDEqPvuOVXcjk0jPD3iCx+2depdf6EjNW8Avv0VFPDn6q8IcV6j +5CK2mfBJ237WCarju1By0+WvBXfX2CTEomPm17iNs9yyCNJyH4tLIvYJhQHdFOkB +xUbAjIynI8aAPdKsIABMbHnQqMeDX+ZC+o7/ZjRg4r5ANEyVDJP3v23HwkYEEBEC +AAYFAlJtqCAACgkQB5GvjMAzY/QYogCgggEjL/hoLt0gUhRCQjVT6xlSB6UAoIua +r9cxqmL0uf4/4P5bP0063yiqwsFcBBABAgAGBQJSfkvMAAoJED75BSOzBK8I2gQP +/jepR0rfv2XiTzJhsxg18OoqVRsjxepNKKpyBTxXLU2f1OKRL06/+hcB80+t9fQN +GPuVehsepVzBY75KezfIoKPJzmAWeyKoZ/+u3QK6NCbHLGHeWKmo6QHn6OseruTO +hJ4ZRnP9aKyIxFJmTllxIsW4GbtshzJ8Tu/hYYze2Syzr+Qy7LX99sEdPqx9NJji +vdp9UWHiIJx3fy6PMuBSzvvAqfDxSl1bF0dapdNleofIfJpeq4DKpy54PAx2Gmne +L0z+aVssS/takIYwKKAsbXvrAWYP+VAylWHIAUjO4zMH0D+XAEiTq7wfINXwg7dA +aBDA9B5bQ/kCcKfwiRCgquurxIVjmrJcvZ7LgwDCxfqHfP0d5ZUcQTgOXc7rr66F +OyrclHlCa4wPYuvIKJch9fcjI6rPZjNnx2eeq465nWPbI/zloMXK4mD741e2gGB6 +R5sVrm2KBoOCu3se+m2pMLGccxuefe77eAezLoAjS/XJUsyvQObptW7rQsQXw5U+ +L4mKsFlb2VdGoEp9HvNp5ezrBckAZaxPrY7WwlcIwKwmfMCP3OZppgjOpvbo1+ZV +8x1QNdGMIbwaaqclwfRXLfWrKR9/unu5MFB5cAVVLU5zhngZ4X+uyXQjiPaB8lKA +ETP613zaJeogy0JU5TXzTLFoU3Gb/cvA9P1D7hg5ErUazSlHaXVzZXBwZSBTY3Jp +dmFubyA8Z2l1c2VwcGVAc2NyaXZhbm8ub3JnPsLBwQQTAQoAawIbAwULCQgHAwUV +CgkICwUWAgMBAAIeAQIXgBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJjarq8MhSA +AAAAABAAGXByb29mQGFyaWFkbmUuaWRkbnM6c2NyaXZhbm8ub3JnP3R5cGU9VFhU +AAoJECY9bfLhY+HqSxYP/ivpKr5ooW559K200oaxfj36i7RPWremItOIt80Csdx+ +bO9HjKD/c0GEobuRd1gnwxCaTITbhbn1GWuLO9z30UUB7o+BKaEHokfwxZffZF/9 +sJo44LF1IdfnLtv2cXJALYJRER/L7bCCSeGPmkSGMNoxhDBF6/DW3J+1qMRu4+EN +9A75CGSPke2A49smbbt3+dDMsA+WZlrB6nTbyPfGm5u4JBxhwuEs3feHt+U2U+7b +XpE+Le2aKqNQrmxab853tn3GsmlaFCthwwbkbDL/eLQmTfbBn1+uFEUdEtmYg2Dh +LJK/WlBcyuYfeXUr23p1cHyMkDy8V6TiP8QV6vplyYjUKJ/1jcj8ynjBbkf7Z9M2 +0DluT58/juKhNv4Tik2qavP37EOGMzreSid1XgnEJccsvOzDsundcIduUTjCzm/t 
+lDirdH+7W4PugUE5gdpJNoUp9UJqUDLFx/nwzteFaIxrON2L84aojbNHHA1Rc63D +tBEKsDIjDCf5+EEGOL5LO+tRhR/Of96hrjIfaLKTRUPoOZpYAKNN89QhAV3u1zJt +cur1jVQkmyLRqZDkOc57Ttc/R72/vVDuoHHWJkeXCBokvwvrA3wf8MZE6H3ztIM4 +jVNUROSFVM+6GMHXATpb3tTn0yokbKeaF9Ik5WZSNCnBCiNAt5+mnOqcPA4imVKJ +wsGOBBMBCgA4FiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGigkCGwMFCwkIBwMF +FQoJCAsFFgIDAQACHgECF4AACgkQJj1t8uFj4erK2w/+MS2DbFJBMMI45Q0spsww +NMI2HWRmKeqi3BKn3dOlute0Uv7YIXXwdh1os2kK2e0zU4jBSIKbTv/rBKnVu6iS +A6Cy0jsK+vBMxkI5y+994z6Nglzkw/HASm5TmkMuM92oDQ+fTxgGfEmEHKmzWPcR +7XaJrYO6NqQsV7RLSh/8hvfGw//YuPwfXx1MecL6QoRP9BBYTHDSY9gEFKTWTXNH +QXuQAoXMNuIxAav8iEDddsriH07lsVonHU8NYP7LB9WDwcWhVgaLCM13s3NLQfEw +RGu6SMHsShkZrv6tkiahsRozemoZT5iOgTBaXgvWNwWjaZDKagTBx7r6y0v2/sW/ +TX59ECJAGy4P+PAhvE6fjrZZvQL9ndkc64iDiem6MqnUk3ObiFTvc9pipch4mhXP +rqeohqDdt02ViVKNX5Oxjb/jFmvXGeEiMp0FD0EvrIOPAykUz3rw4jVvLov6zxfN +apzokaaMqEJ/Ln2i1Y/r2xd6cUqZzmxDO5tKtHafDIwuk7z9sGIWbbXSS6OL6nO3 +8lo4G6dFQMTil/S094SMOjMmLB0GXcegfsJhApwF2oR4f6CZa6BmUPeebYDTxjdL +La1OKAo7NN1SO8e6Y5z3psCr2Obn6edBEXwm3ewPDM3lUa4+pZJfIAzrwbdrcNmL ++X/tw8oNYOvpCjVDL7klizrCwXcEEwEKACECGwMCHgECF4AFAliwY34FCwkIBwMF +FQoJCAsFFgIDAQAACgkQJj1t8uFj4eph8BAAkv9zRz+2Xycw5tbC7vBJN8auPX3g +sKi9rsEcLI6jibHMyO55qHdTFuTGZx+eyFITFBcpBgNaGn5MHzACdd+pBfIShCED +uauGI6Fk12euBCmXZgl5Q7hFiGlvgGsrykmhlub+zYVun7SbISFBQi2kAZwNYN2v +SP9sNAx7ojQlrdkMQ8ZmRZT6GF2HGyuYkfiBLpBaqmWpQ/EbGMQMvsSMh1XyRNW+ +dppU742C6xLaAD9w7R7i0/RMEPScTIZE/lNHWHFJJXvByfQChcx+WS8kKNdZO65v ++k7x5YjTvz9DO4Wnl3tDhyFyFsbHpb/Rs+DSV/NxXz7c6OjmoiDf//wwv1LR5JAJ +Q7TzVUVrppRDnD+4nzWKbHpWW8iHdv4BaN+CRKDz6Qo4sNu56oyVpsvdM/gkrCaO +f7UHiJ3D7PSoWpOG4/k3ciqO8ija864UC2dDdk/koNCIof43yE376dm9FLEDJba6 +bPlcuCFODmjcWhn+sPqiLDicW9L3j56Cnvnkr9R6rI7pbn4Olr2NXHn0ydHj1jRk +CKumjvyOV/hilisvrS6/II7Mnu/CZxxaqWmUZJ1ir01YG4VTBrgRCgeCA4t9mfPC +uAPYEHGlQzYYNayBZiRe7VsIvdcJlcyDrNBhFpR6sfRWogvBH92/MaRFlwmFzFj3 +He4lhG9cI0Di/z/CwXgEEwECACIFAlVMzPQCGwMGCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJECY9bfLhY+HqfBQP/1Ai2d+uvqYK5ZpaYnWdl7hVZqJg3mJYeClM 
+0cVFk+PxSaLbF0W6UP8mWXi3QVuGVcNM2zKvAH//fRW71XHmgHeoG6aoB6doVswY +bINPlas+I1lLCznswSpSYGLf7J4c7Vpqpp5rfHZU9jG03J4dK5JRd7y2pAxK2jte +0CayHqUwZhNF6s41V1GiCPXlbG5j4u5nAAHkTwAXt+zzVr5ixGn7nSHnWcTBSK12 +UQyEqcbbn4WQRBCN6agvYpwHbnqVMuNz6rU/xX4tUncE5h1t2NOBSTvwaxT30Ox5 +nPwb4HnTxYW8d7zYl+2DtT0r/CAxZkOpHOKNFHswhniHnqC3tPqecWnY1/I/JKOv +o8G8QT43BLzJOKGxNQYlKOiw2+vyoYcBdEC77RGrks6RA3KDuxPETubIPPLac1pF +1VEHtOg0tCXz4YwvB5hvqbBBbrf2fVpkSpxtZs+zbqctr4/xOnNWt+fpvTkND9/A +tTs4dDmJxSQjep/USCkJzyoszVTiA6gwNRRiQdmlVedcIC1lMCQCsWmYGgprqJoY +cqHNHmQVYGPWO0FHyC2My4gWtBpYBoVjZ1x32/O6PRZMt72jjZbUky5bxJPA3eUd +mJVydHnKINUHV790hhJw/Vq6y53ljQpOA7fXmk9UzkEL/nuxb6EV9TJWDIo0RPe4 +lvUqcUw0wkYEEBEKAAYFAlsjsbwACgkQB5GvjMAzY/RrgQCfT7KZtNV7n0lejq6o +j5veQ0RrKVMAnjEidiLYNaofkkbpaNbEzLlmGyS6zsBNBFw2Y2IBCADCyrHataR3 +kdV4as+atq34rBvmYO+7+PXuhel+I3medGaDzRoekAT5y1ujvwSuj+BBaKCZ2WbO +N0u4iPUSfd6U6sKONa899VXAh+9NXjsas97HMUA8F59Yxis8e7G+HpLJx8e0+ws7 +TN1o6zr0ISNuXN/QpkclP7aJDWw6ec9MbQZjdLlMxTDMUHq3leUfngAX+8HC72ec +p+Ex59rAPtYSHE9vGKo/V3gN5GwshZQg2pWHPT9AkUEHkU5BSr4H6YHkb1rAfetv +JLm6PHtwVnsWyg0v46uQFjgj/F1ooDhLxKt2IqdZy2Q/dS25RDDW0K8OIf4D6sBb +4/ipnuP7kvMbABEBAAHCwqwEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUC +XDZjYgIbAgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBK9g/KPNqm3q0VfqOmfjj3qL +ohdyBQJcNmNiAAoJEGfjj3qLohdylogH/jFk4H5UpC03Kn5VinrtETpgHOVterbf +9+D28ApnVHk6x5WhJDzeWTF+Y0LVLycN49/3kOUL6nK5twym+7jYVmfn/OCRLNQm ++Pt5MpISlSCrc8sMT7f6+2h5eCVKF0YQ2a/PdZmb7AtXtiaqErEBbeMU23lyK78E +V7pOUq2LS8jTb5FmHIAs+KJHm7CZH8wmh6OcpDQyPjqXsvSUHvI5yKWP6M5xCJgI +Jb0McdBTBhP21qXkcrcQTtZuVFIoqCjVeNmegzwJKG3gtMfrDw8URLGXHRLzlW34 +LHUfuNCLB8OxP+mgIw0OmRfNLqdh3ewAQnkUmJHvizeomAJtVfOJv/cHvRAAoZql +PwsPCUapLLI5EFeYkqr64ugJjT0fp4E2MVHjf6Dep2EKSrW7RojVP0he2eTfevDi +HJwrOGRgfEggb2lKMPIjjDl4XNHfArzfpOtrxya2ycm/5wPu1Xq+jEzwAnAFzBHU +I5lFVRGWmQXuS8F+Imz8Lln8B0BcJehSMqWhKOChOKXcQ4modjyrzpgN116VwQqD +7FU/+4CNOAabaoVBYC47Ha9qOgC6wrCDD/lmLXaKWfTY5vCqbxBKgsAz38jjmwHB +u2NuCmc1Ojfe00gRMgO4Z4ZeCPBGexMCxz1o2WryJTwSVyLvbamDW6gLMM3HGCRP 
+gEB1iRz5fGMqlM60t8ptlwpHPZSzoTVzOEUkBjLgsnUsIPGF8b+qzqfdqALZ0I7m +0iqvVnlkfuFW7UCRsfViCjZQRV5TjpyIGfFmeyeVZbd1e2SedaT97H6+j7qqPQts +1mc9evSvgxcbhCABs0nM/iVOOC6gsRNYyDTuZGAo/NYpCp/aVbpT6ywBsHiRtqly +T0x9cDD1iGqgPqQknA/Hxar9zgjTmVc7whv/wR7HcM3cpLX4HZJJCj0q47e8N/FO +YyfPfjpr0vFs2Vm/8P04YvjCPsjS4EXeTyWsHgNgLz3YZBtG7UR4ZbUFSPTkcWj9 +cXTK/Wxrqrz/3/pTkjP5+DBR8zCiek8ibIp6/8POwE0EW50EYgEIAOFJvfHksz6p +1nPpIJZFB8auV4vGH09xjOSb8vSaJtlcFd/Hcm+97hm25Nw+Kz/hibmpOndb8EIw +Iyr9VUmo2BvWNRteYQYuIqv8VYSgdTuy5oZnYOw/BpQQHJW056BhCYqUbrqOIa9u +Q5X48zvvzQpW24pRt6sYv4/1Hw/jr9u68oxPL6nDcX2QQhtOH2AYLNAG9LoXEcFa +C034yisd7ARJjg1F85MJZPDNLhcIUkZNaeL9RfzVgC6wEtwyIj4CLtqnjvTSnlsk +ZfAWSM+xU7NV9UIpXanX7dly5IrCFiay8vUGajU+hkbGQultMsQ+IKXXFQHgwLMm +f5F9EcQ/+RkAEQEAAcLBdgQYAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJb +nQRiAhsMAAoJECY9bfLhY+HqzkUP/jGNn7aizhy/j4aHJE/45ZGsOzCYDO7zGVvP +Yn78ekIOlrDYma89eRyJkDEbKO0BkEpqYbiE4UyvI+QCEeT5a8usF9DayXW0D25z +r5hsjBD9KJHxPYzJt619Py5MgGZmQU6snvp7qr+TfJM3c8Les4MU8Dk6eHHa3MrV +INDcF2Y1kb9FeHeNgjjyOUjbYOHw8C4c6vNE4Zip6jzC13NODLVbn5UPRXrbmKWI +oDE8zNljbRWHvB2AvKl/YaiRLq4XsGnIUMlIZzU3Wq21/VX4+CVJCBe5Fu/EPpry +JnWe4ONX6105wvoyBpZ5Yw6hZk6Qfkt7fye4Qo1xlT8oTai6q+GkXr7jwGP2sD5v +9hVpihPC3y3zQtlLwqgdgyTI5OPGObpDf5Y/9Z+57yPtT312yW8YP9gQf/AXLJn3 +EcpQIGENFh7gTBzwushRbXQPgXkmqi34U/KLkWYjkX+vNR+cyKg6OJLizFzgX3Iy +p9xW5XRqu7dIlgFOtHhYIgkQz1x5QkYQZpjN53lldXxLqVXeOlapdFUa64nsukJo +1H9aJj9jlx0hwGY3UqhsDE/oHaiZqIi1LMnQzz4apWs3PX9FlmV2xQv/BysEnE7J +5Oi6xpNXvj95k1p0usb9ZzoGEPD0xPR7HtaQcbZlMIG4B3xgvmudzCJ7g93r0925 +9Ozl2AsYzsBNBFsGtRcBCADEld1p2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRda +WV8gIdtC3q9Eg4Bpd7wUczNsCYWkiGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDg +iU+j1LsPmi4u0oIHg/hOCuFyLoWCkJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4 +JjLxpLvkXpWQGKJF21s9GulRUP3E30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfp +IQX/6z+NlSkNigubD9jbTvMuY2zbZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mY +QUbmYQfB/aX60TMYQt3UBivggU15u6mdrGo1bedCLvDhABEBAAHCwqwEGAEKACAW +IQSsQEwcC/c1xj/01WImPW3y4WPh6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZ 
+AQoAHRYhBAJ/O9WFlMoYG7XsUORzD5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH +/1fxABg0deOflZE8SS9VTR0BiM6IIOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW +/OHJ70nmdhVgNM1IAjZAO6NjeCaAaJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HG +zBMvZ5UITPz5NylUBh1s1PQoZKuB8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO +2R0i3s4WalF4PeSMqvrL5wgrEAw7hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0J +Ud15kgtd/D2zN1ekzrEoARwuaPnTOmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPA +A5j8QwZmPkdlUGdWoo+t1k34GQ/+MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5E +ysBfYMcLWAMecYzp/3Oj6LTRFisBnWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggW +O9oCrkt4djhSMrCXOuEKHyarnf+EsLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDia +weoTqdWhUnb/9rFNFUuR9s2ij2u1TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuV +vxtDokOT3P+st5YCHI0fr56MykhsTUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW ++qly8UiDFMA4DBR+K+V9/VdeDYjKB9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBj +Gn2sqBVP46YoC/dxH7GFYusLSYofQhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74 +JXlJkaX3wezGScakX/shP2KbmvB3cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAh +J48a5YTLnG8aqJSGI7dCDbMUcPTRuDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9 +hs+74oeNHb0QHEPAxfls58gAHRzhZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5 +WtOuuJxV6UmeQLTPD721jlBPpALOTicKph3axybnW2w/zw0hEH9NOJIFePftgE42 +SLolicHOwE0EWwaY+AEIAK+RSbW/yR8qK5GvRqLWAKU9Si30ZaA1PWJgA0dEhFsQ +h5Ba7kOoB8s/Q/crSlJGyU33fU1UqCLZ6EZ55Uprh+viXi3f0t7K1fEJLIueKZ7D +dJD1vANHHkAp/vI/Xf+/oEfhjvh9QbroItMuiq/TT/Uyqj/4u+JZsa2tLRDy8MhS +WJ2VWqM9IXDA6HUw7xXuli+0wYTkOmS6G0lMZuJwNQSUAXt7cZ2ATcd4saDajjWJ +0o+/L42yhPHgUiBXVID5wlX3NL8jigqjYOzxY1UxVezCmXzo1hzZEkvrFOvkQHZd +yGdcGQ6x/X+lU7xb+iLq3YK8vZPBJXeoba+0RNJjQ6MAEQEAAcLBdgQYAQoAIBYh +BKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpj4AhsgAAoJECY9bfLhY+Hq1fQP/2JB +9FSCIQ9Td21K98P9/3cXwAkbiyjPkUSYfarRqb4VXrpiMbTzJZeSxvywm1ByqGw/ +j9NUgZAroEQtIiC9QLVJJa/kqF+qXAeSQVX8NzDY5gONcwvkm9s3vt9izCxSzfqe +15YCKjZLWDdquAlDMe06DJdS1KY55/yGwwaOPmz2TkiApszQEf24+E+QII6sYV/+ +oiyR3bTs5JxjdRnCUp23Jyh493Zm9ANDqreDSywNv7q9+0PMmUnmUWDdNNqrboAa +wsR6fVCFp57Eyha9zEV6e/P8WMWVRkdhvd/QeUGJLnoZL4mqsQiRgJyjlaB+1zY4 +giowwl9w4vjK9QDmX2s8HvoR6i30dy5Zy7Tk7tLerlDG4opjEGh4oZl3C1qNsVFB 
+u1obkRzKk6UtAYW7+bKfFuKgKL54tXhuyClR+gMMInN+88mh/DVDGhfBKa/vlweg +NUFXb/uBKMO37R4PM+ao+6aupRA2i22K9X1DmMyQpk9VDDub9B5jBlIQ8HRE4wR8 +W6/xAAEE9MTv4UNFEDEB4Y9uqe7XnCcNBTLEu3IjNaYckk7X/qsia5ztVVpIsXnO +bSpbh8KOzzHqM1bPHLEp1RYSTPy1q1VMwhyRTz0bRdWOFsXU7A7F+yVAT/WbMorK +Jj63H3JJ+v35nXZSzixkx1x1eNdW3bUT0ZSZ5TUczsFNBFJtp1EBEADJ/d/waJe9 +hlvi4RBfGpige5p1AKwHCOeep5oTqgKmBOvNlgV/g6PKhiV4sH/VEWnsl5jg9e2L +AfjpMUBYr3yfRtMu/ruDAavVvKjUQwHuogXtVreXiL/m2HNyDq8ed52h/RZ2O8Q3 +rPeiahMSZ3FgwMWTrbqDRwVM9gL4dC8aj7YlUSNIN40Vmv0sp8BXS9TToxYdqB1F +DXrp6DQEWSvdKGQ64VFPlw7T+1eh3vfC/mTg62eu+QhAvTt1OFM7sELGER1jG9GT +byThDQyfOA+scgGn2X4tRSr9OCmpZXh3wqJ/UiZiK29aBmPU+m2oCtXzsnUiupL0 +OO+Na6Vb3RUplhSkeMfcYkHQ79NHJ9px3MleZwdt7ojFbD7zXZoCj8FPm7Pm/oFo +F17XOqLSQeqGjEQz87y2NtKt5/zM7SAgG08xuuH+6Tzhcr/IDmcj1Ch1yEVEwVUs +EY9tQwArSgQbI74CDyt0Ex66omgavcbDUotsXaT/ZacBoIdRNsTvSO3X2uLiMxs4 +DCxbTDsGWqNTyq8qUa16RXUkaAzsyhW11sy9YkOYyTyat4et0w/o7ima0sAYjon9 +89m2gPRnncEpCWkUP8C6ujw3ae77KtOgOIL+dlZESU5qpGaNdNBw9hhkLq+sg1LJ +w3sCVvjORoEufVEoVlQjqOsHuyKRqbAAJwARAQABwsFfBBgBAgAJBQJSbadRAhsM +AAoJECY9bfLhY+HqAewP/0tTNtq9iUHLlLERkeppm9OXOkcKXZn5i1NcPpSTRrUV ++U7C5BnV4APRT7kes9mHiSgnRuhTKZh/FPBF3rdPv//GNzgac1IeMlmZPPVCg68R +1QOraJh/IOeTrTVH48zg0xC/U3vhibKm8FfVY6fdvI/76gPoC7XSA8DpkS3529Ly +YJYAy09g3OELQKgZ4L7t2hQumFy675psknwqc5sDGRYKFcxbAhgFSFi32B4aLsfK +vPtW2DvfnBkXYM0+5sKI7kjmKydJbqKPeYQ2npXwz1Bw+x5qagr8FPGaWAcd5x8V +3ychdWVrhfyU0puA14GGrxtEQ+BWko4SgwlDfD/+ojd4/6Jxtm07Pw4Nv8hcNPRl +1yYh9Qe1OT+2X+yIPtLZ+18CG1ATnLBirxsAjLYhn+gSNALDCunmmqzmJrQKYboD +ttgOl9A22tb/08fXa3RCbEg74ohPi7uFncA8TdQK+y8n0Pk87JxjbHTMsvcxQBWt +2NlqmupDnFQNLCv9dxARUB1lznrN2dXfprTLIDjE8CYBYnDah0gMmPIXhIAubqfz +o6P+bfCMdyR298fguSZjLgXcDFOcVrNqx5EY/pfnqB1usZQTWgr6CKG4F5Hzvgng +fU+zYExi0PGH+KR6rgDyh5QRPpx9eD28X5AOj8oblNabDhgQ7u8fMvydOTrhku1+ +zsBNBFsGmc8BCACzDYoyyPwY8bbd3QDgvxaxqX0XpRs3eZ5p226AQKhoFpKwbpKW +qhv5i4eCzLX1sKvS+Ofk3YRaeABBa7R9g7x6R/CyFdxBkauZleSpdzzCKZ1AMoeG +wlZHj8XD9bnDOfecVFa5gUVWyWFGNPXs4JRXvaX0okxwZ2+K5QOAe2vxpWELKfdS 
+WXYwAVoJMNffr9bQ+aPbpdbx0UGCfloYwmV19Firiz1PAzvJYEAVslvr1fCQexUB +UkmppKlXzmG0gasMy9K7YxX5rI6DK7jUohj5/N7K3v1IUPqXKrpAPmGEAOgS49pQ +scMmH8ZBenqFFo6rScut1pIWEvjcX2GmWHNVABEBAAHCwXYEKAEKACAWIQSsQEwc +C/c1xj/01WImPW3y4WPh6gUCW47qCQIdAQAKCRAmPW3y4WPh6lDlEACmYygTs76r +SOwsHZ2YLH3bluq1sIELcnNZfm0ZkYj5mTKkuU46/IfOQe2kDL5rN7GmRprIB79m +myFadgTmfkb+9u5/o0dUwbUsZwBRr/EL6gcuGY4mvwjPC6xNX0CVCvMha4xR4e+W +bC71hHTZXzvWuyRMNjr0w3dhW66FY5kRtl3qhqsWhmmw3lvneNNHJi46wTY79oYN +IEd98daos52HbV4wt22hbx6/D0GkrKaoc57ZrWY4jr5R1OAiOyGFguJZ6LiwD7q5 +TWEK06ixbhsU/nxCyCIZRcbgRe71fy9vUscZL0Iz7OXMxKxDlaKmEfQ0zdmkHApf +9610DcwTQcwT3cvUsLJ9sC7d3mRb8oUqkHJi25efxEHnYBHoz9XxuX5lITTo6bxW +CobBw5/e/+aDGMuBGfaBOkwj/F0Drej6MB3aupxHSj96bgrqH7+42cSIGPqd5iLi +/UOL4hu3KlQDOKl2ygBNEcN9+42G9r0B8TaUHBiQCleHQBYVhuzExVei7hlx3sPb +5vx/u+arTJ9ZCoVZjsUubJYe4j3bkZwXMRETqnQ/MYSlsMqH3qzpEWdLbFrRdbj7 +L8v9Mtp2pBjlbiKCBiPV7gWy1h3+boSOj0WNZ5kSOQEm7n2RIIPsQpC6cc/0Htt2 +pTvPlJeDPOQ6bEmZzHQ5n24vEw119NhNgMLCsgQYAQoAJhYhBKxATBwL9zXGP/TV +YiY9bfLhY+HqAhsuBQJbjum2BQkAiaFJAUDAdCAEGQEKAB0WIQTz0Ti6kOYcPK7n +Aba3JfP9vazURgUCWwaZzwAKCRC3JfP9vazURvneCACeIFcjkWw7YCSV2W7llvoC +Qr+v4m4S3gRNe/hkOnbwKwUuCQRoa8RcVQp3tgPQBDePaOUxZSR9Fwr24mXob0Dq +EAn2GYtgWbsrNG2CqlLxXQGwZvdFlde+7N6aLwBz+EPGF4iAEmLq1lu2mFvtZd94 +ygRVsHxXEnFMcAaoQKCaUjQKmpEpm6n+9hTTnJb5OumT6kLvtDgc47TafVfz1R3m +eqS3iDGKW/cOZolxj23di3aIqy6gnsKYY0LaH9jXqlD/P2vSi4TYe/PrtMCgqQ4l +LbYgT+49aLanll7Ypk99zX6aOHD7ywBvEkcehlNX4+e9I+dfy/X1o+nXuMzYNPM+ +CRAmPW3y4WPh6qgVD/45y25gzNhSUKuaLACRJxDYOFqQe6GoKa7PXvYhtPoqWgkZ +glzmBQsQMlFxiVWrVqR9S44pBrlaxxPkcNTBthonH9TliUSA1M3PMfDZ2UlqrfFW +pLjNEXCYyAKLLAH/zqy8zrGPNzKXDpD6eq/NueopNG6T2HqDnaabA5g/Zuut9DX1 +E8neRupq73Ftcfzk4MWY00vtS0GvNbmI30CN/WYlvyiKA7P22FOYXm6VWA0qrnPv +12qSb9k4ZT2Mxro5xEHv7Inc6J6syURUcHlsKRbIwYlvDgsN+IVoV0TLeJObrGs8 +ck6vRWz3tNlWiaX5Lr4gBTT+ooMm/Box1LZC6gu1ROjwco1c3YnEqNdeRTZts971 +UDRXK3ZvaqeFYNYvDqlOuoczruk4H8BbqXY+Gy/VuMrPcJuCd61Tdjb+EbaZ+V1M +DolsRlvwjtx4WgSC6DhFbp8iB79g/0IPNMzTdccmDW0wttAwaLjBSDWh4iT3GUYa 
+N5gXPVdVN3C7A1bpzM7hF5pGT/GvOnza0IJ8ssbVx0N9H5/svTPtbpukryciTCbK +x0HstWr0RCngzGhv5Bx97ZrCxgCGYc+i51oQWvyIfaKWDI7Ha46maBbDK3u/ZkQk +z79FpIAZCLhHfFi76yeyN4IbLXJfHIUzV75nukAVwnd2JBluGk+of/ZqzIwyuMLC +rAQYAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpnPAhsuAUAJECY9bfLh +Y+HqwHQgBBkBCgAdFiEE89E4upDmHDyu5wG2tyXz/b2s1EYFAlsGmc8ACgkQtyXz +/b2s1Eb53ggAniBXI5FsO2Akldlu5Zb6AkK/r+JuEt4ETXv4ZDp28CsFLgkEaGvE +XFUKd7YD0AQ3j2jlMWUkfRcK9uJl6G9A6hAJ9hmLYFm7KzRtgqpS8V0BsGb3RZXX +vuzemi8Ac/hDxheIgBJi6tZbtphb7WXfeMoEVbB8VxJxTHAGqECgmlI0CpqRKZup +/vYU05yW+Trpk+pC77Q4HOO02n1X89Ud5nqkt4gxilv3DmaJcY9t3Yt2iKsuoJ7C +mGNC2h/Y16pQ/z9r0ouE2Hvz67TAoKkOJS22IE/uPWi2p5Ze2KZPfc1+mjhw+8sA +bxJHHoZTV+PnvSPnX8v19aPp17jM2DTzPtKREACAd7ki0iZPBfPLgm9sQPxyZ7Lp +AX/iJHKswgNPYokKkehxPzGe7Lk2oZXRH2rl8fnEBnU8xKkBJmR2tMl08zXXrrRD +tA6ZoGiykequS2DVgRxhjHPe/XileyLMXRqY70DZFSKkghI8SwReKdg9tNq73c2Z +9GAiic4JXhdgLi+C6x36fI6vuQ+W8X4ZxFOVyYLHkT1PnQty6s03qsVFHoz9j91F ++BCyDdPNhCJ0RAz3XQXSPwsRSIGWfC2B3+jBRt1Kgn+9o+WOlHWSMMTOw031jhdz +yS3A1OvUPT/wtO6cxs/r7UCTuG/4HxGGhi4VeOCFMf0bH+iGBh83cykKAXnUnHnI +nwUU2cRRvZjInoXTcaGdmt5zp0WwzBHmpyLmQLfey43sVYBoJvLSbzYsb94F6cbO +3c60YdNbXfx30pzVJbAn4yzq7I4KreT6O8yOnLbZXIn2tZL513l+Lp4zbqo70Xxt +U/j4JVI/cNEpIT8I6JKw+N4zCXVW44Wf5GRHnSNs3grf95xzyBvIXMxBXkeKhJbz +GOS1k+b9l3xEALIt1rULmGLhZBd8R9x7/z6g4iPg0GS+6R80Utd5RHl1z3/gMDtw +seSZF9RHRRfv9ZsQOGCNDAt+5yNL22IE87NXOCzgX0CIBSAKhqAC2wLXFSf4JyDH +CnbTKmjTJGwZmHRnrw== +=yIJv +-----END PGP PUBLIC KEY BLOCK----- diff --git a/crun.spec b/crun.spec new file mode 100644 index 0000000..72153e5 --- /dev/null +++ b/crun.spec 
@@ -0,0 +1,107 @@
+#
+# spec file for package crun
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%ifarch x86_64 aarch64
+%if 0%{?suse_version} >= 1600
+%define with_wasmedge 1
+%else
+%define with_wasmedge 0
+%endif
+%else
+%define with_wasmedge 0
+%endif
+
+Name: crun
+Version: 1.17
+Release: 0
+Summary: OCI runtime written in C
+License: GPL-2.0-or-later
+URL: https://github.com/containers/crun
+Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xac404c1c0bf735c63ff4d562263d6df2e163e1ea#/%{name}.keyring
+# We always run autogen.sh
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: gettext
+BuildRequires: glibc-devel-static
+BuildRequires: go-md2man
+BuildRequires: libcap-devel
+BuildRequires: libprotobuf-c-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libtool
+BuildRequires: libyajl-devel
+BuildRequires: make
+BuildRequires: python3
+BuildRequires: python3-libmount
+BuildRequires: systemd-devel
+%ifnarch %{ix86}
+BuildRequires: criu-devel >= 3.15
+%endif
+%ifarch x86_64 aarch64
+BuildRequires: libkrun-devel
+Requires: libkrun1
+%endif
+%if %with_wasmedge
+BuildRequires: wasmedge-devel
+%endif
+
+%description
+crun is a runtime for running OCI containers. It is built with libkrun support
+
+%prep
+%autosetup -p1
+
+%build
+%ifarch x86_64 aarch64
+export LIBKRUN="--with-libkrun"
+%endif
+%if %with_wasmedge
+export WASMEDGE="--with-wasmedge"
+%endif
+
+./autogen.sh
+%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp'
+%make_build
+
+# TODO:
+# - it would be nice to enable the test-suite, but seems to behave (and fail!)
+# differently when run inside of an OBS worker, with respect to when it's
+# run manually on the host... Need to investigate more.
+#%%dnl %%check
+#make test-suite.log
+
+%install
+%make_install
+rm -rf %{buildroot}/%{_libdir}/lib*
+
+%files
+%license COPYING
+%doc README.md
+%doc SECURITY.md
+%{_bindir}/%{name}
+%ifarch x86_64 aarch64
+%{_bindir}/krun
+%endif
+%if %with_wasmedge
+%{_bindir}/crun-wasm
+%endif
+%{_mandir}/man1/*
+
+%changelog
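Review bot: Nothing in `%prep` checks `Source1` against `Source2`: the section is only `%autosetup -p1`, so as far as this spec shows, the detached signature and `crun.keyring` are shipped but not used during the build. If the check is meant to happen in the build service's source validation, which this diff does not show, a comment above `Source2` should say so, e.g. `# Source1 is verified against this keyring outside the spec; the key is fetched by its full fingerprint`. The `%check` section is still commented out under the TODO, so a signature check and the test suite are both absent from what the spec itself runs.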