commit f0854d0f7bfb724d603f2a32dd4c54f53d62165111bf508d2ead883bcea637cf Author: Aleksa Sarai Date: Tue Dec 10 06:18:51 2024 +0000 - Update crun.keyring to point to primary key. The original packaging of crun.keyring used the subkey 0xAF60FCA3CDAA6DEAD157EA3A67E38F7A8BA21772 as the key to verify against, rather than the primary key 0xAC404C1C0BF735C63FF4D562263D6DF2E163E1EA. If/when upstream rotates their signing keys, the old key verification would start to fail. OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=55 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/crun-1.15.tar.gz b/crun-1.15.tar.gz new file mode 100644 index 0000000..c2343ac --- /dev/null +++ b/crun-1.15.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a03ba1e58b8823ae77d010024b43bd94c5a99f7d652257b1b23abd2d2cdb087f +size 1756886 diff --git a/crun-1.15.tar.gz.asc b/crun-1.15.tar.gz.asc new file mode 100644 index 0000000..65bf7c8 --- /dev/null +++ b/crun-1.15.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui +F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc +gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n +wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ +U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC +fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S +R4c3fkxsV7PNXt6sNx+J8UAGntztBA== +=pgGE +-----END PGP SIGNATURE----- diff --git a/crun-1.16.1.tar.gz b/crun-1.16.1.tar.gz new file mode 100644 index 0000000..c7bc124 --- /dev/null +++ b/crun-1.16.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:70548de4874f0c9e7e1e080ff092e23f8fcc772a23261ee26e26d79f24df289e +size 1760357 diff --git a/crun-1.16.1.tar.gz.asc b/crun-1.16.1.tar.gz.asc new file mode 100644 index 0000000..e85118b --- /dev/null +++ b/crun-1.16.1.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAma7dj0ACgkQZ+OPeoui +F3LNNwgAidlpoqDuVBqh9ykjXfA0fnZ58NpWlU2wuHTk1zt+3vgTuFNGKmSimEZI +c8mcgjq3nvTTmCBWr6Qikh5neSCerJJ+eprvmRQwHHuJj1sPoM/KhmVVc4pfLhQF +B9MQxKrWf635TRh9r5V8kpx0K43ffL7ZVVNJ6Iumm4G1MOaEqpSZYSkgXMePFTGB +kRh9zaHJ66m50i7ctokyfI1Y07hexviDXOhJi5znA0Y2GBSoiZLQcY8hwB7xg/m1 +vd9vI9CHA2E05dWE/Zuz9v/1YRH+hb1fRpnJP6LQPYjlUM/CnmMEDE6yJjQYwDQU +Gu6uuqxH3nXMPJzv0MFpznEva5eLGQ== +=++ex +-----END PGP SIGNATURE----- diff --git a/crun-1.17.tar.gz b/crun-1.17.tar.gz new file mode 100644 index 0000000..2c7598e --- /dev/null +++ b/crun-1.17.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b766609814c0b0a3c0d2d235af1b061bd71da1aa2e8bb181d66e89f1b9a4e874 +size 1773153 diff --git a/crun-1.17.tar.gz.asc b/crun-1.17.tar.gz.asc new file mode 100644 index 0000000..e55cc35 --- /dev/null +++ b/crun-1.17.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmbe+kIACgkQZ+OPeoui +F3Kr8Af+Lr1TLt/nDA6Dgjo55pQScbgAa7nq1iM2yZEQpq2WwpXvj6M15pZ3vWAj +kzeotA3JX3VrggjgLZ5j2GPh37BQfNteehX9yae3AkaltLkANZSaAbekqWCvX4Pk +PeD9LzPLqOHGBCGi58UjeXl9Ov4bYhrDvIv7+LL3Q5qG2fp2ynfm7IEhSz7wjXns +Yd6rqbs+bP+RlJUp6fcy5gBZEoCrLiBBh9TH1mPHURkzSsJNCf3Vqm2pQXfQlHBU +VtWZU0D5XYnhyBHSPmZCdMjy7WAdACYN9euBDP2XhXSvv95bQy/NLC/IMUDJq5FL +/ihOb/YV2LpSGoUvbBOliIdqtbVftw== +=jC+F +-----END PGP SIGNATURE----- diff --git a/crun-1.18.2.tar.gz b/crun-1.18.2.tar.gz new file mode 100644 index 0000000..2e23828 --- /dev/null +++ b/crun-1.18.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fdd530a398e32c36ccb597a43d17692631257374b9121027d88bbc5bccb24442 +size 1778373 diff --git a/crun-1.18.2.tar.gz.asc b/crun-1.18.2.tar.gz.asc new file mode 100644 index 0000000..3cd8a4a --- /dev/null +++ b/crun-1.18.2.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmcjsyAACgkQZ+OPeoui +F3IYeAf/cEc0S/nMuaxgx9Hi2BfuN9LhrevV33S9Wwpm2hI84TtzDegfuzJwF9U6 +padhlLMiG0hTLf7xnfqWUfYZyNU8wNA9f31WG2eLAsoFS3hAIPTJ+0zZYN1bveF6 +HWI22LH+zIrWcFUqIa12WDtZd2A0ftacPBdBocJmD218FiY1ZlimBsp4K4mfdPWw +5BFJiH+GoVVDU7tC0DFSaNBIgHPf4iHhCdJNwFoDInVuzB6XXqzvAwfrkoDVAa/h +sE8D+YbvMHvosF4XUUN3sTqA1WJcqADaOtl4lCedC8TesXxYLdrcnsVH76egPPd/ +mgRIhB/11h9OVwQOkHf1uDcgAmshXw== +=nhoh +-----END PGP SIGNATURE----- diff --git a/crun-1.18.tar.gz b/crun-1.18.tar.gz new file mode 100644 index 0000000..95d7db3 --- /dev/null +++ b/crun-1.18.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a83b70b350e50ad320376685e975afae535dad64e982e2b7c57a0db45663902a +size 1777725 diff --git a/crun-1.18.tar.gz.asc b/crun-1.18.tar.gz.asc new file mode 100644 index 0000000..df8ee8e --- /dev/null +++ b/crun-1.18.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmcXoUIACgkQZ+OPeoui +F3IG1wf6As2b44CDAgYZA1avwOV5RZYe2koC9xcdZNq9zCr+qcbubHwbr4NB0zc0 +L+QQWpyMmnnQkI/7ZFphK2mL0OB68Rd1YHjZh9S7oIkF/u24/+18ZoBI1hZsz59p +BDUnRVLJLOyx0Hk13y6UcaKzHJq7nX59pquSSS3VHNKu97J9TgAUwCcWaoaRR8Zb +7tykfXoEgOajRhU1V3AawDGRh4HZ9wit1GCESWawGx/UYH+VJtMX/ruZmn/QUjzs +zJ/XFN+jQ7IdBXVnrSk4Nnd+9PBrvqmxY0D8AgW84q2peWnoi+IdZqtQ51fHQVoN +pKZxNC391NpQ+DMX81O+SL14NUORXQ== +=nft0 +-----END PGP SIGNATURE----- diff --git a/crun.changes b/crun.changes new file mode 100644 index 0000000..9a327bc --- /dev/null +++ b/crun.changes @@ -0,0 +1,562 @@ +------------------------------------------------------------------- +Tue Dec 10 06:14:24 UTC 2024 - Aleksa Sarai + +- Update crun.keyring to point to primary key. The original packaging of + crun.keyring used the subkey 0xAF60FCA3CDAA6DEAD157EA3A67E38F7A8BA21772 as + the key to verify against, rather than the primary key + 0xAC404C1C0BF735C63FF4D562263D6DF2E163E1EA. If/when upstream rotates their + signing keys, the old key verification would start to fail. + +------------------------------------------------------------------- +Tue Nov 5 07:14:16 UTC 2024 - Madhankumar Chellamuthu + +- Update to crun v1.18.2 Upstream changelog is available from + + +------------------------------------------------------------------- +Mon Oct 28 09:39:05 UTC 2024 - Aleksa Sarai + +- Update to crun v1.18. Upstream changelog is available from + +- Remove URL from crun.keyring source declaration. If the Ubuntu keyservers + update their server software or some other minor change causes the output of + the key to change (such as the maintainer updating their key expiry), we will + end up with build failures despite the key still being a totally valid key to + do verifications with. This also matches how keyring files are managed for + most packages. + +------------------------------------------------------------------- +Wed Sep 11 20:12:48 UTC 2024 - Richard Rahl + +- update to 1.17: + * Add --log-level option. It accepts error, warning and error. + * Add debug logs for container creation. + * Fix double-free in crun exec code that could lead to a crash. + * Allow passing an ID to the journald log driver. + * Report "executable not found" errors after tty has been setup. + * Do not treat EPIPE from hooks as an error. + * Make sure DefaultDependencies is correctly set in the systemd scope. + * Improve the error message when the container process is not found. + * Improve error handling for the mnt namespace restoration. + * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux. + * Fix handling of device paths with trailing slashes. +- add url for keyring +- enable leap by disabling wasmedge (not packaged for leap) + +------------------------------------------------------------------- +Thu Sep 5 13:18:43 UTC 2024 - Dan Čermák + +- new upstream release 1.16.1 + +1.16.1: + +- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint. +- inherit user from original process on exec, if not overridden. + +1.16: + +- build: fix build for s390x. +- linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets. +- Fix sd-bus error handling for cpu quota and period props update. +- container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path. +- wasmedge: access container environment variables for the WasmEdge configuration. +- cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name. +- cgroup, systemd: improve checks for sd_bus_message_append errors + +------------------------------------------------------------------- +Thu May 30 12:30:26 UTC 2024 - Dario Faggioli + +- New upstream release 1.15 + * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY. + * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run. + * release: build s390x binaries using musl libc. + * features: add support for potentiallyUnsafeConfigAnnotations. + * handlers: add option to load wasi-nn plugin for wasmedge. + * linux: fix "harden chdir()" security measure. The previous check was not correct. + * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. + +------------------------------------------------------------------- +Wed Mar 6 10:06:50 UTC 2024 - Dan Čermák + +- New upstream release 1.14.4 + +* crun-1.14.4 + +- linux: fix mount of file with recursive flags. Do not assume it is + a directory, but check the source type. + +* crun-1.14.3 + +- follow up for 1.14.2. Drop the version check for each command. + +* crun-1.14.2 + +- crun: drop check for OCI version. A recent bump in the OCI runtime + specs caused crun to fail with every config file. Just drop the + check since it doesn't add any value. + +* crun-1.14.1 + +- there was recently a security vulnerability (CVE-2024-21626) in runc + that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is + outside the container rootfs. While crun is not affected directly, + harden chdir by validating that we are still inside the container + rootfs. +- container: attempt to close all the files before execv(2). + if we leak any fd, it prevents execv to gain access to files outside + the container rootfs through /proc/self/fd/$fd. +- fix a regression caused by 1.14 when installing the ebpf filter on a + kernel older than 5.11. +- cgroup, systemd: fix segfault if the resources block is not specified. + +------------------------------------------------------------------- +Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini + +- update to 1.14: + * build: drop dependency on libgcrypt. Use blake3 to compute the cache key. + * cpuset: don't clobber parent cgroup value when writing the cpuset value. + * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, + allowing file permissions to be set as specified in the OCI configuration. + * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11. + +- update to 1.13: + * src: use O_CLOEXEC for all open/openat calls + * cgroup v1: use "max" when pids limit < 0. + * improve error message when idmap mount fails because the underlying file system has no support for it. + * libcrun: fix compilation when building without libseccomp and libcap. + * fix relative idmapped mount when using the custom annotation. + +------------------------------------------------------------------- +Fri Dec 1 13:41:35 UTC 2023 - Dan Čermák + +- New upstream release 1.12: + + * add new WebAssembly handler: spin. + * systemd: fallback to system bus if session bus is not available. + * configure the cpu rt and cpuset controllers before joining them to + avoid running temporarily the workload on the wrong cpus. + * preconfigure the cpuset with required resources instead of using the + parent's set. This prevents needless churn in the kernel as it + tracks which CPUs have load balancing disabled. + * try attr//* before the attr/* files. Writes to the attr/* + files may fail if apparmor is not the first "major" LSM in the list + of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor). + +- New upstream release 1.11.2: + + * fix a regression caused by 1.11.1 where the process crashes if there + are no CPU limits configured on cgroup v1. (bsc#1217590) + * fix error code check for the ptsname_r function. + +------------------------------------------------------------------- +Mon Nov 6 10:19:58 UTC 2023 - Dirk Müller + +- update to 1.11.1: + * force a remount operation with bind mounts from the host to + correctly set all the mount flags. + * cgroup: honor cpu burst. + * systemd: set CPUQuota and CPUPeriod on the scope cgroup. + * linux: append tmpfs mode if missing for mounts. This is the + same behavior of runc. + * cgroup: always use the user session for rootless. + * support for Intel Resource Director Technology (RDT). + * new mount option "copy-symlink". When provided for a mount, + if the source is a symlink, then it is copied in the container + instead of attempting a mount. + * linux: open mounts before setgroups if in a userns. This + solves a problem where a directory that was previously + accessible to the user, become inaccessible after setgroups + causing the bind mount to fail. + +------------------------------------------------------------------- +Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák + +- New upstream release 1.9.2: + + * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels + do that automatically, but new kernels remember the affinity that was set + before the cgroup move, so we need to reset it in order to honor the cpuset + configuration. + +- New upstream release 1.9.1: + + * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 + that always refuses chmod on a symlink. + * build: fix build on CentOS 7 + * linux: add new fallback when mount fails with EBUSY, so that there is not an + additional tmpfs mount if not needed. + * utils: improve error message when a directory cannot be created as a + component of the path is already existing as a non directory. + +- Only build with wasmedge on x86_64 & aarch64 + +------------------------------------------------------------------- +Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi + +- Add crun-wasm symlink for platform 'wasi/wasm' + +------------------------------------------------------------------- +Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash + +- Update to 1.9: + * linux: support arbitrary idmapped mounts. + * linux: add support for "ridmap" mount option to support recursive + idmapped mounts. + * crun delete: call systemd's reset-failed. + * linux: fix check for oom_score_adj. + * features: Support mountExtensions. + * linux: correctly handle unknown signal string when it doesn't start with + a digit. + * linux: do not attempt to join again already joined namespace. + * wasmer: use latest wasix API. + +------------------------------------------------------------------- +Tue Sep 5 11:41:14 UTC 2023 - Alexandre Vicenzi + +- Enable WasmEdge support to run Wasm compat containers. + +------------------------------------------------------------------- +Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash + +- Update to 1.8.6: + * crun: new command "crun features". + * linux: fix handling of idmapped mounts when the container joins an + existing PID namespace. + * linux: support io_priority from the OCI specs. + * linux: handle correctly the case where the status file is not written + yet for a container. + * crun: fix segfault for "ps" when the container is not using cgroups. + * cgroup: allow setting swap to 0. + +------------------------------------------------------------------- +Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat + +- Update to 1.8.5: + * scheduler: use definition from the OCI configuration file + instead of the custom label that is now dropped and not + supported anymore. + * cgroup: fix creating cgroup under "domain threaded". + * cgroup, systemd: set the memory limit on the system scope. + * restore tty settings from the correct file descriptor. It was + previously restoring the settings from the wrong file + descriptor causing the tty settings to be changed on the + calling terminal. + * criu: check if the criu_join_ns_add function exists. + Fix a segfault with new versions of CRIU. + * linux: do not precreate devs with euid > 0. Fix creating + devices when running the OCI runtime as non root user. + * linux: improve PID detection on systems that lack pidfd. + While there is still a window of time that the PID could be + recycled, now it is now reduced to a minimum. + * criu: fix memory leak. + * logging: improve error message when dlopen fails. + +- Changes from 1.8.4: + * drop custom annotation to set the time namespace and use + the OCI specs instead. + * cgroup: workaround cpu quota/period issue with v1. Sometimes + setting CPU quota period fails when a new period is lower, + and a parent cgroup has CPU quota limit set. + * cgroup: fix set quota to -1 on cgroup v1. + * criu: drop loading unused functions. + +------------------------------------------------------------------- +Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller + +- update to 1.8.3: + * update: initialize the rt limits only on cgroup v1. + * lua bindings for libcrun. + * wasmedge: add current directory to preopen paths. + * linux: inherit parent mount flags when making a path masked. + * libcrun: custom annotation to set the scheduler for the + container process. + * cgroup: fallback to blkio.bfq files if blkio is not available + on cgroup v1. + * cgroup: initialize rt limits when using systemd. + * tty: chown the tty to the exec user instead of the user + specified to create the container. + * cgroup: fallback to create cgroupfs as sibling of the current + cgroup if there is none specified and it cannot be created in + the root cgroup. +- add keyring for GPG validation + +------------------------------------------------------------------- +Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel + +- Update to 1.8.1 + * linux: idmapped mounts expect the same configuration as + the user namespace mappings. Before they were expecting the inverted + mapping. It is a breaking change, but the behavior was aligned + to what runc will do as well. + * krun: always allow /dev/kvm in the cgroup configuration. + * handlers: disable exec for handlers that do not support it. + * selinux: allow setting fscontext using a custom annotation. + * cgroup: reset systemd unit if start fails. + * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1. + * cgroup: always delete the cgroup on errors. + On some errors it could have been leaked before. + +- changes from 1.8 + * linux: precreate devices on the host. + * cgroup: support cpuset mounted with noprefix. + * linux: mount the source cgroup if cgroupns=host. + * libcrun: don't clone self from read-only mount. + * build: fix build without dlfcn.h. + * linux: set PR_SET_DUMPABLE. + * utils: fix applying AppArmor profile. + * linux: write setgroups=deny when mapping a single uid/gid. + * cgroup: fix enter cgroupv1 mount on RHEL 7. + +------------------------------------------------------------------- +Wed Dec 7 09:24:19 UTC 2022 - Frederic Crozat + +- Update to 1.7.2: + * criu: hardcode library name to libcriu.so.2. + * cgroup: always enable all controllers, even if the cgroup was + already joined. Regression caused by crun-1.7. + +- Changes from 1.7.1: + * criu: load libcriu dynamically. + * seccomp: initialize libgcrypt. + * handlers: fix rewriting the argv if the full cmdline doesn't + fit. + * utils: honor SELinux label when using a custom handler. + * utils: honor AppArmor label when using a custom handler. + * krun: copy the OCI configuration file into the container. + * utils: fix creating the default user namespace when running + with euid != 0. + * Add setlinebuf() when --debug and --log=file: are used. + * Fix timestamp format in the error messages. + * krun: disable libkrun's collection of env vars. + +- Changes from 1.7: + * seccomp: use a cache for the generated BPF. + * add support for setting the domainname through the OCI spec. + * handlers: define wasm and krun. + * wasmtime: add support for compiling .wat format. + * cgroup: honor checkBeforeUpdate on cgroupv2. + * crun: chown std streams before joining the user namespace. + * crun: display rundir in --version output. + * container: with cgroupfs use clone3 to join directly the target + cgroup. + * linux: create parent directories for created devices with mode + 0755. + * wasm: inherit environment variables in the WasmEdge handler. + +------------------------------------------------------------------- +Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli + +- Update the libkrun dependency to the new libkrun1 library and + devel package + +------------------------------------------------------------------- +Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli + +- Update to 1.6 + * runc compatibility: -v now prints the version string. + * build: fix build with glibc 2.36. + * container: drop intermediate userns custom feature. + * cgroup: change the delegate cgroup semantic so that the cgroup + is created in the container payload after the cgroup namespace + is created. + * seccomp: use helper process to send file descriptor to the listener + socket. It enables to be notified on every syscall without hanging + the main process. + * linux: add a fallback to using kill(2) if pidfd_send_signal(2) + fails with ENOSYS. + * krun: add support for krun-sev. + * wasmtime: always grant file system capability for workdir inside + the container. + * wasmtime: inherit arguments list from the handler instead of the + current process. + * wasmedge: use released wasmedge library instead of libwasmedge_c.so. + +- Update to 1.5 + * add mono based native .NET handler + * new Wasmtime backend for running WebAssembly + * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x + * dropping support for experimental WasmEdgeProcess from wasmedge handler + * honor process user's uid when setting the HOME environment variable + * create the current working directory if it is missing in the container + * fallback to using a tmpfs mount if umount of /sys and /proc fails + * fallback to netlink to setup lo device + * fix creating devices in the rootfs + * fallback to using io.weight if io.bfq.weight doesn't exist + * remove tun/tap from the default allow list + * linux: devices mounts have noexec and nosuid + * fix copyup of files from the container to the tmpfs + * honor $PATH for newgidmap and newguidmap + * krun: limit the number of vCPUs to 8 + * cgroup: add support for cpu.idle + +------------------------------------------------------------------- +Mon May 9 12:43:12 UTC 2022 - Frederic Crozat + +- Update to 1.4.5: + + CRIU: add support for different manage cgroups modes. + + linux: the hook processes inherit the crun process + environment if there is no environment block specified in the + OCI configuration. + ° exec: fix double free when using --apparmor and + --process-label. + +------------------------------------------------------------------- +Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli + +- It'd be nice to run the test suite with %check. It however, still + does not work properly inside OBS workers. Add it commented and + explain it + +------------------------------------------------------------------- +Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli + +- switch to latest upstream version (1.4.4) +- big jump from 0.21! Here's a short summary, for details, + see: https://github.com/containers/crun/releases + * 1.4.4 + wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars + Resolve symlinks in bind mounts when creating a user namespace. + Fix CVE-2022-27650: exec does not set inheritable capabilities. + * 1.4.3 + cgroup: avoid potential infinite loop when deleting a cgroup. + support additional options for idmap mounts. + open the source for a bind mount in the host. + * 1.4.2 + CRIU: add pre-dump support. + Fix running with a read-only /dev. + Ignore EROFS when chowning standard stream files. + Add validation for sysctls before applying them. + * 1.4.1 + Fix check for an invalid path. + Allow deleting a container while in created state. + cgroup: do not set cpu limits if number of shares is set to 0. + * 1.4 + wasm: support for running on kubernetes with containerd. + linux: add support for recursive mount options. + add support for idmapped mounts through a new mount option "idmap". + linux: improve detection of /dev target. + now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2. + retry the openat2 syscall if it fails with EAGAIN. + cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup. + on new kernels, use setns with pidfd. + attempt the chdir again with the specified user if it failed before changing credentials. + * 1.3 + add support to natively build and run WebAssembly workload and WebAssembly containers. + allow to specify sub-cgroup for exec. + chown std streams if they are not a TTY. + attach the correct streams if the container is suspended and restored multiple times. + fix race condition when enabling controllers on cgroup v2. + * 1.2 + exec: fix regression in 1.1 where containers are being wrongly reported as paused. + criu: add support for external ipc, uts and time namespaces. + * 1.1 + cgroup: use cgroup.kill when available. + exec: refuse to exec in a paused container/cgroup. + container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing. + criu: Add support for external PID namespace. + criu: fix save of external descriptors. + utils: retry openat2 on EAGAIN. + * 1.0 + cgroup: chown the current container cgroup to root in the container. + linux: treat pidfd_open failures EINVAL as ESRCH. + cgroup: add support for setting memory.use_hierarchy on cgroup v1. + Makefile.am: fix link error when using directly libcrun. + Fix symlink target mangling for tmpcopyup targets. +- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself) +- update and fixup dependencies + +------------------------------------------------------------------- +Tue Nov 2 08:58:05 UTC 2021 - Dario Faggioli + +- Add libprotobuf-c-devel as an explicit dependency, for fixing + the build; +- Get rid of rpmlintrc, as it's no longer needed. + +------------------------------------------------------------------- +Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli + +- make libkrun support conditional, so we can have crun (without + libkrun, of course) on all arches, which may help with + bsc#1188914. + +------------------------------------------------------------------- +Fri Aug 6 13:37:49 UTC 2021 - Frederic Crozat + +- Drop libkrun-dlopen.patch and adapt to libkrun new package name, + it is a plugin, not a regular shared library. + +------------------------------------------------------------------- +Fri Aug 6 09:55:53 UTC 2021 - Frederic Crozat + +- Add libkrun-dlopen.patch: use soname when dlopening libkrun. + +------------------------------------------------------------------- +Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin + +- Update to 0.21 + - honor memory swappiness set to 0 + - status: add fields for owner and created timestamp + - cgroup: lookup pids controller as well when the memory controller + is not available + - when compiled with krun, automatically use it if the current + executable file is called "krun". + - container: ignore error when resetting the SELinux label for the + keyring. + - container: call prestart hooks before rootfs is RO. + - cgroup: added support cleaning custom controllers on cgroupv1. + - spec: add support for --bundle. + - exec: add --no-new-privs. + - exec: add --process-label and --apparmor to change SELinux and + AppArmor labels. + - cgroup: kill procs in cgroup on EBUSY. + - cgroup: ignore devices errors when running in a user namespace. + - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default. + - seccomp: report correct action in error message. + - apply SELinux label to keyring. + - add custom annotation run.oci.delegate-cgroup. + - close_range fallbacks to close on EPERM. + - report error if the cgroup path was set and the cgroup could not be + joined. + - on exec, honor additional_gids from the process spec, not the + container definition. + - spec: add cgroup ns if on cgroup v2. + - systemd: support array of strings for cgroup annotation. + - join all the cgroup v1 controllers. + - raise a warning when newuidmap/newgidmap fail. + - handle eBPF access(dev_name, F_OK) call correctly. + - fix some memory leaks on errors when libcrun is used by a long + running process. + - fix the SELinux label for masked directories. + - support default seccomp errno value. + - fail if no default seccomp action specified. + - support OCI seccomp notify listener. + - improve OOM error messages. + - ignore unknown capabilities and raise a warning. + - always remount bind mounts to drop not requested mount flags. + +------------------------------------------------------------------- +Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli + +- Add a mention to crun-rpmlintrc in the spec file + +------------------------------------------------------------------- +Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli + +- Since we're building with libkrun support, let's enable only the + arch-es for which we do have libkrun + +------------------------------------------------------------------- +Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli + +- Suppress the (false positive) rpmlint warning + +------------------------------------------------------------------- +Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli + +- Some fixes to the spec file (add some %doc, remove unused macros, etc) + +------------------------------------------------------------------- +Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli + +- Initial package for 0.18 + Based on the package by Giuseppe Scrivano diff --git a/crun.keyring b/crun.keyring new file mode 100644 index 0000000..45a8a45 --- /dev/null +++ b/crun.keyring @@ -0,0 +1,326 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG +7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6 +gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL +dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS +O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY +tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8 +zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH +QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v +4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ +ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/ +JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB +tClHaXVzZXBwZSBTY3JpdmFubyA8Z2l1c2VwcGVAc2NyaXZhbm8ub3JnPokCTgQT +AQoAOBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBooJAhsDBQsJCAcDBRUKCQgL +BRYCAwEAAh4BAheAAAoJECY9bfLhY+HqytsP/jEtg2xSQTDCOOUNLKbMMDTCNh1k +ZinqotwSp93TpbrXtFL+2CF18HYdaLNpCtntM1OIwUiCm07/6wSp1buokgOgstI7 +CvrwTMZCOcvvfeM+jYJc5MPxwEpuU5pDLjPdqA0Pn08YBnxJhByps1j3Ee12ia2D +ujakLFe0S0of/Ib3xsP/2Lj8H18dTHnC+kKET/QQWExw0mPYBBSk1k1zR0F7kAKF +zDbiMQGr/IhA3XbK4h9O5bFaJx1PDWD+ywfVg8HFoVYGiwjNd7NzS0HxMERrukjB +7EoZGa7+rZImobEaM3pqGU+YjoEwWl4L1jcFo2mQymoEwce6+stL9v7Fv01+fRAi +QBsuD/jwIbxOn462Wb0C/Z3ZHOuIg4npujKp1JNzm4hU73PaYqXIeJoVz66nqIag +3bdNlYlSjV+TsY2/4xZr1xnhIjKdBQ9BL6yDjwMpFM968OI1by6L+s8XzWqc6JGm +jKhCfy59otWP69sXenFKmc5sQzubSrR2nwyMLpO8/bBiFm210kuji+pzt/JaOBun +RUDE4pf0tPeEjDozJiwdBl3HoH7CYQKcBdqEeH+gmWugZlD3nm2A08Y3Sy2tTigK +OzTdUjvHumOc96bAq9jm5+nnQRF8Jt3sDwzN5VGuPqWSXyAM68G3a3DZi/l/7cPK +DWDr6Qo1Qy+5JYs6iQI3BBMBCgAhAhsDAh4BAheABQJYsGN+BQsJCAcDBRUKCQgL +BRYCAwEAAAoJECY9bfLhY+HqYfAQAJL/c0c/tl8nMObWwu7wSTfGrj194LCova7B +HCyOo4mxzMjueah3UxbkxmcfnshSExQXKQYDWhp+TB8wAnXfqQXyEoQhA7mrhiOh +ZNdnrgQpl2YJeUO4RYhpb4BrK8pJoZbm/s2Fbp+0myEhQUItpAGcDWDdr0j/bDQM +e6I0Ja3ZDEPGZkWU+hhdhxsrmJH4gS6QWqplqUPxGxjEDL7EjIdV8kTVvnaaVO+N +gusS2gA/cO0e4tP0TBD0nEyGRP5TR1hxSSV7wcn0AoXMflkvJCjXWTuub/pO8eWI +078/QzuFp5d7Q4chchbGx6W/0bPg0lfzcV8+3Ojo5qIg3//8ML9S0eSQCUO081VF +a6aUQ5w/uJ81imx6VlvIh3b+AWjfgkSg8+kKOLDbueqMlabL3TP4JKwmjn+1B4id +w+z0qFqThuP5N3IqjvIo2vOuFAtnQ3ZP5KDQiKH+N8hN++nZvRSxAyW2umz5XLgh +Tg5o3FoZ/rD6oiw4nFvS94+egp755K/UeqyO6W5+Dpa9jVx59MnR49Y0ZAirpo78 +jlf4YpYrL60uvyCOzJ7vwmccWqlplGSdYq9NWBuFUwa4EQoHggOLfZnzwrgD2BBx +pUM2GDWsgWYkXu1bCL3XCZXMg6zQYRaUerH0VqILwR/dvzGkRZcJhcxY9x3uJYRv +XCNA4v8/iQI4BBMBAgAiBQJVTMz0AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX +gAAKCRAmPW3y4WPh6nwUD/9QItnfrr6mCuWaWmJ1nZe4VWaiYN5iWHgpTNHFRZPj +8Umi2xdFulD/Jll4t0FbhlXDTNsyrwB//30Vu9Vx5oB3qBumqAenaFbMGGyDT5Wr +PiNZSws57MEqUmBi3+yeHO1aaqaea3x2VPYxtNyeHSuSUXe8tqQMSto7XtAmsh6l +MGYTRerONVdRogj15WxuY+LuZwAB5E8AF7fs81a+YsRp+50h51nEwUitdlEMhKnG +25+FkEQQjemoL2KcB256lTLjc+q1P8V+LVJ3BOYdbdjTgUk78GsU99DseZz8G+B5 +08WFvHe82Jftg7U9K/wgMWZDqRzijRR7MIZ4h56gt7T6nnFp2NfyPySjr6PBvEE+ +NwS8yTihsTUGJSjosNvr8qGHAXRAu+0Rq5LOkQNyg7sTxE7myDzy2nNaRdVRB7To +NLQl8+GMLweYb6mwQW639n1aZEqcbWbPs26nLa+P8TpzVrfn6b05DQ/fwLU7OHQ5 +icUkI3qf1EgpCc8qLM1U4gOoMDUUYkHZpVXnXCAtZTAkArFpmBoKa6iaGHKhzR5k +FWBj1jtBR8gtjMuIFrQaWAaFY2dcd9vzuj0WTLe9o42W1JMuW8STwN3lHZiVcnR5 +yiDVB1e/dIYScP1ausud5Y0KTgO315pPVM5BC/57sW+hFfUyVgyKNET3uJb1KnFM +NIhGBBARCgAGBQJbI7G8AAoJEAeRr4zAM2P0a4EAn0+ymbTVe59JXo6uqI+b3kNE +aylTAJ4xInYi2DWqH5JG6WjWxMy5ZhskurQnR2l1c2VwcGUgU2NyaXZhbm8gPGdz +Y3JpdmFuQHJlZGhhdC5jb20+iQI4BBMBAgAiBQJSbagDAhsDBgsJCAcDAgYVCAIJ +CgsEFgIDAQIeAQIXgAAKCRAmPW3y4WPh6sIWD/9JqIUpSlvj2T1dCQxQKtctGvUU +FSa5sFZbrl3o+6Xqt7/7LfCSAJQJE2uJ2D9i8/bOK3eonZU4qf0267D2vF/ouWYK +MCETY4DPD2cvrH2kuDyomG8igEQdnMgiW5piN4HZ5K+GZwH1ttcNlEe4v1BxUFYl +kU5sOxWMfu2PCUSf95aJveD0k8LhEYZKlDPapNiDz1ifzIM4kPWE/RYT25PJYiBX +nZ6f3yHy6P6nTsqZPkJl/3BF7+Q7j4W8EX3Cc/IAwPHj1uIcbB99vWK2+0puUJ05 +RJiQxlzKKFgzrUDKISFes7zfMeJtbVOtYykfFZ1hwpCAwKjDZwqBlPLnapQoUw0M +dzcKs7Ho+LvYXdzPVsRZqomf0OlUPesMsKWRkfW/Btu9OPXei64uxMcOQ6gYf60N +lq/P8dKoXH3U7vqzNWg5NQlfWUKfqBeBot0O9oC3ddJjfTwXq+bRZefOCF976ddj +OhmfW7zqnI1mxsg53VoefwQFYOvl9hj0Km0Y1R8gxKj77jlV3I5NIzw94gsftnXq +XX+hIzVvAL79FRTw5+qvCHFeo+QitpnwSdt+1gmq47tQctPlrwV319gkxKJj5te4 +jbPcsgjSch+LSyL2CYUB3RTpAcVGwIyMpyPGgD3SrCAATGx50KjHg1/mQvqO/2Y0 +YOK+QDRMlQyT979tx4hGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0GKIAoIIBIy/4 +aC7dIFIUQkI1U+sZUgelAKCLmq/XMapi9Ln+P+D+Wz9NOt8oqokCHAQQAQIABgUC +Un5LzAAKCRA++QUjswSvCNoED/43qUdK379l4k8yYbMYNfDqKlUbI8XqTSiqcgU8 +Vy1Nn9TikS9Ov/oXAfNPrfX0DRj7lXobHqVcwWO+Sns3yKCjyc5gFnsiqGf/rt0C +ujQmxyxh3lipqOkB5+jrHq7kzoSeGUZz/WisiMRSZk5ZcSLFuBm7bIcyfE7v4WGM +3tkss6/kMuy1/fbBHT6sfTSY4r3afVFh4iCcd38ujzLgUs77wKnw8UpdWxdHWqXT +ZXqHyHyaXquAyqcueDwMdhpp3i9M/mlbLEv7WpCGMCigLG176wFmD/lQMpVhyAFI +zuMzB9A/lwBIk6u8HyDV8IO3QGgQwPQeW0P5AnCn8IkQoKrrq8SFY5qyXL2ey4MA +wsX6h3z9HeWVHEE4Dl3O66+uhTsq3JR5QmuMD2LryCiXIfX3IyOqz2YzZ8dnnquO +uZ1j2yP85aDFyuJg++NXtoBgekebFa5tigaDgrt7HvptqTCxnHMbnn3u+3gHsy6A +I0v1yVLMr0Dm6bVu60LEF8OVPi+JirBZW9lXRqBKfR7zaeXs6wXJAGWsT62O1sJX +CMCsJnzAj9zmaaYIzqb26NfmVfMdUDXRjCG8GmqnJcH0Vy31qykff7p7uTBQeXAF +VS1Oc4Z4GeF/rsl0I4j2gfJSgBEz+td82iXqIMtCVOU180yxaFNxm/3LwPT9Q+4Y +ORK1GokCNwQTAQoAIQIbAwIeAQIXgAUCWLBjggULCQgHAwUVCgkICwUWAgMBAAAK +CRAmPW3y4WPh6ipaEAC91CVFv1OMQ57Urb9JAYzUI5DCD/2Hu9AQWDg/k6R9v2mC +7ldgHypTvZS501KEDVkAnlt431WNq0PuX57hPVgvxmudS/NDCfK2yceskj6f4o4Y +kfeMeLsWazS+GXUq462JhN2IzaYmMD/RoT57XgU8Ezv/W1txXOZjLkIdlw5dw5+D +G7u0U7U+xSd7gZV8ifBX6TY77qBD7uYqAcXQgHWJza3iKHmNxN5jVmBr4ZOg62kj +z1K3PSDpBOe77Tc/XBuYuHDmzGBwP8DKseG46dgKZHnxMlKZYekKU2d5HxPWohp/ +UlaE+VeAJyEAw9lFkscYCDer/MAsnVEdfK1PYpl5VnwN067d+Q63revhpU205lhF +HyQqG5ImJYfweeapxbT9y6O+3VkApeQEAGE8AHC//eYr4mEi3P4wmng9bJyprIA9 +6tVj6UzcxT6QN9DMe4DDsL4pfY07FPgWNaaVbmTM58GJCo9MRAJH/Wk9EhJhIT8C +dUfHioAYpBiD0syinNjoJPh3f831FsR1E98koYS7Xvgtw4YDyoXiMu13eAkSdrQ+ +u5yKxPRZpbe1nC/y/Euy7WCVSvbdTGCPkABqFClN/oJGSe4TosZ5Kp6l0XLR8gtU +ZAWNZumBh7jSm9z2MFnpgyfp/VuNPyI5OgK0VygA7r7fSGzKLE6Sr0NQLd3+OrQl +R2l1c2VwcGUgU2NyaXZhbm8gPGdzY3JpdmFub0BnbnUub3JnPokCOAQTAQIAIgUC +Um2nUQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQJj1t8uFj4erJZw// +V6wWXBl5p534yNjWaBDnEna+CEXtO/p3ZtFrbJlcXpeqxFIsw0vWrlj6jE+jplqG +28wwSZ8mhxJYhNmYA/hOuV4zVeXb24MlxGeDUS58DuI5y3g56SlRapVhlPPOCLHF +dTSDY3Q0gNsGg7iqW92evjDgcUxUQxGclrw7XqzeKXrJpcyS3sPyMQ1XoLYcm6F3 +4/k6zCgxsM2ouPvSVTfb6hQVE3zNujg5MRI4JJ5Pel2iBNsEfMl2YjLucpuoryDs +RPnTXgwpU68xR/z1Uu0jROWaWVhitZwBvAVlKjamNidCT4YdSlpitI+VpLTEomUA +037V/25z9Ig0Z6bxPcOGGf5ADDf7qiAJWFN8Mb9CxsR7xywjF0Ew93q3Le4qivYz +GbVbqlFBn+ldOeVl+dnocFPD17QMuHuQV1SDh0Oe9nINg2eTXOTvci94VwqVZc6+ +9lqxuGiqTeDGc4A9AmlS4d/7V0moDYy40EYz7X2HRPEp/UHskraSL7lBVgQQz1jh +tIKmyQ2lQNgbXpjEsporoUexUgFIjIuS+RaM2qH360uxigzgNC2PxHLnu9930y2j +kahjGY5XXSYTTejaidA8kdWr/1tnEDaxCSMiWP3nad0UzUJJKZfkg+P1aSPPciH4 +83WHMRHAadjC7Fpja/QnCVwZo6WFhTXfGVL5sKapu4yIRgQQEQIABgUCUm2oIAAK +CRAHka+MwDNj9Kl0AKDSFIqUMRoYWYBf7p4bSxucm0mBkQCfZ9yFdtDHqAOa2FoP +P7dOsQvB9HyJAhwEEAECAAYFAlJ+S8wACgkQPvkFI7MErwhXwA/+KlaXvss0cmsP +Dy4n+SoOpnZDJnBGUGgl/s5Tvng243bN76kTGVrObEzcnSR+zqqgFxTKmJa1ryR4 +cnpWm9RiKPrbt461henZMRgNv3DOvBfWUWJTgGZ2apukKJnrv+4XKQCVgo+t0AG/ +xJ4H/mZmxs687qdgKebxLJAFLHEmwrat5vmdyVnBKprH5dMtUApn/QoXwZ4dU7+V +JjDD8pOLK8EZb3cbGgIiewsJvVtXAjPEdFTaNaaH6xHUT8HaLw5z5yuQ2kmnpWjg +60AG/jZTaswtl/EOl8Xm4LhDdkUT5L4SOWdGyzmXogVOakbm+4ZOrHGctbeowl5p +d+Cssh7RTYV/i2ErsE83jNBDXqjejYbQLLRpxg+t5UdA/zMIl7nV6/G7IRQ5PQrD +Hi/dNYe0SCK1fyGj2QhgBfqbs//64uRbhQDKJ29yDEnCHpAR6odByf9cHfQrhwKf +FSWWukw0ik/Hda7NqcrWg2HtJ+Y5zUPX/0TPJ/J16zWzTbGFwMFPegY7OY4EmOiH +5Qi1i8Byd8H+Re09sbhL1lIzBeENzcQeBy8btdhUgTUMAIZa9Hav82m4Mytda4tY +kbbMaj0NnmUyHM8k1KtfA+wUuua6c4hkP7qvxJFGQaFKckWfDnj81piq/6SjLRxx +xV7aNmXPfNut34uFNnNL6YeElveYRv+JAjcEEwEKACECGwMCHgECF4AFAliwY4IF +CwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj4erlbQ/9GrZNQGnE6+PKBr3QPkbS +T4CWBlSndb4nY6Xrfa3dD5kjTfNtHCa3IX8Gr0njCwBSIAlvczoFCNoTF3N2AzYM +49PlQOJyEe6yFNPN47c2MDFTMGs3tldF5F6+rW6XKxKxMSpmUZSvofO10CU3iFN6 +0CdWJtBDx0zII7e3yz/CBdS2xXwtnbDC3olo9MGmS5EQJKyk4SDf0h3fza0cxNQY +NwqPmdFrFXq2PLJOdMk6+QvXGZgZRwdI+haXhHJyskKZ+XytxkX+RuFRyRFwhE9Y +EbhSSzipR6r5jE7juQmLRi7l8ERzfvTJ07OQSgZ4qDJ+JC0ifUVREUo08beigHhT +4vcBaJ4yXzfvh2pOz7H5LeKj4HGjfreY/UVi+jltYVJDayJQFaDkBv5SNZghzKoD +smx2eKDT430ugJNrT4Fr/AU7/96MG/IeyzkSFsnKN1Og9zfQ1RTw6Nfbe9A7bRsz +skBW9v1gSlc4+S/GZvwOszO9TfmAHGB7Kylq6SK6h7+s9NPp1oI5dNcngJ5I0/2C +DNO9ypmfjuVC1VR3EHVSdiSaw4b2W/VIRXbdqFKe8DSlXgLfjzXP27aIG+P21WOY +I1xoY89OJgmvv9NI8YioBUZiI1Y1tgF5ZgI1Z+sIHK9a4kM+G2idPq843rm4pJZs +PI2NsZ/hC9N+zsIsRpdx7h20J0dpdXNlcHBlIFNjcml2YW5vIDxnc2NyaXZhbm9A +Z21haWwuY29tPokCOAQTAQIAIgUCUm2n7wIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC +HgECF4AACgkQJj1t8uFj4eqfTg//cp0yoHHdRrL+VTkllaXzwYrc9uy3IE967knd +ikxMSwyB4tOEYIZVehOoPChDPzafaFGKl6V78wy7yKaW39GiKWOfecUtv8Yrq2uc +OKR97pddFHbknuHhQfUbS41rrSaLMuzrz2KvKvsTE6pEVBQ4ZmT+oVOAaUvrom4F +54Uj8X7DF4mGDuaQ/tpRNTVWaUJ2VFmU/CHcKaIV9KsIn2m9Hgd9xQ/5oC8NFksA ++oiNRq76k1EeerdFU2iQILpAKIEw4BN7Wm9cjuhXKX0jMpHrEleTpaaCIUfklq5+ +V5A10Vkzca6Fr0QJHczTEE6riETLtpv3uvCCPy6jTTuKJC9wDlDvwdscjtmmd1h2 +Y0g007JYEgaXFMPuINppcA9lw/ExiHns4xgM/625pRxqxzv/Zmtsi/W831Ynu0fd +t+FTzCLGmlB5vAyACVfNKsmG8Mozb5WcasO0NakitANIWDpsRdfcxyxLEQRNd3Va +NwaHmvJykdJZMCoarsU7KAoXJEAI+STPGxVmU+Gz57ScyfiTOrb5VmwSkxAZ2CTM +0oMgUA2TdZ30Qm5g7AbICirMe/AYogZqyjVbJKN6S82oSqZUPwBqyz+cWnyhZ7Q1 +DAQaqRrDIJs3/WdyVAV7fB2SQO912pxeDpDGRI3WSaAhMjmAiY5A23w7cBDVZ9pZ +ch98GGWIRgQQEQIABgUCUm2oIAAKCRAHka+MwDNj9HoHAJ9JxfuGI5C7EM8ly92u +RveGsX8JxACfcPjWUz9oPHnhT8J6029EpDWt762JAhwEEAECAAYFAlJ+S8wACgkQ +PvkFI7MErwjOGBAAl77pkDb1tHO6NILaTgKk8JLbQDKT1yRNpp8vHa7E4SMEVHWw +u3+lRH0ffU7apDBcFtFwCtVMatoSQ0/aGvQ6YaxGEUvah8fpoFLeNtWDt3vMwkZZ +IEb4JSUx/y44+9oZ5rHFDmtfNj+T2D6tJ3Qg2BwX6vjIMUyzdZJ40WGCJqA3zhAQ +M8ks4/h3WVdvhQRZ/pWBP2xQaEPeaj6lRDVhvbAiJ+bi0GfQvdOxqc00S9QLffJH +aSBsybXj8WMMCujg+SOd3OPwH4Ci8yNeyOynAMlTubpZ/cB8eBz/NJKkJGrabCF1 +3STGQMAllDwVE4JmWo28qmxjrcUAm9QJ7PIDmqO8s3eZ5GCiykkpK6l26ITsFdKo +uj9SMvpR9yV/CJjcdd4UQtM8dIfhONipJAKvfqb8U3uFh3yr9vayUqik39YV6xys +DsqqsbfJFRubeTIDWciyom8zHQCtTnMqkH3jxNrgUebiC/SVCz3kWZWQ6i3Aw/xi +3QkXLi5P3kMoJWGnwnrrWSie2P4wQQ6ym8MwheD8PVbNsyxRpwMfGPV7sf+cN8ua +D/9+so48Aau2qW1wGM91BXZ0Tfnviag1LUjmv0uMDYM+hfHxy2eH032sZ1NJO+01 +sxEkTmCpU/z7ihB7KkEdi1UIEll6SgeqF3tEjg8SDWAtsRs8ofaFzyyAMmGJAjcE +EwEKACECGwMCHgECF4AFAliwY4IFCwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj +4eqjww/+MGBEwC7hVSzMJo2ZEHkmzzdp4sfmpL0UIIm/3oNtjSN0sauddvRyVe1C +uS2tTV/5QCU5zbMe/Bfpe5Fb8TDWbl7TOYFKmIoIx0iVMdWx67/BOzmBdQS0Uoyb +PjHMeNxg2CGO/XUoDvQXjk0F5fx3Ly7o0NDlnYvFVDRTIfZfE9SSkTfCgxz2/oXv +KFAVYxKJsIw7WJiQ2YNxm39PIALzJ4ao+B5zi/GS8FREoBpXcupnp+nMQJWTT2VV +COG/wbA2wVPJDVV5ElQucDHElV7F23Ti5A7jRwiX1yTGNj6MNbTVPQhjqj15y1Re +U+upH/EjzgMgTAuh+mnv+86QH+rYPhE5opg/3sb2HK6hfW+SYQW8J57Ul2BiCnOc +CuA0Xu+JUj6gpngamQwkfl2KZ/SrK9/qusbNleyuRJokLV1yMDzK9y3XW5jxmkPr +ZmnzeeS69QOINblThnHnTvv98hwl8VTIJ3cS5mrLdRxryny1ae2oOtLv9yfVbjCG +SG+bIO4y0MtyQQqlbJU/lK/IUujVDu1jNguhnsRKtZnD6q8RYN1jOUJUEQF2yexP +d+nhikrAvmpHDWkt3rKwL54WF1VlhreYxas7AA0unrJZh0thc6+7IrgFWCkualDu +LCb88fxEa2fiPunrkKHZKvpMJuYEPS2KxgwdoTCSyLlFjDeoj465Ag0EUm2nUQEQ +AMn93/Bol72GW+LhEF8amKB7mnUArAcI556nmhOqAqYE682WBX+Do8qGJXiwf9UR +aeyXmOD17YsB+OkxQFivfJ9G0y7+u4MBq9W8qNRDAe6iBe1Wt5eIv+bYc3IOrx53 +naH9FnY7xDes96JqExJncWDAxZOtuoNHBUz2Avh0LxqPtiVRI0g3jRWa/SynwFdL +1NOjFh2oHUUNeunoNARZK90oZDrhUU+XDtP7V6He98L+ZODrZ675CEC9O3U4Uzuw +QsYRHWMb0ZNvJOENDJ84D6xyAafZfi1FKv04KalleHfCon9SJmIrb1oGY9T6bagK +1fOydSK6kvQ4741rpVvdFSmWFKR4x9xiQdDv00cn2nHcyV5nB23uiMVsPvNdmgKP +wU+bs+b+gWgXXtc6otJB6oaMRDPzvLY20q3n/MztICAbTzG64f7pPOFyv8gOZyPU +KHXIRUTBVSwRj21DACtKBBsjvgIPK3QTHrqiaBq9xsNSi2xdpP9lpwGgh1E2xO9I +7dfa4uIzGzgMLFtMOwZao1PKrypRrXpFdSRoDOzKFbXWzL1iQ5jJPJq3h63TD+ju +KZrSwBiOif3z2baA9GedwSkJaRQ/wLq6PDdp7vsq06A4gv52VkRJTmqkZo100HD2 +GGQur6yDUsnDewJW+M5GgS59UShWVCOo6we7IpGpsAAnABEBAAGJAh8EGAECAAkF +AlJtp1ECGwwACgkQJj1t8uFj4eoB7A//S1M22r2JQcuUsRGR6mmb05c6RwpdmfmL +U1w+lJNGtRX5TsLkGdXgA9FPuR6z2YeJKCdG6FMpmH8U8EXet0+//8Y3OBpzUh4y +WZk89UKDrxHVA6tomH8g55OtNUfjzODTEL9Te+GJsqbwV9Vjp928j/vqA+gLtdID +wOmRLfnb0vJglgDLT2Dc4QtAqBngvu3aFC6YXLrvmmySfCpzmwMZFgoVzFsCGAVI +WLfYHhoux8q8+1bYO9+cGRdgzT7mwojuSOYrJ0luoo95hDaelfDPUHD7HmpqCvwU +8ZpYBx3nHxXfJyF1ZWuF/JTSm4DXgYavG0RD4FaSjhKDCUN8P/6iN3j/onG2bTs/ +Dg2/yFw09GXXJiH1B7U5P7Zf7Ig+0tn7XwIbUBOcsGKvGwCMtiGf6BI0AsMK6eaa +rOYmtAphugO22A6X0Dba1v/Tx9drdEJsSDviiE+Lu4WdwDxN1Ar7LyfQ+TzsnGNs +dMyy9zFAFa3Y2Wqa6kOcVA0sK/13EBFQHWXOes3Z1d+mtMsgOMTwJgFicNqHSAyY +8heEgC5up/Ojo/5t8Ix3JHb3x+C5JmMuBdwMU5xWs2rHkRj+l+eoHW6xlBNaCvoI +obgXkfO+CeB9T7NgTGLQ8Yf4pHquAPKHlBE+nH14PbxfkA6PyhuU1psOGBDu7x8y +/J05OuGS7X65AQ0EWwaY+AEIAK+RSbW/yR8qK5GvRqLWAKU9Si30ZaA1PWJgA0dE +hFsQh5Ba7kOoB8s/Q/crSlJGyU33fU1UqCLZ6EZ55Uprh+viXi3f0t7K1fEJLIue +KZ7DdJD1vANHHkAp/vI/Xf+/oEfhjvh9QbroItMuiq/TT/Uyqj/4u+JZsa2tLRDy +8MhSWJ2VWqM9IXDA6HUw7xXuli+0wYTkOmS6G0lMZuJwNQSUAXt7cZ2ATcd4saDa +jjWJ0o+/L42yhPHgUiBXVID5wlX3NL8jigqjYOzxY1UxVezCmXzo1hzZEkvrFOvk +QHZdyGdcGQ6x/X+lU7xb+iLq3YK8vZPBJXeoba+0RNJjQ6MAEQEAAYkCNgQYAQoA +IBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpj4AhsgAAoJECY9bfLhY+Hq1fQP +/2JB9FSCIQ9Td21K98P9/3cXwAkbiyjPkUSYfarRqb4VXrpiMbTzJZeSxvywm1By +qGw/j9NUgZAroEQtIiC9QLVJJa/kqF+qXAeSQVX8NzDY5gONcwvkm9s3vt9izCxS +zfqe15YCKjZLWDdquAlDMe06DJdS1KY55/yGwwaOPmz2TkiApszQEf24+E+QII6s +YV/+oiyR3bTs5JxjdRnCUp23Jyh493Zm9ANDqreDSywNv7q9+0PMmUnmUWDdNNqr +boAawsR6fVCFp57Eyha9zEV6e/P8WMWVRkdhvd/QeUGJLnoZL4mqsQiRgJyjlaB+ +1zY4giowwl9w4vjK9QDmX2s8HvoR6i30dy5Zy7Tk7tLerlDG4opjEGh4oZl3C1qN +sVFBu1obkRzKk6UtAYW7+bKfFuKgKL54tXhuyClR+gMMInN+88mh/DVDGhfBKa/v +lwegNUFXb/uBKMO37R4PM+ao+6aupRA2i22K9X1DmMyQpk9VDDub9B5jBlIQ8HRE +4wR8W6/xAAEE9MTv4UNFEDEB4Y9uqe7XnCcNBTLEu3IjNaYckk7X/qsia5ztVVpI +sXnObSpbh8KOzzHqM1bPHLEp1RYSTPy1q1VMwhyRTz0bRdWOFsXU7A7F+yVAT/Wb +MorKJj63H3JJ+v35nXZSzixkx1x1eNdW3bUT0ZSZ5TUcuQENBFsGtRcBCADEld1p +2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRdaWV8gIdtC3q9Eg4Bpd7wUczNsCYWk +iGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDgiU+j1LsPmi4u0oIHg/hOCuFyLoWC +kJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4JjLxpLvkXpWQGKJF21s9GulRUP3E +30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfpIQX/6z+NlSkNigubD9jbTvMuY2zb +ZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mYQUbmYQfB/aX60TMYQt3UBivggU15 +u6mdrGo1bedCLvDhABEBAAGJA2wEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh +6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBAJ/O9WFlMoYG7XsUORz +D5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH/1fxABg0deOflZE8SS9VTR0BiM6I +IOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW/OHJ70nmdhVgNM1IAjZAO6NjeCaA +aJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HGzBMvZ5UITPz5NylUBh1s1PQoZKuB +8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO2R0i3s4WalF4PeSMqvrL5wgrEAw7 +hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0JUd15kgtd/D2zN1ekzrEoARwuaPnT +OmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPAA5j8QwZmPkdlUGdWoo+t1k34GQ/+ +MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5EysBfYMcLWAMecYzp/3Oj6LTRFisB +nWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggWO9oCrkt4djhSMrCXOuEKHyarnf+E +sLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDiaweoTqdWhUnb/9rFNFUuR9s2ij2u1 +TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuVvxtDokOT3P+st5YCHI0fr56Mykhs +TUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW+qly8UiDFMA4DBR+K+V9/VdeDYjK +B9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBjGn2sqBVP46YoC/dxH7GFYusLSYof +QhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74JXlJkaX3wezGScakX/shP2KbmvB3 +cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAhJ48a5YTLnG8aqJSGI7dCDbMUcPTR +uDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9hs+74oeNHb0QHEPAxfls58gAHRzh +ZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5WtOuuJxV6UmeQLTPD721jlBPpALO +TicKph3axybnW2w/zw0hEH9NOJIFePftgE42SLolicG5AQ0EWwaZzwEIALMNijLI +/Bjxtt3dAOC/FrGpfRelGzd5nmnbboBAqGgWkrBukpaqG/mLh4LMtfWwq9L45+Td +hFp4AEFrtH2DvHpH8LIV3EGRq5mV5Kl3PMIpnUAyh4bCVkePxcP1ucM595xUVrmB +RVbJYUY09ezglFe9pfSiTHBnb4rlA4B7a/GlYQsp91JZdjABWgkw19+v1tD5o9ul +1vHRQYJ+WhjCZXX0WKuLPU8DO8lgQBWyW+vV8JB7FQFSSamkqVfOYbSBqwzL0rtj +FfmsjoMruNSiGPn83sre/UhQ+pcqukA+YYQA6BLj2lCxwyYfxkF6eoUWjqtJy63W +khYS+NxfYaZYc1UAEQEAAYkCNgQoAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+Hq +BQJbjuoJAh0BAAoJECY9bfLhY+HqUOUQAKZjKBOzvqtI7CwdnZgsfduW6rWwgQty +c1l+bRmRiPmZMqS5Tjr8h85B7aQMvms3saZGmsgHv2abIVp2BOZ+Rv727n+jR1TB +tSxnAFGv8QvqBy4Zjia/CM8LrE1fQJUK8yFrjFHh75ZsLvWEdNlfO9a7JEw2OvTD +d2FbroVjmRG2XeqGqxaGabDeW+d400cmLjrBNjv2hg0gR33x1qiznYdtXjC3baFv +Hr8PQaSspqhzntmtZjiOvlHU4CI7IYWC4lnouLAPurlNYQrTqLFuGxT+fELIIhlF +xuBF7vV/L29SxxkvQjPs5czErEOVoqYR9DTN2aQcCl/3rXQNzBNBzBPdy9Swsn2w +Lt3eZFvyhSqQcmLbl5/EQedgEejP1fG5fmUhNOjpvFYKhsHDn97/5oMYy4EZ9oE6 +TCP8XQOt6PowHdq6nEdKP3puCuofv7jZxIgY+p3mIuL9Q4viG7cqVAM4qXbKAE0R +w337jYb2vQHxNpQcGJAKV4dAFhWG7MTFV6LuGXHew9vm/H+75qtMn1kKhVmOxS5s +lh7iPduRnBcxEROqdD8xhKWwyoferOkRZ0tsWtF1uPsvy/0y2nakGOVuIoIGI9Xu +BbLWHf5uhI6PRY1nmRI5ASbufZEgg+xCkLpxz/Qe23alO8+Ul4M85DpsSZnMdDmf +bi8TDXX02E2AiQNsBBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGmc8C +Gy4BQAkQJj1t8uFj4erAdCAEGQEKAB0WIQTz0Ti6kOYcPK7nAba3JfP9vazURgUC +WwaZzwAKCRC3JfP9vazURvneCACeIFcjkWw7YCSV2W7llvoCQr+v4m4S3gRNe/hk +OnbwKwUuCQRoa8RcVQp3tgPQBDePaOUxZSR9Fwr24mXob0DqEAn2GYtgWbsrNG2C +qlLxXQGwZvdFlde+7N6aLwBz+EPGF4iAEmLq1lu2mFvtZd94ygRVsHxXEnFMcAao +QKCaUjQKmpEpm6n+9hTTnJb5OumT6kLvtDgc47TafVfz1R3meqS3iDGKW/cOZolx +j23di3aIqy6gnsKYY0LaH9jXqlD/P2vSi4TYe/PrtMCgqQ4lLbYgT+49aLanll7Y +pk99zX6aOHD7ywBvEkcehlNX4+e9I+dfy/X1o+nXuMzYNPM+0pEQAIB3uSLSJk8F +88uCb2xA/HJnsukBf+IkcqzCA09iiQqR6HE/MZ7suTahldEfauXx+cQGdTzEqQEm +ZHa0yXTzNdeutEO0DpmgaLKR6q5LYNWBHGGMc979eKV7IsxdGpjvQNkVIqSCEjxL +BF4p2D202rvdzZn0YCKJzgleF2AuL4LrHfp8jq+5D5bxfhnEU5XJgseRPU+dC3Lq +zTeqxUUejP2P3UX4ELIN082EInREDPddBdI/CxFIgZZ8LYHf6MFG3UqCf72j5Y6U +dZIwxM7DTfWOF3PJLcDU69Q9P/C07pzGz+vtQJO4b/gfEYaGLhV44IUx/Rsf6IYG +HzdzKQoBedScecifBRTZxFG9mMiehdNxoZ2a3nOnRbDMEeanIuZAt97LjexVgGgm +8tJvNixv3gXpxs7dzrRh01td/HfSnNUlsCfjLOrsjgqt5Po7zI6cttlcifa1kvnX +eX4unjNuqjvRfG1T+PglUj9w0SkhPwjokrD43jMJdVbjhZ/kZEedI2zeCt/3nHPI +G8hczEFeR4qElvMY5LWT5v2XfEQAsi3WtQuYYuFkF3xH3Hv/PqDiI+DQZL7pHzRS +13lEeXXPf+AwO3Cx5JkX1EdFF+/1mxA4YI0MC37nI0vbYgTzs1c4LOBfQIgFIAqG +oALbAtcVJ/gnIMcKdtMqaNMkbBmYdGeviQNyBBgBCgAmFiEErEBMHAv3NcY/9NVi +Jj1t8uFj4eoCGy4FAluO6bYFCQCJoUkBQMB0IAQZAQoAHRYhBPPROLqQ5hw8rucB +trcl8/29rNRGBQJbBpnPAAoJELcl8/29rNRG+d4IAJ4gVyORbDtgJJXZbuWW+gJC +v6/ibhLeBE17+GQ6dvArBS4JBGhrxFxVCne2A9AEN49o5TFlJH0XCvbiZehvQOoQ +CfYZi2BZuys0bYKqUvFdAbBm90WV177s3povAHP4Q8YXiIASYurWW7aYW+1l33jK +BFWwfFcScUxwBqhAoJpSNAqakSmbqf72FNOclvk66ZPqQu+0OBzjtNp9V/PVHeZ6 +pLeIMYpb9w5miXGPbd2LdoirLqCewphjQtof2NeqUP8/a9KLhNh78+u0wKCpDiUt +tiBP7j1otqeWXtimT33Nfpo4cPvLAG8SRx6GU1fj570j51/L9fWj6de4zNg08z4J +ECY9bfLhY+HqqBUP/jnLbmDM2FJQq5osAJEnENg4WpB7oagprs9e9iG0+ipaCRmC +XOYFCxAyUXGJVatWpH1LjikGuVrHE+Rw1MG2Gicf1OWJRIDUzc8x8NnZSWqt8Vak +uM0RcJjIAossAf/OrLzOsY83MpcOkPp6r8256ik0bpPYeoOdppsDmD9m6630NfUT +yd5G6mrvcW1x/OTgxZjTS+1LQa81uYjfQI39ZiW/KIoDs/bYU5hebpVYDSquc+/X +apJv2ThlPYzGujnEQe/sidzonqzJRFRweWwpFsjBiW8OCw34hWhXRMt4k5usazxy +Tq9FbPe02VaJpfkuviAFNP6igyb8GjHUtkLqC7VE6PByjVzdicSo115FNm2z3vVQ +NFcrdm9qp4Vg1i8OqU66hzOu6TgfwFupdj4bL9W4ys9wm4J3rVN2Nv4Rtpn5XUwO +iWxGW/CO3HhaBILoOEVunyIHv2D/Qg80zNN1xyYNbTC20DBouMFINaHiJPcZRho3 +mBc9V1U3cLsDVunMzuEXmkZP8a86fNrQgnyyxtXHQ30fn+y9M+1um6SvJyJMJsrH +Qey1avREKeDMaG/kHH3tmsLGAIZhz6LnWhBa/Ih9opYMjsdrjqZoFsMre79mRCTP +v0WkgBkIuEd8WLvrJ7I3ghstcl8chTNXvme6QBXCd3YkGW4aT6h/9mrMjDK4uQEN +BFudBGIBCADhSb3x5LM+qdZz6SCWRQfGrleLxh9PcYzkm/L0mibZXBXfx3Jvve4Z +tuTcPis/4Ym5qTp3W/BCMCMq/VVJqNgb1jUbXmEGLiKr/FWEoHU7suaGZ2DsPwaU +EByVtOegYQmKlG66jiGvbkOV+PM7780KVtuKUberGL+P9R8P46/buvKMTy+pw3F9 +kEIbTh9gGCzQBvS6FxHBWgtN+MorHewESY4NRfOTCWTwzS4XCFJGTWni/UX81YAu +sBLcMiI+Ai7ap4700p5bJGXwFkjPsVOzVfVCKV2p1+3ZcuSKwhYmsvL1Bmo1PoZG +xkLpbTLEPiCl1xUB4MCzJn+RfRHEP/kZABEBAAGJAjYEGAEKACAWIQSsQEwcC/c1 +xj/01WImPW3y4WPh6gUCW50EYgIbDAAKCRAmPW3y4WPh6s5FD/4xjZ+2os4cv4+G +hyRP+OWRrDswmAzu8xlbz2J+/HpCDpaw2JmvPXkciZAxGyjtAZBKamG4hOFMryPk +AhHk+WvLrBfQ2sl1tA9uc6+YbIwQ/SiR8T2MybetfT8uTIBmZkFOrJ76e6q/k3yT +N3PC3rODFPA5Onhx2tzK1SDQ3BdmNZG/RXh3jYI48jlI22Dh8PAuHOrzROGYqeo8 +wtdzTgy1W5+VD0V625iliKAxPMzZY20Vh7wdgLypf2GokS6uF7BpyFDJSGc1N1qt +tf1V+PglSQgXuRbvxD6a8iZ1nuDjV+tdOcL6MgaWeWMOoWZOkH5Le38nuEKNcZU/ +KE2ouqvhpF6+48Bj9rA+b/YVaYoTwt8t80LZS8KoHYMkyOTjxjm6Q3+WP/Wfue8j +7U99dslvGD/YEH/wFyyZ9xHKUCBhDRYe4Ewc8LrIUW10D4F5Jqot+FPyi5FmI5F/ +rzUfnMioOjiS4sxc4F9yMqfcVuV0aru3SJYBTrR4WCIJEM9ceUJGEGaYzed5ZXV8 +S6lV3jpWqXRVGuuJ7LpCaNR/WiY/Y5cdIcBmN1KobAxP6B2omaiItSzJ0M8+GqVr +Nz1/RZZldsUL/wcrBJxOyeTousaTV74/eZNadLrG/Wc6BhDw9MT0ex7WkHG2ZTCB +uAd8YL5rncwie4Pd69PdufTs5dgLGLkBDQRcNmNiAQgAwsqx2rWkd5HVeGrPmrat ++Kwb5mDvu/j17oXpfiN5nnRmg80aHpAE+ctbo78Ero/gQWigmdlmzjdLuIj1En3e +lOrCjjWvPfVVwIfvTV47GrPexzFAPBefWMYrPHuxvh6SycfHtPsLO0zdaOs69CEj +blzf0KZHJT+2iQ1sOnnPTG0GY3S5TMUwzFB6t5XlH54AF/vBwu9nnKfhMefawD7W +EhxPbxiqP1d4DeRsLIWUINqVhz0/QJFBB5FOQUq+B+mB5G9awH3rbyS5ujx7cFZ7 +FsoNL+OrkBY4I/xdaKA4S8SrdiKnWctkP3UtuUQw1tCvDiH+A+rAW+P4qZ7j+5Lz +GwARAQABiQNsBBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlw2Y2ICGwIB +QAkQJj1t8uFj4erAdCAEGQEKAB0WIQSvYPyjzapt6tFX6jpn4496i6IXcgUCXDZj +YgAKCRBn4496i6IXcpaIB/4xZOB+VKQtNyp+VYp67RE6YBzlbXq23/fg9vAKZ1R5 +OseVoSQ83lkxfmNC1S8nDePf95DlC+pyubcMpvu42FZn5/zgkSzUJvj7eTKSEpUg +q3PLDE+3+vtoeXglShdGENmvz3WZm+wLV7YmqhKxAW3jFNt5ciu/BFe6TlKti0vI +02+RZhyALPiiR5uwmR/MJoejnKQ0Mj46l7L0lB7yOcilj+jOcQiYCCW9DHHQUwYT +9tal5HK3EE7WblRSKKgo1XjZnoM8CSht4LTH6w8PFESxlx0S85Vt+Cx1H7jQiwfD +sT/poCMNDpkXzS6nYd3sAEJ5FJiR74s3qJgCbVXzib/3B70QAKGapT8LDwlGqSyy +ORBXmJKq+uLoCY09H6eBNjFR43+g3qdhCkq1u0aI1T9IXtnk33rw4hycKzhkYHxI +IG9pSjDyI4w5eFzR3wK836Tra8cmtsnJv+cD7tV6voxM8AJwBcwR1COZRVURlpkF +7kvBfiJs/C5Z/AdAXCXoUjKloSjgoTil3EOJqHY8q86YDddelcEKg+xVP/uAjTgG +m2qFQWAuOx2vajoAusKwgw/5Zi12iln02Obwqm8QSoLAM9/I45sBwbtjbgpnNTo3 +3tNIETIDuGeGXgjwRnsTAsc9aNlq8iU8Elci722pg1uoCzDNxxgkT4BAdYkc+Xxj +KpTOtLfKbZcKRz2Us6E1czhFJAYy4LJ1LCDxhfG/qs6n3agC2dCO5tIqr1Z5ZH7h +Vu1AkbH1Ygo2UEVeU46ciBnxZnsnlWW3dXtknnWk/ex+vo+6qj0LbNZnPXr0r4MX +G4QgAbNJzP4lTjguoLETWMg07mRgKPzWKQqf2lW6U+ssAbB4kbapck9MfXAw9Yhq +oD6kJJwPx8Wq/c4I05lXO8Ib/8Eex3DN3KS1+B2SSQo9KuO3vDfxTmMnz346a9Lx +bNlZv/D9OGL4wj7I0uBF3k8lrB4DYC892GQbRu1EeGW1BUj05HFo/XF0yv1sa6q8 +/9/6U5Iz+fgwUfMwonpPImyKev/D +=asWG +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/crun.spec b/crun.spec new file mode 100644 index 0000000..5374208 --- /dev/null +++ b/crun.spec @@ -0,0 +1,108 @@ +# +# spec file for package crun +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%ifarch x86_64 aarch64 +%if 0%{?suse_version} >= 1600 +%define with_wasmedge 1 +%else +%define with_wasmedge 0 +%endif +%else +%define with_wasmedge 0 +%endif + +Name: crun +Version: 1.18.2 +Release: 0 +Summary: OCI runtime written in C +License: GPL-2.0-or-later +URL: https://github.com/containers/crun +Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc +# From . See . +Source2: %{name}.keyring +# We always run autogen.sh +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gcc +BuildRequires: gettext +BuildRequires: glibc-devel-static +BuildRequires: go-md2man +BuildRequires: libcap-devel +BuildRequires: libprotobuf-c-devel +BuildRequires: libseccomp-devel +BuildRequires: libtool +BuildRequires: libyajl-devel +BuildRequires: make +BuildRequires: python3 +BuildRequires: python3-libmount +BuildRequires: systemd-devel +%ifnarch %{ix86} +BuildRequires: criu-devel >= 3.15 +%endif +%ifarch x86_64 aarch64 +BuildRequires: libkrun-devel +Requires: libkrun1 +%endif +%if %with_wasmedge +BuildRequires: wasmedge-devel +%endif + +%description +crun is a runtime for running OCI containers. It is built with libkrun support + +%prep +%autosetup -p1 + +%build +%ifarch x86_64 aarch64 +export LIBKRUN="--with-libkrun" +%endif +%if %with_wasmedge +export WASMEDGE="--with-wasmedge" +%endif + +./autogen.sh +%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp' +%make_build + +# TODO: +# - it would be nice to enable the test-suite, but seems to behave (and fail!) +# differently when run inside of an OBS worker, with respect to when it's +# run manually on the host... Need to investigate more. +#%%dnl %%check +#make test-suite.log + +%install +%make_install +rm -rf %{buildroot}/%{_libdir}/lib* + +%files +%license COPYING +%doc README.md +%doc SECURITY.md +%{_bindir}/%{name} +%ifarch x86_64 aarch64 +%{_bindir}/krun +%endif +%if %with_wasmedge +%{_bindir}/crun-wasm +%endif +%{_mandir}/man1/* + +%changelog