* Add --log-level option. It accepts error, warning and error.
* Add debug logs for container creation.
* Fix double-free in crun exec code that could lead to a crash.
* Allow passing an ID to the journald log driver.
* Report "executable not found" errors after tty has been setup.
* Do not treat EPIPE from hooks as an error.
* Make sure DefaultDependencies is correctly set in the systemd scope.
* Improve the error message when the container process is not found.
* Improve error handling for the mnt namespace restoration.
* Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
* Fix handling of device paths with trailing slashes.
- add url for keyring
- enable leap by disabling wasmedge (not packaged for leap)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=49
- New upstream release 1.15
* fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
* linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
* release: build s390x binaries using musl libc.
* features: add support for potentiallyUnsafeConfigAnnotations.
* handlers: add option to load wasi-nn plugin for wasmedge.
* linux: fix "harden chdir()" security measure. The previous check was not correct.
* crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.
OBS-URL: https://build.opensuse.org/request/show/1178752
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=45
- update to 1.14:
* build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
* cpuset: don't clobber parent cgroup value when writing the cpuset value.
* linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
allowing file permissions to be set as specified in the OCI configuration.
* ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
- update to 1.13:
* src: use O_CLOEXEC for all open/openat calls
* cgroup v1: use "max" when pids limit < 0.
* improve error message when idmap mount fails because the underlying file system has no support for it.
* libcrun: fix compilation when building without libseccomp and libcap.
* fix relative idmapped mount when using the custom annotation.
OBS-URL: https://build.opensuse.org/request/show/1141976
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=41
- update to 1.11.1:
* force a remount operation with bind mounts from the host to
correctly set all the mount flags.
* cgroup: honor cpu burst.
* systemd: set CPUQuota and CPUPeriod on the scope cgroup.
* linux: append tmpfs mode if missing for mounts. This is the
same behavior of runc.
* cgroup: always use the user session for rootless.
* support for Intel Resource Director Technology (RDT).
* new mount option "copy-symlink". When provided for a mount,
if the source is a symlink, then it is copied in the container
instead of attempting a mount.
* linux: open mounts before setgroups if in a userns. This
solves a problem where a directory that was previously
accessible to the user, become inaccessible after setgroups
causing the bind mount to fail.
* linux: idmapped mounts expect the same configuration as
mapping. It is a breaking change, but the behavior was aligned
* cgroup: always delete the cgroup on errors.
° exec: fix double free when using --apparmor and
OBS-URL: https://build.opensuse.org/request/show/1123539
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=37
- Update to 1.8.5:
* scheduler: use definition from the OCI configuration file
instead of the custom label that is now dropped and not
supported anymore.
* cgroup: fix creating cgroup under "domain threaded".
* cgroup, systemd: set the memory limit on the system scope.
* restore tty settings from the correct file descriptor. It was
previously restoring the settings from the wrong file
descriptor causing the tty settings to be changed on the
calling terminal.
* criu: check if the criu_join_ns_add function exists.
Fix a segfault with new versions of CRIU.
* linux: do not precreate devs with euid > 0. Fix creating
devices when running the OCI runtime as non root user.
* linux: improve PID detection on systems that lack pidfd.
While there is still a window of time that the PID could be
recycled, now it is now reduced to a minimum.
* criu: fix memory leak.
* logging: improve error message when dlopen fails.
- Changes from 1.8.4:
* drop custom annotation to set the time namespace and use
the OCI specs instead.
* cgroup: workaround cpu quota/period issue with v1. Sometimes
setting CPU quota period fails when a new period is lower,
and a parent cgroup has CPU quota limit set.
* cgroup: fix set quota to -1 on cgroup v1.
* criu: drop loading unused functions.
OBS-URL: https://build.opensuse.org/request/show/1093131
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=25
- update to 1.8.3:
* update: initialize the rt limits only on cgroup v1.
* lua bindings for libcrun.
* wasmedge: add current directory to preopen paths.
* linux: inherit parent mount flags when making a path masked.
* libcrun: custom annotation to set the scheduler for the
container process.
* cgroup: fallback to blkio.bfq files if blkio is not available
on cgroup v1.
* cgroup: initialize rt limits when using systemd.
* tty: chown the tty to the exec user instead of the user
specified to create the container.
* cgroup: fallback to create cgroupfs as sibling of the current
cgroup if there is none specified and it cannot be created in
the root cgroup.
- add keyring for GPG validation
OBS-URL: https://build.opensuse.org/request/show/1074967
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crun?expand=0&rev=11
* update: initialize the rt limits only on cgroup v1.
* lua bindings for libcrun.
* wasmedge: add current directory to preopen paths.
* linux: inherit parent mount flags when making a path masked.
* libcrun: custom annotation to set the scheduler for the
container process.
* cgroup: fallback to blkio.bfq files if blkio is not available
on cgroup v1.
* cgroup: initialize rt limits when using systemd.
* tty: chown the tty to the exec user instead of the user
specified to create the container.
* cgroup: fallback to create cgroupfs as sibling of the current
cgroup if there is none specified and it cannot be created in
the root cgroup.
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=22
- Update to 1.8.1
* linux: idmapped mounts expect the same configuration as
the user namespace mappings. Before they were expecting the inverted
mapping. It is a breaking change, but the behavior was aligned
to what runc will do as well.
* krun: always allow /dev/kvm in the cgroup configuration.
* handlers: disable exec for handlers that do not support it.
* selinux: allow setting fscontext using a custom annotation.
* cgroup: reset systemd unit if start fails.
* cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
* cgroup: always delete the cgroup on errors.
On some errors it could have been leaked before.
- changes from 1.8
* linux: precreate devices on the host.
* cgroup: support cpuset mounted with noprefix.
* linux: mount the source cgroup if cgroupns=host.
* libcrun: don't clone self from read-only mount.
* build: fix build without dlfcn.h.
* linux: set PR_SET_DUMPABLE.
* utils: fix applying AppArmor profile.
* linux: write setgroups=deny when mapping a single uid/gid.
* cgroup: fix enter cgroupv1 mount on RHEL 7.
OBS-URL: https://build.opensuse.org/request/show/1068319
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=20
- Update to 1.7.2:
* criu: hardcode library name to libcriu.so.2.
* cgroup: always enable all controllers, even if the cgroup was
already joined. Regression caused by crun-1.7.
- Changes from 1.7.1:
* criu: load libcriu dynamically.
* seccomp: initialize libgcrypt.
* handlers: fix rewriting the argv if the full cmdline doesn't
fit.
* utils: honor SELinux label when using a custom handler.
* utils: honor AppArmor label when using a custom handler.
* krun: copy the OCI configuration file into the container.
* utils: fix creating the default user namespace when running
with euid != 0.
* Add setlinebuf() when --debug and --log=file: are used.
* Fix timestamp format in the error messages.
* krun: disable libkrun's collection of env vars.
- Changes from 1.7:
* seccomp: use a cache for the generated BPF.
* add support for setting the domainname through the OCI spec.
* handlers: define wasm and krun.
* wasmtime: add support for compiling .wat format.
* cgroup: honor checkBeforeUpdate on cgroupv2.
* crun: chown std streams before joining the user namespace.
* crun: display rundir in --version output.
* container: with cgroupfs use clone3 to join directly the target
cgroup.
* linux: create parent directories for created devices with mode
0755.
* wasm: inherit environment variables in the WasmEdge handler.
OBS-URL: https://build.opensuse.org/request/show/1040893
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=18
- Update to 1.6
* runc compatibility: -v now prints the version string.
* build: fix build with glibc 2.36.
* container: drop intermediate userns custom feature.
* cgroup: change the delegate cgroup semantic so that the cgroup
is created in the container payload after the cgroup namespace
is created.
* seccomp: use helper process to send file descriptor to the listener
socket. It enables to be notified on every syscall without hanging
the main process.
* linux: add a fallback to using kill(2) if pidfd_send_signal(2)
fails with ENOSYS.
* krun: add support for krun-sev.
* wasmtime: always grant file system capability for workdir inside
the container.
* wasmtime: inherit arguments list from the handler instead of the
current process.
* wasmedge: use released wasmedge library instead of libwasmedge_c.so.
- Update to 1.5
* add mono based native .NET handler
* new Wasmtime backend for running WebAssembly
* add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
* dropping support for experimental WasmEdgeProcess from wasmedge handler
* honor process user's uid when setting the HOME environment variable
* create the current working directory if it is missing in the container
* fallback to using a tmpfs mount if umount of /sys and /proc fails
* fallback to netlink to setup lo device
* fix creating devices in the rootfs
* fallback to using io.weight if io.bfq.weight doesn't exist
* remove tun/tap from the default allow list
* linux: devices mounts have noexec and nosuid
* fix copyup of files from the container to the tmpfs
* honor $PATH for newgidmap and newguidmap
* krun: limit the number of vCPUs to 8
* cgroup: add support for cpu.idle
OBS-URL: https://build.opensuse.org/request/show/1006927
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=15
- It'd be nice to run the test suite with %check. It however, still
does not work properly inside OBS workers. Add it commented (and
explain it in a comment)
- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
see: https://github.com/containers/crun/releases
* 1.4.4
wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
Resolve symlinks in bind mounts when creating a user namespace.
Fix CVE-2022-27650: exec does not set inheritable capabilities.
* 1.4.3
cgroup: avoid potential infinite loop when deleting a cgroup.
support additional options for idmap mounts.
open the source for a bind mount in the host.
* 1.4.2
CRIU: add pre-dump support.
Fix running with a read-only /dev.
Ignore EROFS when chowning standard stream files.
Add validation for sysctls before applying them.
* 1.4.1
Fix check for an invalid path.
Allow deleting a container while in created state.
cgroup: do not set cpu limits if number of shares is set to 0.
* 1.4
wasm: support for running on kubernetes with containerd.
linux: add support for recursive mount options.
add support for idmapped mounts through a new mount option "idmap".
linux: improve detection of /dev target.
now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
retry the openat2 syscall if it fails with EAGAIN.
cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
on new kernels, use setns with pidfd.
attempt the chdir again with the specified user if it failed before changing credentials.
* 1.3
add support to natively build and run WebAssembly workload and WebAssembly containers.
allow to specify sub-cgroup for exec.
chown std streams if they are not a TTY.
attach the correct streams if the container is suspended and restored multiple times.
fix race condition when enabling controllers on cgroup v2.
* 1.2
exec: fix regression in 1.1 where containers are being wrongly reported as paused.
criu: add support for external ipc, uts and time namespaces.
* 1.1
cgroup: use cgroup.kill when available.
exec: refuse to exec in a paused container/cgroup.
container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
criu: Add support for external PID namespace.
criu: fix save of external descriptors.
utils: retry openat2 on EAGAIN.
* 1.0
cgroup: chown the current container cgroup to root in the container.
linux: treat pidfd_open failures EINVAL as ESRCH.
cgroup: add support for setting memory.use_hierarchy on cgroup v1.
Makefile.am: fix link error when using directly libcrun.
Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies
OBS-URL: https://build.opensuse.org/request/show/969577
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=11
- Update to 0.21
- honor memory swappiness set to 0
- status: add fields for owner and created timestamp
- cgroup: lookup pids controller as well when the memory controller
is not available
- when compiled with krun, automatically use it if the current
executable file is called "krun".
- container: ignore error when resetting the SELinux label for the
keyring.
- container: call prestart hooks before rootfs is RO.
- cgroup: added support cleaning custom controllers on cgroupv1.
- spec: add support for --bundle.
- exec: add --no-new-privs.
- exec: add --process-label and --apparmor to change SELinux and
AppArmor labels.
- cgroup: kill procs in cgroup on EBUSY.
- cgroup: ignore devices errors when running in a user namespace.
- seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
- seccomp: report correct action in error message.
- apply SELinux label to keyring.
- add custom annotation run.oci.delegate-cgroup.
- close_range fallbacks to close on EPERM.
- report error if the cgroup path was set and the cgroup could not be
joined.
- on exec, honor additional_gids from the process spec, not the
container definition.
- spec: add cgroup ns if on cgroup v2.
- systemd: support array of strings for cgroup annotation.
- join all the cgroup v1 controllers.
- raise a warning when newuidmap/newgidmap fail.
- handle eBPF access(dev_name, F_OK) call correctly.
- fix some memory leaks on errors when libcrun is used by a long
running process.
- fix the SELinux label for masked directories.
- support default seccomp errno value.
- fail if no default seccomp action specified.
- support OCI seccomp notify listener.
- improve OOM error messages.
- ignore unknown capabilities and raise a warning.
- always remount bind mounts to drop not requested mount flags.
OBS-URL: https://build.opensuse.org/request/show/910479
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=5
