crun

A fast and lightweight fully featured OCI runtime and C library for running containers

GPL-2.0 License

Downloads
647
Stars
3K
Committers
109


crun - 1.17 Latest Release

Published by giuseppe about 1 month ago

  • Add --log-level option. It accepts error, warning and debug.
  • Add debug logs for container creation.
  • Fix double-free in crun exec code that could lead to a crash.
  • Allow passing an ID to the journald log driver.
  • Report "executable not found" errors after tty has been setup.
  • Do not treat EPIPE from hooks as an error.
  • Make sure DefaultDependencies is correctly set in the systemd scope.
  • Improve the error message when the container process is not found.
  • Improve error handling for the mnt namespace restoration.
  • Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
  • Fix handling of device paths with trailing slashes.

crun - 1.16.1

Published by giuseppe 2 months ago

  • fix a regression introduced by 1.16 when 'rshared' rootfs mount propagation is used and the rootfs itself is a mountpoint.
  • inherit user from original process on exec, if not overridden.

crun - 1.16

Published by giuseppe 2 months ago

  • build: fix build for s390x.
  • linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.
  • Fix sd-bus error handling for cpu quota and period props update.
  • container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.
  • wasmedge: access container environment variables for the WasmEdge configuration.
  • cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name.
  • cgroup, systemd: improve checks for sd_bus_message_append errors.

crun - 1.15

Published by giuseppe 6 months ago

What's Changed

  • fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
  • linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
  • release: build s390x binaries using musl libc.
  • features: add support for potentiallyUnsafeConfigAnnotations.
  • handlers: add option to load wasi-nn plugin for wasmedge.
  • linux: fix "harden chdir()" security measure. The previous check was not correct.
  • crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.

Full Changelog: https://github.com/containers/crun/compare/1.14.4...1.15


crun - 1.14.4

Published by giuseppe 8 months ago

  • linux: fix mount of file with recursive flags. Do not assume it is a directory, but check the source type.
  • new build for s390x

crun - 1.14.3

Published by giuseppe 8 months ago

  • follow up for 1.14.2. Drop the version check for each command.

crun - 1.14.2

Published by giuseppe 8 months ago

  • drop check for OCI version. A recent bump in the OCI runtime specs caused crun to fail with every config file. Just drop the check since it doesn't add any value.

crun - 1.14.1

Published by giuseppe 9 months ago

  • there was recently a security vulnerability (CVE-2024-21626) in runc that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is outside the container rootfs. While crun is not affected directly, harden chdir by validating that we are still inside the container rootfs.
  • container: attempt to close all the files before execv(2). If any fd leaks, the exec'd process could gain access to files outside the container rootfs through /proc/self/fd/$fd.
  • fix a regression caused by 1.14 when installing the ebpf filter on a
    kernel older than 5.11.
  • cgroup, systemd: fix segfault if the resources block is not specified.
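
The two hardening measures in this release (verify the working directory is still inside the rootfs after chdir, and make sure no inherited descriptor survives the exec) can be illustrated with the small Linux program below. It is an added example written for this page, not crun's own implementation: the function names, the sample rootfs paths and the choice to flag descriptors with FD_CLOEXEC (so the kernel closes them at execve(2), the same effect the 1.13 note achieves with O_CLOEXEC at open time) instead of closing them eagerly are all assumptions. The cwd check reads /proc/self/cwd, which shows the directory the kernel actually holds as cwd regardless of the path used to reach it; a cwd outside the process root shows up with an "(unreachable)" prefix and therefore fails the check as well.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `path` is `root` itself or lies below it, else 0.
 * Both must already be canonical absolute paths (no "..", no symlinks).
 * A plain prefix compare is not enough: "/ctr/rootfs2" must not count as
 * inside "/ctr/rootfs", so the byte after the prefix has to be '/' or NUL. */
static int path_within_root(const char *root, const char *path)
{
    size_t rl = strlen(root);

    if (path[0] != '/')            /* relative or "(unreachable)..." */
        return 0;
    while (rl > 1 && root[rl - 1] == '/')   /* drop trailing slashes */
        rl--;
    if (rl == 1 && root[0] == '/')          /* "/" contains everything */
        return 1;
    if (strncmp(root, path, rl) != 0)
        return 0;
    return path[rl] == '\0' || path[rl] == '/';
}

/* Resolve `rootfs` and compare it with the kernel's view of our cwd.
 * Returns 1 when the cwd is inside the rootfs, 0 when outside, -1 on error. */
static int cwd_within_rootfs(const char *rootfs)
{
    char root_real[PATH_MAX], cwd[PATH_MAX];
    ssize_t n;

    if (realpath(rootfs, root_real) == NULL)
        return -1;
    n = readlink("/proc/self/cwd", cwd, sizeof(cwd) - 1);
    if (n < 0)
        return -1;
    cwd[n] = '\0';
    return path_within_root(root_real, cwd);
}

/* Flag every descriptor >= lowfd with FD_CLOEXEC so execve(2) closes it and
 * the new program cannot reach host files through /proc/self/fd/N.
 * Walks /proc/self/fd, skipping the directory stream's own descriptor.
 * Returns the number of descriptors now carrying the flag, or -1. */
static int mark_cloexec_from(int lowfd)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int self_fd, count = 0;

    if (d == NULL)
        return -1;
    self_fd = dirfd(d);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        int flags;

        /* "." and ".." are non-numeric and skipped here */
        if (*end != '\0' || fd < lowfd || fd == self_fd)
            continue;
        flags = fcntl((int)fd, F_GETFD);
        if (flags < 0)
            continue;           /* raced with a close; nothing to do */
        if (!(flags & FD_CLOEXEC) && fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) < 0)
            continue;
        count++;
    }
    closedir(d);
    return count;
}

/* Self-check: open a pipe without O_CLOEXEC, run the sweep, and report
 * whether both ends picked up the flag (1) or not (0). */
static int demo_pipe_cloexec(void)
{
    int p[2], ok;

    if (pipe(p) < 0)
        return 0;
    ok = mark_cloexec_from(3) >= 2
         && (fcntl(p[0], F_GETFD) & FD_CLOEXEC)
         && (fcntl(p[1], F_GETFD) & FD_CLOEXEC);
    close(p[0]);
    close(p[1]);
    return ok ? 1 : 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real container. */
    printf("inside : %d\n", path_within_root("/var/lib/ctr/rootfs", "/var/lib/ctr/rootfs/tmp"));
    printf("sibling: %d\n", path_within_root("/var/lib/ctr/rootfs", "/var/lib/ctr/rootfs2/tmp"));
    printf("cwd in /: %d, pipe cloexec: %d\n", cwd_within_rootfs("/"), demo_pipe_cloexec());
    return 0;
}
```

A runtime would call the cwd check right after the chdir into the container's working directory and abort the start if it returns anything but 1, and run the descriptor sweep (or close the descriptors outright) immediately before the final execve(2), after every file the runtime itself still needs has been used.
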

crun - 1.14

Published by giuseppe 9 months ago

  • build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
  • cpuset: don't clobber parent cgroup value when writing the cpuset value.
  • linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration.
  • ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.

crun - 1.13

Published by giuseppe 9 months ago

  • src: use O_CLOEXEC for all open/openat calls
  • cgroup v1: use "max" when pids limit < 0.
  • improve error message when idmap mount fails because the underlying file system has no support for it.
  • libcrun: fix compilation when building without libseccomp and libcap.
  • fix relative idmapped mount when using the custom annotation.

crun - 1.12

Published by giuseppe 11 months ago

  • add new WebAssembly handler: spin.
  • systemd: fallback to system bus if session bus is not available.
  • configure the cpu rt and cpuset controllers before joining them to avoid temporarily running the workload on the wrong CPUs.
  • preconfigure the cpuset with required resources instead of using the parent's set. This prevents needless churn in the kernel as it tracks which CPUs have load balancing disabled.
  • try attr//* before the attr/* files. Writes to the attr/* files may fail if apparmor is not the first "major" LSM in the list of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).

crun - 1.11.2

Published by giuseppe 12 months ago

  • fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1.
  • fix error code check for the ptsname_r function.

crun - 1.11.1

Published by giuseppe 12 months ago

  • force a remount operation with bind mounts from the host to correctly set all the mount flags.

crun - 1.11

Published by giuseppe 12 months ago

  • cgroup: honor cpu burst.
  • systemd: set CPUQuota and CPUPeriod on the scope cgroup.
  • linux: append tmpfs mode if missing for mounts. This is the same behavior as runc.
  • cgroup: always use the user session for rootless.

crun - 1.10

Published by giuseppe about 1 year ago

  • support for Intel Resource Director Technology (RDT).
  • new mount option "copy-symlink". When provided for a mount, if the source is a symlink, then it is copied in the container instead of attempting a mount.
  • linux: open mounts before setgroups if in a userns. This solves a problem where a directory that was previously accessible to the user becomes inaccessible after setgroups, causing the bind mount to fail.

crun - 1.9.2

Published by giuseppe about 1 year ago

  • cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels do that automatically, but new kernels remember the affinity that was set before the cgroup move, so we need to reset it in order to honor the cpuset configuration.

crun - 1.9.1

Published by giuseppe about 1 year ago

  • utils: ignore ENOTSUP when calling chmod on a symlink. It fixes a problem on Linux 6.6, which always refuses chmod on a symlink.
  • build: fix build on CentOS 7
  • linux: add new fallback when mount fails with EBUSY, so that there is not an additional tmpfs mount if not needed.
  • utils: improve error message when a directory cannot be created because a component of the path already exists as a non-directory.

crun - 1.9

Published by giuseppe about 1 year ago

  • linux: support arbitrary idmapped mounts. Now it is possible to specify a mapping for any type of mount, not only bind mounts.
  • linux: add support for "ridmap" mount option to support recursive idmapped mounts.
  • crun delete: call systemd's reset-failed. In case systemd cgroup driver is used, and the systemd unit has failed (e.g. oom-killed), systemd won't remove the unit (that is, unless the "CollectMode: inactive-or-failed" property is set).
  • linux: fix check for oom_score_adj. Write the oom_score_adj file even when the new value is 0.
  • features: Support mountExtensions.
  • linux: correctly handle unknown signal string when it doesn't start with a digit.
  • linux: do not attempt to join again already joined namespace.
  • wasmer: use latest wasix API.

crun - 1.8.7

Published by giuseppe about 1 year ago

  • linux: fix a race condition when an exec was performed immediately after the start and the setns with the procfd failed.
  • features: Fix annotations formatting.
  • linux: do not write some errors twice.
  • libcrun: handle SIGWINCH by resizing the terminal file descriptor.

crun - 1.8.6

Published by giuseppe about 1 year ago

  • crun: new command "crun features".
  • linux: fix handling of idmapped mounts when the container joins an existing PID namespace.
  • linux: support io_priority from the OCI specs.
  • linux: correctly handle the case where the status file is not written yet for a container.
  • crun: fix segfault for "ps" when the container is not using cgroups.
  • cgroup: allow setting swap to 0.

Package Rankings
Top 26.17% on Conda-forge.org
Top 4.41% on Alpine-v3.17
Top 3.2% on Alpine-v3.15
Top 6.93% on Alpine-v3.13
Top 2.77% on Alpine-v3.18
Top 4.5% on Alpine-v3.16
Top 6.84% on Alpine-edge
Top 7.48% on Alpine-v3.14
Top 7.19% on Alpine-v3.12
Top 36.85% on Formulae.brew.sh