crun | Linux Ecosystem Directory

Bot releases are hidden (Show)

crun - 1.8.5

Published by giuseppe over 1 year ago

scheduler: use definition from the OCI configuration file instead of the custom label that is now dropped and not supported anymore.
cgroup: fix creating cgroup under "domain threaded".
cgroup, systemd: set the memory limit on the system scope.
restore tty settings from the correct file descriptor. It was previously restoring the settings from the wrong file descriptor causing the tty settings to be changed on the calling terminal.
criu: check if the criu_join_ns_add function exists. Fix a segfault with new versions of CRIU.
linux: do not precreate devs with euid > 0. Fix creating devices when running the OCI runtime as non root user.
linux: improve PID detection on systems that lack pidfd. While there is still a window of time that the PID could be recycled, now it is now reduced to a minimum.
criu: fix memory leak.
logging: improve error message when dlopen fails.

crun - 1.8.4

Published by giuseppe over 1 year ago

fix build on CentOS 7.
drop custom annotation to set the time namespace and use the OCI specs instead.
cgroup: workaround cpu quota/period issue with v1. Sometimes setting CPU quota period fails when a new period is lower, and a parent cgroup has CPU quota limit set.
cgroup: fix set quota to -1 on cgroup v1.
criu: drop loading unused functions.

crun - 1.8.3

Published by giuseppe over 1 year ago

crun - 1.8.2

Published by giuseppe over 1 year ago

lua bindings for libcrun.
wasmedge: add current directory to preopen paths.
linux: inherit parent mount flags when making a path masked.
libcrun: custom annotation to set the scheduler for the container process.
cgroup: fallback to blkio.bfq files if blkio is not available on cgroup v1.
cgroup: initialize rt limits when using systemd.
tty: chown the tty to the exec user instead of the user specified to create the container.
cgroup: fallback to create cgroupfs as sibling of the current cgroup if there is none specified and it cannot be created in the root cgroup.

crun - 1.8.1

Published by giuseppe over 1 year ago

linux: idmapped mounts expect the same configuration as the user namespace mappings. Before they were expecting the inverted
mapping. It is a breaking change, but the behavior was aligned to what runc will do as well.
krun: always allow /dev/kvm in the cgroup configuration.
handlers: disable exec for handlers that do not support it.
selinux: allow setting fscontext using a custom annotation.
cgroup: reset systemd unit if start fails.
cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
cgroup: always delete the cgroup on errors. On some errors it could have been leaked before.

crun - 1.8

Published by giuseppe over 1 year ago

linux: precreate devices on the host.
cgroup: support cpuset mounted with noprefix.
linux: mount the source cgroup if cgroupns=host.
libcrun: don't clone self from read-only mount.
build: fix build without dlfcn.h.
linux: set PR_SET_DUMPABLE.
utils: fix applying AppArmor profile.
linux: write setgroups=deny when mapping a single uid/gid.
cgroup: fix enter cgroupv1 mount on RHEL 7.

crun - 1.7.2

Published by giuseppe almost 2 years ago

criu: hardcode library name to libcriu.so.2.
cgroup: always enable all controllers, even if the cgroup was already joined. Regression caused by crun-1.7.

crun - 1.7.1

Published by giuseppe almost 2 years ago

criu: load libcriu dynamically.
seccomp: initialize libgcrypt.
handlers: fix rewriting the argv if the full cmdline doesn't fit.
utils: honor SELinux label when using a custom handler.
utils: honor AppArmor label when using a custom handler.
krun: copy the OCI configuration file into the container.
utils: fix creating the default user namespace when running with euid != 0.
Add setlinebuf() when --debug and --log=file: are used.
Fix timestamp format in the error messages.
krun: disable libkrun's collection of env vars.

crun - 1.7

Published by giuseppe almost 2 years ago

seccomp: use a cache for the generated BPF.
add support for setting the domainname through the OCI spec.
handlers: define wasm and krun.
wasmtime: add support for compiling .wat format.
cgroup: honor checkBeforeUpdate on cgroupv2.
crun: chown std streams before joining the user namespace.
crun: display rundir in --version output.
container: with cgroupfs use clone3 to join directly the target cgroup.
linux: create parent directories for created devices with mode 0755.
wasm: inherit environment variables in the WasmEdge handler.

crun - 1.6

Published by giuseppe about 2 years ago

runc compatibility: -v now prints the version string.
build: fix build with glibc 2.36.
container: drop intermediate userns custom feature.
cgroup: change the delegate cgroup semantic so that the cgroup is created in the container payload after the cgroup namespace is created.
seccomp: use helper process to send file descriptor to the listener socket. It enables to be notified on every syscall without hanging the main process.
linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails with ENOSYS.
krun: add support for krun-sev.
wasmtime: always grant file system capability for workdir inside the container.
wasmtime: inherit arguments list from the handler instead of the current process.
wasmedge: use released wasmedge library instead of libwasmedge_c.so.

crun - 1.5

Published by giuseppe over 2 years ago

add mono based native .NET handler
new Wasmtime backend for running WebAssembly
add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
dropping support for experimental WasmEdgeProcess from wasmedge handler
honor process user's uid when setting the HOME environment variable
create the current working directory if it is missing in the container
fallback to using a tmpfs mount if umount of /sys and /proc fails
fallback to netlink to setup lo device
fix creating devices in the rootfs
fallback to using io.weight if io.bfq.weight doesn't exist
remove tun/tap from the default allow list
linux: devices mounts have noexec and nosuid
fix copyup of files from the container to the tmpfs
honor $PATH for newgidmap and newguidmap
krun: limit the number of vCPUs to 8
cgroup: add support for cpu.idle

crun - 1.4.5

Published by giuseppe over 2 years ago

CRIU: add support for different manage cgroups modes.
linux: the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration.
exec: fix double free when using --apparmor and --process-label.

crun - 1.4.4

Published by giuseppe over 2 years ago

wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
Resolve symlinks in bind mounts when creating a user namespace.
Fix CVE-2022-27650: exec does not set inheritable capabilities.

crun - 1.4.3

Published by giuseppe over 2 years ago

cgroup: avoid infinite loop when deleting a cgroup if it contains processes that cannot be terminated.
support additional options for idmap mounts. It is now possible to specify what mappings must be used for the idmapped mount.
open the source for a bind mount in the host. It is useful when creating a user namespace so that the parent directories for the source directory are not required to be accessible to the users in the user namespace.

crun - 1.4.2

Published by giuseppe over 2 years ago

CRIU: add pre-dump support.
Fix running with a read-only /dev. The /dev/console file is created before re-mounting /dev as read-only.
Ignore EROFS when chowning standard stream files.
Add validation for sysctls before applying them.
Attempt looking up the executable after the setresuid syscall, this solves an issue on NFS when the executable file is not owned by root in the container, but the UID:GID combination configured for the container can access it.

crun - 1.4.1

Published by giuseppe almost 3 years ago

Fix check for an invalid path. crun was performing the wrong check to validate a path, causing spurious failures at runtime.
Allow deleting a container while in created state. It goes against what the OCI runtime specs dictate, but it is the expected
behavior since runc allows it.
Fix regression when joining a container that has explicit paths for the namespaces.
cgroup: do not set cpu limits if number of shares is set to 0. Moby uses 0 to indicate no limits.
Fix build issues when configured with --enable-shared.
Fix build on systems where OPEN_TREE_CLOEXEC is not defined.
Improve diagnostics for errors returned by dbus.

crun - 1.4

Published by giuseppe almost 3 years ago

wasm: support for running on kubernetes with containerd.
linux: add support for recursive mount options. e.g. it is possible to specify "rro" to make the mount read-only recursively.
add support for idmapped mounts through a new mount option "idmap".
linux: improve detection of /dev target. Previously a mount like /dev/ was not properly detected as mounting /dev/ from the host.
now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
retry the openat2 syscall if it fails with EAGAIN.
cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
on new kernels, use setns with pidfd.
attempt the chdir again with the specified user if it failed before changing credentials.
ebpf: fix build on 32 bits systems.
crun --version shows the configured handlers.

crun - 1.3

Published by giuseppe almost 3 years ago

add support to natively build and run WebAssembly workload and WebAssembly containers.
allow to specify sub-cgroup for exec.
chown std streams if they are not a TTY.
attach the correct streams if the container is suspended and restored multiple times.
fix race condition when enabling controllers on cgroup v2.
the fallback code to mount cgroupfs bind mounts the current cgroup path instead of the host /sys.

crun - 1.2

Published by giuseppe about 3 years ago

exec: fix regression in 1.1 where containers are being wrongly reported as paused.
criu: add support for external ipc, uts and time namespaces.

crun - 1.1

Published by giuseppe about 3 years ago

cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.
exec: refuse to exec in a paused container/cgroup.
container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
criu: Add support for external PID namespace.
criu: fix save of external descriptors. Now restored containers attach correctly their standard streams.
utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.