Revisions of crun

buildservice-autocommit accepted request 1074967 from Dirk Mueller (dirkmueller) (revision 24)
baserev update by copy to link target
Dirk Mueller (dirkmueller) committed (revision 23)
- add keyring for GPG validation
Dirk Mueller (dirkmueller) committed (revision 22)
- update to 1.8.3:
  * update: initialize the rt limits only on cgroup v1.
  * lua bindings for libcrun.
  * wasmedge: add current directory to preopen paths.
  * linux: inherit parent mount flags when making a path masked.
  * libcrun: custom annotation to set the scheduler for the
    container process.
  * cgroup: fallback to blkio.bfq files if blkio is not available
    on cgroup v1.
  * cgroup: initialize rt limits when using systemd.
  * tty: chown the tty to the exec user instead of the user
    specified to create the container.
  * cgroup: fallback to create cgroupfs as sibling of the current
    cgroup if there is none specified and it cannot be created in
    the root cgroup.
buildservice-autocommit accepted request 1068702 from Dario Faggioli (dfaggioli) (revision 21)
baserev update by copy to link target
Dario Faggioli (dfaggioli) accepted request 1068319 from Niels Abspoel (aboe76) (revision 20)
- Update to 1.8.1
  * linux: idmapped mounts expect the same configuration as
    the user namespace mappings. Before they were expecting the inverted
    mapping. It is a breaking change, but the behavior was aligned
    to what runc will do as well.
  * krun: always allow /dev/kvm in the cgroup configuration.
  * handlers: disable exec for handlers that do not support it.
  * selinux: allow setting fscontext using a custom annotation.
  * cgroup: reset systemd unit if start fails.
  * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
  * cgroup: always delete the cgroup on errors.
    On some errors it could have been leaked before.
- changes from 1.8
  * linux: precreate devices on the host.
  * cgroup: support cpuset mounted with noprefix.
  * linux: mount the source cgroup if cgroupns=host.
  * libcrun: don't clone self from read-only mount.
  * build: fix build without dlfcn.h.
  * linux: set PR_SET_DUMPABLE.
  * utils: fix applying AppArmor profile.
  * linux: write setgroups=deny when mapping a single uid/gid.
  * cgroup: fix enter cgroupv1 mount on RHEL 7.
buildservice-autocommit accepted request 1041192 from Dario Faggioli (dfaggioli) (revision 19)
baserev update by copy to link target
Dario Faggioli (dfaggioli) accepted request 1040893 from Frederic Crozat (fcrozat) (revision 18)
- Update to 1.7.2:
  * criu: hardcode library name to libcriu.so.2.
  * cgroup: always enable all controllers, even if the cgroup was
    already joined. Regression caused by crun-1.7.
- Changes from 1.7.1:
  * criu: load libcriu dynamically.
  * seccomp: initialize libgcrypt.
  * handlers: fix rewriting the argv if the full cmdline doesn't
    fit.
  * utils: honor SELinux label when using a custom handler.
  * utils: honor AppArmor label when using a custom handler.
  * krun: copy the OCI configuration file into the container.
  * utils: fix creating the default user namespace when running
    with euid != 0.
  * Add setlinebuf() when --debug and --log=file: are used.
  * Fix timestamp format in the error messages.
  * krun: disable libkrun's collection of env vars.
- Changes from 1.7:
  * seccomp: use a cache for the generated BPF.
  * add support for setting the domainname through the OCI spec.
  * handlers: define wasm and krun.
  * wasmtime: add support for compiling .wat format.
  * cgroup: honor checkBeforeUpdate on cgroupv2.
  * crun: chown std streams before joining the user namespace.
  * crun: display rundir in --version output.
  * container: with cgroupfs use clone3 to join directly the target
    cgroup.
  * linux: create parent directories for created devices with mode
    0755.
  * wasm: inherit environment variables in the WasmEdge handler.
Dario Faggioli (dfaggioli) accepted request 1007882 from Dario Faggioli (dfaggioli) (revision 17)
- Update the libkrun dependency to the new libkrun1 library and
  devel package
buildservice-autocommit accepted request 1007084 from Dirk Mueller (dirkmueller) (revision 16)
baserev update by copy to link target
Dirk Mueller (dirkmueller) accepted request 1006927 from Dario Faggioli (dfaggioli) (revision 15)
- Update to 1.6
  * runc compatibility: -v now prints the version string.
  * build: fix build with glibc 2.36.
  * container: drop intermediate userns custom feature.
  * cgroup: change the delegate cgroup semantic so that the cgroup
    is created in the container payload after the cgroup namespace
    is created.
  * seccomp: use helper process to send file descriptor to the listener
    socket. It enables to be notified on every syscall without hanging
    the main process.
  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
    fails with ENOSYS.
  * krun: add support for krun-sev.
  * wasmtime: always grant file system capability for workdir inside
    the container.
  * wasmtime: inherit arguments list from the handler instead of the
    current process.
  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
- Update to 1.5
  * add mono based native .NET handler
  * new Wasmtime backend for running WebAssembly
  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
  * dropping support for experimental WasmEdgeProcess from wasmedge handler
  * honor process user's uid when setting the HOME environment variable
  * create the current working directory if it is missing in the container
  * fallback to using a tmpfs mount if umount of /sys and /proc fails
  * fallback to netlink to setup lo device
  * fix creating devices in the rootfs
  * fallback to using io.weight if io.bfq.weight doesn't exist
  * remove tun/tap from the default allow list
  * linux: devices mounts have noexec and nosuid
  * fix copyup of files from the container to the tmpfs
  * honor $PATH for newgidmap and newuidmap
  * krun: limit the number of vCPUs to 8
  * cgroup: add support for cpu.idle
buildservice-autocommit accepted request 976025 from Dario Faggioli (dfaggioli) (revision 14)
baserev update by copy to link target
Dario Faggioli (dfaggioli) accepted request 975835 from Frederic Crozat (fcrozat) (revision 13)
- Update to 1.4.5:
  + CRIU: add support for different manage cgroups modes.
  + linux: the hook processes inherit the crun process
    environment if there is no environment block specified in the
    OCI configuration.
  + exec: fix double free when using --apparmor and
    --process-label.
buildservice-autocommit accepted request 969579 from Dario Faggioli (dfaggioli) (revision 12)
baserev update by copy to link target
Dario Faggioli (dfaggioli) accepted request 969577 from Dario Faggioli (dfaggioli) (revision 11)
- It'd be nice to run the test suite with %check. It, however, still
  does not work properly inside OBS workers. Add it commented (and
  explain it in a comment)
- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
  see: https://github.com/containers/crun/releases
  * 1.4.4
    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
    Resolve symlinks in bind mounts when creating a user namespace.
    Fix CVE-2022-27650: exec does not set inheritable capabilities.
  * 1.4.3
    cgroup: avoid potential infinite loop when deleting a cgroup.
    support additional options for idmap mounts.
    open the source for a bind mount in the host.
  * 1.4.2
    CRIU: add pre-dump support.
    Fix running with a read-only /dev.
    Ignore EROFS when chowning standard stream files.
    Add validation for sysctls before applying them.
  * 1.4.1
    Fix check for an invalid path.
    Allow deleting a container while in created state.
    cgroup: do not set cpu limits if number of shares is set to 0.
  * 1.4
    wasm: support for running on kubernetes with containerd.
    linux: add support for recursive mount options.
    add support for idmapped mounts through a new mount option "idmap".
    linux: improve detection of /dev target.
    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
    retry the openat2 syscall if it fails with EAGAIN.
    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
    on new kernels, use setns with pidfd.
    attempt the chdir again with the specified user if it failed before changing credentials.
  * 1.3
    add support to natively build and run WebAssembly workload and WebAssembly containers.
    allow to specify sub-cgroup for exec.
    chown std streams if they are not a TTY.
    attach the correct streams if the container is suspended and restored multiple times.
    fix race condition when enabling controllers on cgroup v2.
  * 1.2
    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
    criu: add support for external ipc, uts and time namespaces.
  * 1.1
    cgroup: use cgroup.kill when available.
    exec: refuse to exec in a paused container/cgroup.
    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
    criu: Add support for external PID namespace.
    criu: fix save of external descriptors.
    utils: retry openat2 on EAGAIN.
  * 1.0
    cgroup: chown the current container cgroup to root in the container.
    linux: treat pidfd_open failures EINVAL as ESRCH.
    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
    Makefile.am: fix link error when using directly libcrun.
    Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies
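The 1.4.4 entry above cites CVE-2022-27650, where `crun exec` did not set the inheritable capability set as the OCI spec requested. A practitioner who wants to confirm the fix on a running container can compare the Cap* lines of the exec'd process's `/proc/<pid>/status` against the `process.capabilities` object of the container's `config.json`. The script below is an added example written for this page; it is not crun's code or part of the package changelog. The two status blocks and the spec dictionary are constructed sample data (assumed values, not captured from a real crun run).

```python
"""Audit a process's capability sets against an OCI process.capabilities block.

Added example (not from crun). Feed it the text of /proc/<pid>/status for the
exec'd process and the process.capabilities object from config.json; it reports
every capability the process holds that the spec did not grant in that set.
"""
import re

# Linux capability numbers in kernel bit order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# /proc/<pid>/status field name -> OCI process.capabilities key
STATUS_TO_OCI = {
    "CapInh": "inheritable", "CapPrm": "permitted", "CapEff": "effective",
    "CapBnd": "bounding", "CapAmb": "ambient",
}


def decode_mask(mask):
    """Turn a capability bitmask into the set of capability names."""
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table (newer kernels) are reported numerically.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status_caps(status_text):
    """Extract the five Cap* lines from /proc/<pid>/status text."""
    caps = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, status_text, re.M):
        caps[STATUS_TO_OCI[m.group(1)]] = decode_mask(int(m.group(2), 16))
    return caps


def excess_caps(status_text, spec_caps):
    """Return {set_name: sorted caps the process holds but the spec omits}."""
    actual = parse_status_caps(status_text)
    excess = {}
    for set_name, held in actual.items():
        wanted = set(spec_caps.get(set_name, []))
        extra = held - wanted
        if extra:
            excess[set_name] = sorted(extra)
    return excess


# Constructed sample: a spec that grants three caps and an empty inheritable set.
SPEC_CAPS = {
    "bounding": ["CAP_CHOWN", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
    "effective": ["CAP_CHOWN", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
    "permitted": ["CAP_CHOWN", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
    "inheritable": [],
    "ambient": [],
}

# Constructed /proc/<pid>/status excerpts. 0x421 = bits 0, 5, 10 = the three
# caps above. The "buggy" block mirrors the CVE pattern: CapInh was left equal
# to CapPrm instead of the empty set the spec asked for.
BUGGY_STATUS = (
    "Name:\tsh\nPid:\t4242\n"
    "CapInh:\t0000000000000421\nCapPrm:\t0000000000000421\n"
    "CapEff:\t0000000000000421\nCapBnd:\t0000000000000421\n"
    "CapAmb:\t0000000000000000\n"
)
FIXED_STATUS = BUGGY_STATUS.replace("CapInh:\t0000000000000421",
                                    "CapInh:\t0000000000000000")

if __name__ == "__main__":
    print("buggy exec:", excess_caps(BUGGY_STATUS, SPEC_CAPS))
    print("fixed exec:", excess_caps(FIXED_STATUS, SPEC_CAPS))
```

On a live system, replace the constructed blocks with the contents of `/proc/<pid>/status` for a process started by `crun exec` and pass the `process.capabilities` object from the bundle's `config.json`; an empty result means every set is within what the spec granted.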
Dario Faggioli (dfaggioli) accepted request 928761 from Dario Faggioli (dfaggioli) (revision 10)
- Add libprotobuf-c-devel as an explicit dependency, for fixing
  the build;
- Get rid of rpmlintrc, as it's no longer needed.
Dario Faggioli (dfaggioli) accepted request 914070 from Dario Faggioli (dfaggioli) (revision 9)
- make libkrun support conditional, so we can have crun (without
  libkrun, of course) on all arches, which may help with
  bsc#1188914.
Dario Faggioli (dfaggioli) committed (revision 8)
Dario Faggioli (dfaggioli) accepted request 911022 from Frederic Crozat (fcrozat) (revision 7)
- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
  it is a plugin, not a regular shared library.
Dario Faggioli (dfaggioli) accepted request 910491 from Frederic Crozat (fcrozat) (revision 6)
- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
Dario Faggioli (dfaggioli) accepted request 910479 from Paolo Stivanin (polslinux) (revision 5)
- Update to 0.21
  - honor memory swappiness set to 0
  - status: add fields for owner and created timestamp
  - cgroup: lookup pids controller as well when the memory controller
    is not available
  - when compiled with krun, automatically use it if the current
    executable file is called "krun".
  - container: ignore error when resetting the SELinux label for the
    keyring.
  - container: call prestart hooks before rootfs is RO.
  - cgroup: added support for cleaning custom controllers on cgroupv1.
  - spec: add support for --bundle.
  - exec: add --no-new-privs.
  - exec: add --process-label and --apparmor to change SELinux and
    AppArmor labels.
  - cgroup: kill procs in cgroup on EBUSY.
  - cgroup: ignore devices errors when running in a user namespace.
  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  - seccomp: report correct action in error message.
  - apply SELinux label to keyring.
  - add custom annotation run.oci.delegate-cgroup.
  - close_range fallbacks to close on EPERM.
  - report error if the cgroup path was set and the cgroup could not be
    joined.
  - on exec, honor additional_gids from the process spec, not the
    container definition.
  - spec: add cgroup ns if on cgroup v2.
  - systemd: support array of strings for cgroup annotation.
  - join all the cgroup v1 controllers.
  - raise a warning when newuidmap/newgidmap fail.
  - handle eBPF access(dev_name, F_OK) call correctly.
  - fix some memory leaks on errors when libcrun is used by a long
    running process.
  - fix the SELinux label for masked directories.
  - support default seccomp errno value.
  - fail if no default seccomp action specified.
  - support OCI seccomp notify listener.
  - improve OOM error messages.
  - ignore unknown capabilities and raise a warning.
  - always remount bind mounts to drop not requested mount flags.