6 Commits

Author SHA1 Message Date
Bruce Ashfield
51c195d761 crun: switch branch to main
crun has renamed master -> main, so we adjust our fetching to
match.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2021-05-19 08:48:11 -04:00
Bruce Ashfield
144d1ae897 crun: use REQUIRED_DISTRO_FEATURES to indicate systemd dependency
crun has a hard dependency on systemd, we need to add it to the
recipe to avoid failing package QA checks.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2021-04-26 11:17:27 -04:00
Bruce Ashfield
cbec1240f9 crun: bump to latest
As part of this update to crun, we now must run autogen.sh before
running configure.

Otherwise, these are incremental changes and comprise the following
commits:

   9effaeb On exec, honor additional_gids from the process spec, not the container definition
   c25a2db tests: add explicit python3-pip dependency
   e67a756 NEWS: tag 0.19
   18c0274 gitignore: update
   471a7b8 libocispec: update from upstream
   f642968 tests: fix check for cgroup v2
   3e7fa1d linux: always remount bind mounts
   78aeac9 linux: ignore unknown capabilities
   f11d742 Add linuxdevicecgroup to maintain parity with runc spec
   9aa382b cgroup: skip parsing empty file
   d9c9fd0 container: initialize tmp_err
   00371ae src: initialize statx struct
   2e88d19 src: initialize first_arg
   5e4efb7 seccomp: always NUL terminate lowercase_arch
   7812572 tests: add test for seccomp listener
   f80e98d init: add check for seccomp listener
   5d9010b init: fix check for nargs
   5a627f4 seccomp: support notify listener
   c3361c1 status: use function to convert from yajl errors
   873b62d container: use new error function for hooks JSON
   14083ab error: new function to convert from yajl errors
   6e19235 linux: pass own pid to container process
   8fd3320 contrib: new tool to test seccomp notifications
   8722858 crun: always use absolute path for the bundle
   ae9ea92 container: improve OOM error message
   919aac9 utils: receive fd detect closed connection
   a52e480 cgroup: new function to detect OOM
   2e37d2a sync-libocispec
   75ad96b Let autogen.sh generate m4
   14c260f libcrun_warn if newuidmap/newgidmap invoke fails
   5598401 README.md: drop pids limit comparison
   9ea6857 github: add fuzzing test
   0fd03ba tests: add container image for fuzzing libcrun
   bbd5c7d fuzzer: reap child processes
   c7350ef tests: add more fuzzing tests
   816f95b fuzzer: merge two tests
   effa508 linux: cleanup zombie on errors
   b32f1eb linux: release only on error
   5ca72f5 status: attempt open again on interrupts
   9b5d4c1 Added static analysis Adding clang compilation Fixing comparison of integers of different signs
   3b199ef Update GNUmakefile
   dcd1a34 linux: label the tmpfs for masked directories
   edf7f15 seccomp: check if the action supports errnoRet
   bc222b6 seccomp: fail if no default action specified
   0c5b920 seccomp: honor default errno value
   92c0afe yajl: support static link of containers/yajl
   f3d920d src: fix unitialized variable
   7d89a02 src: add error check
   765971c status: fix memory leak on error
   31274d8 utils: fix check for fd
   62d1c4d tests: add test to feed honggfuzz
   ab75091 ebpf: return the program instead of NULL
   8b16552 src: check if seccomp is defined
   f721efb container: fix error ownership
   4472e35 container: allow config from memory
   6b369b8 container: fix memory leak
   0fede0f container: initialize variable
   2b6c0b6 container: fix dereference of def->linux if NULL
   1dd9b5b container: check for def->process before deref
   1b1a691 fix: cross-compiling for Android
   b25cb2d tests: add device access test
   86251b0 ebpf: handle access(dev_name, F_OK) call correctly
   e2d79dc fix: access violate if ret < -2
   4f35406 cgroup: read controllers from /proc/self/cgroup

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2021-04-12 15:15:39 -04:00
Bruce Ashfield
2eda91539f crun: update to 0.18
Bumping to the release, which pulls in the

   808420e release: distribute CHECKSUMS file
   c2b0064 build-aux: provide arm build without systemd
   7cc03f7 .gitignore: update file
   f5274bd NEWS: tag 0.18
   94e8364 src: add missing definitions
   baed691 libocispec: sync from upstream
   8d0ebf6 Add arm64 static binary build
   b66d5d9 tests: fix make check in a user namespace
   e10205e linux: remove temporary mount logic
   7819f4c linux: use targetfd for move_mount
   891cd3c linux: use safe_openat for masked/readonly paths
   6c5577f linux: use new function
   9aa264d utils: add function to safely create and open
   436daef src: add function to cleanup container struct
   c955ece src: pull function out
   7bd51a0 build: check for linux/openat2.h
   dcb1914 utils: add function to remove initial slashes
   a1c958c utils: memoize check result
   25c6f07 container: rename function to get_root_in_the_userns
   f08bd31 src: fix leak of the descriptors buffer
   df88061 tests: disable more Podman flaky tests
   052bab7 utils: set HOME to root if the user not found
   efe35f1 linux: ignore ENOSYS on keyctl
   1b65163 tests: enable asan sanitizer
   a0f322a tests: build init always statically
   a656698 configure.ac: allow to disable dl support
   6adb26b tests: disable hooks_stdin for oci-validation
   06199c7 tests: update to podman 3.0
   bc888b9 tests: disable podman pull test
   f1373f9 tests: install crun under /usr/bin
   257f442 Fix permission error when using both user namespaces & NOTIFY_SOCKET
   617a212 cgroup: skip +cpu on EINVAL in cgroup root
   b6ac8de linux: use safe_openat for tmpcopyup
   2d1f910 utils: avoid reopening the root during lookup
   3ce74e8 utils: fix symlink lookup
   cbb67ae container: set working directory for libkrun
   df01709 seccomp: custom annotation to load raw bpf
   b229dca linux: refactor allocate_tmp_mounts
   68bb50f linux: disable temporary mounts with [r]slave
   d6ae36b libocispec: update from upstream
   487e792 github: enable clang-format checks
   61d6844 src: run make clang-format
   1d559d0 clang-format: change ColumnLimit to 0
   643d05b linux: disable temporary mounts with [r]shared
   de6082f cgroup: fix conversion from blkio to io
   1db8312 Update nix pin with `make nixpkgs`
   540444c Makefile.am: crun depends on libocispec.la
   1df96e5 linux: fix build without CLONE_NEWCGROUP

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2021-02-24 13:50:05 -05:00
Bruce Ashfield
4a16ba75b1 crun: update to 0.17
We bump crun, and its dependency repositories to their latest
revisions.

Along with the code changes, we have a new systemd dependency
(or the build fails), and the License was incorrectly set to
GPLv3 previously, and we correct it to v2 as part of this update.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2021-02-06 13:27:53 -05:00
Bruce Ashfield
a6ae07c0d3 crun: introduce crun (OCI runtime provider)
Create the initial recipe to provide crun as an alternative OCI runtime
provider.

This currently has a dependency on seccomp, but it would be nice if we
can make that optional in the future to avoid pulling in all of
meta-security as a dependency.

Example:

  % skopeo copy docker://busybox oci:busybox-oci:latest
  % mkdir busybox-bundle
  % oci-image-tool create --ref platform.os=linux busybox-oci busybox-bundle
  % cd busybox-bundle/
  % rm config.json
  % runc spec
  % runc run foo
^D
  % crun run foo
^D

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2019-10-13 11:11:35 -04:00