Releases: containers/crun
Releases · containers/crun
0.19
- join all the cgroup v1 controllers.
- raise a warning when newuidmap/newgidmap fail.
- handle eBPF access(dev_name, F_OK) call correctly.
- fix some memory leaks on errors when libcrun is used by a long running process.
- fix the SELinux label for masked directories.
- support default seccomp errno value.
- fail if no default seccomp action specified.
- support OCI seccomp notify listener.
- improve OOM error messages.
- ignore unknown capabilities and raise a warning.
- always remount bind mounts to drop not requested mount flags.
0.18
- fix build without CLONE_NEWCGROUP.
- fix conversion from blkio to io.
- add custom annotation to load raw BPF.
- set working directory for libkrun
- fix symlink lookup on old kernels that lack openat2
- skip +cpu on EINVAL in cgroup root. Enabling the cpu controller is not permitted if there are already realtime processes running on the system.
- Fix permission error when using NOTIFY_SOCKET with username spaces.
- set HOME to root if the user not found.
- simplify mount logic to not use a temporary mount.
- ignore ENOSYS from keyctl.
0.17
- allow creating user namespaces without root being mapped.
- allow arbitrary IDs with single ID userns.
- use close_range(CLOSE_RANGE_CLOEXEC) where available.
- honor /sys/kernel/cgroup/delegate.
- fix an issue with hooks running in the container PID namespace.
- fix building without seccomp.
- fix building without libcap.
0.16
- CRIU support.
- fallback to openat if openat2 returns EPERM.
- ignore ENOENT for cgroup v1 mounts, if the mount fails with ENOENT, the controller might have been unmounted.
- fix another race reading cgroup freeze. Reading from the cgroup fails with ENODEV if the cgroup was deleted in the meanwhile.
0.15.1
- add experimental support for libkrun.
- fix check for pidfd availability on older kernels.
- linux: do not set data when remounting read-only. Fix 'ro' mounts on older kernels when SELinux is enabled.
- linux: label the cgroup v1 tmpfs when SELinux is enabled.
- container: truncate the pid file before writing to it.
- exec: fix check for read bytes from the sync socket.
- check the process has a cgroup before allowing pause and resume.
- linux: always create a user namespace if not running with euid == 0.
- libcrun can use a hook instead of executing a container process.
- use libyajl to generate hooks json input.
- handle correctly ENOENT for seccomp notifications.
0.15
- add support for OCI unified cgroup v2.
- add json format option to
crun list
. - get last kernel capability dynamically instead of using a build time constant.
- enable all available cgroup controllers.
- support the seccomp SCMP_ACT_LOG action.
- support the seccomp SCMP_ACT_KILL_THREAD action.
- properly set a SELinux label for the mqueue mount.
crun kill
uses pidfd when supported.- experimental support for seccomp notifications.
- fix bundle option for
crun create
andcrun run
. - allow to declare path to config file.
- check /sys/kernel/security/apparmor when using AppArmor.
- doesn't accept type=bind alone anymore, but require either "bind" or "rbind" to be present in the mount flags.
0.14.1
0.14
- cgroup, systemd: create container under subcgroup. Now a "/container" sub-cgroup is created and fully managed by libcrun. This is a different behaviour than what runc does.
- libcrun: use the openat2 syscall available since Linux 5.6.
- container: allow hooks output to file through an annotation.
- linux: support joining PID/IPC namespace not owned by the user namespace. Requires Linux 5.3.
- linux: avoid double fork for creating the init process if not needed.
- linux: fix an issue where the basename for $NOTIFY_SOCKET is different than /notify.
- rootless: allow /dev/{tty,ptmx} to be present in linux.devices.
- cgroup: fix an issue on CentOS 7.8 when using net_cls and net_prio.
- seccomp: honor errnoRet from OCI spec runtime.
- exec: set setresuid/setresgid before setting up the terminal.
- cgroup, v2: fix crun update with both --memory -1 --memory-swap -1.
- cgroup, v2: fixing setting unlimited swap.
- cgroup, v2: allow to set unlimited swap per se.
- cgroup, v2: treat negative numbers as "max"
- cgroup, v2: raise error if swap is set without memory limit.
- cgroup: ignore cpu resources if set to 0.
- libcrun: audit errno in crun_make_error calls
- libcrun: fix read_pid_stat usage.
- linux: fix double close on the same file descriptor.
- container: Prevent deletion of not stopped container
- status: Use process start time for identification
- CRIU: several improvements.
- linux: fix path lookups for relative paths containing '/'.
- linux: use the SELinux mount label for the notify socket.
- status: delete doesn't fail if the process already exited.
0.13
- license: change license to gplv2+ and lgpl2.1+.
- criu: initial support for
container restore
. - state: If a container is paused, report its state as 'paused'.
- cgroup: use the memory controller to ready PIDs. The pid controller is not available on kernels older than 4.3.
- linux: drop context= for remount. Older linux versions complain when the selinux label is specified on a remount.
- utils: fix mount on not writeable path.
- cgroup: support systemd properties via annotations.
- systemd: do not set hard-code collectmode value. It can be set through an annotation.
- cgroup: write the correct blkio settings.
- exec: do not inherit env variables from main pid.
- ebpf: fix endianess issue on s390x.
- linux: fix recursive mount on cgroup v1.