File crun.changes of Package crun

-------------------------------------------------------------------
Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat <fcrozat@suse.com>

- Update to 1.8.5:
  * scheduler: use definition from the OCI configuration file
    instead of the custom label that is now dropped and not
    supported anymore.
  * cgroup: fix creating cgroup under "domain threaded".
  * cgroup, systemd: set the memory limit on the system scope.
  * restore tty settings from the correct file descriptor.  It was
    previously restoring the settings from the wrong file
    descriptor causing the tty settings to be changed on the
    calling terminal.
  * criu: check if the criu_join_ns_add function exists.
    Fix a segfault with new versions of CRIU.
  * linux: do not precreate devs with euid > 0.  Fix creating
    devices when running the OCI runtime as non root user.
  * linux: improve PID detection on systems that lack pidfd.
    While there is still a window of time in which the PID could be
    recycled, it is now reduced to a minimum.
  * criu: fix memory leak.
  * logging: improve error message when dlopen fails.

- Changes from 1.8.4:
  * drop custom annotation to set the time namespace and use
    the OCI specs instead.
  * cgroup: workaround cpu quota/period issue with v1.  Sometimes
    setting CPU quota period fails when a new period is lower,
    and a parent cgroup has CPU quota limit set.
  * cgroup: fix set quota to -1 on cgroup v1.
  * criu: drop loading unused functions.

-------------------------------------------------------------------
Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller <dmueller@suse.com>

- update to 1.8.3:
  * update: initialize the rt limits only on cgroup v1.
  * lua bindings for libcrun.
  * wasmedge: add current directory to preopen paths.
  * linux: inherit parent mount flags when making a path masked.
  * libcrun: custom annotation to set the scheduler for the
    container process.
  * cgroup: fallback to blkio.bfq files if blkio is not available
    on cgroup v1.
  * cgroup: initialize rt limits when using systemd.
  * tty: chown the tty to the exec user instead of the user
    specified to create the container.
  * cgroup: fallback to create cgroupfs as sibling of the current
    cgroup if there is none specified and it cannot be created in
    the root cgroup.
- add keyring for GPG validation

-------------------------------------------------------------------
Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel <aboe76@gmail.com>

- Update to 1.8.1
  * linux: idmapped mounts expect the same configuration as
    the user namespace mappings. Before they were expecting the inverted
    mapping. It is a breaking change, but the behavior was aligned
    to what runc will do as well.
  * krun: always allow /dev/kvm in the cgroup configuration.
  * handlers: disable exec for handlers that do not support it.
  * selinux: allow setting fscontext using a custom annotation.
  * cgroup: reset systemd unit if start fails.
  * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
  * cgroup: always delete the cgroup on errors.
    On some errors it could have been leaked before.

- changes from 1.8
  * linux: precreate devices on the host.
  * cgroup: support cpuset mounted with noprefix.
  * linux: mount the source cgroup if cgroupns=host.
  * libcrun: don't clone self from read-only mount.
  * build: fix build without dlfcn.h.
  * linux: set PR_SET_DUMPABLE.
  * utils: fix applying AppArmor profile.
  * linux: write setgroups=deny when mapping a single uid/gid.
  * cgroup: fix enter cgroupv1 mount on RHEL 7.

-------------------------------------------------------------------
Wed Dec  7 09:24:19 UTC 2022 - Frederic Crozat <fcrozat@suse.com>

- Update to 1.7.2:
  * criu: hardcode library name to libcriu.so.2.
  * cgroup: always enable all controllers, even if the cgroup was
    already joined. Regression caused by crun-1.7.

- Changes from 1.7.1:
  * criu: load libcriu dynamically.
  * seccomp: initialize libgcrypt.
  * handlers: fix rewriting the argv if the full cmdline doesn't
    fit.
  * utils: honor SELinux label when using a custom handler.
  * utils: honor AppArmor label when using a custom handler.
  * krun: copy the OCI configuration file into the container.
  * utils: fix creating the default user namespace when running
    with euid != 0.
  * Add setlinebuf() when --debug and --log=file: are used.
  * Fix timestamp format in the error messages.
  * krun: disable libkrun's collection of env vars.

- Changes from 1.7:
  * seccomp: use a cache for the generated BPF.
  * add support for setting the domainname through the OCI spec.
  * handlers: define wasm and krun.
  * wasmtime: add support for compiling .wat format.
  * cgroup: honor checkBeforeUpdate on cgroupv2.
  * crun: chown std streams before joining the user namespace.
  * crun: display rundir in --version output.
  * container: with cgroupfs use clone3 to join the target cgroup
    directly.
  * linux: create parent directories for created devices with mode
    0755.
  * wasm: inherit environment variables in the WasmEdge handler.

-------------------------------------------------------------------
Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

- Update the libkrun dependency to the new libkrun1 library and
  devel package

-------------------------------------------------------------------
Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

- Update to 1.6
  * runc compatibility: -v now prints the version string.
  * build: fix build with glibc 2.36.
  * container: drop intermediate userns custom feature.
  * cgroup: change the delegate cgroup semantic so that the cgroup
    is created in the container payload after the cgroup namespace
    is created.
  * seccomp: use helper process to send file descriptor to the listener
    socket. It makes it possible to be notified on every syscall without
    hanging the main process.
  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
    fails with ENOSYS.
  * krun: add support for krun-sev.
  * wasmtime: always grant file system capability for workdir inside
    the container.
  * wasmtime: inherit arguments list from the handler instead of the
    current process.
  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.

- Update to 1.5
  * add mono based native .NET handler
  * new Wasmtime backend for running WebAssembly
  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
  * dropping support for experimental WasmEdgeProcess from wasmedge handler
  * honor process user's uid when setting the HOME environment variable
  * create the current working directory if it is missing in the container
  * fallback to using a tmpfs mount if umount of /sys and /proc fails
  * fallback to netlink to setup lo device
  * fix creating devices in the rootfs
  * fallback to using io.weight if io.bfq.weight doesn't exist
  * remove tun/tap from the default allow list
  * linux: devices mounts have noexec and nosuid
  * fix copyup of files from the container to the tmpfs
  * honor $PATH for newuidmap and newgidmap
  * krun: limit the number of vCPUs to 8
  * cgroup: add support for cpu.idle

-------------------------------------------------------------------
Mon May  9 12:43:12 UTC 2022 - Frederic Crozat <fcrozat@suse.com>

- Update to 1.4.5:
  + CRIU: add support for different manage cgroups modes.
  + linux: the hook processes inherit the crun process
    environment if there is no environment block specified in the
    OCI configuration.
  + exec: fix double free when using --apparmor and
    --process-label.

-------------------------------------------------------------------
Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

- It'd be nice to run the test suite with %check. It however, still
  does not work properly inside OBS workers. Add it commented and
  explain it

-------------------------------------------------------------------
Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
  see: https://github.com/containers/crun/releases
  * 1.4.4
    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
    Resolve symlinks in bind mounts when creating a user namespace.
    Fix CVE-2022-27650: exec does not set inheritable capabilities.
  * 1.4.3
    cgroup: avoid potential infinite loop when deleting a cgroup.
    support additional options for idmap mounts.
    open the source for a bind mount in the host.
  * 1.4.2
    CRIU: add pre-dump support.
    Fix running with a read-only /dev.
    Ignore EROFS when chowning standard stream files.
    Add validation for sysctls before applying them.
  * 1.4.1
    Fix check for an invalid path.
    Allow deleting a container while in created state.
    cgroup: do not set cpu limits if number of shares is set to 0.
  * 1.4
    wasm: support for running on kubernetes with containerd.
    linux: add support for recursive mount options.
    add support for idmapped mounts through a new mount option "idmap".
    linux: improve detection of /dev target.
    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
    retry the openat2 syscall if it fails with EAGAIN.
    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
    on new kernels, use setns with pidfd.
    attempt the chdir again with the specified user if it failed before changing credentials.
  * 1.3
    add support to natively build and run WebAssembly workload and WebAssembly containers.
    allow to specify sub-cgroup for exec.
    chown std streams if they are not a TTY.
    attach the correct streams if the container is suspended and restored multiple times.
    fix race condition when enabling controllers on cgroup v2.
  * 1.2
    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
    criu: add support for external ipc, uts and time namespaces.
  * 1.1
    cgroup: use cgroup.kill when available.
    exec: refuse to exec in a paused container/cgroup.
    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
    criu: Add support for external PID namespace.
    criu: fix save of external descriptors.
    utils: retry openat2 on EAGAIN.
  * 1.0
    cgroup: chown the current container cgroup to root in the container.
    linux: treat pidfd_open failures EINVAL as ESRCH.
    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
    Makefile.am: fix link error when using directly libcrun.
    Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies
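
The CVE-2022-27650 entry above (exec did not set the inheritable capability
set) can be checked from outside the runtime. The following is an added
example for this changelog, not crun's own code: it parses the Cap* lines of
/proc/<pid>/status, decodes each bitmask into capability names and reports
inheritable capabilities that the caller did not expect. The two status
excerpts are constructed for the example (the "before" one carries the common
default container capability set in CapInh); treating an empty expected set
as the baseline for an exec'd process is an assumption of the example, so pass
the set your process spec actually requests.

```python
"""Audit the inheritable capability set of a process via /proc/<pid>/status.

Added example, not part of crun. Sample status excerpts are constructed.
"""
import re

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed excerpt: an exec'd process that kept the container's default
# capability set in CapInh although nothing asked for inheritable caps.
STATUS_BEFORE = """\
Name:\tsh
Pid:\t4242
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed excerpt: same process with CapInh reset to empty.
STATUS_AFTER = """\
Name:\tsh
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Return {set_name: int_mask} for the Cap* lines of a status file."""
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def decode_caps(mask):
    """Expand a capability bitmask into the list of set capability names."""
    names = []
    for bit in range(64):
        if (mask >> bit) & 1:
            # Bits beyond the table are newer than this list; keep them visible.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def audit_inheritable(status_text, expected_inheritable=frozenset()):
    """Return the sorted inheritable capabilities that were not expected.

    An empty result means CapInh contains nothing beyond what the caller
    declared; a non-empty result is the symptom fixed in crun 1.4.4.
    """
    sets = parse_cap_sets(status_text)
    inh = set(decode_caps(sets.get("CapInh", 0)))
    return sorted(inh - set(expected_inheritable))


if __name__ == "__main__":
    # On a live system read /proc/<pid>/status of the exec'd process instead.
    for label, text in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, audit_inheritable(text))
```

On a real host, feed the function the contents of /proc/<pid>/status for a
process started with `crun exec`; an empty result for a process spec that
declared no inheritable capabilities is the expected post-1.4.4 behaviour.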

-------------------------------------------------------------------
Tue Nov  2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Add libprotobuf-c-devel as an explicit dependency, for fixing
  the build;
- Get rid of rpmlintrc, as it's no longer needed.

-------------------------------------------------------------------
Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- make libkrun support conditional, so we can have crun (without
  libkrun, of course) on all arches, which may help with
  bsc#1188914.

-------------------------------------------------------------------
Fri Aug  6 13:37:49 UTC 2021 - Frederic Crozat <fcrozat@suse.com>

- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
  it is a plugin, not a regular shared library.

-------------------------------------------------------------------
Fri Aug  6 09:55:53 UTC 2021 - Frederic Crozat <fcrozat@suse.com>

- Add libkrun-dlopen.patch: use soname when dlopening libkrun.

-------------------------------------------------------------------
Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>

- Update to 0.21
  - honor memory swappiness set to 0
  - status: add fields for owner and created timestamp
  - cgroup: lookup pids controller as well when the memory controller
    is not available
  - when compiled with krun, automatically use it if the current
    executable file is called "krun".
  - container: ignore error when resetting the SELinux label for the
    keyring.
  - container: call prestart hooks before rootfs is RO.
  - cgroup: added support for cleaning custom controllers on cgroupv1.
  - spec: add support for --bundle.
  - exec: add --no-new-privs.
  - exec: add --process-label and --apparmor to change SELinux and
    AppArmor labels.
  - cgroup: kill procs in cgroup on EBUSY.
  - cgroup: ignore devices errors when running in a user namespace.
  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  - seccomp: report correct action in error message.
  - apply SELinux label to keyring.
  - add custom annotation run.oci.delegate-cgroup.
  - close_range fallbacks to close on EPERM.
  - report error if the cgroup path was set and the cgroup could not be
    joined.
  - on exec, honor additional_gids from the process spec, not the
    container definition.
  - spec: add cgroup ns if on cgroup v2.
  - systemd: support array of strings for cgroup annotation.
  - join all the cgroup v1 controllers.
  - raise a warning when newuidmap/newgidmap fail.
  - handle eBPF access(dev_name, F_OK) call correctly.
  - fix some memory leaks on errors when libcrun is used by a long
    running process.
  - fix the SELinux label for masked directories.
  - support default seccomp errno value.
  - fail if no default seccomp action specified.
  - support OCI seccomp notify listener.
  - improve OOM error messages.
  - ignore unknown capabilities and raise a warning.
  - always remount bind mounts to drop not requested mount flags.

-------------------------------------------------------------------
Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Add a mention to crun-rpmlintrc in the spec file

-------------------------------------------------------------------
Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Since we're building with libkrun support, let's enable only the
  arch-es for which we do have libkrun

-------------------------------------------------------------------
Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Suppress the (false positive) rpmlint warning

-------------------------------------------------------------------
Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Some fixes to the spec file (add some %doc, remove unused macros, etc)

-------------------------------------------------------------------
Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>

- Initial package for 0.18
  Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>