crun

A fast and lightweight fully featured OCI runtime and C library for running containers

GPL-2.0 License

Downloads: 647 | Stars: 3K | Committers: 109


crun - 1.0

Published by giuseppe about 3 years ago

  • cgroup: chown the current container cgroup to root in the container.
  • linux: treat pidfd_open EINVAL failures as ESRCH.
  • cgroup: add support for setting memory.use_hierarchy on cgroup v1.
  • Makefile.am: fix link error when linking directly against libcrun.
  • Fix symlink target mangling for tmpcopyup targets.
crun - 0.21

Published by giuseppe about 3 years ago

  • honor memory swappiness set to 0
  • status: add fields for owner and created timestamp
  • cgroup: lookup pids controller as well when the memory controller is not available
  • when compiled with krun, automatically use it if the current executable file is called "krun"
crun - 0.20.1

Published by giuseppe over 3 years ago

  • container: ignore error when resetting the SELinux label for the keyring.
crun - 0.20

Published by giuseppe over 3 years ago

  • container: call prestart hooks before rootfs is RO.
  • cgroup: add support for cleaning custom controllers on cgroup v1.
  • spec: add support for --bundle.
  • exec: add --no-new-privs.
  • exec: add --process-label and --apparmor to change SELinux and AppArmor labels.
  • cgroup: kill procs in cgroup on EBUSY.
  • cgroup: ignore devices errors when running in a user namespace.
  • seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  • seccomp: report correct action in error message.
  • apply SELinux label to keyring.
  • add custom annotation run.oci.delegate-cgroup.
  • close_range falls back to close on EPERM.
  • report error if the cgroup path was set and the cgroup could not be joined.
crun - 0.19.1

Published by giuseppe over 3 years ago

  • on exec, honor additional_gids from the process spec, not the container definition.
  • spec: add cgroup ns if on cgroup v2.
  • systemd: support array of strings for cgroup annotation.
crun - 0.19

Published by giuseppe over 3 years ago

  • join all the cgroup v1 controllers.
  • raise a warning when newuidmap/newgidmap fail.
  • handle eBPF access(dev_name, F_OK) call correctly.
  • fix some memory leaks on errors when libcrun is used by a long running process.
  • fix the SELinux label for masked directories.
  • support default seccomp errno value.
  • fail if no default seccomp action specified.
  • support OCI seccomp notify listener.
  • improve OOM error messages.
  • ignore unknown capabilities and raise a warning.
  • always remount bind mounts to drop not requested mount flags.
crun - 0.18

Published by giuseppe over 3 years ago

  • fix build without CLONE_NEWCGROUP.
  • fix conversion from blkio to io.
  • add custom annotation to load raw BPF.
  • set working directory for libkrun
  • fix symlink lookup on old kernels that lack openat2
  • skip +cpu on EINVAL in cgroup root. Enabling the cpu controller is not permitted if there are already realtime processes running on the system.
  • Fix permission error when using NOTIFY_SOCKET with user namespaces.
  • set HOME to root if the user is not found.
  • simplify mount logic to not use a temporary mount.
  • ignore ENOSYS from keyctl.
crun - 0.17

Published by giuseppe over 3 years ago

  • allow creating user namespaces without root being mapped.
  • allow arbitrary IDs with single ID userns.
  • use close_range(CLOSE_RANGE_CLOEXEC) where available.
  • honor /sys/kernel/cgroup/delegate.
  • fix an issue with hooks running in the container PID namespace.
  • fix building without seccomp.
  • fix building without libcap.
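The close_range(CLOSE_RANGE_CLOEXEC) use noted above and the close_range EPERM fallback listed under 0.20 follow one pattern: try the bulk syscall, fall back to a per-descriptor loop when the kernel lacks it or refuses it. The following is an added illustration of that pattern, not crun's own code; it marks descriptors close-on-exec (rather than closing them) and assumes /proc is mounted for the fallback path.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
/* From linux/close_range.h; defined here so older headers still build. */
#ifndef CLOSE_RANGE_CLOEXEC
#define CLOSE_RANGE_CLOEXEC (1U << 2)
#endif
/* Mark every descriptor >= first close-on-exec so none leaks into the
 * container process.  close_range(2) is tried first; if it is missing (ENOSYS),
 * rejects the flag (EINVAL) or is not permitted (EPERM), each open descriptor
 * listed in /proc/self/fd gets FD_CLOEXEC individually.  Returns 0 or -1. */
static int mark_fds_cloexec(int first)
{
#ifdef SYS_close_range
    if (syscall(SYS_close_range, (unsigned) first, ~0U, CLOSE_RANGE_CLOEXEC) == 0)
        return 0;
    if (errno != ENOSYS && errno != EINVAL && errno != EPERM)
        return -1;
#endif
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL) return -1;
    int ret = 0, dfd = dirfd(d);
    struct dirent *e;
    while (ret == 0 && (e = readdir(d)) != NULL) {
        int fd = atoi(e->d_name);           /* "." and ".." parse as 0 */
        if (e->d_name[0] == '.' || fd < first || fd == dfd)
            continue;                       /* also skip the listing's own fd */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0)
            ret = -1;
    }
    closedir(d);
    return ret;
}
static int fd_is_cloexec(int fd) { int f = fcntl(fd, F_GETFD); return f >= 0 && (f & FD_CLOEXEC) != 0; }
/* Self-check: an inheritable pipe is close-on-exec once marked; 1 = ok. */
static int demo_mark_fds_cloexec(void)
{
    int p[2], ok;
    if (pipe(p) < 0) return 0;
    ok = !fd_is_cloexec(p[0]) && !fd_is_cloexec(p[1]);
    ok = ok && mark_fds_cloexec(3) == 0 && fd_is_cloexec(p[0]) && fd_is_cloexec(p[1]);
    close(p[0]); close(p[1]);
    return ok;
}
```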
crun - 0.16

Published by giuseppe almost 4 years ago

  • CRIU support.
  • fall back to openat if openat2 returns EPERM.
  • ignore ENOENT for cgroup v1 mounts: if the mount fails with ENOENT, the controller might have been unmounted.
  • fix another race reading cgroup freeze. Reading from the cgroup fails with ENODEV if the cgroup was deleted in the meantime.
crun - 0.15.1

Published by giuseppe almost 4 years ago

  • add experimental support for libkrun.
  • fix check for pidfd availability on older kernels.
  • linux: do not set data when remounting read-only. Fix 'ro' mounts on older kernels when SELinux is enabled.
  • linux: label the cgroup v1 tmpfs when SELinux is enabled.
  • container: truncate the pid file before writing to it.
  • exec: fix check for read bytes from the sync socket.
  • check the process has a cgroup before allowing pause and resume.
  • linux: always create a user namespace if not running with euid == 0.
  • libcrun can use a hook instead of executing a container process.
  • use libyajl to generate hooks json input.
  • handle ENOENT correctly for seccomp notifications.
crun - 0.15

Published by giuseppe about 4 years ago

  • add support for OCI unified cgroup v2.
  • add json format option to crun list.
  • get last kernel capability dynamically instead of using a build time constant.
  • enable all available cgroup controllers.
  • support the seccomp SCMP_ACT_LOG action.
  • support the seccomp SCMP_ACT_KILL_THREAD action.
  • properly set a SELinux label for the mqueue mount.
  • crun kill uses pidfd when supported.
  • experimental support for seccomp notifications.
  • fix bundle option for crun create and crun run.
  • allow declaring the path to the config file.
  • check /sys/kernel/security/apparmor when using AppArmor.
  • type=bind alone is no longer accepted; either "bind" or "rbind" must be present in the mount flags.
crun - 0.14.1

Published by giuseppe over 4 years ago

  • fix a regression in crun-0.14 where openat2(2) would fail when bind mounting a symlink.
  • various small fixes to allow running regression tests outside of source tree.
crun - 0.14

Published by giuseppe over 4 years ago

  • cgroup, systemd: create container under subcgroup. Now a "/container" sub-cgroup is created and fully managed by libcrun. This is a different behaviour than what runc does.
  • libcrun: use the openat2 syscall available since Linux 5.6.
  • container: allow hooks output to file through an annotation.
  • linux: support joining PID/IPC namespace not owned by the user namespace. Requires Linux 5.3.
  • linux: avoid double fork for creating the init process if not needed.
  • linux: fix an issue where the basename for $NOTIFY_SOCKET is different than /notify.
  • rootless: allow /dev/{tty,ptmx} to be present in linux.devices.
  • cgroup: fix an issue on CentOS 7.8 when using net_cls and net_prio.
  • seccomp: honor errnoRet from OCI spec runtime.
  • exec: set setresuid/setresgid before setting up the terminal.
  • cgroup, v2: fix crun update with both --memory -1 --memory-swap -1.
  • cgroup, v2: fix setting unlimited swap.
  • cgroup, v2: allow setting unlimited swap on its own.
  • cgroup, v2: treat negative numbers as "max".
  • cgroup, v2: raise error if swap is set without memory limit.
  • cgroup: ignore cpu resources if set to 0.
  • libcrun: audit errno in crun_make_error calls.
  • libcrun: fix read_pid_stat usage.
  • linux: fix double close on the same file descriptor.
  • container: prevent deletion of a container that has not stopped.
  • status: use process start time for identification.
  • CRIU: several improvements.
  • linux: fix path lookups for relative paths containing '/'.
  • linux: use the SELinux mount label for the notify socket.
  • status: delete doesn't fail if the process already exited.
crun - 0.13

Published by giuseppe over 4 years ago

  • license: change license to gplv2+ and lgpl2.1+.
  • criu: initial support for container restore.
  • state: If a container is paused, report its state as 'paused'.
  • cgroup: use the memory controller to read PIDs. The pids controller is not available on kernels older than 4.3.
  • linux: drop context= for remount. Older Linux versions complain when the SELinux label is specified on a remount.
  • utils: fix mount on not writeable path.
  • cgroup: support systemd properties via annotations.
  • systemd: do not hard-code the collectmode value. It can be set through an annotation.
  • cgroup: write the correct blkio settings.
  • exec: do not inherit env variables from main pid.
  • ebpf: fix endianness issue on s390x.
  • linux: fix recursive mount on cgroup v1.
crun - 0.12.2.1

Published by giuseppe over 4 years ago

  • when not using a cgroup namespace, mount only the cgroup v1 subpath.
crun - 0.12.2

Published by giuseppe over 4 years ago

  • do not require read permissions on /
  • add support for the "time" namespace via a custom annotation
  • fix mount of cgroup v1 when using a cgroup namespace
  • set default umask to 0022
  • use the correct path for notify socket with "crun run -d"
  • always use setsid
  • use correct indices for seccomp generation
  • fixed several issues with cgroup v2 and the cgroupfs driver
crun - 0.12.1

Published by giuseppe over 4 years ago

  • fix the order of clone syscall arguments on s390 and cris.
  • if no mode is specified use 0666 for devices.
  • fix running with a relative bundle directory.
  • fix some regressions in the mounts path resolution.
  • drop a warning when cgroups are not available for rootless.
crun - 0.12

Published by giuseppe over 4 years ago

  • masked paths use only MS_UNBINDABLE
  • mount doesn't specify mount data when there are no options
  • support new hook types: createRuntime, createContainer and startContainer
  • safer mount options. A temporary mount is prepared outside of the rootfs before being moved into it.
  • apply SELinux/AppArmor before the pivot_root.
  • handle proc remounts correctly. Specifying hidepid= is now supported.
  • fix exec if a namespace is not available.
  • handle swap limit with the same semantic as on cgroup v1.
  • bring network device up.
  • reset all signal handlers to default.
crun - 0.11

Published by giuseppe almost 5 years ago

  • cgroups2: map memory reservation to memory.low
  • statx falls back to stat on EINVAL
  • utils: do not fail if the path we are trying to create already exists
  • generate seccomp profile in the parent process, not in the container init process. Memory usage is more reliable now and a container can run with ~250K of max memory.
  • support for Linux personality.
  • support for umask.
  • support for the hugetlb controller on cgroup v2.
  • PIDs from a cgroup are read recursively.
  • do not fork on "create".
  • now by default seccomp doesn't fail on an unknown syscall. The previous behavior can be enabled with an annotation.
  • fix joining cgroup on cgroup v2 when a named hierarchy is also present.
  • fix creating user namespaces with more than 2^32 IDs mapped.
  • on exec, keep the SELinux label or AppArmor profile from the container configuration.
  • runtime-specific annotations are prefixed with run.oci.
crun - 0.10.6

Published by giuseppe almost 5 years ago

  • when running with a terminal, change the ownership for the terminal to the specified user
  • spec: honor the --rootless flag
  • linux: make sure the source path is resolved when checking the file type. Regression introduced with 0.10.5

Package Rankings
Top 26.17% on Conda-forge.org
Top 4.41% on Alpine-v3.17
Top 3.2% on Alpine-v3.15
Top 6.93% on Alpine-v3.13
Top 2.77% on Alpine-v3.18
Top 4.5% on Alpine-v3.16
Top 6.84% on Alpine-edge
Top 7.48% on Alpine-v3.14
Top 7.19% on Alpine-v3.12
Top 36.85% on Formulae.brew.sh