crun

A fast and lightweight fully featured OCI runtime and C library for running containers

GPL-2.0 License

Downloads
647
Stars
3K
Committers
109


crun - 0.10.5

Published by giuseppe almost 5 years ago

  • fix CVE-2019-18837
  • fix running on CentOS/RHEL 8
  • report errors opening the console socket
  • do not leave config.json around if the container could not be created

crun - 0.10.4

Published by giuseppe almost 5 years ago

  • ignore errors creating /dev/console
  • add an annotation "io.crun.keep_original_groups", if it is set then crun won't drop additional groups when creating the container

crun - 0.10.3

Published by giuseppe almost 5 years ago

  • systemd: set collectmode=inactive-or-failed
  • fix build on Alpine
  • use the current working directory to lookup local paths
  • improve the error message when a hook fails
  • add granular enable/disable configure options

crun - 0.10.2

Published by giuseppe about 5 years ago

  • fix a regression in 0.10.1 where cgroups v1 could not be created
  • correctly chown cgroups when using a user namespace so that systemd can run in a container that uses a user namespace

crun - 0.10.1

Published by giuseppe about 5 years ago

  • linux: Keep MS_RDONLY when remounting bind mount of a read-only source. It solves an issue on Fedora Silverblue where /usr is mounted read only.
  • fix exec of rootless containers when cgroups are not available

crun - 0.10

Published by giuseppe about 5 years ago

  • support for AppArmor
  • fix for CVE-2019-16884, make sure writes to /proc for the SELinux and AppArmor labels are on procfs
  • exec supports --preserve-fds
  • seccomp: fix lookup for pseudo syscalls, seccomp now works fine on non native archs
  • cgroup: ignore rootless errors if manager != systemd
  • error: always write errors to stderr
  • chroot: follow symlinks for the last component
  • set $HOME if it is not already defined

crun - 0.9.1

Published by giuseppe about 5 years ago

  • fix an issue with tmpcopyup that didn't work correctly with symlinks
  • create a new cgroup namespace before mounting the cgroup file system, so that it uses the correct namespace

crun - 0.9

Published by giuseppe about 5 years ago

  • fix exec into containers running systemd on cgroups v2
  • kill: honor --all
  • kill: when not using a PID namespace, use the freezer controller to prevent the container forking new processes
  • linux: handle tmpcopyup option to copy files from the rootfs to the new mounted tmpfs.
  • OCI: honor seccomp options. If no seccomp option is specified, crun now defaults to using SECCOMP_FILTER_FLAG_SPEC_ALLOW|SECCOMP_FILTER_FLAG_LOG when using the seccomp(2) syscall.

crun - 0.8

Published by giuseppe about 5 years ago

  • executable lookup. Now create fails immediately if the specified executable doesn't exist
  • subreaper enabled only when crun is attached
  • fix notify socket when used from create and prevent it hanging indefinitely when the container exits
  • correctly write cpu controller resources when using cgroups v2
  • support for the freezer controller when using cgroups v2
  • honor unspecified minor/major number for devices when using cgroups v2
  • reintroduce --no-pivot
  • do not add a cgroup path again if it was already specified in the OCI configuration

crun - 0.7

Published by giuseppe over 5 years ago

  • support devices on cgroups v2 using eBPF.
  • new option --cgroup-manager=MANAGER. Accepted values are cgroupfs, systemd and disabled.
  • can run without using cgroups also as root.
  • NOTIFY_SOCKET works also for containers created via create/start.
  • when using systemd, create the same name for the scope as runc does.

crun - 0.6

Published by giuseppe over 5 years ago

  • tty: set the size on the exec tty
  • cgroup: enable only the controllers needed
  • cgroup: in unified mode report the errors also for rootless
  • cgroup2: add support for the cpuset controller
  • linux: ignore tmpcopyup

crun - 0.5

Published by giuseppe over 5 years ago

  • logging: support --log=syslog: and log=journald:
  • seccomp: if the syscall is not known, ignore it
  • container: move set oom before entering userns
  • status: always honor XDG_RUNTIME_DIR
  • linux: resolve symlinks in the target for bind mounts
  • fix all issues found by Coverity
  • pass Kubernetes e2e tests on Fedora with CRI-O.

crun - v0.4

Published by giuseppe over 5 years ago

differences from v0.3:

  • partial support for cgroup v2 (cpu, io, memory, pids controllers)

  • pass all the OCI validation tests (https://github.com/opencontainers/runtime-tools)

  • implement --log-format. crun now works with containerd

  • fixed some issues that prevented crun from working on older kernels
