Changes:
- support arbitrary idmapped mounts. Now it is possible to specify a mapping for any type of mount, not only bind mounts.
- add support for "ridmap" mount option to support recursive idmapped mounts.
- fix check for oom_score_adj. Write the oom_score_adj file even when the new value is 0.
- features: Support mountExtensions.
- correctly handle unknown signal string when it doesn't start with a digit.
- do not attempt to join again already joined namespace.
- wasmer: use latest wasix API.
- refresh libocispec
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Moved from git to the release version,
but the release version does not include the
libocispec submodule, so an additional download was added.
Release notes: https://github.com/containers/crun/releases
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
This fixes compilation problems with glibc 2.36.
Full changelog:
* crun-1.6
- runc compatibility: -v now prints the version string.
- build: fix build with glibc 2.36.
- container: drop intermediate userns custom feature.
- cgroup: change the delegate cgroup semantic so that the cgroup is
created in the container payload after the cgroup namespace is created.
- seccomp: use helper process to send file descriptor to the listener
socket. It makes it possible to be notified on every syscall without hanging
the main process.
- linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails
with ENOSYS.
- krun: add support for krun-sev.
- wasmtime: always grant file system capability for workdir inside the container.
- wasmtime: inherit arguments list from the handler instead of the current process.
- wasmedge: use released wasmedge library instead of libwasmedge_c.so.
* crun-1.5
- add mono based native .NET handler
- new Wasmtime backend for running WebAssembly
- add support for wasmedge 0.10 and drop support for wasmedge 0.9.x
- drop support for experimental `WasmEdgeProcess` from wasmedge handler
- honor process user's uid when setting the HOME environment variable
- create the current working directory if it is missing in the container
- fall back to using a tmpfs mount if umount of /sys and /proc fails
- fall back to netlink to set up lo device
- fix creating devices in the rootfs
- fall back to using io.weight if io.bfq.weight doesn't exist
- remove tun/tap from the default allow list
- linux: devices mounts have noexec and nosuid
- fix copyup of files from the container to the tmpfs
- honor $PATH for newgidmap and newuidmap
- krun: limit the number of vCPUs to 8
- cgroup: add support for cpu.idle
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
- CRIU: add support for different manage cgroups modes.
- the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration.
- exec: fix double free when using --apparmor and --process-label.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
release notes:
0.20.1
- container: ignore error when resetting the SELinux label for the keyring.
0.21
- when compiled with krun, automatically use it if the current executable file is called "krun"
- cgroup: lookup pids controller as well when the memory controller is not available
- status: add fields for owner and created timestamp
- honor memory swappiness set to 0
1.0
- Fix symlink target mangling for tmpcopyup targets.
- Makefile.am: fix link error when using directly libcrun.
- cgroup: add support for setting memory.use_hierarchy on cgroup v1.
- linux: treat pidfd_open EINVAL failures as ESRCH.
- cgroup: chown the current container cgroup to root in the container.
1.1
- utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.
- criu: fix save of external descriptors. Now restored containers correctly attach their standard streams.
- criu: Add support for external PID namespace.
- container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
- exec: refuse to exec in a paused container/cgroup.
- cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.
1.2
- criu: add support for external ipc, uts and time namespaces.
- exec: fix regression in 1.1 where containers are being wrongly reported as paused.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
The package needs libseccomp, which does not currently support arc.
In order to avoid a circular dependency, we must avoid arc here as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
crun is the preferred container runtime of podman; it is faster than
runc and has a much lower memory footprint.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>