forked from containers/crun
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
347 lines (288 loc) · 12.9 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
* crun-1.1
- cgroup: use cgroup.kill when available. It is faster to kill a
container through its cgroup as there is no need to recurse over the
cgroup pids and terminate each one of them.
- exec: refuse to exec in a paused container/cgroup.
- container: Set primary process to 1 via LISTEN_PID by default if
user configuration is missing.
- criu: Add support for external PID namespace.
- criu: fix save of external descriptors. Now restored containers
attach correctly their standard streams.
- utils: retry openat2 on EAGAIN. If the openat2 syscall is
interrupted, try again.
* crun-1.0
- cgroup: chown the current container cgroup to root in the container.
- linux: treat pidfd_open failures EINVAL as ESRCH
- cgroup: add support for setting memory.use_hierarchy on cgroup v1.
- Makefile.am: fix link error when using directly libcrun.
- Fix symlink target mangling for tmpcopyup targets.
* crun-0.21
- honor memory swappiness set to 0
- status: add fields for owner and created timestamp
- cgroup: lookup pids controller as well when the memory controller
is not available
- when compiled with krun, automatically use it if the current
executable file is called "krun".
* crun-0.20.1
- container: ignore error when resetting the SELinux label for the
keyring.
* crun-0.20
- container: call prestart hooks before rootfs is RO.
- cgroup: added support cleaning custom controllers on cgroupv1.
- spec: add support for --bundle.
- exec: add --no-new-privs.
- exec: add --process-label and --apparmor to change SELinux and
AppArmor labels.
- cgroup: kill procs in cgroup on EBUSY.
- cgroup: ignore devices errors when running in a user namespace.
- seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
- seccomp: report correct action in error message.
- apply SELinux label to keyring.
- add custom annotation run.oci.delegate-cgroup.
- close_range fallbacks to close on EPERM.
- report error if the cgroup path was set and the cgroup could not be
joined.
* crun-0.19.1
- on exec, honor additional_gids from the process spec, not the
container definition.
- spec: add cgroup ns if on cgroup v2.
- systemd: support array of strings for cgroup annotation.
* crun-0.19
- join all the cgroup v1 controllers.
- raise a warning when newuidmap/newgidmap fail.
- handle eBPF access(dev_name, F_OK) call correctly.
- fix some memory leaks on errors when libcrun is used by a long
running process.
- fix the SELinux label for masked directories.
- support default seccomp errno value.
- fail if no default seccomp action specified.
- support OCI seccomp notify listener.
- improve OOM error messages.
- ignore unknown capabilities and raise a warning.
- always remount bind mounts to drop not requested mount flags.
* crun-0.18
- fix build without CLONE_NEWCGROUP.
- fix conversion from blkio to io.
- add custom annotation to load raw BPF.
- set working directory for libkrun
- fix symlink lookup on old kernels that lack openat2
- skip +cpu on EINVAL in cgroup root. Enabling the cpu controller is
not permitted if there are already realtime processes running on the
system.
- Fix permission error when using NOTIFY_SOCKET with username spaces.
- set HOME to root if the user not found.
- simplify mount logic to not use a temporary mount.
- ignore ENOSYS from keyctl.
* crun-0.17
- allow creating user namespaces without root being mapped.
- allow arbitrary IDs with single ID userns.
- use close_range(CLOSE_RANGE_CLOEXEC) where available.
- honor /sys/kernel/cgroup/delegate.
- fix an issue with hooks running in the container PID namespace.
- fix building without seccomp.
- fix building without libcap.
* crun-0.16
- CRIU support.
- fallback to openat if openat2 returns EPERM.
- ignore ENOENT for cgroup v1 mounts, if the mount fails with
ENOENT, the controller might have been unmounted.
- fix another race reading cgroup freeze. Reading from the cgroup
fails with ENODEV if the cgroup was deleted in the meanwhile.
* crun-0.15.1
- add experimental support for libkrun.
- fix check for pidfd availability on older kernels.
- linux: do not set data when remounting read-only. Fix 'ro' mounts
on older kernels when SELinux is enabled.
- linux: label the cgroup v1 tmpfs when SELinux is enabled.
- container: truncate the pid file before writing to it.
- exec: fix check for read bytes from the sync socket.
- check the process has a cgroup before allowing pause and resume.
- linux: always create a user namespace if not running with euid == 0.
- libcrun can use a hook instead of executing a container process.
- use libyajl to generate hooks json input.
- handle correctly ENOENT for seccomp notifications.
* crun-0.15
- add support for OCI unified cgroup v2.
- add json format option to `crun list`.
- get last kernel capability dynamically instead of using a build
time constant.
- enable all available cgroup controllers.
- support the seccomp SCMP_ACT_LOG action.
- support the seccomp SCMP_ACT_KILL_THREAD action.
- properly set a SELinux label for the mqueue mount.
- `crun kill` uses pidfd when supported.
- experimental support for seccomp notifications.
- fix bundle option for `crun create` and `crun run`.
- allow to declare path to config file.
- check /sys/kernel/security/apparmor when using AppArmor.
- doesn't accept type=bind alone anymore, but require either "bind"
or "rbind" to be present in the mount flags.
* crun-0.14.1
- fix a regression in crun-0.14 where openat2(2) would fail when bind
mounting a symlink.
- various small fixes to allow running regression tests outside of
source tree.
* crun-0.14
- cgroup, systemd: create container under subcgroup. Now a "/container"
sub-cgroup is created and fully managed by libcrun. This is a different
behaviour than what runc does.
- libcrun: use the openat2 syscall available since Linux 5.6.
- container: allow hooks output to file through an annotation.
- linux: support joining PID/IPC namespace not owned by the user namespace.
Requires Linux 5.3.
- linux: avoid double fork for creating the init process if not needed.
- linux: fix an issue where the basename for $NOTIFY_SOCKET is different
than /notify.
- rootless: allow /dev/{tty,ptmx} to be present in linux.devices.
- cgroup: fix an issue on CentOS 7.8 when using net_cls and net_prio.
- seccomp: honor errnoRet from OCI spec runtime.
- exec: set setresuid/setresgid before setting up the terminal.
- cgroup, v2: fix crun update with both --memory -1 --memory-swap -1.
- cgroup, v2: fixing setting unlimited swap.
- cgroup, v2: allow to set unlimited swap per se.
- cgroup, v2: treat negative numbers as "max"
- cgroup, v2: raise error if swap is set without memory limit.
- cgroup: ignore cpu resources if set to 0.
- libcrun: audit errno in crun_make_error calls
- libcrun: fix read_pid_stat usage.
- linux: fix double close on the same file descriptor.
- container: Prevent deletion of not stopped container
- status: Use process start time for identification
- CRIU: several improvements.
- linux: fix path lookups for relative paths containing '/'.
- linux: use the SELinux mount label for the notify socket.
- status: delete doesn't fail if the process already exited.
* crun-0.13
- license: change license to gplv2+ and lgpl2.1+.
- criu: initial support for `container restore`.
- state: If a container is paused, report its state as 'paused'.
- cgroup: use the memory controller to ready PIDs. The pid controller
is not available on kernels older than 4.3.
- linux: drop context= for remount. Older linux versions complain
when the selinux label is specified on a remount.
- utils: fix mount on not writeable path.
- cgroup: support systemd properties via annotations.
- systemd: do not set hard-code collectmode value. It can be set
through an annotation.
- cgroup: write the correct blkio settings.
- exec: do not inherit env variables from main pid.
- ebpf: fix endianness issue on s390x.
- linux: fix recursive mount on cgroup v1.
* crun-0.12.2.1
- when not using a cgroup namespace, mount only the cgroup v1 subpath.
* crun-0.12.2
- do not require read permissions on /
- add support for the "time" namespace via a custom annotation
- fix mount of cgroup v1 when using a cgroup namespace
- set default umask to 0022
- use the correct path for notify socket with "crun run -d"
- always use setsid
- use correct indices for seccomp generation
- fixed several issues with cgroup v2 and the cgroupfs driver
* crun-0.12.1
- fix the order of clone syscall arguments on s390 and cris.
- if no mode is specified use 0666 for devices.
- fix running with a relative bundle directory.
- fix some regressions in the mounts path resolution.
- drop a warning when cgroup are not available for rootless.
* crun-0.12
- masked paths use only MS_UNBINDABLE
- mount doesn't specify mount data when there are no options
- support new hook types: createRuntime, createContainer and startContainer
- safer mount options. A temporary mount is prepared outside of the
rootfs before being moved to it.
- apply selinux/apparmor before the pivot_root.
- handle correctly proc remounts. It is now supported to specify hidepid=
- fix exec if a namespace is not available.
- handle swap limit with the same semantic as on cgroup v1.
- bring network device up.
- reset all signal handlers to default.
* crun-0.11
- cgroups2: map memory reservation to memory.low
- statx fallbacks to stat on EINVAL
- utils: do not fail if the path we are trying to create already
exists
- generate seccomp profile in the parent process, not in the container
init process. Memory usage is more reliable now and a container can
run with ~250K of max memory.
- support for Linux personality.
- support for umask.
- support for the hugetlb controller on cgroup v2.
- PIDs from a cgroup are read recursively.
- do not fork on "create".
- now by default seccomp doesn't fail on an unknown syscall. The
previous behavior can be enabled with an annotation.
- fix joining cgroup on cgroup v2 when a named hierarchy is also
present.
- fix creating user namespaces with more than 2^32 IDs mapped.
- on exec, keep the SELinux label or AppArmor profile from the
- container configuration.
- runtime specific annotation are prefixed with run.oci.
* crun-0.10.6
- when running with a terminal, change the ownership for the terminal
to the specified user
- spec: honor the --rootless flag
- linux: make sure the source path is resolved when checking the file
type. Regression introduced with 0.10.5.
* crun-0.10.5
- fix CVE-2019-18837
- fix running on CentOS/RHEL 8
- report errors opening the console socket
- not leave config.json around if the container could not be created
* crun-0.10.4
- ignore errors creating /dev/console
- add an annotation "io.crun.keep_original_groups", if it is set then
crun won't drop additional groups when creating the container
* crun-0.10.3
- systemd: set collectmode=inactive-or-failed
- fix build on Alpine
- use the current working directory to lookup local paths
- improve the error message when a hook fails
- add granular enable/disable configure options
* crun-0.10.2
- fix a regression in 0.10.1 where cgroups v1 could not be created
- correctly chown cgroups when using a user namespace so that systemd
can run in a container that uses a user namespace
* crun-0.10.1
- linux: Keep MS_RDONLY when remounting bind mount of a read-only
source. It solves an issue on Fedora Silverblue where /usr is
mounted read only.
- fix exec of rootless containers when cgroups are not available
* crun-0.10
- support for AppArmor
- fix for CVE-2019-16884, make sure writes to /proc for the SELinux
and AppArmor labels are on procfs.
- exec supports --preserve-fds
- seccomp: fix lookup for pseudo syscalls, seccomp now works fine on
non native archs
- cgroup: ignore rootless errors if manager != systemd
- error: always write errors to stderr
- chroot: follow symlinks for the last component
- set $HOME if it is not already defined
* crun-0.9.1
- fix an issue with tmpcopyup that didn't work correctly with symlinks
- create a new cgroup namespace before mounting the cgroup file
system, so that it uses the correct namespace
* crun-0.9
- fix exec into containers running systemd on cgroups v2
- kill: honor --all
- kill: when not using a PID namespace, use the freezer controller to
prevent the container forking new processes
- linux: handle tmpcopyup option to copy files from the rootfs to the
new mounted tmpfs.
- OCI: honor seccomp options. If not specified any seccomp option,
now crun will default to using SECCOMP_FILTER_FLAG_SPEC_ALLOW |
SECCOMP_FILTER_FLAG_LOG when using the seccomp(2)
syscall
* crun-0.8
- executable lookup. Now create fails immediately if the specified
executable doesn't exist
- subreaper enabled only when crun is attached
- fix notify socket when used from create and prevent it hanging
indefinitely when the container exits
- correctly write cpu controller resources when using cgroups v2
- support for the freezer controller when using cgroups v2
- honor unspecified minor/major number for devices when using cgroups v2
- reintroduce --no-pivot
- do not add a cgroup path again if it was already specified in the
OCI configuration