
Releases: containers/crun

1.4.1

14 Jan 10:31
8026135
  • Fix check for an invalid path. crun was performing the wrong check to validate a path, causing spurious failures at runtime.
  • Allow deleting a container while in the created state. The OCI runtime spec only permits delete on a stopped container, so this
    goes against the spec, but it is the expected behavior since runc allows it.
  • Fix regression when joining a container that has explicit paths for the namespaces.
  • cgroup: do not set CPU limits if the number of shares is set to 0. Moby uses 0 to indicate no limits.
  • Fix build issues when configured with --enable-shared.
  • Fix build on systems where OPEN_TREE_CLOEXEC is not defined.
  • Improve diagnostics for errors returned by dbus.

1.4

22 Dec 10:52
3daded0
  • wasm: support for running on kubernetes with containerd.
  • linux: add support for recursive mount options. E.g., "rro" makes the mount read-only recursively, covering every submount beneath it.
  • add support for idmapped mounts through a new mount option "idmap".
  • linux: improve detection of /dev target. Previously a mount like /dev/ was not properly detected as mounting /dev/ from the host.
  • crun exec now uses CLONE_INTO_CGROUP (Linux 5.7 and later) when using cgroup v2, so the new process is created directly in the target cgroup instead of being moved there after the fork.
  • retry the openat2 syscall if it fails with EAGAIN.
  • cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
  • on new kernels (Linux 5.8 and later), use setns with a pidfd, which joins all of the target's namespaces atomically in one call.
  • attempt the chdir again with the specified user if it failed before changing credentials.
  • ebpf: fix build on 32 bits systems.
  • crun --version shows the configured handlers.

1.3

05 Nov 08:30
8e5757a
  • add support for natively building and running WebAssembly workloads and WebAssembly containers.
  • allow specifying a sub-cgroup for exec.
  • chown std streams if they are not a TTY.
  • attach the correct streams if the container is suspended and restored multiple times.
  • fix race condition when enabling controllers on cgroup v2.
  • the fallback code to mount cgroupfs bind mounts the current cgroup path instead of the host /sys.

1.2

08 Oct 07:30
4f6c8e0
  • exec: fix regression in 1.1 where containers are being wrongly reported as paused.
  • criu: add support for external ipc, uts and time namespaces.

1.1

27 Sep 14:56
5b341a1
  • cgroup: use cgroup.kill when available (cgroup v2, Linux 5.14 and later). It is faster to kill a container through its cgroup as there is no need to iterate over the cgroup pids and terminate each one of them.
  • exec: refuse to exec in a paused container/cgroup.
  • container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
  • criu: Add support for external PID namespace.
  • criu: fix save of external descriptors. Now restored containers attach correctly their standard streams.
  • utils: retry openat2 on EAGAIN. The kernel returns EAGAIN from openat2 when, while resolving with RESOLVE_IN_ROOT or RESOLVE_BENEATH, a concurrent rename or mount prevented it from proving that the path stayed inside the root; the call is simply tried again.
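Both the 1.4 item "retry the openat2 syscall if it fails with EAGAIN" and the 1.1 item above describe the same safe-path-resolution pattern, so here is one added example in C (not crun's code) that shows it end to end: opening a path with RESOLVE_IN_ROOT so that "..", absolute paths and absolute symlink targets cannot escape a rootfs, and retrying a bounded number of times when the kernel answers EAGAIN. The struct and flag definitions are copied from the openat2(2) ABI so the example builds without <linux/openat2.h>; the retry bound, the function names and the temporary directory used as a stand-in rootfs are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* openat2(2) ABI, Linux >= 5.6; declared locally so the example builds
 * without <linux/openat2.h>.  437 is the syscall number on all arches. */
#ifndef __NR_openat2
# define __NR_openat2 437
#endif
struct ex_open_how { uint64_t flags; uint64_t mode; uint64_t resolve; };
#define EX_RESOLVE_NO_MAGICLINKS 0x02ULL
#define EX_RESOLVE_IN_ROOT       0x10ULL

#define MAX_EAGAIN_RETRIES 32 /* assumption: keep the retry loop bounded */

/* Open `path` treating `rootfd` as "/", so "..", absolute paths and absolute
 * symlink targets all stay inside the rootfs.  EAGAIN (not EINTR) means a
 * concurrent rename or mount stopped the kernel from proving the walk stayed
 * in the root; the safe answer is to retry.  Returns an fd or -1 (errno). */
static int open_in_root(int rootfd, const char *path, uint64_t flags, int *retries_out)
{
  struct ex_open_how how = {
    .flags = flags | O_CLOEXEC,
    .mode = 0,
    .resolve = EX_RESOLVE_IN_ROOT | EX_RESOLVE_NO_MAGICLINKS,
  };
  int attempts = 0;

  for (;;)
    {
      long fd = syscall(__NR_openat2, rootfd, path, &how, sizeof how);
      if (fd >= 0)
        {
          if (retries_out)
            *retries_out = attempts;
          return (int) fd;
        }
      if (errno == EAGAIN && ++attempts < MAX_EAGAIN_RETRIES)
        continue;
      return -1;
    }
}

static int same_inode(int fd, int dirfd, const char *name)
{
  struct stat a, b;
  return fstat(fd, &a) == 0 && fstatat(dirfd, name, &b, 0) == 0
         && a.st_ino == b.st_ino && a.st_dev == b.st_dev;
}

/* Constructed scenario in a temp dir standing in for a container rootfs.
 * Returns 0 on success, 1 if this kernel or sandbox lacks openat2,
 * -N for the check N that failed. */
static int demo(void)
{
  char dir[] = "/tmp/crun-openat2-XXXXXX";
  int rootfd, fd, rc = 0;

  if (mkdtemp(dir) == NULL)
    return -1;
  rootfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (rootfd < 0)
    {
      rmdir(dir);
      return -2;
    }
  fd = openat(rootfd, "hello", O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd < 0) rc = -3; else close(fd);
  /* an absolute symlink that plain openat() would happily follow outside */
  if (rc == 0 && symlinkat("/etc/passwd", rootfd, "escape") < 0)
    rc = -4;

  if (rc == 0) /* 1. ".." and absolute paths clamp at the root */
    {
      fd = open_in_root(rootfd, "../../hello", O_RDONLY, NULL);
      if (fd < 0)
        rc = (errno == ENOSYS || errno == EPERM) ? 1 : -5;
      else { if (!same_inode(fd, rootfd, "hello")) rc = -6; close(fd); }
    }
  if (rc == 0)
    {
      fd = open_in_root(rootfd, "/hello", O_RDONLY, NULL);
      if (fd < 0 || !same_inode(fd, rootfd, "hello")) rc = -7;
      if (fd >= 0) close(fd);
    }
  if (rc == 0) /* 2. the symlink resolves to <root>/etc/passwd: absent */
    {
      fd = open_in_root(rootfd, "escape", O_RDONLY, NULL);
      if (fd >= 0) { close(fd); rc = -8; }
      else if (errno != ENOENT) rc = -9;
    }

  unlinkat(rootfd, "escape", 0);
  unlinkat(rootfd, "hello", 0);
  close(rootfd);
  rmdir(dir);
  return rc;
}

int main(void)
{
  int rc = demo();
  if (rc == 1) puts("openat2 not available here; nothing to show");
  else printf("demo %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
  return (rc == 0 || rc == 1) ? 0 : 1;
}
```

The retry is bounded on purpose: an attacker who can keep renaming directories under the rootfs could otherwise make the runtime spin forever, and failing with EAGAIN after a few dozen attempts is the better outcome.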

1.0

25 Aug 19:04
139dc69
  • cgroup: chown the current container cgroup to root in the container.
  • linux: treat EINVAL failures from pidfd_open as ESRCH.
  • cgroup: add support for setting memory.use_hierarchy on cgroup v1.
  • Makefile.am: fix link error when using directly libcrun.
  • Fix symlink target mangling for tmpcopyup targets.

0.21

26 Jul 14:55
c4c3cdf
  • honor memory swappiness set to 0
  • status: add fields for owner and created timestamp
  • cgroup: lookup pids controller as well when the memory controller is not available
  • when compiled with krun, automatically use it if the current executable file is called "krun"

0.20.1

09 Jun 10:49
38271d1
  • container: ignore error when resetting the SELinux label for the keyring.

0.20

01 Jun 19:01
0d42f11
  • container: call prestart hooks before rootfs is RO.
  • cgroup: add support for cleaning up custom controllers on cgroup v1.
  • spec: add support for --bundle.
  • exec: add --no-new-privs.
  • exec: add --process-label and --apparmor to change SELinux and AppArmor labels.
  • cgroup: kill procs in cgroup on EBUSY.
  • cgroup: ignore devices errors when running in a user namespace.
  • seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  • seccomp: report correct action in error message.
  • apply SELinux label to keyring.
  • add custom annotation run.oci.delegate-cgroup.
  • close_range fallbacks to close on EPERM.
  • report error if the cgroup path was set and the cgroup could not be joined.

0.19.1

20 Apr 12:45
1535fed
  • on exec, honor additional_gids from the process spec, not the container definition.
  • spec: add cgroup ns if on cgroup v2.
  • systemd: support array of strings for cgroup annotation.