pool/crun
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 969577 from home:dfaggioli:Virtualization

Browse Source 
- It'd be nice to run the test suite with %check. It however, still
  does not work properly inside OBS workers. Add it commented (and
  explain it in a comment)
- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
  see: https://github.com/containers/crun/releases
  * 1.4.4
    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
    Resolve symlinks in bind mounts when creating a user namespace.
    Fix CVE-2022-27650: exec does not set inheritable capabilities.
  * 1.4.3
    cgroup: avoid potential infinite loop when deleting a cgroup.
    support additional options for idmap mounts.
    open the source for a bind mount in the host.
  * 1.4.2
    CRIU: add pre-dump support.
    Fix running with a read-only /dev.
    Ignore EROFS when chowning standard stream files.
    Add validation for sysctls before applying them.
  * 1.4.1
    Fix check for an invalid path.
    Allow deleting a container while in created state.
    cgroup: do not set cpu limits if number of shares is set to 0.
  * 1.4
    wasm: support for running on kubernetes with containerd.
    linux: add support for recursive mount options.
    add support for idmapped mounts through a new mount option "idmap".
    linux: improve detection of /dev target.
    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
    retry the openat2 syscall if it fails with EAGAIN.
    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
    on new kernels, use setns with pidfd.
    attempt the chdir again with the specified user if it failed before changing credentials.
  * 1.3
    add support to natively build and run WebAssembly workload and WebAssembly containers.
    allow to specify sub-cgroup for exec.
    chown std streams if they are not a TTY.
    attach the correct streams if the container is suspended and restored multiple times.
    fix race condition when enabling controllers on cgroup v2.
  * 1.2
    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
    criu: add support for external ipc, uts and time namespaces.
  * 1.1
    cgroup: use cgroup.kill when available.
    exec: refuse to exec in a paused container/cgroup.
    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
    criu: Add support for external PID namespace.
    criu: fix save of external descriptors.
    utils: retry openat2 on EAGAIN.
  * 1.0
    cgroup: chown the current container cgroup to root in the container.
    linux: treat pidfd_open failures EINVAL as ESRCH.
    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
    Makefile.am: fix link error when using directly libcrun.
    Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies

OBS-URL: https://build.opensuse.org/request/show/969577
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=11
This commit is contained in:
Dario Faggioli 2022-04-12 22:04:19 +00:00 committed by Git OBS Bridge
parent 95f9d78cf4
commit e4da896bdb
4 changed files with 80 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crun-0.21.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:018c805c88a15cbd8341d00badd00c92de256bc585c46336be78f1ff9a5a3cf2
size 1878109

3
crun-1.4.4.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:49eeb7ed921428f06094ab02233bb2f95ddfc4bf59a40bcabe8a2823085a0c12
size 1962130

65
crun.changes
View File

@ -1,3 +1,68 @@
-------------------------------------------------------------------
Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- It'd be nice to run the test suite with %check. It however, still
does not work properly inside OBS workers. Add it commented and
explain it
-------------------------------------------------------------------
Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
see: https://github.com/containers/crun/releases
* 1.4.4
wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
Resolve symlinks in bind mounts when creating a user namespace.
Fix CVE-2022-27650: exec does not set inheritable capabilities.
* 1.4.3
cgroup: avoid potential infinite loop when deleting a cgroup.
support additional options for idmap mounts.
open the source for a bind mount in the host.
* 1.4.2
CRIU: add pre-dump support.
Fix running with a read-only /dev.
Ignore EROFS when chowning standard stream files.
Add validation for sysctls before applying them.
* 1.4.1
Fix check for an invalid path.
Allow deleting a container while in created state.
cgroup: do not set cpu limits if number of shares is set to 0.
* 1.4
wasm: support for running on kubernetes with containerd.
linux: add support for recursive mount options.
add support for idmapped mounts through a new mount option "idmap".
linux: improve detection of /dev target.
now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
retry the openat2 syscall if it fails with EAGAIN.
cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
on new kernels, use setns with pidfd.
attempt the chdir again with the specified user if it failed before changing credentials.
* 1.3
add support to natively build and run WebAssembly workload and WebAssembly containers.
allow to specify sub-cgroup for exec.
chown std streams if they are not a TTY.
attach the correct streams if the container is suspended and restored multiple times.
fix race condition when enabling controllers on cgroup v2.
* 1.2
exec: fix regression in 1.1 where containers are being wrongly reported as paused.
criu: add support for external ipc, uts and time namespaces.
* 1.1
cgroup: use cgroup.kill when available.
exec: refuse to exec in a paused container/cgroup.
container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
criu: Add support for external PID namespace.
criu: fix save of external descriptors.
utils: retry openat2 on EAGAIN.
* 1.0
cgroup: chown the current container cgroup to root in the container.
linux: treat pidfd_open failures EINVAL as ESRCH.
cgroup: add support for setting memory.use_hierarchy on cgroup v1.
Makefile.am: fix link error when using directly libcrun.
Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com> Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

17
crun.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package crun # spec file for package crun
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -19,7 +19,7 @@
Summary: OCI runtime written in C Summary: OCI runtime written in C
License: GPL-2.0-or-later License: GPL-2.0-or-later
Name: crun Name: crun
Version: 0.21 Version: 1.4.4
Release: 0 Release: 0
Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
URL: https://github.com/containers/crun URL: https://github.com/containers/crun
@ -27,16 +27,16 @@ URL: https://github.com/containers/crun
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: gcc BuildRequires: gcc
BuildRequires: git-core BuildRequires: gettext
BuildRequires: glibc-devel-static BuildRequires: glibc-devel-static
BuildRequires: go-md2man BuildRequires: go-md2man
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: libprotobuf-c-devel BuildRequires: libprotobuf-c-devel
BuildRequires: libseccomp-devel BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libyajl-devel BuildRequires: libyajl-devel
BuildRequires: python BuildRequires: make
BuildRequires: python3
BuildRequires: python3-libmount BuildRequires: python3-libmount
BuildRequires: systemd-devel BuildRequires: systemd-devel
%ifnarch %ix86 %ifnarch %ix86
@ -61,6 +61,13 @@ export LIBKRUN="--with-libkrun"
%configure --disable-silent-rules $LIBKRUN CFLAGS='-I /usr/include/libseccomp' %configure --disable-silent-rules $LIBKRUN CFLAGS='-I /usr/include/libseccomp'
%make_build %make_build
# TODO:
# - it would be nice to enable the test-suite, but seems to behave (and fail!)
# differently when run inside of an OBS worker, with respect to when it's
# run manually on the host... Need to investigate more.
#%check
#make test-suite.log
%install %install
%make_install %make_install
rm -rf %{buildroot}/%{_libdir}/lib* rm -rf %{buildroot}/%{_libdir}/lib*