Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

crun-1.15-slfo.1.1.12 RPM for x86_64

From OpenSuSE Leap 16.0 for x86_64

Name: crun Distribution: SUSE Linux Framework One
Version: 1.15 Vendor: SUSE LLC <https://www.suse.com/>
Release: slfo.1.1.12 Build date: Thu May 30 14:30:26 2024
Group: Unspecified Build host: reproducible
Size: 908344 Source RPM: crun-1.15-slfo.1.1.12.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/containers/crun
Summary: OCI runtime written in C
crun is a runtime for running OCI containers. It is built with libkrun support

Provides

Requires

License

GPL-2.0-or-later

Changelog

* Thu May 30 2024 [email protected]
  - New upstream release 1.15
    * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
    * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
    * release: build s390x binaries using musl libc.
    * features: add support for potentiallyUnsafeConfigAnnotations.
    * handlers: add option to load wasi-nn plugin for wasmedge.
    * linux: fix "harden chdir()" security measure. The previous check was not correct.
    * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.
* Wed Mar 06 2024 [email protected]
  - New upstream release 1.14.4
    * crun-1.14.4
  - linux: fix mount of file with recursive flags.  Do not assume it is
    a directory, but check the source type.
    * crun-1.14.3
  - follow up for 1.14.2.  Drop the version check for each command.
    * crun-1.14.2
  - crun: drop check for OCI version.  A recent bump in the OCI runtime
    specs caused crun to fail with every config file.  Just drop the
    check since it doesn't add any value.
    * crun-1.14.1
  - there was recently a security vulnerability (CVE-2024-21626) in runc
    that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
    outside the container rootfs.  While crun is not affected directly,
    harden chdir by validating that we are still inside the container
    rootfs.
  - container: attempt to close all the files before execv(2).
    if we leak any fd, it prevents execv to gain access to files outside
    the container rootfs through /proc/self/fd/$fd.
  - fix a regression caused by 1.14 when installing the ebpf filter on a
    kernel older than 5.11.
  - cgroup, systemd: fix segfault if the resources block is not specified.
* Sat Jan 27 2024 [email protected]
  - update to 1.14:
    * build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
    * cpuset: don't clobber parent cgroup value when writing the cpuset value.
    * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
      allowing file permissions to be set as specified in the OCI configuration.
    * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
  - update to 1.13:
    * src: use O_CLOEXEC for all open/openat calls
    * cgroup v1: use "max" when pids limit < 0.
    * improve error message when idmap mount fails because the underlying file system has no support for it.
    * libcrun: fix compilation when building without libseccomp and libcap.
    * fix relative idmapped mount when using the custom annotation.
* Fri Dec 01 2023 [email protected]
  - New upstream release 1.12:
    * add new WebAssembly handler: spin.
    * systemd: fallback to system bus if session bus is not available.
    * configure the cpu rt and cpuset controllers before joining them to
      avoid running temporarily the workload on the wrong cpus.
    * preconfigure the cpuset with required resources instead of using the
      parent's set.  This prevents needless churn in the kernel as it
      tracks which CPUs have load balancing disabled.
    * try attr/<lsm>/* before the attr/* files.  Writes to the attr/*
      files may fail if apparmor is not the first "major" LSM in the list
      of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
  - New upstream release 1.11.2:
    * fix a regression caused by 1.11.1 where the process crashes if there
      are no CPU limits configured on cgroup v1. (bsc#1217590)
    * fix error code check for the ptsname_r function.
* Mon Nov 06 2023 [email protected]
  - update to 1.11.1:
    * force a remount operation with bind mounts from the host to
      correctly set all the mount flags.
    * cgroup: honor cpu burst.
    * systemd: set CPUQuota and CPUPeriod on the scope cgroup.
    * linux: append tmpfs mode if missing for mounts.  This is the
      same behavior of runc.
    * cgroup: always use the user session for rootless.
    * support for Intel Resource Director Technology (RDT).
    * new mount option "copy-symlink".  When provided for a mount,
      if the source is a symlink, then it is copied in the container
      instead of attempting a mount.
    * linux: open mounts before setgroups if in a userns.  This
      solves a problem where a directory that was previously
      accessible to the user, become inaccessible after setgroups
      causing the bind mount to fail.
* Thu Oct 12 2023 [email protected]
  - New upstream release 1.9.2:
    * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
      do that automatically, but new kernels remember the affinity that was set
      before the cgroup move, so we need to reset it in order to honor the cpuset
      configuration.
  - New upstream release 1.9.1:
    * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
      that always refuses chmod on a symlink.
    * build: fix build on CentOS 7
    * linux: add new fallback when mount fails with EBUSY, so that there is not an
      additional tmpfs mount if not needed.
    * utils: improve error message when a directory cannot be created as a
      component of the path is already existing as a non directory.
  - Only build with wasmedge on x86_64 & aarch64
* Wed Oct 11 2023 [email protected]
  - Add crun-wasm symlink for platform 'wasi/wasm'
* Wed Sep 13 2023 [email protected]
  - Update to 1.9:
    * linux: support arbitrary idmapped mounts.
    * linux: add support for "ridmap" mount option to support recursive
      idmapped mounts.
    * crun delete: call systemd's reset-failed.
    * linux: fix check for oom_score_adj.
    * features: Support mountExtensions.
    * linux: correctly handle unknown signal string when it doesn't start with
      a digit.
    * linux: do not attempt to join again already joined namespace.
    * wasmer: use latest wasix API.
* Tue Sep 05 2023 [email protected]
  - Enable WasmEdge support to run Wasm compat containers.
* Mon Aug 14 2023 [email protected]
  - Update to 1.8.6:
    * crun: new command "crun features".
    * linux: fix handling of idmapped mounts when the container joins an
      existing PID namespace.
    * linux: support io_priority from the OCI specs.
    * linux: handle correctly the case where the status file is not written
      yet for a container.
    * crun: fix segfault for "ps" when the container is not using cgroups.
    * cgroup: allow setting swap to 0.
* Wed Jun 14 2023 [email protected]
  - Update to 1.8.5:
    * scheduler: use definition from the OCI configuration file
      instead of the custom label that is now dropped and not
      supported anymore.
    * cgroup: fix creating cgroup under "domain threaded".
    * cgroup, systemd: set the memory limit on the system scope.
    * restore tty settings from the correct file descriptor.  It was
      previously restoring the settings from the wrong file
      descriptor causing the tty settings  to be changed on the
      calling terminal.
    * criu: check if the criu_join_ns_add function exists.
      Fix a segfault with new versions of CRIU.
    * linux: do not precreate devs with euid > 0.  Fix creating
      devices when running the OCI runtime as non root user.
    * linux: improve PID detection on systems that lack pidfd.
      While there is still a window of time that the PID could be
      recycled, now it is now reduced to a minimum.
    * criu: fix memory leak.
    * logging: improve error message when dlopen fails.
  - Changes from 1.8.4:
    * drop custom annotation to set the time namespace and use
      the OCI specs instead.
    * cgroup: workaround cpu quota/period issue with v1.  Sometimes
      setting CPU quota period fails when a new period is lower,
      and a parent cgroup has CPU quota limit set.
    * cgroup: fix set quota to -1 on cgroup v1.
    * criu: drop loading unused functions.
* Tue Mar 28 2023 [email protected]
  - update to 1.8.3:
    * update: initialize the rt limits only on cgroup v1.
    * lua bindings for libcrun.
    * wasmedge: add current directory to preopen paths.
    * linux: inherit parent mount flags when making a path masked.
    * libcrun: custom annotation to set the scheduler for the
      container process.
    * cgroup: fallback to blkio.bfq files if blkio is not available
      on cgroup v1.
    * cgroup: initialize rt limits when using systemd.
    * tty: chown the tty to the exec user instead of the user
      specified to create the container.
    * cgroup: fallback to create cgroupfs as sibling of the current
      cgroup if there is none specified and it cannot be created in
      the root cgroup.
  - add keyring for GPG validation
* Tue Feb 28 2023 [email protected]
  - Update to 1.8.1
    * linux: idmapped mounts expect the same configuration as
      the user namespace mappings. Before they were expecting the inverted
      mapping. It is a breaking change, but the behavior was aligned
      to what runc will do as well.
    * krun: always allow /dev/kvm in the cgroup configuration.
    * handlers: disable exec for handlers that do not support it.
    * selinux: allow setting fscontext using a custom annotation.
    * cgroup: reset systemd unit if start fails.
    * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
    * cgroup: always delete the cgroup on errors.
      On some errors it could have been leaked before.
  - changes from 1.8
    * linux: precreate devices on the host.
    * cgroup: support cpuset mounted with noprefix.
    * linux: mount the source cgroup if cgroupns=host.
    * libcrun: don't clone self from read-only mount.
    * build: fix build without dlfcn.h.
    * linux: set PR_SET_DUMPABLE.
    * utils: fix applying AppArmor profile.
    * linux: write setgroups=deny when mapping a single uid/gid.
    * cgroup: fix enter cgroupv1 mount on RHEL 7.
* Wed Dec 07 2022 [email protected]
  - Update to 1.7.2:
    * criu: hardcode library name to libcriu.so.2.
    * cgroup: always enable all controllers, even if the cgroup was
      already joined. Regression caused by crun-1.7.
  - Changes from 1.7.1:
    * criu: load libcriu dynamically.
    * seccomp: initialize libgcrypt.
    * handlers: fix rewriting the argv if the full cmdline doesn't
      fit.
    * utils: honor SELinux label when using a custom handler.
    * utils: honor AppArmor label when using a custom handler.
    * krun: copy the OCI configuration file into the container.
    * utils: fix creating the default user namespace when running
      with euid != 0.
    * Add setlinebuf() when --debug and --log=file: are used.
    * Fix timestamp format in the error messages.
    * krun: disable libkrun's collection of env vars.
  - Changes from 1.7:
    * seccomp: use a cache for the generated BPF.
    * add support for setting the domainname through the OCI spec.
    * handlers: define wasm and krun.
    * wasmtime: add support for compiling .wat format.
    * cgroup: honor checkBeforeUpdate on cgroupv2.
    * crun: chown std streams before joining the user namespace.
    * crun: display rundir in --version output.
    * container: with cgroupfs use clone3 to join directly the target
      cgroup.
    * linux: create parent directories for created devices with mode
      0755.
    * wasm: inherit environment variables in the WasmEdge handler.
* Fri Sep 30 2022 [email protected]
  - Update the libkrun dependency to the new libkrun1 library and
    devel package
* Thu Sep 29 2022 [email protected]
  - Update to 1.6
    * runc compatibility: -v now prints the version string.
    * build: fix build with glibc 2.36.
    * container: drop intermediate userns custom feature.
    * cgroup: change the delegate cgroup semantic so that the cgroup
      is created in the container payload after the cgroup namespace
      is created.
    * seccomp: use helper process to send file descriptor to the listener
      socket. It enables to be notified on every syscall without hanging
      the main process.
    * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
      fails with ENOSYS.
    * krun: add support for krun-sev.
    * wasmtime: always grant file system capability for workdir inside
      the container.
    * wasmtime: inherit arguments list from the handler instead of the
      current process.
    * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
  - Update to 1.5
    * add mono based native .NET handler
    * new Wasmtime backend for running WebAssembly
    * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
    * dropping support for experimental WasmEdgeProcess from wasmedge handler
    * honor process user's uid when setting the HOME environment variable
    * create the current working directory if it is missing in the container
    * fallback to using a tmpfs mount if umount of /sys and /proc fails
    * fallback to netlink to setup lo device
    * fix creating devices in the rootfs
    * fallback to using io.weight if io.bfq.weight doesn't exist
    * remove tun/tap from the default allow list
    * linux: devices mounts have noexec and nosuid
    * fix copyup of files from the container to the tmpfs
    * honor $PATH for newgidmap and newguidmap
    * krun: limit the number of vCPUs to 8
    * cgroup: add support for cpu.idle
* Mon May 09 2022 [email protected]
  - Update to 1.4.5:
    + CRIU: add support for different manage cgroups modes.
    + linux: the hook processes inherit the crun process
      environment if there is no environment block specified in the
      OCI configuration.
    ° exec: fix double free when using --apparmor and
    - -process-label.
* Tue Apr 12 2022 [email protected]
  - It'd be nice to run the test suite with %check. It however, still
    does not work properly inside OBS workers. Add it commented and
    explain it
* Tue Apr 12 2022 [email protected]
  - switch to latest upstream version (1.4.4)
  - big jump from 0.21! Here's a short summary, for details,
    see: https://github.com/containers/crun/releases
    * 1.4.4
      wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
      Resolve symlinks in bind mounts when creating a user namespace.
      Fix CVE-2022-27650: exec does not set inheritable capabilities.
    * 1.4.3
      cgroup: avoid potential infinite loop when deleting a cgroup.
      support additional options for idmap mounts.
      open the source for a bind mount in the host.
    * 1.4.2
      CRIU: add pre-dump support.
      Fix running with a read-only /dev.
      Ignore EROFS when chowning standard stream files.
      Add validation for sysctls before applying them.
    * 1.4.1
      Fix check for an invalid path.
      Allow deleting a container while in created state.
      cgroup: do not set cpu limits if number of shares is set to 0.
    * 1.4
      wasm: support for running on kubernetes with containerd.
      linux: add support for recursive mount options.
      add support for idmapped mounts through a new mount option "idmap".
      linux: improve detection of /dev target.
      now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
      retry the openat2 syscall if it fails with EAGAIN.
      cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
      on new kernels, use setns with pidfd.
      attempt the chdir again with the specified user if it failed before changing credentials.
    * 1.3
      add support to natively build and run WebAssembly workload and WebAssembly containers.
      allow to specify sub-cgroup for exec.
      chown std streams if they are not a TTY.
      attach the correct streams if the container is suspended and restored multiple times.
      fix race condition when enabling controllers on cgroup v2.
    * 1.2
      exec: fix regression in 1.1 where containers are being wrongly reported as paused.
      criu: add support for external ipc, uts and time namespaces.
    * 1.1
      cgroup: use cgroup.kill when available.
      exec: refuse to exec in a paused container/cgroup.
      container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
      criu: Add support for external PID namespace.
      criu: fix save of external descriptors.
      utils: retry openat2 on EAGAIN.
    * 1.0
      cgroup: chown the current container cgroup to root in the container.
      linux: treat pidfd_open failures EINVAL as ESRCH.
      cgroup: add support for setting memory.use_hierarchy on cgroup v1.
      Makefile.am: fix link error when using directly libcrun.
      Fix symlink target mangling for tmpcopyup targets.
  - fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
  - update and fixup dependencies
* Tue Nov 02 2021 [email protected]
  - Add libprotobuf-c-devel as an explicit dependency, for fixing
    the build;
  - Get rid of rpmlintrc, as it's no longer needed.
* Mon Aug 23 2021 [email protected]
  - make libkrun support conditional, so we can have crun (without
    libkrun, of course) on all arches, which may help with
    bsc#1188914.
* Fri Aug 06 2021 [email protected]
  - Drop libkrun-dlopen.patch and adapt to libkrun new package name,
    it is a plugin, not a regular shared library.
* Fri Aug 06 2021 [email protected]
  - Add libkrun-dlopen.patch: use soname when dlopening libkrun.
* Wed Jul 28 2021 [email protected]
  - Update to 0.21
    - honor memory swappiness set to 0
    - status: add fields for owner and created timestamp
    - cgroup: lookup pids controller as well when the memory controller
      is not available
    - when compiled with krun, automatically use it if the current
      executable file is called "krun".
    - container: ignore error when resetting the SELinux label for the
      keyring.
    - container: call prestart hooks before rootfs is RO.
    - cgroup: added support cleaning custom controllers on cgroupv1.
    - spec: add support for --bundle.
    - exec: add --no-new-privs.
    - exec: add --process-label and --apparmor to change SELinux and
      AppArmor labels.
    - cgroup: kill procs in cgroup on EBUSY.
    - cgroup: ignore devices errors when running in a user namespace.
    - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
    - seccomp: report correct action in error message.
    - apply SELinux label to keyring.
    - add custom annotation run.oci.delegate-cgroup.
    - close_range fallbacks to close on EPERM.
    - report error if the cgroup path was set and the cgroup could not be
      joined.
    - on exec, honor additional_gids from the process spec, not the
      container definition.
    - spec: add cgroup ns if on cgroup v2.
    - systemd: support array of strings for cgroup annotation.
    - join all the cgroup v1 controllers.
    - raise a warning when newuidmap/newgidmap fail.
    - handle eBPF access(dev_name, F_OK) call correctly.
    - fix some memory leaks on errors when libcrun is used by a long
      running process.
    - fix the SELinux label for masked directories.
    - support default seccomp errno value.
    - fail if no default seccomp action specified.
    - support OCI seccomp notify listener.
    - improve OOM error messages.
    - ignore unknown capabilities and raise a warning.
    - always remount bind mounts to drop not requested mount flags.
* Tue Mar 23 2021 [email protected]
  - Add a mention to crun-rpmlintrc in the spec file
* Fri Mar 19 2021 [email protected]
  - Since we're building with libkrun support, let's enable only the
    arch-es for which we do have libkrun
* Sat Mar 13 2021 [email protected]
  - Suppress the (false positive) rpmlint warning
* Sat Mar 13 2021 [email protected]
  - Some fixes to the spec file (add some %doc, remove unused macros, etc)
* Thu Mar 11 2021 [email protected]
  - Initial package for 0.18
    Based on the package by Giuseppe Scrivano <[email protected]>

Files

/usr/bin/crun
/usr/bin/crun-wasm
/usr/bin/krun
/usr/share/doc/packages/crun
/usr/share/doc/packages/crun/README.md
/usr/share/doc/packages/crun/SECURITY.md
/usr/share/licenses/crun
/usr/share/licenses/crun/COPYING
/usr/share/man/man1/crun.1.gz
/usr/share/man/man1/krun.1.gz


Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Dec 13 23:36:37 2024