
Releases: containers/crun

1.14.3

17 Feb 08:34
1961d21
  • follow-up to 1.14.2: drop the version check for each command.

1.14.2

16 Feb 17:10
32b139f
  • drop the check for the OCI version. A recent bump in the OCI runtime specs caused crun to fail with every config file. Just drop the check, since it doesn't add any value.

1.14.1

08 Feb 18:30
de537a7
  • there was recently a security vulnerability (CVE-2024-21626) in runc
    that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
    outside the container rootfs. While crun is not affected directly,
    harden chdir by validating that we are still inside the container
    rootfs.
  • container: attempt to close all the files before execv(2).
    Any fd that leaks across exec would give the new process access to
    files outside the container rootfs through /proc/self/fd/$fd.
  • fix a regression caused by 1.14 when installing the ebpf filter on a
    kernel older than 5.11.
  • cgroup, systemd: fix segfault if the resources block is not specified.
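As an added illustration of the chdir hardening described in the 1.14.1 notes above (written for this page; it is not crun's code, and how crun itself implements the check is not shown here), the functions below verify after every chdir(2) that the new working directory is still inside a chosen root. The check walks upward through ".." on O_PATH descriptors and compares device/inode pairs: a directory reached through a leaked /proc/PID/fd entry that points outside the rootfs never meets the root inode on the way up, so the chdir is rejected and the previous cwd restored. The names dir_is_inside and checked_chdir are assumptions made for the example.

```c
/* Added example, not crun's code: after chdir(2), confirm that the new
 * working directory is still inside a chosen root. Linux only (O_PATH). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* generic Linux value, if the header lacks it */
#endif

static int same_inode(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* 1 if dirfd is rootfd or a descendant of it, 0 if it lies outside,
 * -1 on error. Walks upward through ".." on O_PATH descriptors (nothing
 * is opened for reading, no symlink is followed) until it meets the root
 * inode or reaches the top, where ".." resolves to the directory itself. */
int dir_is_inside(int rootfd, int dirfd)
{
    struct stat root_st, cur_st, parent_st;
    int cur, parent, saved;

    if (fstat(rootfd, &root_st) < 0)
        return -1;
    cur = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);
    if (cur < 0)
        return -1;
    for (;;) {
        if (fstat(cur, &cur_st) < 0)
            break;
        if (same_inode(&cur_st, &root_st)) {
            close(cur);
            return 1;
        }
        parent = openat(cur, "..", O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (parent < 0)
            break;
        if (fstat(parent, &parent_st) < 0) {
            close(parent);
            break;
        }
        if (same_inode(&parent_st, &cur_st)) { /* top reached, root never seen */
            close(parent);
            close(cur);
            return 0;
        }
        close(cur);
        cur = parent;
    }
    saved = errno;
    close(cur);
    errno = saved;
    return -1;
}

/* chdir(2) to path, then verify the result. If the new cwd is not inside
 * rootfd, the previous cwd is restored and -1 is returned (errno EPERM). */
int checked_chdir(int rootfd, const char *path)
{
    int oldcwd, newcwd, inside = -1, saved;

    oldcwd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (oldcwd < 0)
        return -1;
    if (chdir(path) == 0) {
        newcwd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (newcwd >= 0) {
            inside = dir_is_inside(rootfd, newcwd);
            close(newcwd);
        }
        if (inside == 0)
            errno = EPERM;
        if (inside != 1) {
            saved = errno;
            (void) fchdir(oldcwd); /* undo the escape */
            errno = saved;
        }
    }
    saved = errno;
    close(oldcwd);
    errno = saved;
    return inside == 1 ? 0 : -1;
}
```

In a runtime, rootfd would be the container rootfs opened before the root is switched, and checked_chdir would replace every chdir(2) performed on behalf of the container configuration; the comparison is on inodes rather than on path strings, so it is unaffected by bind mounts or by what /proc/self/cwd happens to read as.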

1.14

24 Jan 16:51
667e6eb
  • build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
  • cpuset: don't clobber parent cgroup value when writing the cpuset value.
  • linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration.
  • ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.

1.13

15 Jan 16:25
c761349
  • src: use O_CLOEXEC for all open/openat calls
  • cgroup v1: use "max" when pids limit < 0.
  • improve error message when idmap mount fails because the underlying file system has no support for it.
  • libcrun: fix compilation when building without libseccomp and libcap.
  • fix relative idmapped mount when using the custom annotation.

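The 1.14.1 note about closing every file before execv(2) and the 1.13 change to O_CLOEXEC for all open/openat calls address the same leak: any descriptor that survives exec is reachable by the new program as /proc/self/fd/N, wherever it points. The following added example (written for this page, not crun's code; the names for_each_fd, mark_fds_cloexec, count_inheritable_fds and open_cloexec are assumptions) walks /proc/self/fd, flags every descriptor at or above a threshold close-on-exec, and reports how many would still be inherited.

```c
/* Added example, not crun's code: make sure no descriptor survives
 * execv(2), so the new program cannot reach files through
 * /proc/self/fd/$fd. Linux only: the list of open fds comes from /proc. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Call fn(fd, arg) for every open descriptor >= minfd, skipping the
 * descriptor that backs the /proc/self/fd listing itself. */
static int for_each_fd(int minfd, int (*fn)(int, void *), void *arg)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int self, ret = 0;

    if (d == NULL)
        return -1;
    self = dirfd(d);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);

        if (e->d_name[0] == '.' || *end != '\0')
            continue; /* "." and ".." entries */
        if (fd < minfd || fd == self)
            continue;
        if (fn((int) fd, arg) < 0) {
            ret = -1;
            break;
        }
    }
    closedir(d);
    return ret;
}

static int set_cloexec(int fd, void *arg)
{
    int flags = fcntl(fd, F_GETFD);

    (void) arg;
    if (flags < 0)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

static int count_if_inheritable(int fd, void *arg)
{
    int flags = fcntl(fd, F_GETFD);

    if (flags < 0)
        return -1;
    if ((flags & FD_CLOEXEC) == 0)
        (*(int *) arg)++;
    return 0;
}

/* Flag every descriptor >= minfd close-on-exec. Flagging instead of
 * closing while /proc/self/fd is being read keeps the listing stable;
 * the kernel then drops them all at execv(2). */
int mark_fds_cloexec(int minfd)
{
    return for_each_fd(minfd, set_cloexec, NULL);
}

/* How many descriptors >= minfd would the exec'd program inherit? */
int count_inheritable_fds(int minfd)
{
    int n = 0;

    return for_each_fd(minfd, count_if_inheritable, &n) < 0 ? -1 : n;
}

/* The 1.13 rule applied at the source: never open without O_CLOEXEC, so
 * a descriptor is close-on-exec from the moment it exists and a fork+exec
 * in another thread cannot catch it unflagged. */
int open_cloexec(const char *path, int flags)
{
    return open(path, flags | O_CLOEXEC);
}
```

count_inheritable_fds(3) is a useful assertion to run just before exec in a runtime's test suite: it should be zero once every open has O_CLOEXEC and mark_fds_cloexec has covered anything inherited from the parent.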
1.12

23 Nov 17:12
ce429cb
  • add new WebAssembly handler: spin.
  • systemd: fallback to system bus if session bus is not available.
  • configure the cpu rt and cpuset controllers before joining them, to avoid temporarily running the workload on the wrong CPUs.
  • preconfigure the cpuset with required resources instead of using the parent's set. This prevents needless churn in the kernel as it tracks which CPUs have load balancing disabled.
  • try attr//* before the attr/* files. Writes to the attr/* files may fail if apparmor is not the first "major" LSM in the list of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).

1.11.2

07 Nov 12:54
ab0edee
  • fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1.
  • fix error code check for the ptsname_r function.

1.11.1

30 Oct 20:24
1084f95
  • force a remount operation with bind mounts from the host to correctly set all the mount flags.

1.11

26 Oct 20:19
11f8d3d
  • cgroup: honor cpu burst.
  • systemd: set CPUQuota and CPUPeriod on the scope cgroup.
  • linux: append tmpfs mode if missing for mounts. This matches runc's behavior.
  • cgroup: always use the user session for rootless.

1.10

19 Oct 10:11
c053c83
  • support for Intel Resource Director Technology (RDT).
  • new mount option "copy-symlink". When provided for a mount, if the source is a symlink, it is copied into the container instead of attempting a mount.
  • linux: open mounts before setgroups if in a userns. This solves a problem where a directory that was previously accessible to the user becomes inaccessible after setgroups, causing the bind mount to fail.