Revisions of crun
buildservice-autocommit
accepted
request 1074967
from
Dirk Mueller (dirkmueller)
(revision 24)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
committed
(revision 23)
- add keyring for GPG validation
Dirk Mueller (dirkmueller)
committed
(revision 22)
- update to 1.8.3: * update: initialize the rt limits only on cgroup v1. * lua bindings for libcrun. * wasmedge: add current directory to preopen paths. * linux: inherit parent mount flags when making a path masked. * libcrun: custom annotation to set the scheduler for the container process. * cgroup: fallback to blkio.bfq files if blkio is not available on cgroup v1. * cgroup: initialize rt limits when using systemd. * tty: chown the tty to the exec user instead of the user specified to create the container. * cgroup: fallback to create cgroupfs as sibling of the current cgroup if there is none specified and it cannot be created in the root cgroup.
buildservice-autocommit
accepted
request 1068702
from
Dario Faggioli (dfaggioli)
(revision 21)
baserev update by copy to link target
Dario Faggioli (dfaggioli)
accepted
request 1068319
from
Niels Abspoel (aboe76)
(revision 20)
- Update to 1.8.1 * linux: idmapped mounts expect the same configuration as the user namespace mappings. Before they were expecting the inverted mapping. It is a breaking change, but the behavior was aligned to what runc will do as well. * krun: always allow /dev/kvm in the cgroup configuration. * handlers: disable exec for handlers that do not support it. * selinux: allow setting fscontext using a custom annotation. * cgroup: reset systemd unit if start fails. * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1. * cgroup: always delete the cgroup on errors. On some errors it could have been leaked before. - changes from 1.8 * linux: precreate devices on the host. * cgroup: support cpuset mounted with noprefix. * linux: mount the source cgroup if cgroupns=host. * libcrun: don't clone self from read-only mount. * build: fix build without dlfcn.h. * linux: set PR_SET_DUMPABLE. * utils: fix applying AppArmor profile. * linux: write setgroups=deny when mapping a single uid/gid. * cgroup: fix enter cgroupv1 mount on RHEL 7.
buildservice-autocommit
accepted
request 1041192
from
Dario Faggioli (dfaggioli)
(revision 19)
baserev update by copy to link target
Dario Faggioli (dfaggioli)
accepted
request 1040893
from
Frederic Crozat (fcrozat)
(revision 18)
- Update to 1.7.2: * criu: hardcode library name to libcriu.so.2. * cgroup: always enable all controllers, even if the cgroup was already joined. Regression caused by crun-1.7. - Changes from 1.7.1: * criu: load libcriu dynamically. * seccomp: initialize libgcrypt. * handlers: fix rewriting the argv if the full cmdline doesn't fit. * utils: honor SELinux label when using a custom handler. * utils: honor AppArmor label when using a custom handler. * krun: copy the OCI configuration file into the container. * utils: fix creating the default user namespace when running with euid != 0. * Add setlinebuf() when --debug and --log=file: are used. * Fix timestamp format in the error messages. * krun: disable libkrun's collection of env vars. - Changes from 1.7: * seccomp: use a cache for the generated BPF. * add support for setting the domainname through the OCI spec. * handlers: define wasm and krun. * wasmtime: add support for compiling .wat format. * cgroup: honor checkBeforeUpdate on cgroupv2. * crun: chown std streams before joining the user namespace. * crun: display rundir in --version output. * container: with cgroupfs use clone3 to join directly the target cgroup. * linux: create parent directories for created devices with mode 0755. * wasm: inherit environment variables in the WasmEdge handler.
Dario Faggioli (dfaggioli)
accepted
request 1007882
from
Dario Faggioli (dfaggioli)
(revision 17)
- Update the libkrun dependency to the new libkrun1 library and devel package
buildservice-autocommit
accepted
request 1007084
from
Dirk Mueller (dirkmueller)
(revision 16)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
accepted
request 1006927
from
Dario Faggioli (dfaggioli)
(revision 15)
- Update to 1.6 * runc compatibility: -v now prints the version string. * build: fix build with glibc 2.36. * container: drop intermediate userns custom feature. * cgroup: change the delegate cgroup semantic so that the cgroup is created in the container payload after the cgroup namespace is created. * seccomp: use helper process to send file descriptor to the listener socket. It enables to be notified on every syscall without hanging the main process. * linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails with ENOSYS. * krun: add support for krun-sev. * wasmtime: always grant file system capability for workdir inside the container. * wasmtime: inherit arguments list from the handler instead of the current process. * wasmedge: use released wasmedge library instead of libwasmedge_c.so. - Update to 1.5 * add mono based native .NET handler * new Wasmtime backend for running WebAssembly * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x * dropping support for experimental WasmEdgeProcess from wasmedge handler * honor process user's uid when setting the HOME environment variable * create the current working directory if it is missing in the container * fallback to using a tmpfs mount if umount of /sys and /proc fails * fallback to netlink to setup lo device * fix creating devices in the rootfs * fallback to using io.weight if io.bfq.weight doesn't exist * remove tun/tap from the default allow list * linux: devices mounts have noexec and nosuid * fix copyup of files from the container to the tmpfs * honor $PATH for newgidmap and newguidmap * krun: limit the number of vCPUs to 8 * cgroup: add support for cpu.idle
buildservice-autocommit
accepted
request 976025
from
Dario Faggioli (dfaggioli)
(revision 14)
baserev update by copy to link target
Dario Faggioli (dfaggioli)
accepted
request 975835
from
Frederic Crozat (fcrozat)
(revision 13)
- Update to 1.4.5: + CRIU: add support for different manage cgroups modes. + linux: the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration. ° exec: fix double free when using --apparmor and --process-label.
buildservice-autocommit
accepted
request 969579
from
Dario Faggioli (dfaggioli)
(revision 12)
baserev update by copy to link target
Dario Faggioli (dfaggioli)
accepted
request 969577
from
Dario Faggioli (dfaggioli)
(revision 11)
- It'd be nice to run the test suite with %check. It however, still does not work properly inside OBS workers. Add it commented (and explain it in a comment) - switch to latest upstream version (1.4.4) - big jump from 0.21! Here's a short summary, for details, see: https://github.com/containers/crun/releases * 1.4.4 wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars Resolve symlinks in bind mounts when creating a user namespace. Fix CVE-2022-27650: exec does not set inheritable capabilities. * 1.4.3 cgroup: avoid potential infinite loop when deleting a cgroup. support additional options for idmap mounts. open the source for a bind mount in the host. * 1.4.2 CRIU: add pre-dump support. Fix running with a read-only /dev. Ignore EROFS when chowning standard stream files. Add validation for sysctls before applying them. * 1.4.1 Fix check for an invalid path. Allow deleting a container while in created state. cgroup: do not set cpu limits if number of shares is set to 0. * 1.4 wasm: support for running on kubernetes with containerd. linux: add support for recursive mount options. add support for idmapped mounts through a new mount option "idmap". linux: improve detection of /dev target. now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2. retry the openat2 syscall if it fails with EAGAIN. cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup. on new kernels, use setns with pidfd. attempt the chdir again with the specified user if it failed before changing credentials. * 1.3 add support to natively build and run WebAssembly workload and WebAssembly containers. allow to specify sub-cgroup for exec. chown std streams if they are not a TTY. attach the correct streams if the container is suspended and restored multiple times. fix race condition when enabling controllers on cgroup v2. * 1.2 exec: fix regression in 1.1 where containers are being wrongly reported as paused. criu: add support for external ipc, uts and time namespaces. * 1.1 cgroup: use cgroup.kill when available. exec: refuse to exec in a paused container/cgroup. container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing. criu: Add support for external PID namespace. criu: fix save of external descriptors. utils: retry openat2 on EAGAIN. * 1.0 cgroup: chown the current container cgroup to root in the container. linux: treat pidfd_open failures EINVAL as ESRCH. cgroup: add support for setting memory.use_hierarchy on cgroup v1. Makefile.am: fix link error when using directly libcrun. Fix symlink target mangling for tmpcopyup targets. - fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself) - update and fixup dependencies
Dario Faggioli (dfaggioli)
accepted
request 928761
from
Dario Faggioli (dfaggioli)
(revision 10)
- Add libprotobuf-c-devel as an explicit dependency, for fixing the build; - Get rid of rpmlintrc, as it's no longer needed.
Dario Faggioli (dfaggioli)
accepted
request 914070
from
Dario Faggioli (dfaggioli)
(revision 9)
- make libkrun support conditional, so we can have crun (without libkrun, of course) on all arches, which may help with bsc#1188914.
Dario Faggioli (dfaggioli)
committed
(revision 8)
Dario Faggioli (dfaggioli)
accepted
request 911022
from
Frederic Crozat (fcrozat)
(revision 7)
- Drop libkrun-dlopen.patch and adapt to libkrun new package name, it is a plugin, not a regular shared library.
Dario Faggioli (dfaggioli)
accepted
request 910491
from
Frederic Crozat (fcrozat)
(revision 6)
- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
Dario Faggioli (dfaggioli)
accepted
request 910479
from
Paolo Stivanin (polslinux)
(revision 5)
- Update to 0.21 - honor memory swappiness set to 0 - status: add fields for owner and created timestamp - cgroup: lookup pids controller as well when the memory controller is not available - when compiled with krun, automatically use it if the current executable file is called "krun". - container: ignore error when resetting the SELinux label for the keyring. - container: call prestart hooks before rootfs is RO. - cgroup: added support cleaning custom controllers on cgroupv1. - spec: add support for --bundle. - exec: add --no-new-privs. - exec: add --process-label and --apparmor to change SELinux and AppArmor labels. - cgroup: kill procs in cgroup on EBUSY. - cgroup: ignore devices errors when running in a user namespace. - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default. - seccomp: report correct action in error message. - apply SELinux label to keyring. - add custom annotation run.oci.delegate-cgroup. - close_range fallbacks to close on EPERM. - report error if the cgroup path was set and the cgroup could not be joined. - on exec, honor additional_gids from the process spec, not the container definition. - spec: add cgroup ns if on cgroup v2. - systemd: support array of strings for cgroup annotation. - join all the cgroup v1 controllers. - raise a warning when newuidmap/newgidmap fail. - handle eBPF access(dev_name, F_OK) call correctly. - fix some memory leaks on errors when libcrun is used by a long running process. - fix the SELinux label for masked directories. - support default seccomp errno value. - fail if no default seccomp action specified. - support OCI seccomp notify listener. - improve OOM error messages. - ignore unknown capabilities and raise a warning. - always remount bind mounts to drop not requested mount flags.
Displaying revisions 21 - 40 of 44