- update to 1.17:

* Add --log-level option. It accepts error, warning and error. * Add debug logs for container creation. * Fix double-free in crun exec code that could lead to a crash. * Allow passing an ID to the journald log driver. * Report "executable not found" errors after tty has been setup. * Do not treat EPIPE from hooks as an error. * Make sure DefaultDependencies is correctly set in the systemd scope. * Improve the error message when the container process is not found. * Improve error handling for the mnt namespace restoration. * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux. * Fix handling of device paths with trailing slashes. - add url for keyring - enable leap by disabling wasmedge (not packaged for leap) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=49
2024-09-12 17:12:27 +00:00 · 2024-09-12 17:12:27 +00:00 · b640a28496
commit b640a28496
11 changed files with 1094 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/crun-1.15.tar.gz
+++ b/crun-1.15.tar.gz
--- a/crun-1.15.tar.gz.asc
+++ b/crun-1.15.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui
+F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc
+gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n
+wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ
+U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC
+fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S
+R4c3fkxsV7PNXt6sNx+J8UAGntztBA==
+=pgGE
+-----END PGP SIGNATURE-----
--- a/crun-1.16.1.tar.gz
+++ b/crun-1.16.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70548de4874f0c9e7e1e080ff092e23f8fcc772a23261ee26e26d79f24df289e
+size 1760357
--- a/crun-1.16.1.tar.gz.asc
+++ b/crun-1.16.1.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAma7dj0ACgkQZ+OPeoui
+F3LNNwgAidlpoqDuVBqh9ykjXfA0fnZ58NpWlU2wuHTk1zt+3vgTuFNGKmSimEZI
+c8mcgjq3nvTTmCBWr6Qikh5neSCerJJ+eprvmRQwHHuJj1sPoM/KhmVVc4pfLhQF
+B9MQxKrWf635TRh9r5V8kpx0K43ffL7ZVVNJ6Iumm4G1MOaEqpSZYSkgXMePFTGB
+kRh9zaHJ66m50i7ctokyfI1Y07hexviDXOhJi5znA0Y2GBSoiZLQcY8hwB7xg/m1
+vd9vI9CHA2E05dWE/Zuz9v/1YRH+hb1fRpnJP6LQPYjlUM/CnmMEDE6yJjQYwDQU
+Gu6uuqxH3nXMPJzv0MFpznEva5eLGQ==
+=++ex
+-----END PGP SIGNATURE-----
--- a/crun-1.17.tar.gz
+++ b/crun-1.17.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b766609814c0b0a3c0d2d235af1b061bd71da1aa2e8bb181d66e89f1b9a4e874
+size 1773153
--- a/crun-1.17.tar.gz.asc
+++ b/crun-1.17.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmbe+kIACgkQZ+OPeoui
+F3Kr8Af+Lr1TLt/nDA6Dgjo55pQScbgAa7nq1iM2yZEQpq2WwpXvj6M15pZ3vWAj
+kzeotA3JX3VrggjgLZ5j2GPh37BQfNteehX9yae3AkaltLkANZSaAbekqWCvX4Pk
+PeD9LzPLqOHGBCGi58UjeXl9Ov4bYhrDvIv7+LL3Q5qG2fp2ynfm7IEhSz7wjXns
+Yd6rqbs+bP+RlJUp6fcy5gBZEoCrLiBBh9TH1mPHURkzSsJNCf3Vqm2pQXfQlHBU
+VtWZU0D5XYnhyBHSPmZCdMjy7WAdACYN9euBDP2XhXSvv95bQy/NLC/IMUDJq5FL
+/ihOb/YV2LpSGoUvbBOliIdqtbVftw==
+=jC+F
+-----END PGP SIGNATURE-----
--- a/crun.changes
+++ b/crun.changes
@ -0,0 +1,535 @@
+-------------------------------------------------------------------
+Wed Sep 11 20:12:48 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.17:
+  * Add --log-level option. It accepts error, warning and error.
+  * Add debug logs for container creation.
+  * Fix double-free in crun exec code that could lead to a crash.
+  * Allow passing an ID to the journald log driver.
+  * Report "executable not found" errors after tty has been setup.
+  * Do not treat EPIPE from hooks as an error.
+  * Make sure DefaultDependencies is correctly set in the systemd scope.
+  * Improve the error message when the container process is not found.
+  * Improve error handling for the mnt namespace restoration.
+  * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
+  * Fix handling of device paths with trailing slashes.
+- add url for keyring
+- enable leap by disabling wasmedge (not packaged for leap)
+
+-------------------------------------------------------------------
+Thu Sep  5 13:18:43 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- new upstream release 1.16.1
+
+1.16.1:
+
+- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint.
+- inherit user from original process on exec, if not overridden.
+
+1.16:
+
+- build: fix build for s390x.
+- linux: fix mount of special files with rro.  Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.
+- Fix sd-bus error handling for cpu quota and period props update.
+- container: use relative path for rootfs if possible.  If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.
+- wasmedge: access container environment variables for the WasmEdge configuration.
+- cgroup, systemd: use MemoryMax instead of MemoryLimit.  Fixes a warning for using an old configuration name.
+- cgroup, systemd: improve checks for sd_bus_message_append errors
+
+-------------------------------------------------------------------
+Thu May 30 12:30:26 UTC 2024 - Dario Faggioli <dfaggioli@suse.com>
+
+- New upstream release 1.15
+  * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
+  * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
+  * release: build s390x binaries using musl libc.
+  * features: add support for potentiallyUnsafeConfigAnnotations.
+  * handlers: add option to load wasi-nn plugin for wasmedge.
+  * linux: fix "harden chdir()" security measure. The previous check was not correct.
+  * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. 
+
+-------------------------------------------------------------------
+Wed Mar  6 10:06:50 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.14.4
+
+* crun-1.14.4
+
+- linux: fix mount of file with recursive flags.  Do not assume it is
+  a directory, but check the source type.
+
+* crun-1.14.3
+
+- follow up for 1.14.2.  Drop the version check for each command.
+
+* crun-1.14.2
+
+- crun: drop check for OCI version.  A recent bump in the OCI runtime
+  specs caused crun to fail with every config file.  Just drop the
+  check since it doesn't add any value.
+
+* crun-1.14.1
+
+- there was recently a security vulnerability (CVE-2024-21626) in runc
+  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
+  outside the container rootfs.  While crun is not affected directly,
+  harden chdir by validating that we are still inside the container
+  rootfs.
+- container: attempt to close all the files before execv(2).
+  if we leak any fd, it prevents execv to gain access to files outside
+  the container rootfs through /proc/self/fd/$fd.
+- fix a regression caused by 1.14 when installing the ebpf filter on a
+  kernel older than 5.11.
+- cgroup, systemd: fix segfault if the resources block is not specified.
+
+-------------------------------------------------------------------
+Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
+
+- update to 1.14:
+  * build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
+  * cpuset: don't clobber parent cgroup value when writing the cpuset value.
+  * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, 
+    allowing file permissions to be set as specified in the OCI configuration.
+  * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
+
+- update to 1.13:
+  * src: use O_CLOEXEC for all open/openat calls
+  * cgroup v1: use "max" when pids limit < 0.
+  * improve error message when idmap mount fails because the underlying file system has no support for it.
+  * libcrun: fix compilation when building without libseccomp and libcap.
+  * fix relative idmapped mount when using the custom annotation.
+
+-------------------------------------------------------------------
+Fri Dec  1 13:41:35 UTC 2023 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.12:
+
+  * add new WebAssembly handler: spin.
+  * systemd: fallback to system bus if session bus is not available.
+  * configure the cpu rt and cpuset controllers before joining them to
+    avoid running temporarily the workload on the wrong cpus.
+  * preconfigure the cpuset with required resources instead of using the
+    parent's set.  This prevents needless churn in the kernel as it
+    tracks which CPUs have load balancing disabled.
+  * try attr/<lsm>/* before the attr/* files.  Writes to the attr/*
+    files may fail if apparmor is not the first "major" LSM in the list
+    of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
+
+- New upstream release 1.11.2:
+
+  * fix a regression caused by 1.11.1 where the process crashes if there
+    are no CPU limits configured on cgroup v1. (bsc#1217590)
+  * fix error code check for the ptsname_r function.
+
+-------------------------------------------------------------------
+Mon Nov  6 10:19:58 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.11.1:
+  * force a remount operation with bind mounts from the host to
+    correctly set all the mount flags.
+  * cgroup: honor cpu burst.
+  * systemd: set CPUQuota and CPUPeriod on the scope cgroup.
+  * linux: append tmpfs mode if missing for mounts.  This is the
+    same behavior of runc.
+  * cgroup: always use the user session for rootless.
+  * support for Intel Resource Director Technology (RDT).
+  * new mount option "copy-symlink".  When provided for a mount,
+    if the source is a symlink, then it is copied in the container
+    instead of attempting a mount.
+  * linux: open mounts before setgroups if in a userns.  This
+    solves a problem where a directory that was previously
+    accessible to the user, become inaccessible after setgroups
+    causing the bind mount to fail.
+
+-------------------------------------------------------------------
+Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.9.2:
+
+  * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
+    do that automatically, but new kernels remember the affinity that was set
+    before the cgroup move, so we need to reset it in order to honor the cpuset
+    configuration.
+
+- New upstream release 1.9.1:
+
+  * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
+    that always refuses chmod on a symlink.
+  * build: fix build on CentOS 7
+  * linux: add new fallback when mount fails with EBUSY, so that there is not an
+    additional tmpfs mount if not needed.
+  * utils: improve error message when a directory cannot be created as a
+    component of the path is already existing as a non directory.
+
+- Only build with wasmedge on x86_64 & aarch64
+
+-------------------------------------------------------------------
+Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
+
+- Add crun-wasm symlink for platform 'wasi/wasm'
+
+-------------------------------------------------------------------
+Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to 1.9:
+  * linux: support arbitrary idmapped mounts.
+  * linux: add support for "ridmap" mount option to support recursive
+    idmapped mounts.
+  * crun delete: call systemd's reset-failed.
+  * linux: fix check for oom_score_adj.
+  * features: Support mountExtensions.
+  * linux: correctly handle unknown signal string when it doesn't start with
+    a digit.
+  * linux: do not attempt to join again already joined namespace.
+  * wasmer: use latest wasix API.
+
+-------------------------------------------------------------------
+Tue Sep  5 11:41:14 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
+
+- Enable WasmEdge support to run Wasm compat containers.
+
+-------------------------------------------------------------------
+Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to 1.8.6:
+  * crun: new command "crun features".
+  * linux: fix handling of idmapped mounts when the container joins an
+    existing PID namespace.
+  * linux: support io_priority from the OCI specs.
+  * linux: handle correctly the case where the status file is not written
+    yet for a container.
+  * crun: fix segfault for "ps" when the container is not using cgroups.
+  * cgroup: allow setting swap to 0.
+
+-------------------------------------------------------------------
+Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.8.5:
+  * scheduler: use definition from the OCI configuration file
+    instead of the custom label that is now dropped and not
+    supported anymore.
+  * cgroup: fix creating cgroup under "domain threaded".
+  * cgroup, systemd: set the memory limit on the system scope.
+  * restore tty settings from the correct file descriptor.  It was
+    previously restoring the settings from the wrong file
+    descriptor causing the tty settings  to be changed on the
+    calling terminal.
+  * criu: check if the criu_join_ns_add function exists.
+    Fix a segfault with new versions of CRIU.
+  * linux: do not precreate devs with euid > 0.  Fix creating
+    devices when running the OCI runtime as non root user.
+  * linux: improve PID detection on systems that lack pidfd.
+    While there is still a window of time that the PID could be
+    recycled, now it is now reduced to a minimum.
+  * criu: fix memory leak.
+  * logging: improve error message when dlopen fails.
+
+- Changes from 1.8.4:
+  * drop custom annotation to set the time namespace and use
+    the OCI specs instead.
+  * cgroup: workaround cpu quota/period issue with v1.  Sometimes
+    setting CPU quota period fails when a new period is lower,
+    and a parent cgroup has CPU quota limit set.
+  * cgroup: fix set quota to -1 on cgroup v1.
+  * criu: drop loading unused functions.
+
+-------------------------------------------------------------------
+Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.8.3:
+  * update: initialize the rt limits only on cgroup v1.
+  * lua bindings for libcrun.
+  * wasmedge: add current directory to preopen paths.
+  * linux: inherit parent mount flags when making a path masked.
+  * libcrun: custom annotation to set the scheduler for the
+    container process.
+  * cgroup: fallback to blkio.bfq files if blkio is not available
+    on cgroup v1.
+  * cgroup: initialize rt limits when using systemd.
+  * tty: chown the tty to the exec user instead of the user
+    specified to create the container.
+  * cgroup: fallback to create cgroupfs as sibling of the current
+    cgroup if there is none specified and it cannot be created in
+    the root cgroup.
+- add keyring for GPG validation
+
+-------------------------------------------------------------------
+Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel <aboe76@gmail.com>
+
+- Update to 1.8.1
+  * linux: idmapped mounts expect the same configuration as
+    the user namespace mappings. Before they were expecting the inverted
+    mapping. It is a breaking change, but the behavior was aligned
+    to what runc will do as well.
+  * krun: always allow /dev/kvm in the cgroup configuration.
+  * handlers: disable exec for handlers that do not support it.
+  * selinux: allow setting fscontext using a custom annotation.
+  * cgroup: reset systemd unit if start fails.
+  * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
+  * cgroup: always delete the cgroup on errors.
+    On some errors it could have been leaked before.
+
+- changes from 1.8
+  * linux: precreate devices on the host.
+  * cgroup: support cpuset mounted with noprefix.
+  * linux: mount the source cgroup if cgroupns=host.
+  * libcrun: don't clone self from read-only mount.
+  * build: fix build without dlfcn.h.
+  * linux: set PR_SET_DUMPABLE.
+  * utils: fix applying AppArmor profile.
+  * linux: write setgroups=deny when mapping a single uid/gid.
+  * cgroup: fix enter cgroupv1 mount on RHEL 7.
+
+-------------------------------------------------------------------
+Wed Dec  7 09:24:19 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.7.2:
+  * criu: hardcode library name to libcriu.so.2.
+  * cgroup: always enable all controllers, even if the cgroup was
+    already joined. Regression caused by crun-1.7.
+
+- Changes from 1.7.1:
+  * criu: load libcriu dynamically.
+  * seccomp: initialize libgcrypt.
+  * handlers: fix rewriting the argv if the full cmdline doesn't
+    fit.
+  * utils: honor SELinux label when using a custom handler.
+  * utils: honor AppArmor label when using a custom handler.
+  * krun: copy the OCI configuration file into the container.
+  * utils: fix creating the default user namespace when running
+    with euid != 0.
+  * Add setlinebuf() when --debug and --log=file: are used.
+  * Fix timestamp format in the error messages.
+  *  krun: disable libkrun's collection of env vars.
+
+- Changes from 1.7:
+  * seccomp: use a cache for the generated BPF.
+  * add support for setting the domainname through the OCI spec.
+  * handlers: define wasm and krun.
+  * wasmtime: add support for compiling .wat format.
+  * cgroup: honor checkBeforeUpdate on cgroupv2.
+  * crun: chown std streams before joining the user namespace.
+  * crun: display rundir in --version output.
+  * container: with cgroupfs use clone3 to join directly the target
+    cgroup.
+  * linux: create parent directories for created devices with mode
+    0755.
+  * wasm: inherit environment variables in the WasmEdge handler.
+
+-------------------------------------------------------------------
+Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Update the libkrun dependency to the new libkrun1 library and
+  devel package
+
+-------------------------------------------------------------------
+Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Update to 1.6
+  * runc compatibility: -v now prints the version string.
+  * build: fix build with glibc 2.36.
+  * container: drop intermediate userns custom feature.
+  * cgroup: change the delegate cgroup semantic so that the cgroup
+    is created in the container payload after the cgroup namespace
+    is created.
+  * seccomp: use helper process to send file descriptor to the listener
+    socket. It enables to be notified on every syscall without hanging
+    the main process.
+  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
+    fails with ENOSYS.
+  * krun: add support for krun-sev.
+  * wasmtime: always grant file system capability for workdir inside
+    the container.
+  * wasmtime: inherit arguments list from the handler instead of the
+    current process.
+  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
+
+- Update to 1.5
+  * add mono based native .NET handler
+  * new Wasmtime backend for running WebAssembly
+  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
+  * dropping support for experimental WasmEdgeProcess from wasmedge handler
+  * honor process user's uid when setting the HOME environment variable
+  * create the current working directory if it is missing in the container
+  * fallback to using a tmpfs mount if umount of /sys and /proc fails
+  * fallback to netlink to setup lo device
+  * fix creating devices in the rootfs
+  * fallback to using io.weight if io.bfq.weight doesn't exist
+  * remove tun/tap from the default allow list
+  * linux: devices mounts have noexec and nosuid
+  * fix copyup of files from the container to the tmpfs
+  * honor $PATH for newgidmap and newguidmap
+  * krun: limit the number of vCPUs to 8
+  * cgroup: add support for cpu.idle
+
+-------------------------------------------------------------------
+Mon May  9 12:43:12 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.4.5:
+  + CRIU: add support for different manage cgroups modes.
+  + linux: the hook processes inherit the crun process
+    environment if there is no environment block specified in the
+    OCI configuration.
+  ° exec: fix double free when using --apparmor and
+    --process-label.
+
+-------------------------------------------------------------------
+Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- It'd be nice to run the test suite with %check. It however, still
+  does not work properly inside OBS workers. Add it commented and
+  explain it
+
+-------------------------------------------------------------------
+Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- switch to latest upstream version (1.4.4)
+- big jump from 0.21! Here's a short summary, for details,
+  see: https://github.com/containers/crun/releases
+  * 1.4.4
+    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
+    Resolve symlinks in bind mounts when creating a user namespace.
+    Fix CVE-2022-27650: exec does not set inheritable capabilities.
+  * 1.4.3
+    cgroup: avoid potential infinite loop when deleting a cgroup.
+    support additional options for idmap mounts.
+    open the source for a bind mount in the host.
+  * 1.4.2
+    CRIU: add pre-dump support.
+    Fix running with a read-only /dev.
+    Ignore EROFS when chowning standard stream files.
+    Add validation for sysctls before applying them.
+  * 1.4.1
+    Fix check for an invalid path.
+    Allow deleting a container while in created state.
+    cgroup: do not set cpu limits if number of shares is set to 0.
+  * 1.4
+    wasm: support for running on kubernetes with containerd.
+    linux: add support for recursive mount options.
+    add support for idmapped mounts through a new mount option "idmap".
+    linux: improve detection of /dev target.
+    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
+    retry the openat2 syscall if it fails with EAGAIN.
+    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
+    on new kernels, use setns with pidfd.
+    attempt the chdir again with the specified user if it failed before changing credentials.
+  * 1.3
+    add support to natively build and run WebAssembly workload and WebAssembly containers.
+    allow to specify sub-cgroup for exec.
+    chown std streams if they are not a TTY.
+    attach the correct streams if the container is suspended and restored multiple times.
+    fix race condition when enabling controllers on cgroup v2.
+  * 1.2
+    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
+    criu: add support for external ipc, uts and time namespaces.
+  * 1.1
+    cgroup: use cgroup.kill when available.
+    exec: refuse to exec in a paused container/cgroup.
+    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
+    criu: Add support for external PID namespace.
+    criu: fix save of external descriptors.
+    utils: retry openat2 on EAGAIN.
+  * 1.0
+    cgroup: chown the current container cgroup to root in the container.
+    linux: treat pidfd_open failures EINVAL as ESRCH.
+    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
+    Makefile.am: fix link error when using directly libcrun.
+    Fix symlink target mangling for tmpcopyup targets.
+- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
+- update and fixup dependencies
+
+-------------------------------------------------------------------
+Tue Nov  2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Add libprotobuf-c-devel as an explicit dependency, for fixing
+  the build;
+- Get rid of rpmlintrc, as it's no longer needed.
+
+-------------------------------------------------------------------
+Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- make libkrun support conditional, so we can have crun (without
+  libkrun, of course) on all arches, which may help with
+  bsc#1188914.
+
+-------------------------------------------------------------------
+Fri Aug  6 13:37:49 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
+
+- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
+  it is a plugin, not a regular shared library.
+
+-------------------------------------------------------------------
+Fri Aug  6 09:55:53 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
+
+- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
+
+-------------------------------------------------------------------
+Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.21
+  - honor memory swappiness set to 0
+  - status: add fields for owner and created timestamp
+  - cgroup: lookup pids controller as well when the memory controller
+    is not available
+  - when compiled with krun, automatically use it if the current
+    executable file is called "krun".
+  - container: ignore error when resetting the SELinux label for the
+    keyring.
+  - container: call prestart hooks before rootfs is RO.
+  - cgroup: added support cleaning custom controllers on cgroupv1.
+  - spec: add support for --bundle.
+  - exec: add --no-new-privs.
+  - exec: add --process-label and --apparmor to change SELinux and
+    AppArmor labels.
+  - cgroup: kill procs in cgroup on EBUSY.
+  - cgroup: ignore devices errors when running in a user namespace.
+  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
+  - seccomp: report correct action in error message.
+  - apply SELinux label to keyring.
+  - add custom annotation run.oci.delegate-cgroup.
+  - close_range fallbacks to close on EPERM.
+  - report error if the cgroup path was set and the cgroup could not be
+    joined.
+  - on exec, honor additional_gids from the process spec, not the
+    container definition.
+  - spec: add cgroup ns if on cgroup v2.
+  - systemd: support array of strings for cgroup annotation.
+  - join all the cgroup v1 controllers.
+  - raise a warning when newuidmap/newgidmap fail.
+  - handle eBPF access(dev_name, F_OK) call correctly.
+  - fix some memory leaks on errors when libcrun is used by a long
+    running process.
+  - fix the SELinux label for masked directories.
+  - support default seccomp errno value.
+  - fail if no default seccomp action specified.
+  - support OCI seccomp notify listener.
+  - improve OOM error messages.
+  - ignore unknown capabilities and raise a warning.
+  - always remount bind mounts to drop not requested mount flags.
+
+-------------------------------------------------------------------
+Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Add a mention to crun-rpmlintrc in the spec file
+
+-------------------------------------------------------------------
+Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Since we're building with libkrun support, let's enable only the
+  arch-es for which we do have libkrun
+
+-------------------------------------------------------------------
+Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Suppress the (false positive) rpmlint warning
+
+-------------------------------------------------------------------
+Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Some fixes to the spec file (add some %doc, remove unused macros, etc)
+
+-------------------------------------------------------------------
+Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Initial package for 0.18
+  Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>
--- a/crun.keyring
+++ b/crun.keyring
@ -0,0 +1,386 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: Hockeypuck 2.2
+Comment: Hostname: 
+
+xsFNBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG
+7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6
+gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL
+dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS
+O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY
+tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8
+zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH
+QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v
+4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ
+ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/
+JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB
+zSdHaXVzZXBwZSBTY3JpdmFubyA8Z3Njcml2YW5vQGdtYWlsLmNvbT7CwokEEwEK
+ATMCGwMCHgECF4AFCwkIBwMFFQoJCAsFFgIDAQAWIQSsQEwcC/c1xj/01WImPW3y
+4WPh6gUCY2rCy1oUgAAAAAAQAEFwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9naXN0
+LmdpdGh1Yi5jb20vZ2l1c2VwcGUvZjg5MTM4MDQ5NTIzM2MzZGY2OTBmMTMxZmQ4
+MjMwOGI4FIAAAAAAEAAfcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZm9zc3RvZG9u
+Lm9yZy9AZ2l1c2VwcGUyFIAAAAAAEAAZcHJvb2ZAYXJpYWRuZS5pZGRuczpzY3Jp
+dmFuby5vcmc/dHlwZT1UWFQzFIAAAAAAEAAacHJvb2ZAYXJpYWRuZS5pZGlyYzov
+L2xpYmVyYS5jaGF0L2dpdXNlcHBlAAoJECY9bfLhY+HqGi0P/iBSdveMNNbBjdrj
+ZUiPY2+PTKmV8nluKtyNAsUsI6hwMPg782K7ohZDcWu3SBIlvDqBR4EWvGLSHo/o
+VzK029oaJLgtzTguJ2uygVSIJ5e+pUJ906dOWy5sUC6y0gO3L2FgiwjLvOVXassL
+OiQ1XdW/4ZZs3qddFUnD+NUnIOS/Czec3bI/spZuoIe0HQjDJg72f1JbMk/VDs6D
+pFlzqr5y19sJCPDwmX8PUGAi11nzmWigu0ohG88HM0W6jfEEdNFKkEbTNi0EEjqn
+6HEPJSXvuwP7bDR9EelazA/C7HDaFC92UoxyVUWucAQJKeryIBqwiMeoP+ZwMReC
+34Uj63G81/MS0v92Cf7mydqQTzIflruWjuoDVbwf9MeJi3r7WnDrFYyU7XJdDzXO
+DizVFjrAGGMjQ6LOoiQ9l93Nh+AZfnlK8zCNx+1Agp3QVgqms6kVBOJIn6fVRwbZ
+j2b4lMN7E7bYyiEkkcSJSSufGUD2Pph7B5xgWX8/udczcBWzu3f24JxAo+mCTZDl
+xJp755kvV7NAddXkcRw7S89N6q17HAZWn7TyKDtFx19tbznKF7DBkmUlFMy14DeF
+5skQKD6ohKk0aL8jcYIJZP5STMdjj3p6qRJFY8I9EV81Byg+AP2x0JyXdIiNzk2+
+gHQ2nlREL9dn8rPEOPdk7SiPZUeSwsF3BBMBCgAhAhsDAh4BAheABQJYsGOCBQsJ
+CAcDBRUKCQgLBRYCAwEAAAoJECY9bfLhY+Hqo8MP/jBgRMAu4VUszCaNmRB5Js83
+aeLH5qS9FCCJv96DbY0jdLGrnXb0clXtQrktrU1f+UAlOc2zHvwX6XuRW/Ew1m5e
+0zmBSpiKCMdIlTHVseu/wTs5gXUEtFKMmz4xzHjcYNghjv11KA70F45NBeX8dy8u
+6NDQ5Z2LxVQ0UyH2XxPUkpE3woMc9v6F7yhQFWMSibCMO1iYkNmDcZt/TyAC8yeG
+qPgec4vxkvBURKAaV3LqZ6fpzECVk09lVQjhv8GwNsFTyQ1VeRJULnAxxJVexdt0
+4uQO40cIl9ckxjY+jDW01T0IY6o9ectUXlPrqR/xI84DIEwLofpp7/vOkB/q2D4R
+OaKYP97G9hyuoX1vkmEFvCee1JdgYgpznArgNF7viVI+oKZ4GpkMJH5dimf0qyvf
+6rrGzZXsrkSaJC1dcjA8yvct11uY8ZpD62Zp83nkuvUDiDW5U4Zx5077/fIcJfFU
+yCd3EuZqy3Uca8p8tWntqDrS7/cn1W4whkhvmyDuMtDLckEKpWyVP5SvyFLo1Q7t
+YzYLoZ7ESrWZw+qvEWDdYzlCVBEBdsnsT3fp4YpKwL5qRw1pLd6ysC+eFhdVZYa3
+mMWrOwANLp6yWYdLYXOvuyK4BVgpLmpQ7iwm/PH8RGtn4j7p65Ch2Sr6TCbmBD0t
+isYMHaEwksi5RYw3qI+OwsF4BBMBAgAiBQJSbafvAhsDBgsJCAcDAgYVCAIJCgsE
+FgIDAQIeAQIXgAAKCRAmPW3y4WPh6p9OD/9ynTKgcd1Gsv5VOSWVpfPBitz27Lcg
+T3ruSd2KTExLDIHi04RghlV6E6g8KEM/Np9oUYqXpXvzDLvIppbf0aIpY595xS2/
+xiura5w4pH3ul10UduSe4eFB9RtLjWutJosy7OvPYq8q+xMTqkRUFDhmZP6hU4Bp
+S+uibgXnhSPxfsMXiYYO5pD+2lE1NVZpQnZUWZT8IdwpohX0qwifab0eB33FD/mg
+Lw0WSwD6iI1GrvqTUR56t0VTaJAgukAogTDgE3tab1yO6FcpfSMykesSV5OlpoIh
+R+SWrn5XkDXRWTNxroWvRAkdzNMQTquIRMu2m/e68II/LqNNO4okL3AOUO/B2xyO
+2aZ3WHZjSDTTslgSBpcUw+4g2mlwD2XD8TGIeezjGAz/rbmlHGrHO/9ma2yL9bzf
+Vie7R9234VPMIsaaUHm8DIAJV80qyYbwyjNvlZxqw7Q1qSK0A0hYOmxF19zHLEsR
+BE13dVo3Boea8nKR0lkwKhquxTsoChckQAj5JM8bFWZT4bPntJzJ+JM6tvlWbBKT
+EBnYJMzSgyBQDZN1nfRCbmDsBsgKKsx78BiiBmrKNVsko3pLzahKplQ/AGrLP5xa
+fKFntDUMBBqpGsMgmzf9Z3JUBXt8HZJA73XanF4OkMZEjdZJoCEyOYCJjkDbfDtw
+ENVn2llyH3wYZcJGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0egcAn0nF+4YjkLsQ
+zyXL3a5G94axfwnEAJ9w+NZTP2g8eeFPwnrTb0SkNa3vrcLBXAQQAQIABgUCUn5L
+zAAKCRA++QUjswSvCM4YEACXvumQNvW0c7o0gtpOAqTwkttAMpPXJE2mny8drsTh
+IwRUdbC7f6VEfR99TtqkMFwW0XAK1Uxq2hJDT9oa9DphrEYRS9qHx+mgUt421YO3
+e8zCRlkgRvglJTH/Ljj72hnmscUOa182P5PYPq0ndCDYHBfq+MgxTLN1knjRYYIm
+oDfOEBAzySzj+HdZV2+FBFn+lYE/bFBoQ95qPqVENWG9sCIn5uLQZ9C907GpzTRL
+1At98kdpIGzJtePxYwwK6OD5I53c4/AfgKLzI17I7KcAyVO5uln9wHx4HP80kqQk
+atpsIXXdJMZAwCWUPBUTgmZajbyqbGOtxQCb1Ans8gOao7yzd5nkYKLKSSkrqXbo
+hOwV0qi6P1Iy+lH3JX8ImNx13hRC0zx0h+E42KkkAq9+pvxTe4WHfKv29rJSqKTf
+1hXrHKwOyqqxt8kVG5t5MgNZyLKibzMdAK1OcyqQfePE2uBR5uIL9JULPeRZlZDq
+LcDD/GLdCRcuLk/eQyglYafCeutZKJ7Y/jBBDrKbwzCF4Pw9Vs2zLFGnAx8Y9Xux
+/5w3y5oP/36yjjwBq7apbXAYz3UFdnRN+e+JqDUtSOa/S4wNgz6F8fHLZ4fTfaxn
+U0k77TWzESROYKlT/PuKEHsqQR2LVQgSWXpKB6oXe0SODxINYC2xGzyh9oXPLIAy
+Yc0lR2l1c2VwcGUgU2NyaXZhbm8gPGdzY3JpdmFub0BnbnUub3JnPsLBwQQTAQoA
+awIbAwIeAQIXgAULCQgHAwUVCgkICwUWAgMBABYhBKxATBwL9zXGP/TVYiY9bfLh
+Y+HqBQJjarsuMhSAAAAAABAAGXByb29mQGFyaWFkbmUuaWRkbnM6c2NyaXZhbm8u
+b3JnP3R5cGU9VFhUAAoJECY9bfLhY+HqvAUP/iPOqQZo4YdN6uefPIxeXCgXZ3H/
+Ozqt+6ThlKr11WEQHEDZ4Fqe4CokxQ+UyPuCs9YyVBFmx83Olu95ogEx1KLOv4ju
+jyuPtrKx1flzjKFf6xxT1jRxaIGVXtkerZJ8GpaHmIWokwCDKEfF7Z3QToZlAzC8
+IgjhWjGeBV37+DUtpoQB5xv03VXzrx8MtjP8FXmtyz/QTRIE0gAgxSYNDF8BXvi/
+7+T3fRPDbRDzm+HxcUWI5dWimGvhXnRkF8ONpEp/kSNQWemSHtCvvTQ7yOzX9fix
+5Sb3t7Cx4DwVNVBvNf6pcF7wb/tyr+uYP2F/HhIFyIEayrw3tjkriYHJb1x7wZqQ
+/xkw/D7DXkek0oU/vT3caZ/ZcMMAqjBzs8Q9BNiQ6fa1skdMzOQssjE10W9zAtDj
+93FsnU3+AA8Do0UpTxrugrP7w5H9yK8RFEdpJ+AR3jW75YXJzsCUYRvMyNalO9yz
+vyvCB4EvY/W0D58Q2dddM5vcrVDdxqdlOghgv3Dr2R/Oew8F1e9jyLGpQYSE6ilI
+oOS1b9veX8BAPX4HZPC6ZdSQTpUlvE03oNeyCDiLsYrtu5gwrwl+4DK5WhVX14H+
+BKvhd4YYcwrr+i7EQZlRyTcVeGEdcaioxaUpelpw2KGu3lNA9XCGRcB8wesqBGs+
+B0fUv6S/1SdI0oGJwsF3BBMBCgAhAhsDAh4BAheABQJYsGOCBQsJCAcDBRUKCQgL
+BRYCAwEAAAoJECY9bfLhY+Hq5W0P/Rq2TUBpxOvjyga90D5G0k+AlgZUp3W+J2Ol
+632t3Q+ZI03zbRwmtyF/Bq9J4wsAUiAJb3M6BQjaExdzdgM2DOPT5UDichHushTT
+zeO3NjAxUzBrN7ZXReRevq1ulysSsTEqZlGUr6HztdAlN4hTetAnVibQQ8dMyCO3
+t8s/wgXUtsV8LZ2wwt6JaPTBpkuRECSspOEg39Id382tHMTUGDcKj5nRaxV6tjyy
+TnTJOvkL1xmYGUcHSPoWl4RycrJCmfl8rcZF/kbhUckRcIRPWBG4Uks4qUeq+YxO
+47kJi0Yu5fBEc370ydOzkEoGeKgyfiQtIn1FURFKNPG3ooB4U+L3AWieMl8374dq
+Ts+x+S3io+Bxo363mP1FYvo5bWFSQ2siUBWg5Ab+UjWYIcyqA7Jsdnig0+N9LoCT
+a0+Ba/wFO//ejBvyHss5EhbJyjdToPc30NUU8OjX23vQO20bM7JAVvb9YEpXOPkv
+xmb8DrMzvU35gBxgeyspaukiuoe/rPTT6daCOXTXJ4CeSNP9ggzTvcqZn47lQtVU
+dxB1UnYkmsOG9lv1SEV23ahSnvA0pV4C3481z9u2iBvj9tVjmCNcaGPPTiYJr7/T
+SPGIqAVGYiNWNbYBeWYCNWfrCByvWuJDPhtonT6vON65uKSWbDyNjbGf4QvTfs7C
+LEaXce4dwsF4BBMBAgAiBQJSbadRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
+gAAKCRAmPW3y4WPh6slnD/9XrBZcGXmnnfjI2NZoEOcSdr4IRe07+ndm0WtsmVxe
+l6rEUizDS9auWPqMT6OmWobbzDBJnyaHEliE2ZgD+E65XjNV5dvbgyXEZ4NRLnwO
+4jnLeDnpKVFqlWGU884IscV1NINjdDSA2waDuKpb3Z6+MOBxTFRDEZyWvDterN4p
+esmlzJLew/IxDVegthyboXfj+TrMKDGwzai4+9JVN9vqFBUTfM26ODkxEjgknk96
+XaIE2wR8yXZiMu5ym6ivIOxE+dNeDClTrzFH/PVS7SNE5ZpZWGK1nAG8BWUqNqY2
+J0JPhh1KWmK0j5WktMSiZQDTftX/bnP0iDRnpvE9w4YZ/kAMN/uqIAlYU3wxv0LG
+xHvHLCMXQTD3erct7iqK9jMZtVuqUUGf6V055WX52ehwU8PXtAy4e5BXVIOHQ572
+cg2DZ5Nc5O9yL3hXCpVlzr72WrG4aKpN4MZzgD0CaVLh3/tXSagNjLjQRjPtfYdE
+8Sn9QeyStpIvuUFWBBDPWOG0gqbJDaVA2BtemMSymiuhR7FSAUiMi5L5Fozaoffr
+S7GKDOA0LY/Ecue733fTLaORqGMZjlddJhNN6NqJ0DyR1av/W2cQNrEJIyJY/edp
+3RTNQkkpl+SD4/VpI89yIfjzdYcxEcBp2MLsWmNr9CcJXBmjpYWFNd8ZUvmwpqm7
+jMJGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0qXQAoNIUipQxGhhZgF/unhtLG5yb
+SYGRAJ9n3IV20MeoA5rYWg8/t06xC8H0fMLBXAQQAQIABgUCUn5LzAAKCRA++QUj
+swSvCFfAD/4qVpe+yzRyaw8PLif5Kg6mdkMmcEZQaCX+zlO+eDbjds3vqRMZWs5s
+TNydJH7OqqAXFMqYlrWvJHhyelab1GIo+tu3jrWF6dkxGA2/cM68F9ZRYlOAZnZq
+m6Qomeu/7hcpAJWCj63QAb/Engf+ZmbGzrzup2Ap5vEskAUscSbCtq3m+Z3JWcEq
+msfl0y1QCmf9ChfBnh1Tv5UmMMPyk4srwRlvdxsaAiJ7Cwm9W1cCM8R0VNo1pofr
+EdRPwdovDnPnK5DaSaelaODrQAb+NlNqzC2X8Q6XxebguEN2RRPkvhI5Z0bLOZei
+BU5qRub7hk6scZy1t6jCXml34KyyHtFNhX+LYSuwTzeM0ENeqN6NhtAstGnGD63l
+R0D/MwiXudXr8bshFDk9CsMeL901h7RIIrV/IaPZCGAF+puz//ri5FuFAMonb3IM
+ScIekBHqh0HJ/1wd9CuHAp8VJZa6TDSKT8d1rs2pytaDYe0n5jnNQ9f/RM8n8nXr
+NbNNsYXAwU96Bjs5jgSY6IflCLWLwHJ3wf5F7T2xuEvWUjMF4Q3NxB4HLxu12FSB
+NQwAhlr0dq/zabgzK11ri1iRtsxqPQ2eZTIczyTUq18D7BS65rpziGQ/uq/EkUZB
+oUpyRZ8OePzWmKr/pKMtHHHFXto2Zc98263fi4U2c0vph4SW95hG/80nR2l1c2Vw
+cGUgU2NyaXZhbm8gPGdzY3JpdmFuQHJlZGhhdC5jb20+wsHBBBMBCgBrAhsDAh4B
+AheABQsJCAcDBRUKCQgLBRYCAwEAFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAmNq
+uy4yFIAAAAAAEAAZcHJvb2ZAYXJpYWRuZS5pZGRuczpzY3JpdmFuby5vcmc/dHlw
+ZT1UWFQACgkQJj1t8uFj4epa5RAAvg2Y6TQXXpHyTO7kumZoAXUfsg5lCTfqkVjT
+lDoH2FURsT54pKIfABjTfyUckgPjLsG51umBiy4Z1FNWdwr10ldYCpJkP3ecpISb
+Sa6zdfkb9yuhzeSsd4DRH5b+2yVV4RMMHzshV2JzapYZfimbjy5DkFzAWipFucLR
+ctJPChFV3IfZFUCHyV8Mc/r7feEESmX9b5/oeqb1bgUDijBe14BfM8YW5THHDWGN
+XsxkpQEHU8YkR2R0dtgEg01sF/2fZyYBY8brOK2hkxLsVxgT6/KzGVEQ7IReF+U3
+lAtUkszOiQryT6W/b4XLWu7HOhZOI+W3Gf64a6SL3PTWhQyXxSVQN9Yh39g90y01
+xubiZRILWNnDDp1/PD7ACKWaP+gzjxy+7/kidKs1AHISJvARcvDkNzJRXIUterPA
+GP+eKTcnkbX/gS3O7OKowluswhdktog+wdnnVzCEJLS6CPr6qxrL8ItK4doQcMTP
+DYob5Ht8XRliMNfo8dr85d0rfpvYE2vfUATA+aTUZRUx8CGyb1lgJs8BH850BXYd
+tTXtTuw19c3RHWZ5Ifrcw5NugLmGhv8Vqgj+Iwj+Y3fJsafPgOTNQbaovAKA7LDw
+cnZPqb2jiUx88k9I/uMe1l8pzMMta12t25IrWAtqVvGU1D1E3O9kPe095h5DjjPS
+YXHvySPCwXcEEwEKACECGwMCHgECF4AFAliwY4IFCwkIBwMFFQoJCAsFFgIDAQAA
+CgkQJj1t8uFj4eoqWhAAvdQlRb9TjEOe1K2/SQGM1COQwg/9h7vQEFg4P5Okfb9p
+gu5XYB8qU72UudNShA1ZAJ5beN9VjatD7l+e4T1YL8ZrnUvzQwnytsnHrJI+n+KO
+GJH3jHi7Fms0vhl1KuOtiYTdiM2mJjA/0aE+e14FPBM7/1tbcVzmYy5CHZcOXcOf
+gxu7tFO1PsUne4GVfInwV+k2O+6gQ+7mKgHF0IB1ic2t4ih5jcTeY1Zga+GToOtp
+I89Stz0g6QTnu+03P1wbmLhw5sxgcD/AyrHhuOnYCmR58TJSmWHpClNneR8T1qIa
+f1JWhPlXgCchAMPZRZLHGAg3q/zALJ1RHXytT2KZeVZ8DdOu3fkOt63r4aVNtOZY
+RR8kKhuSJiWH8HnmqcW0/cujvt1ZAKXkBABhPABwv/3mK+JhItz+MJp4PWycqayA
+PerVY+lM3MU+kDfQzHuAw7C+KX2NOxT4FjWmlW5kzOfBiQqPTEQCR/1pPRISYSE/
+AnVHx4qAGKQYg9LMopzY6CT4d3/N9RbEdRPfJKGEu174LcOGA8qF4jLtd3gJEna0
+PrucisT0WaW3tZwv8vxLsu1glUr23Uxgj5AAahQpTf6CRknuE6LGeSqepdFy0fIL
+VGQFjWbpgYe40pvc9jBZ6YMn6f1bjT8iOToCtFcoAO6+30hsyixOkq9DUC3d/jrC
+wXgEEwECACIFAlJtqAMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECY9
+bfLhY+HqwhYP/0mohSlKW+PZPV0JDFAq1y0a9RQVJrmwVluuXej7peq3v/st8JIA
+lAkTa4nYP2Lz9s4rd6idlTip/TbrsPa8X+i5ZgowIRNjgM8PZy+sfaS4PKiYbyKA
+RB2cyCJbmmI3gdnkr4ZnAfW21w2UR7i/UHFQViWRTmw7FYx+7Y8JRJ/3lom94PST
+wuERhkqUM9qk2IPPWJ/MgziQ9YT9FhPbk8liIFednp/fIfLo/qdOypk+QmX/cEXv
+5DuPhbwRfcJz8gDA8ePW4hxsH329Yrb7Sm5QnTlEmJDGXMooWDOtQMohIV6zvN8x
+4m1tU61jKR8VnWHCkIDAqMNnCoGU8udqlChTDQx3Nwqzsej4u9hd3M9WxFmqiZ/Q
+6VQ96wywpZGR9b8G27049d6Lri7Exw5DqBh/rQ2Wr8/x0qhcfdTu+rM1aDk1CV9Z
+Qp+oF4Gi3Q72gLd10mN9PBer5tFl584IX3vp12M6GZ9bvOqcjWbGyDndWh5/BAVg
+6+X2GPQqbRjVHyDEqPvuOVXcjk0jPD3iCx+2depdf6EjNW8Avv0VFPDn6q8IcV6j
+5CK2mfBJ237WCarju1By0+WvBXfX2CTEomPm17iNs9yyCNJyH4tLIvYJhQHdFOkB
+xUbAjIynI8aAPdKsIABMbHnQqMeDX+ZC+o7/ZjRg4r5ANEyVDJP3v23HwkYEEBEC
+AAYFAlJtqCAACgkQB5GvjMAzY/QYogCgggEjL/hoLt0gUhRCQjVT6xlSB6UAoIua
+r9cxqmL0uf4/4P5bP0063yiqwsFcBBABAgAGBQJSfkvMAAoJED75BSOzBK8I2gQP
+/jepR0rfv2XiTzJhsxg18OoqVRsjxepNKKpyBTxXLU2f1OKRL06/+hcB80+t9fQN
+GPuVehsepVzBY75KezfIoKPJzmAWeyKoZ/+u3QK6NCbHLGHeWKmo6QHn6OseruTO
+hJ4ZRnP9aKyIxFJmTllxIsW4GbtshzJ8Tu/hYYze2Syzr+Qy7LX99sEdPqx9NJji
+vdp9UWHiIJx3fy6PMuBSzvvAqfDxSl1bF0dapdNleofIfJpeq4DKpy54PAx2Gmne
+L0z+aVssS/takIYwKKAsbXvrAWYP+VAylWHIAUjO4zMH0D+XAEiTq7wfINXwg7dA
+aBDA9B5bQ/kCcKfwiRCgquurxIVjmrJcvZ7LgwDCxfqHfP0d5ZUcQTgOXc7rr66F
+OyrclHlCa4wPYuvIKJch9fcjI6rPZjNnx2eeq465nWPbI/zloMXK4mD741e2gGB6
+R5sVrm2KBoOCu3se+m2pMLGccxuefe77eAezLoAjS/XJUsyvQObptW7rQsQXw5U+
+L4mKsFlb2VdGoEp9HvNp5ezrBckAZaxPrY7WwlcIwKwmfMCP3OZppgjOpvbo1+ZV
+8x1QNdGMIbwaaqclwfRXLfWrKR9/unu5MFB5cAVVLU5zhngZ4X+uyXQjiPaB8lKA
+ETP613zaJeogy0JU5TXzTLFoU3Gb/cvA9P1D7hg5ErUazSlHaXVzZXBwZSBTY3Jp
+dmFubyA8Z2l1c2VwcGVAc2NyaXZhbm8ub3JnPsLBwQQTAQoAawIbAwULCQgHAwUV
+CgkICwUWAgMBAAIeAQIXgBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJjarq8MhSA
+AAAAABAAGXByb29mQGFyaWFkbmUuaWRkbnM6c2NyaXZhbm8ub3JnP3R5cGU9VFhU
+AAoJECY9bfLhY+HqSxYP/ivpKr5ooW559K200oaxfj36i7RPWremItOIt80Csdx+
+bO9HjKD/c0GEobuRd1gnwxCaTITbhbn1GWuLO9z30UUB7o+BKaEHokfwxZffZF/9
+sJo44LF1IdfnLtv2cXJALYJRER/L7bCCSeGPmkSGMNoxhDBF6/DW3J+1qMRu4+EN
+9A75CGSPke2A49smbbt3+dDMsA+WZlrB6nTbyPfGm5u4JBxhwuEs3feHt+U2U+7b
+XpE+Le2aKqNQrmxab853tn3GsmlaFCthwwbkbDL/eLQmTfbBn1+uFEUdEtmYg2Dh
+LJK/WlBcyuYfeXUr23p1cHyMkDy8V6TiP8QV6vplyYjUKJ/1jcj8ynjBbkf7Z9M2
+0DluT58/juKhNv4Tik2qavP37EOGMzreSid1XgnEJccsvOzDsundcIduUTjCzm/t
+lDirdH+7W4PugUE5gdpJNoUp9UJqUDLFx/nwzteFaIxrON2L84aojbNHHA1Rc63D
+tBEKsDIjDCf5+EEGOL5LO+tRhR/Of96hrjIfaLKTRUPoOZpYAKNN89QhAV3u1zJt
+cur1jVQkmyLRqZDkOc57Ttc/R72/vVDuoHHWJkeXCBokvwvrA3wf8MZE6H3ztIM4
+jVNUROSFVM+6GMHXATpb3tTn0yokbKeaF9Ik5WZSNCnBCiNAt5+mnOqcPA4imVKJ
+wsGOBBMBCgA4FiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGigkCGwMFCwkIBwMF
+FQoJCAsFFgIDAQACHgECF4AACgkQJj1t8uFj4erK2w/+MS2DbFJBMMI45Q0spsww
+NMI2HWRmKeqi3BKn3dOlute0Uv7YIXXwdh1os2kK2e0zU4jBSIKbTv/rBKnVu6iS
+A6Cy0jsK+vBMxkI5y+994z6Nglzkw/HASm5TmkMuM92oDQ+fTxgGfEmEHKmzWPcR
+7XaJrYO6NqQsV7RLSh/8hvfGw//YuPwfXx1MecL6QoRP9BBYTHDSY9gEFKTWTXNH
+QXuQAoXMNuIxAav8iEDddsriH07lsVonHU8NYP7LB9WDwcWhVgaLCM13s3NLQfEw
+RGu6SMHsShkZrv6tkiahsRozemoZT5iOgTBaXgvWNwWjaZDKagTBx7r6y0v2/sW/
+TX59ECJAGy4P+PAhvE6fjrZZvQL9ndkc64iDiem6MqnUk3ObiFTvc9pipch4mhXP
+rqeohqDdt02ViVKNX5Oxjb/jFmvXGeEiMp0FD0EvrIOPAykUz3rw4jVvLov6zxfN
+apzokaaMqEJ/Ln2i1Y/r2xd6cUqZzmxDO5tKtHafDIwuk7z9sGIWbbXSS6OL6nO3
+8lo4G6dFQMTil/S094SMOjMmLB0GXcegfsJhApwF2oR4f6CZa6BmUPeebYDTxjdL
+La1OKAo7NN1SO8e6Y5z3psCr2Obn6edBEXwm3ewPDM3lUa4+pZJfIAzrwbdrcNmL
+X/tw8oNYOvpCjVDL7klizrCwXcEEwEKACECGwMCHgECF4AFAliwY34FCwkIBwMF
+FQoJCAsFFgIDAQAACgkQJj1t8uFj4eph8BAAkv9zRz+2Xycw5tbC7vBJN8auPX3g
+sKi9rsEcLI6jibHMyO55qHdTFuTGZx+eyFITFBcpBgNaGn5MHzACdd+pBfIShCED
+uauGI6Fk12euBCmXZgl5Q7hFiGlvgGsrykmhlub+zYVun7SbISFBQi2kAZwNYN2v
+SP9sNAx7ojQlrdkMQ8ZmRZT6GF2HGyuYkfiBLpBaqmWpQ/EbGMQMvsSMh1XyRNW+
+dppU742C6xLaAD9w7R7i0/RMEPScTIZE/lNHWHFJJXvByfQChcx+WS8kKNdZO65v
+k7x5YjTvz9DO4Wnl3tDhyFyFsbHpb/Rs+DSV/NxXz7c6OjmoiDf//wwv1LR5JAJ
+Q7TzVUVrppRDnD+4nzWKbHpWW8iHdv4BaN+CRKDz6Qo4sNu56oyVpsvdM/gkrCaO
+f7UHiJ3D7PSoWpOG4/k3ciqO8ija864UC2dDdk/koNCIof43yE376dm9FLEDJba6
+bPlcuCFODmjcWhn+sPqiLDicW9L3j56Cnvnkr9R6rI7pbn4Olr2NXHn0ydHj1jRk
+CKumjvyOV/hilisvrS6/II7Mnu/CZxxaqWmUZJ1ir01YG4VTBrgRCgeCA4t9mfPC
+uAPYEHGlQzYYNayBZiRe7VsIvdcJlcyDrNBhFpR6sfRWogvBH92/MaRFlwmFzFj3
+He4lhG9cI0Di/z/CwXgEEwECACIFAlVMzPQCGwMGCwkIBwMCBhUIAgkKCwQWAgMB
+Ah4BAheAAAoJECY9bfLhY+HqfBQP/1Ai2d+uvqYK5ZpaYnWdl7hVZqJg3mJYeClM
+0cVFk+PxSaLbF0W6UP8mWXi3QVuGVcNM2zKvAH//fRW71XHmgHeoG6aoB6doVswY
+bINPlas+I1lLCznswSpSYGLf7J4c7Vpqpp5rfHZU9jG03J4dK5JRd7y2pAxK2jte
+0CayHqUwZhNF6s41V1GiCPXlbG5j4u5nAAHkTwAXt+zzVr5ixGn7nSHnWcTBSK12
+UQyEqcbbn4WQRBCN6agvYpwHbnqVMuNz6rU/xX4tUncE5h1t2NOBSTvwaxT30Ox5
+nPwb4HnTxYW8d7zYl+2DtT0r/CAxZkOpHOKNFHswhniHnqC3tPqecWnY1/I/JKOv
+o8G8QT43BLzJOKGxNQYlKOiw2+vyoYcBdEC77RGrks6RA3KDuxPETubIPPLac1pF
+1VEHtOg0tCXz4YwvB5hvqbBBbrf2fVpkSpxtZs+zbqctr4/xOnNWt+fpvTkND9/A
+tTs4dDmJxSQjep/USCkJzyoszVTiA6gwNRRiQdmlVedcIC1lMCQCsWmYGgprqJoY
+cqHNHmQVYGPWO0FHyC2My4gWtBpYBoVjZ1x32/O6PRZMt72jjZbUky5bxJPA3eUd
+mJVydHnKINUHV790hhJw/Vq6y53ljQpOA7fXmk9UzkEL/nuxb6EV9TJWDIo0RPe4
+lvUqcUw0wkYEEBEKAAYFAlsjsbwACgkQB5GvjMAzY/RrgQCfT7KZtNV7n0lejq6o
+j5veQ0RrKVMAnjEidiLYNaofkkbpaNbEzLlmGyS6zsBNBFw2Y2IBCADCyrHataR3
+kdV4as+atq34rBvmYO+7+PXuhel+I3medGaDzRoekAT5y1ujvwSuj+BBaKCZ2WbO
+N0u4iPUSfd6U6sKONa899VXAh+9NXjsas97HMUA8F59Yxis8e7G+HpLJx8e0+ws7
+TN1o6zr0ISNuXN/QpkclP7aJDWw6ec9MbQZjdLlMxTDMUHq3leUfngAX+8HC72ec
+p+Ex59rAPtYSHE9vGKo/V3gN5GwshZQg2pWHPT9AkUEHkU5BSr4H6YHkb1rAfetv
+JLm6PHtwVnsWyg0v46uQFjgj/F1ooDhLxKt2IqdZy2Q/dS25RDDW0K8OIf4D6sBb
+4/ipnuP7kvMbABEBAAHCwqwEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh6gUC
+XDZjYgIbAgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBK9g/KPNqm3q0VfqOmfjj3qL
+ohdyBQJcNmNiAAoJEGfjj3qLohdylogH/jFk4H5UpC03Kn5VinrtETpgHOVterbf
+9+D28ApnVHk6x5WhJDzeWTF+Y0LVLycN49/3kOUL6nK5twym+7jYVmfn/OCRLNQm
+Pt5MpISlSCrc8sMT7f6+2h5eCVKF0YQ2a/PdZmb7AtXtiaqErEBbeMU23lyK78E
+V7pOUq2LS8jTb5FmHIAs+KJHm7CZH8wmh6OcpDQyPjqXsvSUHvI5yKWP6M5xCJgI
+Jb0McdBTBhP21qXkcrcQTtZuVFIoqCjVeNmegzwJKG3gtMfrDw8URLGXHRLzlW34
+LHUfuNCLB8OxP+mgIw0OmRfNLqdh3ewAQnkUmJHvizeomAJtVfOJv/cHvRAAoZql
+PwsPCUapLLI5EFeYkqr64ugJjT0fp4E2MVHjf6Dep2EKSrW7RojVP0he2eTfevDi
+HJwrOGRgfEggb2lKMPIjjDl4XNHfArzfpOtrxya2ycm/5wPu1Xq+jEzwAnAFzBHU
+I5lFVRGWmQXuS8F+Imz8Lln8B0BcJehSMqWhKOChOKXcQ4modjyrzpgN116VwQqD
+7FU/+4CNOAabaoVBYC47Ha9qOgC6wrCDD/lmLXaKWfTY5vCqbxBKgsAz38jjmwHB
+u2NuCmc1Ojfe00gRMgO4Z4ZeCPBGexMCxz1o2WryJTwSVyLvbamDW6gLMM3HGCRP
+gEB1iRz5fGMqlM60t8ptlwpHPZSzoTVzOEUkBjLgsnUsIPGF8b+qzqfdqALZ0I7m
+0iqvVnlkfuFW7UCRsfViCjZQRV5TjpyIGfFmeyeVZbd1e2SedaT97H6+j7qqPQts
+1mc9evSvgxcbhCABs0nM/iVOOC6gsRNYyDTuZGAo/NYpCp/aVbpT6ywBsHiRtqly
+T0x9cDD1iGqgPqQknA/Hxar9zgjTmVc7whv/wR7HcM3cpLX4HZJJCj0q47e8N/FO
+YyfPfjpr0vFs2Vm/8P04YvjCPsjS4EXeTyWsHgNgLz3YZBtG7UR4ZbUFSPTkcWj9
+cXTK/Wxrqrz/3/pTkjP5+DBR8zCiek8ibIp6/8POwE0EW50EYgEIAOFJvfHksz6p
+1nPpIJZFB8auV4vGH09xjOSb8vSaJtlcFd/Hcm+97hm25Nw+Kz/hibmpOndb8EIw
+Iyr9VUmo2BvWNRteYQYuIqv8VYSgdTuy5oZnYOw/BpQQHJW056BhCYqUbrqOIa9u
+Q5X48zvvzQpW24pRt6sYv4/1Hw/jr9u68oxPL6nDcX2QQhtOH2AYLNAG9LoXEcFa
+C034yisd7ARJjg1F85MJZPDNLhcIUkZNaeL9RfzVgC6wEtwyIj4CLtqnjvTSnlsk
+ZfAWSM+xU7NV9UIpXanX7dly5IrCFiay8vUGajU+hkbGQultMsQ+IKXXFQHgwLMm
+f5F9EcQ/+RkAEQEAAcLBdgQYAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJb
+nQRiAhsMAAoJECY9bfLhY+HqzkUP/jGNn7aizhy/j4aHJE/45ZGsOzCYDO7zGVvP
+Yn78ekIOlrDYma89eRyJkDEbKO0BkEpqYbiE4UyvI+QCEeT5a8usF9DayXW0D25z
+r5hsjBD9KJHxPYzJt619Py5MgGZmQU6snvp7qr+TfJM3c8Les4MU8Dk6eHHa3MrV
+INDcF2Y1kb9FeHeNgjjyOUjbYOHw8C4c6vNE4Zip6jzC13NODLVbn5UPRXrbmKWI
+oDE8zNljbRWHvB2AvKl/YaiRLq4XsGnIUMlIZzU3Wq21/VX4+CVJCBe5Fu/EPpry
+JnWe4ONX6105wvoyBpZ5Yw6hZk6Qfkt7fye4Qo1xlT8oTai6q+GkXr7jwGP2sD5v
+9hVpihPC3y3zQtlLwqgdgyTI5OPGObpDf5Y/9Z+57yPtT312yW8YP9gQf/AXLJn3
+EcpQIGENFh7gTBzwushRbXQPgXkmqi34U/KLkWYjkX+vNR+cyKg6OJLizFzgX3Iy
+p9xW5XRqu7dIlgFOtHhYIgkQz1x5QkYQZpjN53lldXxLqVXeOlapdFUa64nsukJo
+1H9aJj9jlx0hwGY3UqhsDE/oHaiZqIi1LMnQzz4apWs3PX9FlmV2xQv/BysEnE7J
+5Oi6xpNXvj95k1p0usb9ZzoGEPD0xPR7HtaQcbZlMIG4B3xgvmudzCJ7g93r0925
+9Ozl2AsYzsBNBFsGtRcBCADEld1p2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRda
+WV8gIdtC3q9Eg4Bpd7wUczNsCYWkiGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDg
+iU+j1LsPmi4u0oIHg/hOCuFyLoWCkJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4
+JjLxpLvkXpWQGKJF21s9GulRUP3E30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfp
+IQX/6z+NlSkNigubD9jbTvMuY2zbZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mY
+QUbmYQfB/aX60TMYQt3UBivggU15u6mdrGo1bedCLvDhABEBAAHCwqwEGAEKACAW
+IQSsQEwcC/c1xj/01WImPW3y4WPh6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZ
+AQoAHRYhBAJ/O9WFlMoYG7XsUORzD5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH
+/1fxABg0deOflZE8SS9VTR0BiM6IIOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW
+/OHJ70nmdhVgNM1IAjZAO6NjeCaAaJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HG
+zBMvZ5UITPz5NylUBh1s1PQoZKuB8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO
+2R0i3s4WalF4PeSMqvrL5wgrEAw7hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0J
+Ud15kgtd/D2zN1ekzrEoARwuaPnTOmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPA
+A5j8QwZmPkdlUGdWoo+t1k34GQ/+MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5E
+ysBfYMcLWAMecYzp/3Oj6LTRFisBnWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggW
+O9oCrkt4djhSMrCXOuEKHyarnf+EsLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDia
+weoTqdWhUnb/9rFNFUuR9s2ij2u1TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuV
+vxtDokOT3P+st5YCHI0fr56MykhsTUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW
+qly8UiDFMA4DBR+K+V9/VdeDYjKB9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBj
+Gn2sqBVP46YoC/dxH7GFYusLSYofQhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74
+JXlJkaX3wezGScakX/shP2KbmvB3cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAh
+J48a5YTLnG8aqJSGI7dCDbMUcPTRuDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9
+hs+74oeNHb0QHEPAxfls58gAHRzhZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5
+WtOuuJxV6UmeQLTPD721jlBPpALOTicKph3axybnW2w/zw0hEH9NOJIFePftgE42
+SLolicHOwE0EWwaY+AEIAK+RSbW/yR8qK5GvRqLWAKU9Si30ZaA1PWJgA0dEhFsQ
+h5Ba7kOoB8s/Q/crSlJGyU33fU1UqCLZ6EZ55Uprh+viXi3f0t7K1fEJLIueKZ7D
+dJD1vANHHkAp/vI/Xf+/oEfhjvh9QbroItMuiq/TT/Uyqj/4u+JZsa2tLRDy8MhS
+WJ2VWqM9IXDA6HUw7xXuli+0wYTkOmS6G0lMZuJwNQSUAXt7cZ2ATcd4saDajjWJ
+0o+/L42yhPHgUiBXVID5wlX3NL8jigqjYOzxY1UxVezCmXzo1hzZEkvrFOvkQHZd
+yGdcGQ6x/X+lU7xb+iLq3YK8vZPBJXeoba+0RNJjQ6MAEQEAAcLBdgQYAQoAIBYh
+BKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpj4AhsgAAoJECY9bfLhY+Hq1fQP/2JB
+9FSCIQ9Td21K98P9/3cXwAkbiyjPkUSYfarRqb4VXrpiMbTzJZeSxvywm1ByqGw/
+j9NUgZAroEQtIiC9QLVJJa/kqF+qXAeSQVX8NzDY5gONcwvkm9s3vt9izCxSzfqe
+15YCKjZLWDdquAlDMe06DJdS1KY55/yGwwaOPmz2TkiApszQEf24+E+QII6sYV/+
+oiyR3bTs5JxjdRnCUp23Jyh493Zm9ANDqreDSywNv7q9+0PMmUnmUWDdNNqrboAa
+wsR6fVCFp57Eyha9zEV6e/P8WMWVRkdhvd/QeUGJLnoZL4mqsQiRgJyjlaB+1zY4
+giowwl9w4vjK9QDmX2s8HvoR6i30dy5Zy7Tk7tLerlDG4opjEGh4oZl3C1qNsVFB
+u1obkRzKk6UtAYW7+bKfFuKgKL54tXhuyClR+gMMInN+88mh/DVDGhfBKa/vlweg
+NUFXb/uBKMO37R4PM+ao+6aupRA2i22K9X1DmMyQpk9VDDub9B5jBlIQ8HRE4wR8
+W6/xAAEE9MTv4UNFEDEB4Y9uqe7XnCcNBTLEu3IjNaYckk7X/qsia5ztVVpIsXnO
+bSpbh8KOzzHqM1bPHLEp1RYSTPy1q1VMwhyRTz0bRdWOFsXU7A7F+yVAT/WbMorK
+Jj63H3JJ+v35nXZSzixkx1x1eNdW3bUT0ZSZ5TUczsFNBFJtp1EBEADJ/d/waJe9
+hlvi4RBfGpige5p1AKwHCOeep5oTqgKmBOvNlgV/g6PKhiV4sH/VEWnsl5jg9e2L
+AfjpMUBYr3yfRtMu/ruDAavVvKjUQwHuogXtVreXiL/m2HNyDq8ed52h/RZ2O8Q3
+rPeiahMSZ3FgwMWTrbqDRwVM9gL4dC8aj7YlUSNIN40Vmv0sp8BXS9TToxYdqB1F
+DXrp6DQEWSvdKGQ64VFPlw7T+1eh3vfC/mTg62eu+QhAvTt1OFM7sELGER1jG9GT
+byThDQyfOA+scgGn2X4tRSr9OCmpZXh3wqJ/UiZiK29aBmPU+m2oCtXzsnUiupL0
+OO+Na6Vb3RUplhSkeMfcYkHQ79NHJ9px3MleZwdt7ojFbD7zXZoCj8FPm7Pm/oFo
+F17XOqLSQeqGjEQz87y2NtKt5/zM7SAgG08xuuH+6Tzhcr/IDmcj1Ch1yEVEwVUs
+EY9tQwArSgQbI74CDyt0Ex66omgavcbDUotsXaT/ZacBoIdRNsTvSO3X2uLiMxs4
+DCxbTDsGWqNTyq8qUa16RXUkaAzsyhW11sy9YkOYyTyat4et0w/o7ima0sAYjon9
+89m2gPRnncEpCWkUP8C6ujw3ae77KtOgOIL+dlZESU5qpGaNdNBw9hhkLq+sg1LJ
+w3sCVvjORoEufVEoVlQjqOsHuyKRqbAAJwARAQABwsFfBBgBAgAJBQJSbadRAhsM
+AAoJECY9bfLhY+HqAewP/0tTNtq9iUHLlLERkeppm9OXOkcKXZn5i1NcPpSTRrUV
+U7C5BnV4APRT7kes9mHiSgnRuhTKZh/FPBF3rdPv//GNzgac1IeMlmZPPVCg68R
+1QOraJh/IOeTrTVH48zg0xC/U3vhibKm8FfVY6fdvI/76gPoC7XSA8DpkS3529Ly
+YJYAy09g3OELQKgZ4L7t2hQumFy675psknwqc5sDGRYKFcxbAhgFSFi32B4aLsfK
+vPtW2DvfnBkXYM0+5sKI7kjmKydJbqKPeYQ2npXwz1Bw+x5qagr8FPGaWAcd5x8V
+3ychdWVrhfyU0puA14GGrxtEQ+BWko4SgwlDfD/+ojd4/6Jxtm07Pw4Nv8hcNPRl
+1yYh9Qe1OT+2X+yIPtLZ+18CG1ATnLBirxsAjLYhn+gSNALDCunmmqzmJrQKYboD
+ttgOl9A22tb/08fXa3RCbEg74ohPi7uFncA8TdQK+y8n0Pk87JxjbHTMsvcxQBWt
+2NlqmupDnFQNLCv9dxARUB1lznrN2dXfprTLIDjE8CYBYnDah0gMmPIXhIAubqfz
+o6P+bfCMdyR298fguSZjLgXcDFOcVrNqx5EY/pfnqB1usZQTWgr6CKG4F5Hzvgng
+fU+zYExi0PGH+KR6rgDyh5QRPpx9eD28X5AOj8oblNabDhgQ7u8fMvydOTrhku1+
+zsBNBFsGmc8BCACzDYoyyPwY8bbd3QDgvxaxqX0XpRs3eZ5p226AQKhoFpKwbpKW
+qhv5i4eCzLX1sKvS+Ofk3YRaeABBa7R9g7x6R/CyFdxBkauZleSpdzzCKZ1AMoeG
+wlZHj8XD9bnDOfecVFa5gUVWyWFGNPXs4JRXvaX0okxwZ2+K5QOAe2vxpWELKfdS
+WXYwAVoJMNffr9bQ+aPbpdbx0UGCfloYwmV19Firiz1PAzvJYEAVslvr1fCQexUB
+UkmppKlXzmG0gasMy9K7YxX5rI6DK7jUohj5/N7K3v1IUPqXKrpAPmGEAOgS49pQ
+scMmH8ZBenqFFo6rScut1pIWEvjcX2GmWHNVABEBAAHCwXYEKAEKACAWIQSsQEwc
+C/c1xj/01WImPW3y4WPh6gUCW47qCQIdAQAKCRAmPW3y4WPh6lDlEACmYygTs76r
+SOwsHZ2YLH3bluq1sIELcnNZfm0ZkYj5mTKkuU46/IfOQe2kDL5rN7GmRprIB79m
+myFadgTmfkb+9u5/o0dUwbUsZwBRr/EL6gcuGY4mvwjPC6xNX0CVCvMha4xR4e+W
+bC71hHTZXzvWuyRMNjr0w3dhW66FY5kRtl3qhqsWhmmw3lvneNNHJi46wTY79oYN
+IEd98daos52HbV4wt22hbx6/D0GkrKaoc57ZrWY4jr5R1OAiOyGFguJZ6LiwD7q5
+TWEK06ixbhsU/nxCyCIZRcbgRe71fy9vUscZL0Iz7OXMxKxDlaKmEfQ0zdmkHApf
+9610DcwTQcwT3cvUsLJ9sC7d3mRb8oUqkHJi25efxEHnYBHoz9XxuX5lITTo6bxW
+CobBw5/e/+aDGMuBGfaBOkwj/F0Drej6MB3aupxHSj96bgrqH7+42cSIGPqd5iLi
+/UOL4hu3KlQDOKl2ygBNEcN9+42G9r0B8TaUHBiQCleHQBYVhuzExVei7hlx3sPb
+5vx/u+arTJ9ZCoVZjsUubJYe4j3bkZwXMRETqnQ/MYSlsMqH3qzpEWdLbFrRdbj7
+L8v9Mtp2pBjlbiKCBiPV7gWy1h3+boSOj0WNZ5kSOQEm7n2RIIPsQpC6cc/0Htt2
+pTvPlJeDPOQ6bEmZzHQ5n24vEw119NhNgMLCsgQYAQoAJhYhBKxATBwL9zXGP/TV
+YiY9bfLhY+HqAhsuBQJbjum2BQkAiaFJAUDAdCAEGQEKAB0WIQTz0Ti6kOYcPK7n
+Aba3JfP9vazURgUCWwaZzwAKCRC3JfP9vazURvneCACeIFcjkWw7YCSV2W7llvoC
+Qr+v4m4S3gRNe/hkOnbwKwUuCQRoa8RcVQp3tgPQBDePaOUxZSR9Fwr24mXob0Dq
+EAn2GYtgWbsrNG2CqlLxXQGwZvdFlde+7N6aLwBz+EPGF4iAEmLq1lu2mFvtZd94
+ygRVsHxXEnFMcAaoQKCaUjQKmpEpm6n+9hTTnJb5OumT6kLvtDgc47TafVfz1R3m
+eqS3iDGKW/cOZolxj23di3aIqy6gnsKYY0LaH9jXqlD/P2vSi4TYe/PrtMCgqQ4l
+LbYgT+49aLanll7Ypk99zX6aOHD7ywBvEkcehlNX4+e9I+dfy/X1o+nXuMzYNPM+
+CRAmPW3y4WPh6qgVD/45y25gzNhSUKuaLACRJxDYOFqQe6GoKa7PXvYhtPoqWgkZ
+glzmBQsQMlFxiVWrVqR9S44pBrlaxxPkcNTBthonH9TliUSA1M3PMfDZ2UlqrfFW
+pLjNEXCYyAKLLAH/zqy8zrGPNzKXDpD6eq/NueopNG6T2HqDnaabA5g/Zuut9DX1
+E8neRupq73Ftcfzk4MWY00vtS0GvNbmI30CN/WYlvyiKA7P22FOYXm6VWA0qrnPv
+12qSb9k4ZT2Mxro5xEHv7Inc6J6syURUcHlsKRbIwYlvDgsN+IVoV0TLeJObrGs8
+ck6vRWz3tNlWiaX5Lr4gBTT+ooMm/Box1LZC6gu1ROjwco1c3YnEqNdeRTZts971
+UDRXK3ZvaqeFYNYvDqlOuoczruk4H8BbqXY+Gy/VuMrPcJuCd61Tdjb+EbaZ+V1M
+DolsRlvwjtx4WgSC6DhFbp8iB79g/0IPNMzTdccmDW0wttAwaLjBSDWh4iT3GUYa
+N5gXPVdVN3C7A1bpzM7hF5pGT/GvOnza0IJ8ssbVx0N9H5/svTPtbpukryciTCbK
+x0HstWr0RCngzGhv5Bx97ZrCxgCGYc+i51oQWvyIfaKWDI7Ha46maBbDK3u/ZkQk
+z79FpIAZCLhHfFi76yeyN4IbLXJfHIUzV75nukAVwnd2JBluGk+of/ZqzIwyuMLC
+rAQYAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpnPAhsuAUAJECY9bfLh
+Y+HqwHQgBBkBCgAdFiEE89E4upDmHDyu5wG2tyXz/b2s1EYFAlsGmc8ACgkQtyXz
+/b2s1Eb53ggAniBXI5FsO2Akldlu5Zb6AkK/r+JuEt4ETXv4ZDp28CsFLgkEaGvE
+XFUKd7YD0AQ3j2jlMWUkfRcK9uJl6G9A6hAJ9hmLYFm7KzRtgqpS8V0BsGb3RZXX
+vuzemi8Ac/hDxheIgBJi6tZbtphb7WXfeMoEVbB8VxJxTHAGqECgmlI0CpqRKZup
+/vYU05yW+Trpk+pC77Q4HOO02n1X89Ud5nqkt4gxilv3DmaJcY9t3Yt2iKsuoJ7C
+mGNC2h/Y16pQ/z9r0ouE2Hvz67TAoKkOJS22IE/uPWi2p5Ze2KZPfc1+mjhw+8sA
+bxJHHoZTV+PnvSPnX8v19aPp17jM2DTzPtKREACAd7ki0iZPBfPLgm9sQPxyZ7Lp
+AX/iJHKswgNPYokKkehxPzGe7Lk2oZXRH2rl8fnEBnU8xKkBJmR2tMl08zXXrrRD
+tA6ZoGiykequS2DVgRxhjHPe/XileyLMXRqY70DZFSKkghI8SwReKdg9tNq73c2Z
+9GAiic4JXhdgLi+C6x36fI6vuQ+W8X4ZxFOVyYLHkT1PnQty6s03qsVFHoz9j91F
+BCyDdPNhCJ0RAz3XQXSPwsRSIGWfC2B3+jBRt1Kgn+9o+WOlHWSMMTOw031jhdz
+yS3A1OvUPT/wtO6cxs/r7UCTuG/4HxGGhi4VeOCFMf0bH+iGBh83cykKAXnUnHnI
+nwUU2cRRvZjInoXTcaGdmt5zp0WwzBHmpyLmQLfey43sVYBoJvLSbzYsb94F6cbO
+3c60YdNbXfx30pzVJbAn4yzq7I4KreT6O8yOnLbZXIn2tZL513l+Lp4zbqo70Xxt
+U/j4JVI/cNEpIT8I6JKw+N4zCXVW44Wf5GRHnSNs3grf95xzyBvIXMxBXkeKhJbz
+GOS1k+b9l3xEALIt1rULmGLhZBd8R9x7/z6g4iPg0GS+6R80Utd5RHl1z3/gMDtw
+seSZF9RHRRfv9ZsQOGCNDAt+5yNL22IE87NXOCzgX0CIBSAKhqAC2wLXFSf4JyDH
+CnbTKmjTJGwZmHRnrw==
+=yIJv
+-----END PGP PUBLIC KEY BLOCK-----
--- a/crun.spec
+++ b/crun.spec
@ -0,0 +1,107 @@
+#
+# spec file for package crun
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%ifarch x86_64 aarch64
+%if 0%{?suse_version} >= 1600
+%define with_wasmedge 1
+%else
+%define with_wasmedge 0
+%endif
+%else
+%define with_wasmedge 0
+%endif
+
+Name:           crun
+Version:        1.17
+Release:        0
+Summary:        OCI runtime written in C
+License:        GPL-2.0-or-later
+URL:            https://github.com/containers/crun
+Source0:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xac404c1c0bf735c63ff4d562263d6df2e163e1ea#/%{name}.keyring
+# We always run autogen.sh
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  glibc-devel-static
+BuildRequires:  go-md2man
+BuildRequires:  libcap-devel
+BuildRequires:  libprotobuf-c-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libyajl-devel
+BuildRequires:  make
+BuildRequires:  python3
+BuildRequires:  python3-libmount
+BuildRequires:  systemd-devel
+%ifnarch %{ix86}
+BuildRequires:  criu-devel >= 3.15
+%endif
+%ifarch x86_64 aarch64
+BuildRequires:  libkrun-devel
+Requires:       libkrun1
+%endif
+%if %with_wasmedge
+BuildRequires:  wasmedge-devel
+%endif
+
+%description
+crun is a runtime for running OCI containers. It is built with libkrun support
+
+%prep
+%autosetup -p1
+
+%build
+%ifarch x86_64 aarch64
+export LIBKRUN="--with-libkrun"
+%endif
+%if %with_wasmedge
+export WASMEDGE="--with-wasmedge"
+%endif
+
+./autogen.sh
+%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp'
+%make_build
+
+# TODO:
+# - it would be nice to enable the test-suite, but seems to behave (and fail!)
+#   differently when run inside of an OBS worker, with respect to when it's
+#   run manually on the host... Need to investigate more.
+#%%dnl %%check
+#make test-suite.log
+
+%install
+%make_install
+rm -rf %{buildroot}/%{_libdir}/lib*
+
+%files
+%license COPYING
+%doc README.md
+%doc SECURITY.md
+%{_bindir}/%{name}
+%ifarch x86_64 aarch64
+%{_bindir}/krun
+%endif
+%if %with_wasmedge
+%{_bindir}/crun-wasm
+%endif
+%{_mandir}/man1/*
+
+%changelog