Releases: containers/crun
1.4.1
- Fix check for an invalid path. crun was performing the wrong check to validate a path, causing spurious failures at runtime.
- Allow deleting a container while in the "created" state. This goes against what the OCI runtime spec dictates, but it is the expected behavior since runc allows it.
- Fix regression when joining a container that has explicit paths for the namespaces.
- cgroup: do not set cpu limits if number of shares is set to 0. Moby uses 0 to indicate no limits.
- Fix build issues when configured with --enable-shared.
- Fix build on systems where OPEN_TREE_CLOEXEC is not defined.
- Improve diagnostics for errors returned by dbus.
1.4
- wasm: support for running on kubernetes with containerd.
- linux: add support for recursive mount options. For example, it is possible to specify "rro" to make the mount read-only recursively.
- add support for idmapped mounts through a new mount option "idmap".
- linux: improve detection of the /dev target. Previously a mount like "/dev/" was not properly detected as mounting /dev/ from the host.
- crun exec now uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
- retry the openat2 syscall if it fails with EAGAIN.
- cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
- on new kernels, use setns with pidfd.
- attempt the chdir again with the specified user if it failed before changing credentials.
- ebpf: fix build on 32 bits systems.
- crun --version shows the configured handlers.
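The two mount options introduced in 1.4, "rro" and "idmap", are set in the "options" array of a mount entry in the OCI config.json. The fragment below is an added illustration, not taken from the crun project; the destination and source paths are constructed values.

```json
{
  "mounts": [
    {
      "destination": "/srv/data",
      "type": "bind",
      "source": "/var/lib/example/data",
      "options": ["rbind", "rro"]
    },
    {
      "destination": "/srv/shared",
      "type": "bind",
      "source": "/var/lib/example/shared",
      "options": ["rbind", "idmap"]
    }
  ]
}
```

The recursive variant matters for a read-only bind mount: a plain "ro" applies only to the top-level mount, so any filesystem already mounted below the source stays writable inside the container, whereas "rro" propagates the read-only attribute to every submount. The "idmap" option applies the container's user namespace mapping to the mount, so files owned by host UIDs appear with the corresponding mapped UIDs inside the container instead of as nobody.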
1.3
- add support to natively build and run WebAssembly workloads and WebAssembly containers.
- allow specifying a sub-cgroup for exec.
- chown std streams if they are not a TTY.
- attach the correct streams if the container is suspended and restored multiple times.
- fix race condition when enabling controllers on cgroup v2.
- the fallback code to mount cgroupfs bind mounts the current cgroup path instead of the host /sys.
1.2
1.1
- cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.
- exec: refuse to exec in a paused container/cgroup.
- container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
- criu: Add support for external PID namespace.
- criu: fix save of external descriptors. Now restored containers attach correctly their standard streams.
- utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.
1.0
- cgroup: chown the current container cgroup to root in the container.
- linux: treat pidfd_open failures EINVAL as ESRCH.
- cgroup: add support for setting memory.use_hierarchy on cgroup v1.
- Makefile.am: fix link error when using libcrun directly.
- Fix symlink target mangling for tmpcopyup targets.
0.21
- honor memory swappiness set to 0
- status: add fields for owner and created timestamp
- cgroup: lookup pids controller as well when the memory controller is not available
- when compiled with krun, automatically use it if the current executable file is called "krun"
0.20.1
0.20
- container: call prestart hooks before rootfs is RO.
- cgroup: added support for cleaning custom controllers on cgroup v1.
- spec: add support for --bundle.
- exec: add --no-new-privs.
- exec: add --process-label and --apparmor to change SELinux and AppArmor labels.
- cgroup: kill procs in cgroup on EBUSY.
- cgroup: ignore devices errors when running in a user namespace.
- seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
- seccomp: report correct action in error message.
- apply SELinux label to keyring.
- add custom annotation run.oci.delegate-cgroup.
- close_range falls back to close on EPERM.
- report error if the cgroup path was set and the cgroup could not be joined.