Releases: containers/crun

0.19

02 Apr 14:14
e67a756
  • join all the cgroup v1 controllers.
  • raise a warning when newuidmap/newgidmap fail.
  • handle eBPF access(dev_name, F_OK) call correctly.
  • fix some memory leaks on errors when libcrun is used by a long-running process.
  • fix the SELinux label for masked directories.
  • support default seccomp errno value.
  • fail if no default seccomp action specified.
  • support OCI seccomp notify listener.
  • improve OOM error messages.
  • ignore unknown capabilities and raise a warning.
  • always remount bind mounts to drop mount flags that were not requested.

0.18

19 Feb 07:42
808420e
  • fix build without CLONE_NEWCGROUP.
  • fix conversion from blkio to io.
  • add custom annotation to load raw BPF.
  • set working directory for libkrun.
  • fix symlink lookup on old kernels that lack openat2.
  • skip +cpu on EINVAL in cgroup root. Enabling the cpu controller is not permitted if there are already realtime processes running on the system.
  • fix a permission error when using NOTIFY_SOCKET with user namespaces.
  • set HOME to root if the user is not found.
  • simplify mount logic to not use a temporary mount.
  • ignore ENOSYS from keyctl.

0.17

21 Jan 22:11
0e9229a
  • allow creating user namespaces without root being mapped.
  • allow arbitrary IDs with single ID userns.
  • use close_range(CLOSE_RANGE_CLOEXEC) where available.
  • honor /sys/kernel/cgroup/delegate.
  • fix an issue with hooks running in the container PID namespace.
  • fix building without seccomp.
  • fix building without libcap.

0.16

24 Nov 09:01
91ec195
  • CRIU support.
  • fall back to openat if openat2 returns EPERM.
  • ignore ENOENT for cgroup v1 mounts: if the mount fails with ENOENT, the controller might have been unmounted.
  • fix another race reading cgroup freeze. Reading from the cgroup fails with ENODEV if the cgroup was deleted in the meantime.

0.15.1

03 Nov 15:26
eb0145e
  • add experimental support for libkrun.
  • fix check for pidfd availability on older kernels.
  • linux: do not set data when remounting read-only. Fix 'ro' mounts on older kernels when SELinux is enabled.
  • linux: label the cgroup v1 tmpfs when SELinux is enabled.
  • container: truncate the pid file before writing to it.
  • exec: fix check for read bytes from the sync socket.
  • check the process has a cgroup before allowing pause and resume.
  • linux: always create a user namespace if not running with euid == 0.
  • libcrun can use a hook instead of executing a container process.
  • use libyajl to generate hooks json input.
  • correctly handle ENOENT for seccomp notifications.

0.15

23 Sep 15:00
56ca95e
  • add support for OCI unified cgroup v2.
  • add json format option to crun list.
  • get last kernel capability dynamically instead of using a build time constant.
  • enable all available cgroup controllers.
  • support the seccomp SCMP_ACT_LOG action.
  • support the seccomp SCMP_ACT_KILL_THREAD action.
  • properly set a SELinux label for the mqueue mount.
  • crun kill uses pidfd when supported.
  • experimental support for seccomp notifications.
  • fix bundle option for crun create and crun run.
  • allow declaring the path to the config file.
  • check /sys/kernel/security/apparmor when using AppArmor.
  • no longer accept type=bind alone; require either "bind" or "rbind" to be present in the mount flags.

0.14.1

08 Jul 07:30
88886ae
  • fix a regression in crun-0.14 where openat2(2) would fail when bind mounting a symlink.
  • various small fixes to allow running regression tests outside of source tree.

0.14

02 Jul 19:06
ebc56fc
  • cgroup, systemd: create the container under a sub-cgroup. A "/container" sub-cgroup is now created and fully managed by libcrun. This behaviour differs from runc.
  • libcrun: use the openat2 syscall available since Linux 5.6.
  • container: allow hooks output to file through an annotation.
  • linux: support joining PID/IPC namespace not owned by the user namespace. Requires Linux 5.3.
  • linux: avoid double fork for creating the init process if not needed.
  • linux: fix an issue where the basename for $NOTIFY_SOCKET is different than /notify.
  • rootless: allow /dev/{tty,ptmx} to be present in linux.devices.
  • cgroup: fix an issue on CentOS 7.8 when using net_cls and net_prio.
  • seccomp: honor errnoRet from OCI spec runtime.
  • exec: call setresuid/setresgid before setting up the terminal.
  • cgroup, v2: fix crun update with both --memory -1 --memory-swap -1.
  • cgroup, v2: fix setting unlimited swap.
  • cgroup, v2: allow setting unlimited swap on its own.
  • cgroup, v2: treat negative numbers as "max".
  • cgroup, v2: raise error if swap is set without memory limit.
  • cgroup: ignore cpu resources if set to 0.
  • libcrun: audit errno in crun_make_error calls.
  • libcrun: fix read_pid_stat usage.
  • linux: fix double close on the same file descriptor.
  • container: prevent deleting a container that is not stopped.
  • status: use the process start time for identification.
  • CRIU: several improvements.
  • linux: fix path lookups for relative paths containing '/'.
  • linux: use the SELinux mount label for the notify socket.
  • status: delete doesn't fail if the process already exited.

0.13

05 Mar 15:08
e79e4de
  • license: change license to gplv2+ and lgpl2.1+.
  • criu: initial support for container restore.
  • state: if a container is paused, report its state as 'paused'.
  • cgroup: use the memory controller to read PIDs. The pid controller is not available on kernels older than 4.3.
  • linux: drop context= for remount. Older Linux versions complain when the SELinux label is specified on a remount.
  • utils: fix mount on a non-writable path.
  • cgroup: support systemd properties via annotations.
  • systemd: do not set a hard-coded collectmode value. It can be set through an annotation.
  • cgroup: write the correct blkio settings.
  • exec: do not inherit env variables from main pid.
  • ebpf: fix endianness issue on s390x.
  • linux: fix recursive mount on cgroup v1.

0.12.2.1

17 Feb 22:37
cd7cea7
  • when not using a cgroup namespace, mount only the cgroup v1 subpath.