Releases: containers/crun
1.17
- Add `--log-level` option. It accepts `error`, `warning` and `error`.
- Add debug logs for container creation.
- Fix double-free in crun exec code that could lead to a crash.
- Allow passing an ID to the journald log driver.
- Report "executable not found" errors after tty has been setup.
- Do not treat EPIPE from hooks as an error.
- Make sure `DefaultDependencies` is correctly set in the systemd scope.
- Improve the error message when the container process is not found.
- Improve error handling for the mnt namespace restoration.
- Fix error handling for `getpwuid_r`, `recvfrom` and `libcrun_kill_linux`.
- Fix handling of device paths with trailing slashes.
1.16.1
1.16
- build: fix build for s390x.
- linux: fix mount of special files with rro. Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.
- Fix sd-bus error handling for cpu quota and period props update.
- container: use relative path for rootfs if possible. If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.
- wasmedge: access container environment variables for the WasmEdge configuration.
- cgroup, systemd: use MemoryMax instead of MemoryLimit. Fixes a warning for using an old configuration name.
- cgroup, systemd: improve checks for sd_bus_message_append errors.
1.15
What's Changed
- fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
- linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
- release: build s390x binaries using musl libc.
- features: add support for potentiallyUnsafeConfigAnnotations.
- handlers: add option to load wasi-nn plugin for wasmedge.
- linux: fix "harden chdir()" security measure. The previous check was not correct.
- crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.
New Contributors
- @Ecordonnier made their first contribution in #1448
- @martinetd made their first contribution in #1456
Full Changelog: 1.14.4...1.15
1.14.4
1.14.3
1.14.2
1.14.1
- There was recently a security vulnerability (CVE-2024-21626) in runc that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is outside the container rootfs. While crun is not affected directly, harden chdir by validating that we are still inside the container rootfs.
- container: attempt to close all the files before execv(2). Closing them ensures that a leaked fd cannot give the exec'd process access to files outside the container rootfs through /proc/self/fd/$fd.
- Fix a regression caused by 1.14 when installing the ebpf filter on a kernel older than 5.11.
- cgroup, systemd: fix segfault if the resources block is not specified.
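The chdir hardening described in the 1.14.1 entry, as an added example that is not crun's own code: after chdir(2) the new working directory is checked by inode, walking `..` until the rootfs inode is met, so a directory that lies outside the rootfs is rejected even when the path string used to reach it carries the rootfs prefix. `safe_chdir`, `run_demo` and the temporary directory layout are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define SAME_FILE(a, b) ((a).st_dev == (b).st_dev && (a).st_ino == (b).st_ino)

/* Walk ".." from the cwd: 1 once the rootfs inode is met, 0 if the walk stops at the
   process root without meeting it (cwd is outside the rootfs), -1 on error. */
static int cwd_is_under(const struct stat *root_st) {
    int fd = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (;;) {
        struct stat st, pst;
        if (fstat(fd, &st) < 0) { close(fd); return -1; }
        if (SAME_FILE(st, *root_st)) { close(fd); return 1; }
        int parent = openat(fd, "..", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        close(fd);
        if (parent < 0 || fstat(parent, &pst) < 0) { if (parent >= 0) close(parent); return -1; }
        if (SAME_FILE(st, pst)) { close(parent); return 0; } /* ".." stopped moving: at "/" */
        fd = parent;
    }
}

/* Hardened chdir (assumed helper): chdir, then verify by inode rather than by path string
   that the new cwd is still inside rootfs; undo the chdir and fail with EXDEV if it is not. */
int safe_chdir(const char *rootfs, const char *path) {
    struct stat root_st; int prev = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (prev < 0) return -1;
    if (stat(rootfs, &root_st) < 0 || chdir(path) < 0) { close(prev); return -1; }
    int under = cwd_is_under(&root_st);
    if (under != 1 && fchdir(prev) < 0) under = -1; /* restore the previous cwd before failing */
    close(prev);
    if (under != 1) { errno = EXDEV; return -1; }
    return 0;
}

/* Constructed scenario: rootfs/work is inside; rootfs/escape is a symlink to a directory outside
   rootfs, so a prefix check on the path would pass but the inode check must reject it.
   Returns 3 when the inside path is accepted and the escaping path is rejected. */
int run_demo(void) {
    char base[] = "/tmp/crun-chdir-XXXXXX", root[64], in[64], out[64], link[64];
    if (mkdtemp(base) == NULL) return -1;
    snprintf(root, sizeof root, "%s/rootfs", base); snprintf(in, sizeof in, "%s/work", root);
    snprintf(out, sizeof out, "%s/outside", base); snprintf(link, sizeof link, "%s/escape", root);
    if (mkdir(root, 0700) || mkdir(in, 0700) || mkdir(out, 0700) || symlink(out, link)) return -1;
    int result = safe_chdir(root, in) == 0 ? 1 : 0;
    if (safe_chdir(root, link) < 0 && errno == EXDEV) result |= 2;
    if (chdir("/") < 0) return -1;
    unlink(link); rmdir(in); rmdir(out); rmdir(root); rmdir(base);
    return result;
}
```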
1.14
- build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
- cpuset: don't clobber parent cgroup value when writing the cpuset value.
- linux: force umask(0). It ensures that the `mknodat` syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration.
- ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
1.13
- src: use O_CLOEXEC for all open/openat calls
- cgroup v1: use "max" when pids limit < 0.
- improve error message when idmap mount fails because the underlying file system has no support for it.
- libcrun: fix compilation when building without libseccomp and libcap.
- fix relative idmapped mount when using the custom annotation.