Commit Graph

18 Commits

Author SHA1 Message Date
Oskari Rauta 6f5c1eb171 crun: update to 1.14.1
Changelogs: https://github.com/containers/crun/releases
Previous version was 1.12

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2024-02-16 16:55:47 +08:00
Fabrice Fontaine a22a7b92c8 utils/crun: assign PKG_CPE_ID
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:crun_project:crun

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2024-01-29 15:59:57 -08:00
Oskari Rauta ff51a0b495 crun: update to version 1.12
Changelog: https://github.com/containers/crun/releases

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-12-01 17:59:43 +08:00
Oskari Rauta bb3af8acb9 crun: update to 1.9.2
changelog 1.9.2:
 - cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels do that automatically, but new kernels remember the affinity that was set before the cgroup move, so we need to reset it in order to honor the cpuset configuration.

changelog 1.9.1:
 - utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 that always refuses chmod on a symlink.
 - build: fix build on CentOS 7
 - linux: add new fallback when mount fails with EBUSY, so that there is not an additional tmpfs mount if not needed.
 - utils: improve error message when a directory cannot be created as a component of the path is already existing as a non directory.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-10-01 22:12:58 +01:00
Oskari Rauta 7728e1eb39 crun: update to 1.9
Changes:
 - support arbitrary idmapped mounts. Now it is possible to specify a mapping for any type of mount, not only bind mounts.
 - add support for "ridmap" mount option to support recursive idmapped mounts.
 - fix check for oom_score_adj. Write the oom_score_adj file even when the new value is 0.
 - features: Support mountExtensions.
 - correctly handle unknown signal string when it doesn't start with a digit.
 - do not attempt to join again already joined namespace.
 - wasmer: use latest wasix API.
 - refresh libocispec

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-09-16 21:42:58 +08:00
Oskari Rauta 6b75cb2860 crun: update v1.8.5
Moved from git to release version,
but release version does not have submodule
libocispec included, so additional download added.

Release notes: https://github.com/containers/crun/releases

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-06-11 17:32:01 +03:00
Tianling Shen 6f5dbdba0f crun: add libgcrypt dependency
Fixes: ad0aa1b2fc ("crun: update to 1.7.2")

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-01-22 15:28:07 +08:00
Oskari Rauta ad0aa1b2fc crun: update to 1.7.2
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-01-11 19:52:34 +08:00
Hauke Mehrtens 91c2a71776 crun: Update to version 1.6
This fixes compilation problems with glibc 2.36.

Full changelog:
* crun-1.6

- runc compatibility: -v now prints the version string.
- build: fix build with glibc 2.36.
- container: drop intermediate userns custom feature.
- cgroup: change the delegate cgroup semantic so that the cgroup is
  created in the container payload after the cgroup namespace is created.
- seccomp: use helper process to send file descriptor to the listener
  socket.  It enables to be notified on every syscall without hanging
  the main process.
- linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails
  with ENOSYS.
- krun: add support for krun-sev.
- wasmtime: always grant file system capability for workdir inside the container.
- wasmtime: inherit arguments list from the handler instead of the current process.
- wasmedge: use released wasmedge library instead of libwasmedge_c.so.

* crun-1.5

- add mono based native .NET handler
- new Wasmtime backend for running WebAssembly
- add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
- dropping support for experimental `WasmEdgeProcess` from wasmedge handler
- honor process user's uid when setting the HOME environment variable
- create the current working directory if it is missing in the container
- fallback to using a tmpfs mount if umount of /sys and /proc fails
- fallback to netlink to setup lo device
- fix creating devices in the rootfs
- fallback to using io.weight if io.bfq.weight doesn't exist
- remove tun/tap from the default allow list
- linux: devices mounts have noexec and nosuid
- fix copyup of files from the container to the tmpfs
- honor $PATH for newgidmap and newguidmap
- krun: limit the number of vCPUs to 8
- cgroup: add support for cpu.idle

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-11-11 15:10:30 -08:00
Oskari Rauta f95c7a5cec crun: update to version 1.4.5
 - CRIU: add support for different manage cgroups modes.
 - the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration.
 - exec: fix double free when using --apparmor and --process-label.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2022-05-10 00:00:22 +03:00
Oskari Rauta 76c311d1c5 crun: update to version 1.4.2
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2022-03-02 16:31:13 -08:00
Oskari Rauta 05dcb333be crun: update to v1.4.1
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2022-01-24 15:45:16 -08:00
Oskari Rauta 7034d3cbba crun: update to 1.3
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2021-11-24 21:29:04 +00:00
Oskari Rauta 3873a850a5 crun: update to version 1.2
release notes:

0.20.1
 - container: ignore error when resetting the SELinux label for the keyring.

0.21
 - when compiled with krun, automatically use it if the current executable file is called "krun"
 - cgroup: lookup pids controller as well when the memory controller is not available
 - status: add fields for owner and created timestamp
 - honor memory swappiness set to 0

1.0
 - Fix symlink target mangling for tmpcopyup targets.
 - Makefile.am: fix link error when using directly libcrun.
 - cgroup: add support for setting memory.use_hierarchy on cgroup v1.
 - linux: treat pidfd_open failures EINVAL as ESRCH.
 - cgroup: chown the current container cgroup to root in the container.

1.1
 - utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.
 - criu: fix save of external descriptors. Now restored containers attach correctly their standard streams.
 - criu: Add support for external PID namespace.
 - container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
 - exec: refuse to exec in a paused container/cgroup.
 - cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.

1.2
 - criu: add support for external ipc, uts and time namespaces.
 - exec: fix regression in 1.1 where containers are being wrongly reported as paused.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2021-11-05 07:21:36 +01:00
Oskari Rauta 0b609eb373 crun: update to 3.2.0
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2021-06-08 03:15:15 +03:00
Oskari Rauta 616d867e48 crun: bump to version 0.19.1
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2021-05-19 17:30:03 +03:00
Eneas U de Queiroz 048e1d2d63 crun: Don't build on arc
The package needs libseccomp, which does not currently support arc.
In order to avoid a circular dependency, we must avoid arc here as well.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-04-11 21:21:14 -03:00
Oskari Rauta 01d1a4969e crun: add package crun
crun is the preferred container run-time of podman, it's faster than
runc and has a much lower memory footprint.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2021-03-30 00:21:29 +01:00