mirror of
git://git.yoctoproject.org/meta-virtualization.git
synced 2025-07-19 20:59:41 +02:00
fc423a7cb8
43 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
0b47478ebc |
crun: update to 1.19.1
Bumping crun to version 1.19.1-13-g6f010b5f, which comprises the following commits: 25efd10a Remove surplus ENOENT error check 99f2824f utils: return error from set_home_env() if the user was not found 3158e491 criu: improve error handling for CRIU function calls 3cd9c2c9 criu: do not set network_lock if not specified a542ecc7 github: enable unprivileged userns 38122ac9 test: fix compiler warnings ec5947ce TMT: Add sanity tests from c9s downstream d08e304a Packit: Remove RHEL jobs 3e32a70c NEWS: tag 1.19.1 8b972be9 linux: fix a hang if there are no reads from the tty e50e47ca libcrun: add ring buffer implementation 20ec0982 utils: extend epoll_helper to monitor writeable fds 77a72bdf utils: use bool for set_blocking_fd() 5f9ca9eb utils: skip copy_file_range if not usable e2380490 tests: adjust test to upstream code d7933486 build-aux: use an init process for the nix container 0ec1522b nix: update packages list 9b014718 Generated crun.1 d700d9db Add missing periods at the end of sentence 1832c170 linux: remove tmpmount workaround 9e3615a4 ci: build tests_libcrun_fuzzer before fuzzing 6b2e6193 build: use libtool to create libcrun_testing 3c5292b2 build: don't compile tests during normal build db31c42a NEWS: tag 1.19 c4f8c87a checkpoint/restore: allow passing network lock method to libcriu 1942efc9 Handle case where cgroup v1 freezer is disabled b366a785 wamr: revitalize wamr handler 21219504 cgroup, systemd: do not override devices on update d1531073 error: 'CHAR_BIT' undeclared. 
fix compile failure with musl libc 5d66b309 build: Don't build cloned_binary as part of crun fd69065d test: add new test for exec-cpu-affinity b941d6c5 linux: move reset cpu affinity to scheduler ef33259c linux: honor exec cpu affinity mask 047b7485 src: move cpuset_string_to_bitmask to utils 2c8088c4 libocispec: sync 42b959b5 container: initialize max caps before accessing process block 46bd62b1 cgroup: do not stop process on exec 19bbd8da utils: silence compiler warning Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
755520c5fd |
crun: update to 1.18.2
Bumping crun to version 1.18.2-17-g52ed5880, which comprises the following commits: fd69065d test: add new test for exec-cpu-affinity b941d6c5 linux: move reset cpu affinity to scheduler ef33259c linux: honor exec cpu affinity mask 047b7485 src: move cpuset_string_to_bitmask to utils 2c8088c4 libocispec: sync 42b959b5 container: initialize max caps before accessing process block 46bd62b1 cgroup: do not stop process on exec 19bbd8da utils: silence compiler warning 8a0ee4b5 src: use mount API to self-clone 85d4db3d crun: check for integer overflow 10b2146e linux: add check before deref 2525752d cgroup: drop unuseful check 1ae190b0 src: run make clang-format 00ab38af NEWS: tag 1.18.2 5bc6b50e cgroup, systemd: fix first rule selection for systemd c41f034f NEWS: tag 1.18.1 6628d7a3 utils: check for snprintf truncation 7c4a3f9c cgroup: skip DevicePolicy if all devices are allowed ef60ec90 libcrun: deprecate cgroup v1 77e4233a cgroup, systemd: ignore rules before a default deny one 8a30a57a cgroup: ignore redundant deny dev cgroup rules 369dd95b CONTRIBUTING.md: new file 3647ecab linux: copy map_file before tokenizing in uidgidmap_helper 8656b254 NEWS: tag 1.18 bf0a3516 rpm: use embedded yajl in RHEL builds 41461290 crun.1.md: add lsm-profile and lsm-mount-context ed642593 criu: load lsm functions ce89aa66 restore: add lsm-mount-context option 9efd6a87 restore: add lsm-profile option aee13711 github: update run-on-arch-action c4a65aad cgroup: split lines when writing raw unified files dd7adb22 cgroup: write_cgroup_file_or_alias uses write_cgroup_file 22b018d0 cgroup: convert block_io devices to IODeviceWeight c7745e9a cgroup, systemd: add support for IODeviceWeight 8e3e693e cgroup: refactor handling of io.weight 7d0e2cdb cgroup: report errors if value contains not parsed data efae52ab cgroup: add support for the misc controller d55194b2 cgroup systemd: ignore unsupported properties 500cf802 cgroup, systemd: honor cpu.idle 5f64da6a linux: pass down state_root to the cgroup 
handler 80d9677b cgroup, systemd: honor memory.zswap.max 01fa4993 cgroup: specify devices rules to systemd 667442e4 cgroup: move standard devs definition in a common place 335d8cfb cgroup: specify TasksMax to systemd f6d8373f cgroup: specify MemorySwapMax to systemd 1a04566d cgroup: specify MemoryLow|MemoryHigh|MemoryMin to systemd 8d90eb3a cgroup: use macro to refactor common pattern 34061ab5 add duplicate namespace detection b29ccd7e cgroup: rename function af034b91 cgroup: special handle value "max" 2825a579 cgroup: set io weight on systemd owned cgroup 6cf5324b Packit: constrain koji and bodhi jobs to the fedora package 7140aea1 nix: replace gitMinimal with git 27b5a2f6 Fix running on kernel without user namespaces b5ff44f2 nix: update list of packages 3b40d773 build: specify --extra-experimental-features to nix da616875 release.sh: update nix image dee824e6 Fix segfault in `crun features` 4ea62f25 Disable criu support on riscv64 Bumping libocispec to latest, which comprises the following commits: ed23e6a runtime-spec: sync from upstream 412ce10 image-spec: sync from upstream 4b8feed common: make sizeof the last argument for calloc Bumping image-spec to version v1.1.0-44-gc66e811, which comprises the following commits: 40d3096 add example using .wh. 
and move opaque example to its section cee95e9 Ignore uname/gname where uid/gid are supported d44515e Changes requested from review 5db69d9 Feat: Pin external references on a release 76b8bae README: update runtime-spec links to use main branch 716f83b Implementations should support zstd Bumping runtime-spec to version v1.2.0-23-g9505701, which comprises the following commits: 9ceba9f update http links to https faf82be doc: fix the invalid hyperlink naming-a-volume adaa517 config: simplify final CPU affinity rule 119ae42 Add CPU affinity to executed processes 2149fb5 config-linux: describe the format of cpus and mems c6af124 ci: remove redundunt actions d4aa6d8 chore: format JSON file `make -C schema fmt` b983fbf CODEOWNERS: remove vbatts bf698d0 MAINTAINERS: move vbatts to EMERITUS Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
5dfe66298a |
crun: conditionally offer runc binary via symlink
When integrating into some container stacks (such as containerd), the detailed configuration toml changes to change the container runtime from runc to crun are not always trivial. To avoid (for now) carrying configuration snippets as part of the recipes, we can symlink runc to crun as crun is fully compatible with runc. Note: this means you can't have runc and crun installed on the same image if the symlinking is done. Hence why this symlinking is conditional. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
7ea990b79d |
crun: update to 1.17
Bumping crun to version 1.17-5-g4b75c7c, which comprises the following commits: 4ea62f2 Disable criu support on riscv64 969fd2e Packit: Create missing path components in files_to_sync 000fa0d NEWS: tag 1.17 e3b5a26 Packit: Reuse Fedora targets wherever possible 556b808 Packit: separate out ELN build jobs a5320ae Add debug logs for container creation 228ad7c container: remove manual dup operation 13ea475 libocispec: sync from upstream 3dbf152 error: do not write error twice to stderr 5e35dfe libcrun: vanity, color debug messages 2c4db99 linux: ignore EPIPE for hooks 7fcede6 RPM/Packit: Fix wasm conditionals, cleanup rpm spec, update packit config 0f556b7 build: force install symlinks 23d5e49 Fix warning around unused result on chdir("/") 6bf9e7c Report executable not found errors after tty has been setup a295e70 Only log to stderr if `--log` is not provided fb593fc fix getpwuid_r error handling d29fdae tests: bump containerd version f36c216 tests: bump ubuntu version d065a5a Revert "Add `--log-stderr` option" dc31069 src/libcrun: fix handling of device paths with trailing slashes ab64a5c linux: fix recvfrom error handling a32d433 Fix `additional_gids_size` on `process_user_dup` b98e0dd Add `--log-stderr` option 544fe3f Allow passing an ID to journald log driver 6d92b28 Log only after crun context has been setup 29259e4 Add log options documentation f72483a Fix double-free in crun exec e4b4a21 src/libcrun: fix error handling in libcrun_kill_linux 83c1355 src/libcrun: improve error handling for the mnt namespace restoration 6fb1f08 src/libcrun: added custom error message for ESRCH case 9f06d3c Add autoPatchelfHook to static build 19b9893 Add `--log-level` option fd7f50a tests: fix wasmedge build 0380369 Remove libcrun_setup_terminal_ptmx 1edf6d0 src/libcrun: ensure DefaultDependencies respects CRI-O annotation 42b0b99 configure.ac: fix condition for wasm detection afa829c NEWS: tag 1.16.1 c6ecb3b linux: attempt to make rootfs private too 109f1e9 container: fix comment 
f23aaa1 linux: fix error message 72b4eea Inherit user from original process on exec cf1ec33 cgroup-utils: check for open error a958fcd cgroup-systemd: fix comment 7112df4 cgroup: remove redundant check 3bcd26a Use write_file_at_with_flags in write_file_with_flags 2dc1598 NEWS: tag 1.16 bfa0640 Add more O_PATH flags 0613ec5 cgroup-systemd: check for sd_bus_message_append error fcfac99 Fix sd-bus error handling for cpu quota and period props update. 6682432 linux: make_parent_mount_private uses fds 5943335 container: use relative path for rootfs if possible 27d7dd3 README: update podman demo f916acf Enable systemd in s390x builds e6eab76 wasmedge: access container environment variables for WasmEdge configuration Bumping libocispec to latest, which comprises the following commits: 4b8feed common: make sizeof the last argument for calloc 2ba727a sources: silence compiler warning 3ec73ba generate: generate clone operations for deep-copy d371222 ocispec: fix style 2236d50 github: test with the embedded yajl library bed19ad configure.ac: --enable-embedded-yajl skips check for yajl b633f89 Makefile.am: distribute the src/yajl symlink Bumping image-spec to version v1.1.0-35-gda92727, which comprises the following commits: 716f83b Implementations should support zstd 7327da4 Add deprecation notices to nondistributable layers 1d3daab Update linter and Go releases 16101e2 Remove misleading "must" in `ref.name` requirements 65dea7a Remove IRC link a977bd3 Remove validation warnings to stdout 4bbdd7f Switch jsonschema validation libraries 89fee07 MAINTAINERS: move jonboulle to EMERITUS Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
75b6a5cf61 |
crun: Add PACKAGECONFIG options
Neither systemd nor seccomp is hard required by crun. They can actually be disabled during configuration with --disable-systemd or --disable-seccomp. Introduce PACKAGECONFIG options for them and default them to presence of corresponding entries in DISTRO_FEATURES. Now REQUIRED_DISTRO_FEATURES and features_check can also be removed. Similarly dependency on libcap can be made optional. crun actually contains pregenerated manpages in the repository so dependency on go-md2man-native can be made optional as well. As there is a configuration option for embedding yajl I added an option for that as well. However, as PACKAGECONFIG can only specify dependencies when config is enabled I had to invert the options so the config is for external-yajl. I set default PACKAGECONFIG value to match previous state (except detecting if systemd and seccomp are in DISTRO_FEATURES). Signed-off-by: Michal Sieron <michalwsieron@gmail.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
099e911253 |
crun: update to v1.15-tip
Bumping crun to version 1.15-51-g6c158dd, which comprises the following commits: e6eab76 wasmedge: access container environment variables for WasmEdge configuration 0475016 restore: update console-socket option description 9861254 tests: bump wasmedge to 0.14 fd6b748 cgroup: use MemoryMax instead of MemoryLimit 3980447 nix: upgrade dependencies 526f959 test: pass volume for /var/lib/containers adb5cb3 linux: improve error message on EACCES 474bc17 remove duplicate initialization cgroup manager in the cgroup args cb947d0 tests: use vault.centos.org 61fdfc6 tests: skip push tests with podman 42b9fd1 [crun run] Avoid setting crun_context.handler redundantly 976029a libcrun: fix error message argument ca42c18 RPM: Remove wasmtime support 6879c4c Packit: enable epel9 on c9s targets to fetch wasmedge 315f732 RPM: no separate krun symlink creation 0b33840 Downstream: Add rpm/gating.yaml to handle downstream gating tests c017ce5 Packit: sync downstream gating test files on every upstream release e452395 TMT: rewrite podman revdep tests to be usable without CI 163037a tests: fix issues reported by shellcheck 4cbab15 RPM: Fix epoch value for copr builds fd745e0 dist: install symlinks as part of make install 9533613 ci: Cancel in progress tests on updates c6c1c7f crun run --help: say --no-subreaper is ignored Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
bad7f6f1d8 |
crun: update to v1.15
Bumping crun to version 1.15-13-g700e2ed, which comprises the following commits: c6c1c7f crun run --help: say --no-subreaper is ignored 8801bc4 github: disable CentOS 10 tests 5f0643c github: fix running tests on CentOS 10 d795081 tests: build on CentOS 10 without yajl f00fa22 libocispec: sync from upstream dd9428b blake3: initialize chunks_array 8c80ab9 utils: initialize fd 81b8f45 linux: fix mount of special files with rro e6eacaf NEWS: tag 1.15 08b5e78 Packit: Enable c10s downstream sync, rhel / centos separation in tests 4618d50 status: rmdirfd: try harder to remove mount points c72bf7f linux: cgroups: cleanup unused mount if move failed ff321e1 tests: install slirp4netns a946f04 utils: fix a compiler warning aa72cc4 Packit/TMT: add centos-stream-10, cleanup tests f39bc4a tests, oci-validation: use perl tap driver f5548f2 tests, oci-validation: use tap-18 18e84a1 tests, oci-validation: use git clone 49090f2 Build s390x binaries using musl libc 307d35e Fix clang format test 4b8f7c9 build(deps): bump uraimo/run-on-arch-action from 2.7.1 to 2.7.2 e6a8d51 libocispec: update 1809973 tests: use npm-18 475a3fd features: add support for potentiallyUnsafeConfigAnnotations 4f5479e src/libcrun/handlers: add option to load wasi-nn plugin for wasmedge 631e767 release: use zstd instead of xz 0722689 release.sh: generate .zst release instead of .xz 3ad68ed linux: fixup libcrun_safe_chdir 699564b rpm: remove eln macro f50da23 Packit: reuse non-RHEL failure message notification on RHEL 0b7fc08 packit: podman reverse dependency tests 820471a libocispec: use runtime-spec v1.2.0 9eea9ff cgroup: make error clearer 59ad70a container: validate option flags 7918dca container: split create and run options 8894495 crun: add option --keep to run 35dccc3 libcrun, run: add option to not delete containers a220ca6 NEWS: tag 1.14.4 6cd74cb Add support for s390x 5884fd4 linux: fix mount of file with recursive flags b9e87e7 tests: test bind mounts of files crun/ocispec: update to latest 2236d50 
github: test with the embedded yajl library bed19ad configure.ac: --enable-embedded-yajl skips check for yajl b633f89 Makefile.am: distribute the src/yajl symlink 86650dc fix compilation error with clang++17 20d3936 helpers.py: remove __str__() afed951 generate.py: fix some typos daeb197 runtime-spec: use version v1.2.0 66f6f71 optimize writefile e9a99a8 Optimize headers writefile 7a5f2b6 Refresh strings format sources 210f4d3 Refresh strings format headers b085839 runtime-spec: update crun/ispec: update to v1.1.0 535d657 Fix a typo in the annotations spec 89fee07 MAINTAINERS: move jonboulle to EMERITUS f17d647 CODEOWNERS: remove vbatts 818209a MAINTAINERS: move vbatts to EMERITUS 652ec7c Add note about `ImageID` to the `config` section of `manifest.md` 2d95dde Reformat "Platform Variants", especially to add amd64, ppc64le, riscv64 e191267 Update Go versions in release scripts 4da0cfc Update GitHub Actions packages to resolve warnings in CI a32e6c3 Pin golangci-lint for Go v1.20 8baa69b media-types: Fix broken links 0a41c19 version: bump back to +dev e7f7c0c version: release v1.1.0 d0f90e6 Clarify that subject references a separate DAG 8b1e951 version: bump back to +dev 6c2b5fa version: release v1.1.0-rc6 53d9855 new section for projects no longer maintained b391bc0 fix: SPDX licenses URL dd66b54 Test older versions of Go with toolchain=local 93f6e65 Makefile: remove stray trailing space (#1126) d881fa8 deps: remove deprecated github.com/pkg/errors (#1125) 072574d add ORAS to implementations.md 9954739 specs-go: group MediaTypes 344b098 fix markdown table formatting c7a064f Update supported Go range to 1.19 - 1.21 f0ef80e version: bump back to +dev 1e54f01 version: release v1.1.0-rc5 061cba3 Fix golangci-lint install on older versions of Go a2a5750 Add step to update website after a release 0c1622e Add `riscv64` arch to `check{Architecture|Platform}` e6a75e6 Provide a decision tree for artifacts 9ac8f92 Quote lint-md wildcard expression a6af2b4 Add a markdown 
linter and fix linting issues af9c838 OCI has a distribution-spec 37bac87 Create artifacts guidance ddf2dfd chore(descriptor.md): correct canonicalization reference d36ccf1 MediaType is required in the descriptor f6c60b5 Clean up the markdown in considerations da8994a Cleanup broken links and markdown spacing 56877ad Remove deprecated golangci lint checks b29a06c Hacking markdown and Makefile cleanup 73aca56 Cleanup markdown in governance fd95ded Fix label schema link aed07a8 Test subject field in index 8620a49 version: bump HEAD back to +dev 82e8329 version: bump for release of v1.1.0-rc.4 988df0a specs-go: remove artifact prefixed annotations a845c7a image-index: add artifactType to specs and schema 73f386c Add constants for "index.json" and "blobs" 25fc553 Switch from scratch to empty 749ea9a Add artifactType to image index 32036d8 Apply version change from #1050 e13840d Add language from artifacttype field to forbid allowlists of media types 77efc6e spec: clarify descriptor, align with de facto artifact usage c6854a6 image-index: add the `subject` field crun/rspec: update to v1.2.0 b983fbf CODEOWNERS: remove vbatts bf698d0 MAINTAINERS: move vbatts to EMERITUS 12b653d Update golangci-lint to v1.56.1 in CI 8547911 Add Go v1.21 and v1.22 to GitHub Actions CI matrix 1a729af Update GitHub Actions packages to resolve warnings in CI 65cd1f8 Back to +dev 36852b0 version: release v1.2.0 021ba94 config.md: allow empty mappings for [r]idmap 5e98fec features: add potentiallyUnsafeConfigAnnotations cabeea7 specs-go: mark LinuxMemory.Kernel as deprecated 4005c81 specs-go: add missing deprecation comment for Hooks.Prestart 2f6b090 config: improve bind mount and propagation doc 0ec4e6b fix link to hooks in features 6ffddf6 mount: Allow relative mount destinations on Linux f329913 features-linux: Expose idmap information 7b8eb69 config: add reference to mount_setattr(2) for idmapped mounts 2547bb0 config: add idmap and ridmap mount options 3f552ce version: release v1.1.0+dev 
0625254 version: release v1.1.0 d56ba70 ChangeLog: squash v1.1.0-rc.1...v1.1.0 5430e36 ChangeLog: Document changes since v1.1.0-rc.3 2bd22fa features.md: add a note to avoid confusion about annotations 5612d21 Remove outdated meeting.ics 085728a README.md: update chat information 8b4cadd version: v1.1.0-rc.3+dev ae35e39 version: release v1.1.0-rc.3 d8be1e3 ChangeLog: Document changes since v1.1.0-rc.2 1beaf68 CODEOWNER: Add Toru Komatsu(@utam0) to sync with MAINTAINERS fccfb09 config: add support for org.opencontainers.image annotations Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
4ec4055f38 |
crun: update to v1.14.3
Bumping crun to version 1.14.3-8-g89d4446, which comprises the following commits: 5884fd4 linux: fix mount of file with recursive flags b9e87e7 tests: test bind mounts of files e81086b rpm: Use relative, not absolute, symbolic links 9079a6d release: enable parallel builds 1961d21 NEWS: tag 1.14.3 0860c0f crun: really drop version check 32b139f NEWS: tag 1.14.2 4532a38 crun: drop check for OCI version de537a7 NEWS: tag 1.14.1 fdb41c3 linux: initialize options variable 31b08fc container: do not leak capabilities buffer 1716fde container: do not leak version_string e72f3bc container: fix leak of mount_options_list 242bb34 cgroup: do not leak dirfd deffa39 cgroup: fix leak of cpus/mems string buffer 3df8f0c Add force_no_cgroup & no_pivot arguments to make_context() Python function b883e6c Make function arguments valid Python identifiers e0027bc Add no_new_keyring argument to make_context() Python function Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
799c5a90b7 |
crun: remove unneeded deps
These two deps do not affect the build result and are not used, remove them. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
2118aace8f |
crun: update to v1.14
Bumping crun to version 1.14-19-g9d01392, which comprises the following commits: 3df8f0c Add force_no_cgroup & no_pivot arguments to make_context() Python function b883e6c Make function arguments valid Python identifiers e0027bc Add no_new_keyring argument to make_context() Python function cb3ffb5 apparmor: Fix wrong determination whether crun is confined adb912d linux: harden chdir() f157e80 container: attempt to close all the files before execv(2) ed1abf9 container: simplify statement 3aaadf3 ebpf: add fallback when bpf(2) fails with ENOSPC f2ade60 ebpf: add fallback when bpf(2) fails 8b611f2 ebpf: try harder to bump RLIMIT_MEMLOCK d88d77e build(deps): bump uraimo/run-on-arch-action from 2.6.0 to 2.7.1 f70fe0b cgroup, systemd: fix segfault if resources not specified 667e6eb NEWS: tag version 1.14 688f186 build(deps): bump actions/cache from 3 to 4 8d96f08 build: drop gcrypt dependency 5221ca8 seccomp: use blake3 instead of libgcrypt 6d9fa42 cpuset: don't clobber parent cgroup value 3873541 build: embed blake3 hashing function 4f1f3d4 seccomp: include default_errno_ret in cache digest beb9565 utils: remove unneeded if statement 9306457 ebpf: do not require MEMLOCK for eBPF programs 87740ce linux: force umask(0) 5078ce6 apparmor: stack apparmor profiles if nnp and confined c761349 NEWS: tag 1.13 cb53ac2 build(deps): bump actions/upload-artifact from 3 to 4 94a5950 cgroup: use "max" when pids limit < 0 3b819bc Improve error msg on idmap mounts bace3a2 build(deps): bump github/codeql-action from 2 to 3 4ddf5e6 criu: remove unneeded if statement 8c27dea error: reset pointer after vasprintf failure c5643c4 status: fix double free ece4f9e utils: return a valid error if access fails 68a9487 list: initialize variable ea27b13 libcrun: fix compile error without libseccomp and libcap 487ba3a fix checking of relative idmapped mount 49f439d ctx: drop no_subreaper bool Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
8c6303bb83 |
crun: update to v1.12
Bumping crun to version 1.12-19-g90b21dd, which comprises the following commits: 49f439d ctx: drop no_subreaper bool b5ad30f krun: fix use of uninitialized integer 7c5a32a criu: do not set CLOEXEC on fds to inherit c9e23a8 criu: fix error return value 501aa98 handlers: Fix -Werror=unused-parameter build error for spin c9014f8 src: use O_CLOEXEC with pipes 3ad89be src: use O_CLOEXEC for all open/openat calls 0f0d5be src: close std streams on exec 08b7d33 build(deps): bump uraimo/run-on-arch-action from 2.5.1 to 2.6.0 2ad31d4 linux: fix error string ce429cb NEWS: tag 1.12 08d9fea preconfigure cpuset with required resources a18356e README.md: update the correct Nix channel da991db utils: try attr/<lsm>/* before attr/* 616aea7 feat: add spin handler 172bbd0 container: move dereference after check 2cc04ea systemd: fallback to system bus Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
2e11f93ab4 |
crun: update to v1.11.2
Bumping crun to version 1.11.2-7-gff2b74f, which comprises the following commits: 2cc04ea systemd: fallback to system bus 767ba88 Fix build without libcap 98d9cc9 systemd, cgroup: configure cgroups before joining them ab0edee NEWS: tag 1.11.2 c965462 src: fix codespell error 267f2c5 make: fix clang-format 6e65f5e cgroup: fix crash on cgroup v1 without cpu resources 57e6f9c terminal: adopt ptsname_r POSIX specified return value 6674353 fix: remove the redundant header file 1084f95 NEWS: tag 1.11.1 4cbc9ad linux: force remount with mounts from parent 11f8d3d NEWS: tag 1.11 f8e4f4e cgroup: honor cpu burst 8b44699 systemd: set CPUQuota and CPUPeriod on the scope 5a0ede2 systemd, cgroupv1: set the cpuset data also on the scope 20bb4aa systemd, cgroupv2: set the cpuset data also on the scope 970d20e tests: fix ioprio test 3b874c2 linux: append tmpfs mode if missing for mounts 863008d init: add new function to check file mode 7c3393c cgroup: always use the user session for rootless c60c9f2 Update nixpkgs c053c83 NEWS: tag 1.10 2cc7390 linux: new mount option "copy-symlink" 33cabe6 tests: fix test name 9ee3460 linux: fix error propagation 53c28d9 utils: export safe_readlinkat a549ce0 tests: skip ioprio tests as rootless 1466b7b linux: Fix -Wunused-result compiler warnings when run './configure' only bdb95d6 features: export intelRDT status e2f9853 update: support update of Intel RDT 05bc600 libcrun: support update of Intel RDT 41ae2a2 libcrun: plug Intel RDT support 52d5faa libcrun: add Intel RDT support functions a7a1af9 container: fix early return Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
c431b46959 |
crun: update to v1.9.2
Bumping crun to version 1.9.2-12-g8af8ee2, which comprises the following commits: bdb95d6 features: export intelRDT status e2f9853 update: support update of Intel RDT 05bc600 libcrun: support update of Intel RDT 41ae2a2 libcrun: plug Intel RDT support 52d5faa libcrun: add Intel RDT support functions a7a1af9 container: fix early return 122f8ae linux: open mounts before setgroups if in a userns 64105d9 Use overlay and single nix derivation 35274d3 NEWS: tag 1.9.2 8f6b76f tests, podman: enable more tests 255268d Reset the inherited cpu affinity after moving to cgroup 745b6d9 tests, podman: run tests on overlay f42e279 tests, podman: get more information on the environment 379b17c tests, podman: avoid deprecated options bd251c9 rpm: do not special case krun man fe4e15d build: install krun.1 only if krun is enabled 0cabf0c rpm: fix manpage installation 67ee730 Packit: notify @containers/packit-build team on failed tasks 1f2769e linux: fix fallback mechanism in a userns a0b7e18 NEWS: tag 1.9.1 bb4e975 utils: partially rewrite improve error message patch 14afa8a utils: fix ignore ENOTSUP when chmod a symlink 0acb237 oci-validation,test: lock tap to @16.3.8 bbb1c87 tests: install device-mapper-devel 75dd83c podman, test: disable more tests failing in the CI 98db1d2 utils: improve error message for ensure_dir 57262a2 utils: ignore ENOTSUP when chmod a symlink 523eed3 linux: add new fallback when mount fails with EBUSY 2239c50 linux: teach MS_MOVE to do_mount c9a1a12 Add man page for krun 8645d1a Fix CentOS 7 Build by Checking if FSOPEN_CLOEXEC exists a538ac4 NEWS: tag 1.9 1e2f0c4 fix: correctly handle unknow signal string 41fa779 crun delete: call systemd's reset-failed 76b80ae fix random errors Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
81fb357125 |
crun: update to v1.8.7
Bumping crun to version 1.8.7-32-gf8fa497, which comprises the following commits: 76b80ae fix random errors d602fc0 build(deps): bump actions/checkout from 3 to 4 d348000 linux: fix check for oom_score_adj 382edc9 wasmer: inherit_stdout instead of capture 5057f98 wasmer: use latest wasix API f60a903 linux: do not join already joined namespaces 46ef792 lua: fixed luarocks package directory structure 0e506e5 linux: add support for ridmap mount option 44e51fa linux: honor rbind f6f92b8 utils: tighten check in check_fd_under_path() 58fa192 fix typos in comments 9e66109 linux + cgroup-systemd: fix error return values 668f5d5 features: Support mountExtensions 1836bed lua: rename variable to fix spelling 2779f02 linux: support arbitrary idmapped mounts 08def0a linux: move function definition forward 53a9996 NEWS: tag 1.8.7 a867e35 lua: fix missing dereference of pointer c90c3ca cgroup-systemd: fix error return value b6c8708 tests: Update expected features output 7c524e7 features: Fix annotations formatting f0054ea src/libcrun: Mark we implement up to OCI 1.1.0 59e2b84 build(deps): bump uraimo/run-on-arch-action from 2.5.0 to 2.5.1 3a50988 use just enough arg_unused to silence -Wunused-parameter 9864f09 Packit: enable eln builds, enable wasmedge on all non-eln builds cf72f8b container: fix error return value 88441d9 linux: simplify setns with pidfd 261a4fa mount_flags.c: regenerate f9f4e06 mount_flags.perf: add get_mount_flags_from_wordlist 387d3ac packit: Build PRs into default packit COPRs 907d032 libcrun: handle SIGWINCH by resizing terminal_fd 57a252b nix: rename `default-nix` to `default-amd64.nix` 5224aa2 build-aux: simplify `release.sh` a7102e8 github: simplify `release.yml` 8908248 Add support for riscv64 arch 31eeb19 cgroup: fix error return value fec9b0f RPM: include criu dependencies 02ee7c4 linux: do not create error twice c786d4c linux: simplify error handling c972772 linux: do not write twice errors 74a3874 linux: use helper functions instead of custom 
read/write 35a0166 linux: define helper to ack on the sync socket c3e518e libcrun: drop symbol for crun_make_error Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
3fe898899f |
crun: update to v1.8.6
Bumping crun to version 1.8.6-11-gd7ee549, which comprises the following commits: c786d4c linux: simplify error handling c972772 linux: do not write twice errors 74a3874 linux: use helper functions instead of custom read/write 35a0166 linux: define helper to ack on the sync socket c3e518e libcrun: drop symbol for crun_make_error 080e560 features: use exported function libcrun_make_error 5c2dedc Make the spec file parseable without copr_username defined 73f759f NEWS: tag 1.8.6 26ef1e0 linux: add sync before sending mounts 71c53b0 RPM: Set Epoch only for Copr builds ee0e405 tests: install procps-ng for podman tests 6a3d7a7 Packit: initial enablement 58bb52c tests: fix cpu-weight-systemd test under a user manager ee111ae tests: skip test_uid_tty if no tty is attached 74dd5f9 tests: use get_crun_path() in oci_features b160e2c cgroup-resources: allow setting swap to 0 19cd8aa ps: fix segfault with pids=NULL Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
feb1d78952 |
crun: update to v1.8.5-tip
Bumping crun to version 1.8.5-40-g56d9d9a, which comprises the following commits: 19cd8aa ps: fix segfault with pids=NULL d006733 features: add wasm annotation 935f4fe tests: add test for oci_features 366af73 src/*: implement features 21b1733 Makefile.am: update clang-format command 9e5a749 libcrun: report when status file not found 84a6599 libcrun: crun_path_exists distinguish ENOENT ef224f9 docs: remove module.wasm.image/variant=compat annotation Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
7e6f503083 |
crun: fix compilation with musl
Requires either libargp or argp-standalone. Signed-off-by: Renato Caldas <renato@calgera.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
de3a655dc0 |
crun: update to v1.8.5
Bumping crun to version 1.8.5-30-g7da99fb, which comprises the following commits: ef224f9 docs: remove module.wasm.image/variant=compat annotation 38f29c2 ci, wasmedge: use --platform wasi/wasm 62e68e2 ci,wasmedge: use latest instead of rawhide 5c9dbca libcrun: return with no-op when io_priority is NULL 755b47a lua: added luarocks packing 1d5748e src: define symbol for /proc/self/timens_offsets c56e556 src: replace /proc/sys/kernel/cap_last_cap with symbol db9274f src: define PROC_SELF_CGROUP and use it 1eeba46 src: quote more strings 8ca1f68 build: add check for atomic_bool e542666 build: add explicit check for atomic_int 43fc74c src: uniform the quoting style 3839e6e src: add missing quotes 0ca1f0b container: do proper cleanup on errors ee3e6f6 tests: add tests for ioprio 63a4f97 src: fix macro check e6306b8 tests: reorder includes edfd0c9 container: support io_priority from the OCI specs 478f047 libocispec: sync b6f80f7 NEWS: tag 1.8.5 a1f9b7d tests: update ubuntu to lunar 026f249 tests: update containerd 6494b69 cgroup: set the memory limit on the system scope 4d2d5b3 cgroup: move code to an utility function c56c3c4 cgroups: fix creating cgroup under "domain threaded" bbee4bc More informative error message for the case where dlopen fails 1ad17f8 Refactor: Restore serial settings for incorrect serial 087db89 scheduler: use definition from OCI 0135eb1 libocispec: update 76ed8df criu: fix memory leak 7a45ba8 ci: temporarily disable cri-o tests a717db7 criu: fix segfault if CRIU_JOIN_NS_SUPPORT is defined 3f972e1 github: try not loading kernel modules bca0b3b linux: check the PID is valid before kill(2) 62b149b tests: skip slow cri-o tests 7bbacf9 fix clang-format c0eb006 src: make clang-format 6639649 lua: fix typo 906142d linux: do not precreate devs with euid > 0 f40d974 Improve whitespace in generated `crun spec` ed25b47 tests/test_exec: don't fail on PIDs < 10000 909ae4d tests: abstract tests/init to get_init_path() df8ee48 criu: check if the criu_join_ns_add 
function exists 5a8fa99 NEWS: tag 1.8.4 898ffb5 tests: fix idmap mount test a2ac2b9 tests: install irqbalance 6b33ec5 tests: drop cri-o tests instead of deleting file 6824924 cgroup: workaround cpu quota/period issue with v1 fc276e6 cgroup: fix set quota to -1 58b394a build(deps): bump lumaxis/shellcheck-problem-matchers from 1 to 2 bf79b09 src: wire the runtime spec time namespace bfa4f48 linux: create PID namespace as part of the last step 4320b5d libocispec: sync 39bf623 criu: drop loading unused functions 59f2beb NEWS: tag 1.8.3 ae18930 update: initialize the rt_scheduler only on cgroupv1 crun/rspec: update to 1.1.0-rc.2 1beaf68 CODEOWNER: Add Toru Komatsu(@utam0) to sync with MAINTAINERS d46c8b2 schema: fix definition for ioPriority 504f70e Add I/O Priority Configuration for Process Group in Linux Containers 05563ea features: update Example d89ef1e glossary: s/features document/Features structure/g 39bd2ef MAINTAINERS: add Toru Komatsu (utam0k) f66aad4 Update ociVersion in config-linux.md example 206251f releases: use +dev as in-development suffix 8947849 spec: add scheduler entity 4ee185a version: v1.1.0-rc.2-dev a5b4da4 version: release v1.1.0-rc.2 54f948c ChangeLog: Document changes since v1.1.0-rc.1 6152be4 schema: remove duplicate keys 9d7c878 Clarify I/O throttling differences between cgroup v1 and v2 b6980b0 schema: fix schema for timeOffsets 689874f Add `features.md` to formalize the `runc features` JSON 167ffb4 Add Go 1.20 support to CI 15d2a5a Switch Go linting to use golangci-lint c9b5d0e Remove references to deprecated io/ioutil package 77c37f1 Update config-linux.md fix time_namespaces url error. 
6c638b1 config: clarify Linux mount options 72efacb runtime: remove `When serialized in JSON, the format MUST adhere to the following pattern` c42f9ae version: v1.1.0-rc.1-dev 3e013c2 version: release v1.1.0-rc.1 f790b68 ChangeLog: Document changes since v1.0.2 36bb632 Add support for time namespace f225699 config: change prestart hook spec to match reality d931d4b config-linux: add CFS bandwidth burst 9e658bc config-linux: add memory.checkBeforeUpdate 3565df5 config-linux: Clarify where device nodes can be created a650533 config-linux: add support for rsvd hugetlb cgroup crun/ispec: update to 1.1.0-rc.3 32036d8 Apply version change from #1050 f3f0906 Specify the content of the scratch blob 29a1380 Remove special guidance around wasm 2720969 Update descriptor.go a68ca3e Remove artifact media type reference 428b1e5 releases: use +dev as in-development suffix 2f691e8 version: bump HEAD back to -dev 085b884 version: bump for release of v1.1.0-rc.3 fd45b6b Add scratch descriptor and scope layer limits 63b8bd0 Remove artifact manifest 23c4647 Define image manifest artifactType and guidance 5751791 Add Tianon as maintainer f4fc83a Fix unused variable linting error d09d13d Update Jon Johnson's email 4136bec descriptor schema: add missing data and artifactType definitions 729a03e manifest, specs-go/: provide guidance on SCRATCH config descriptor 31de013 manifest schema: add tests for the subject field 7a9efbd manifest schema: add the missing `subject` field f2f1956 descriptor: clarify artifactType field must have compliant values 98f35df Update image spec and conversion to clarify groups 336b02c Require IANA mediaType for image config.mediaType and layers.mediaType 1f60184 Add Go 1.20 support f99b121 Remove filtersApplied from image-spec b5998ba specs-go/v1/*.go: align the deprecation style 6687119 Chore: fix go.mod - split direct/indirect dependencies ccb86b9 mention deprecation in media-types.md 9b4e6c0 even fewer words 2cdbef2 Deprecate non-distributable layers 265874e 
Note an exception to the platform.os recommendation for wasi 0a97fe7 docs: Added artifact.md to docs and spec.md 293f064 Reverting json schema to well known value crun/libocispec: update to -tip b085839 runtime-spec: update 553cfb4 image-spec: update 384a230 runtime-spec: update 2c9fb39 libocispec: write _present tags together dc7412b image-spec: update 2e11380 runtime-spec: update e7b7344 rust: sync runtime-spec and image-spec df3036c runtime-spec: sync 8a0ee41 image-spec: sync 70826dc clean: remove unwanted diff file 4d1d608 add redefine for stdin stdout stderr when using musl 02f231b Move header files under ocispec/ Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
31e8dc838b |
crun: fix REQUIRED_DISTRO_FEATURES
* features_check was inherited twice and REQUIRED_DISTRO_FEATURES was set twice as well, but both with ?= so the 2nd one was ignored
* seccomp was added in: commit |
||
874647c061 |
crun: update to v1.8.3
Bumping crun to version 1.8.3-5-gd2ff390, which comprises the following commits: 59f2beb NEWS: tag 1.8.3 ae18930 update: initialize the rt_scheduler only on cgroupv1 5855e70 [1.8.2][CentOS 7] Missing `#include <linux/sched.h>` a4393f2 docs: add a tryout example with podman bf70c97 NEWS: tag 1.8.2 ba6c957 cgroup: cgroupfs attempt new sibling cgroup 74dc9b4 cgroup: libcrun_get_current_unified_cgroup can return relative path b7b5265 cgroup: drop duplicated variable 11bdc13 linux: set label for pre-created devices 4b04b01 linux: refactor code in a new function 770ad48 linux: extend fsopen_mount to specify label 7578a1a wasm, wasmedge: add current directory to preopen paths 90dd7b7 test_mount: fix incorrect comment 51aba04 linux: readonlyPaths should inherit flags from parent mount 5ad1507 lua: add Lua bindings 5d54a85 scheduler: use sched_setattr 6a132c3 libcrun_container_create(): fix memory leak 6ba6a00 container: add custom annotation to specify the scheduler 5bdd930 cgroup: systemd initialize rt limits 8b18fc7 cgroup: add new function openat_with_alias e914059 libcrun: add alias argument to function a4aebb9 libcrun: new function write_cgroup_file_or_alias d36c1a2 test: remove irqbalance tests 56a2550 cgroup: fallback to blkio.bfq files 34950dc crio: skip test 710d8dd libcrun: chown tty to the exec user e067714 python: fix create() referencing container_run() 11d1baf build(deps): bump actions/upload-artifact from 2 to 3 Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
28491d29ed |
crun: update to v1.8.1
Bumping crun to version 1.8.1-3-ga09ab72, which comprises the following commits: 11d1baf build(deps): bump actions/upload-artifact from 2 to 3 f8a096b NEWS: tag 1.8.1 4748543 utils: drop magic number 4096 b022227 utils: use mempage size buffer to read /proc/mounts 2da0773 linux: always use direct mapping 6cdf51c container: delete cgroup on errors fba646e cgroup: rmdir the entire systemd scope 3221684 crun.1.md: fix typo 31bcf8f crun.1.md: fix markup 5007784 build: delete .version file on make clean 46fbeee cgroup: reset systemd unit if start fails 7e7a4db cgroup: do not add default dependencies 4bd4c4e test: run codespell on the correct directory 8b46c45 src: run codespell b841b71 Support passing an attribute to change the mount_context_type 2ca4233 test: fix path for crictl ce66b2e Revert "Support passing an attribute to change the mount_context_type" 87b69c3 Support passing an attribute to change the mount_context_type d23a94a krun: create /dev/sev as part of the OCI configuration 84092f6 handlers: add hook for exec 83f3ab2 handlers: rename exec_func to run_func 93a8e2f krun: always allow /dev/kvm 675e87c handlers: update uses modify_oci_configuration 1efd61a update: move json parsing to container c9b230a handlers: provide cleanup function bd22751 handlers: move cookie data under the same struct 71bf884 handlers: add new hook to modify the OCI configuration b3e167d crun: set handler for all commands f0f7b8c handlers: initialize handler in the parent process cfec5ce NEWS: tag 1.8 957796e libcrun: remove unused intprops.h 8363deb linux: move PR_SET_DUMPABLE after userns creation 83de960 dist: do not include binary tests 188e0ce nix: add gcrypt dependency f7c715d nix: remove protobuf dependency 765161c nix: refactor same command line 98898d2 nix: update image to nixos/nix:2.12.0 bcae634 Add support for ppc64le 9b287dd README.md: add CodeQL badge ed7598d README.md: drop lgtm badges 1a61b4d utils: shrink read buffer if necessary 2a5cc1d nix: update packages 7d9fa03 
tests, centos8-build: add safe.directory /crun 822ca4a utils: add utils to access /proc/$PID/fd/$FD paths 0554b0a utils: change initial size for buffer 742e8fc utils: reallocate only if needed 4e379c6 cgroup: support cpuset mounted with noprefix 58166e6 linux: set PR_SET_DUMPABLE 908bfc4 linux: mount cgroup ro on /sys bind mount fallback cd1cf0b linux: add two new arguments to get_bind_mount b84bde9 linux: mount the source cgroup if cgroupns=host 03d2969 linux: refactor out helper function 75f5c1a linux: fix error message 234d77c linux: precreate devices on the host f23cd15 utils: add functions to read overflow IDs 85767be linux: remove duplicate slash 1e29136 linux: generalize fsopen_mount a186e8a linux: add dirfd argument to get_bind_mount 7e42a18 linux: add infra to send devices mounts a6c9453 linux: generalize receive_mounts b0fe2e4 linux: refactor code in a separate function 05f1298 contrib, seccomp-notify-plugin: free args on error to prevent leak a34dd94 cri-o,test: skip failing test unrelated to crun 78cf10f crun: fix clang format 278b9b4 src/crun.c: fix build without dlfcn.h 0ebf4e7 build(deps): bump uraimo/run-on-arch-action from 2.3.0 to 2.5.0 4832ca4 Don't clone self from read-only mount 9df7442 tests, wasmedge: copy libraries under /usr/lib64 2044720 tests, wasmedge-build: install which 6f0d03c tests, crio: skip checkpoint/restore tests d406a97 tests, centos9-build: add safe.directory /crun 81b4ba0 tests, cri-o: add criu-libs rpm ca41c80 cloned_binary: use cleanup_close e1c3906 tests, cri-o: update go to 1.19 a83001b cgroups v1: fix legacy mode mount. 
26fe138 utils: fix applying AppArmor profile 1cfaf54 tests: disable some CRI-O failing tests 5e3ef32 crun: write setgroups=deny when mapping a single uid/gid da84be0 github: fix cri-o CI on cgroupv2 cdf7864 tests: disable test that requires io.bfq.weight c54fc6f github: fix running on cgroupv2 0356bf4 NEWS: tag 1.7.2 d389308 criu: hardcode to libcriu version 2 3880f04 cgroup: always enable controller 258c237 crun: fix compile time check for CRIU 6ce11e8 copr: enable wasmedge on all active envs ada59b2 tests: fix podman tests d068462 NEWS: tag 1.7.1 9893e99 utils: Improve debug message db08071 linux: include terminal \0 when copying mapping 67f58c6 utils: fix creating default userns 5689bd1 krun: disable libkrun's collection of env vars 6b8da56 krun: copy the OCI configuration file 92db973 configure.ac: do not link libcriu dynamically f6a5109 criu: add check at runtime for the version 8c3fc12 criu: load libcriu dynamically b3189ef src: run make clang-format be6c22c fix timestamp format, tv_usec is microsecond not nanosecond ff95309 copr: enable wasmedge on epel9 40f66c0 seccomp: initialize libgcrypt 9bff00a Add setlinebuf() when --debug and --log=file: are used. cb6ae27 handlers: set selinux/apparmor profile 0efbe56 utils: change AppArmor profile for the current proc f1f286a utils: change SELinux label for the current proc a1cd1a6 handlers: use only the handler name if needed Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
d48db9ba95 |
crun: update to v1.7
Bumping crun to version 1.7-6-gbebd67f, which comprises the following commits: cb6ae27 handlers: set selinux/apparmor profile 0efbe56 utils: change AppArmor profile for the current proc f1f286a utils: change SELinux label for the current proc a1cd1a6 handlers: use only the handler name if needed 40d996e NEWS: tag 1.7 3239c52 container: do not leak container status ab73033 utils: do not leak error fe21bee cgroup: fix memory leak 10c1fcc handlers: add an alias field 92e67d7 wasm: check pointers before dereferencing cc2ab3b copr: enable wasmedge support for f36 and higher 9c5ad48 container: rewrite argv when using a handler a81b115 libcrun: propagate argc and argv 0a94c5b linux: create parent dir with 0755 5308c49 copr: crun-wasm subpackage 8743809 crun: automatically pick handler from argv0 ddb614b crio,test: skip unrelated seccomp notifier with * 6feeff4 wasmtime: add support for compiling .wat format 7b49b79 NEWS: fill data for old releases baa98f4 container: use clone3 to join directly the target cgroup 37a438d cgroupfs: implement precreate cgroup c4af47e cgroup: new interface to preload a cgroup Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
40c9a3afca |
crun: update to 1.6+
Bumping crun to version 1.6-75-g4907f10, which comprises the following commits: 0e4cf20 container: pass the argv0 on errors with handlers 6da989c wasmtime: honor error message length 2f46f21 wasmtime: mark unused argument baa98f4 container: use clone3 to join directly the target cgroup 2497b9b linux: add run.oci.pidfd_receiver=PATH annotation 37a438d cgroupfs: implement precreate cgroup c4af47e cgroup: new interface to preload a cgroup 352d8ac criu: use a temporary error 3ebaba3 container: cache the bpf generated by seccomp 18abbfc Typos: a/an e5d4c07 man: fix indentation for run.oci.handler=HANDLER 74d097b seccomp: use relative paths to open bpf 8cfcc8f seccomp: move copy bpf to seccomp 7a66ccc container: move open_seccomp_output to seccomp a2de8fb seccomp: add functions to calculate checksum 6861b2a container: compute seccomp options earlier dd310aa configure.ac: add check for libgcrypt 81d3b16 exec: set context 0cffffe crun: display rundir in --version output 882a054 wasm: inherit environment variables in the WasmEdge handler 1f71880 man: cleanup run.oci.handler and define krun and wasm d474211 Refer to libocispec header files under ocispec/ 5027629 build(deps): bump uraimo/run-on-arch-action from 2.2.1 to 2.3.0 fef6ce2 build(deps): bump github/codeql-action from 1 to 2 5837234 crun: open libcrun with dlopen 5f2464f build(deps): bump actions/cache from 2 to 3 ba0adeb build(deps): bump uraimo/run-on-arch-action from 2.2.0 to 2.2.1 5d2a536 build(deps): bump actions/upload-artifact from 2 to 3 a4ffe17 build(deps): bump actions/checkout from 2 to 3 108d9ec Check for github actions updates on weekly basis 9f2acfc cgroup: account for swap usage for checkBeforeUsage 6666dec list: remove yajl usage 6fdcb89 container: new API libcrun_write_json_containers_list e1b32c7 update: remove yajl usage 270961f python: Fix argument type in container_delete 17f4e55 container: new API libcrun_container_update_from_values 1c681c1 python: Fix argument parsing in make_context e666af1 
crun: chown std streams before joining the user namespace 391df45 linux: reject sysctl kernel.domainname when OCI knob domainname is set f94655c test: ack (none) as output of getdomainname fdb26d0 cgroup: honor checkBeforeUpdate 8758f31 add support for setting the domainname 17ba516 libocispec update 7ea7617 systemd: create sub-cgroup on v1 as well 08bccc7 tests: update containerd to 1.6.8 978e719 Copr: Fix i386 builds 18cf2ef NEWS: tag 1.6 396ac88 seccomp: honor SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV 074cd9a wasm: provide an integration test for crun with wasmedge support 399e5ea wasm: use wasmedge library soname in dlopen 3e34345 crun: reintroduce -V (uppercase) as an alias for --version 17337c4 seccomp: use helper process to send listener fd f34ebf2 Copr: wasmtime support only for non-x86 df20997 crun: now -v prints the version fdcf83a utils: wrap mmap and munmap 95744c8 utils: unify read process exit status 44c305f linux: move definition of syscall_clone to linux.h d254d3e utils: run process with timeout restores sigmask 57df79b init mask 430dea1 container: drop intermediate userns feature 2e647e0 crio,CI: skip failing checkpoint and restore one container 8d0dfc3 podman,CI: skip top on priviledged container ad9008b copr: depend on wasmtime-c-api for shared lib Bumping runtime-spec to version v1.0.2-114-g494a5a6, which comprises the following commits: 4bcd065 seccomp: Add flag SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV 6be797c CODEOWNERS: sync with MAINTAINERS 9e658bc config-linux: add memory.checkBeforeUpdate 1924f6b GOVERNANCE: correct the Charter URL 744912b add domainname spec entity 0da1600 fix rfc link b57ada5 maintainer updates as per #1101 e78a3c3 Add available `LinuxSeccompFlag`s Bumping libocispec to latest, which comprises the following commits: 02f231b Move header files under ocispec/ 39e1872 Make libocispec installable 6fd1d94 update runtime-spec to latest 1e37c8a rust, runtime: add domainname to spec d59cc93 rust,runtime: add MountUidMapping and 
MountGidMapping ac69f5a rust,runtime: add idle type to CPU e9c21c1 rust,runtime: rename GidMapping,UidMapping to Linux{Uid/Gid}Mapping 8258e1d image-spec: update from upstream b2e74e1 runtime-spec: update from upstream ce973fd parser: allocate empty arrays 845aad5 runtime-spec: sync from upstream 1380666 image-spec: sync from upstream 9bb6aa9 src: fix regression 27763d8 runtime-spec: sync from upstream 8abb1b1 image-spec: update from upstream 2ea0d22 runtime-spec: update from upstream cde73d8 yajl: update from upstream fc57095 src: fix generated code indentation e739a1c .github: set safe directory f09f411 build: fix bashism in configure.ac 23ed5eb git: ignore newly added test binary to prevent untracked changes in crun d15ed35 fix bug when contain null value in json 2a622ef image-spec: update from upstream 3dd60db runtime-spec: update from upstream 88241d7 sync: add CMT and MBM fields to Intel RDT Bumping image-spec to version v1.1.0-rc2-12-g4df8887, which comprises the following commits: 867ce74 ArtifactType is optional, omit when empty 59780aa Add ArgsEscaped field to image config 3625ee3 doc: fix example in artifact.md 94f2431 version: bump main back to -dev 19a74bc version: release v1.1.0-rc2 0a97fe7 docs: Added artifact.md to docs and spec.md c91663b Update RELEASES.md 0e7e0dd docs: Update release process docs with checklist 5d055a4 version: switch back to -dev 4728b6e version: bump for 1.1.0-rc1 release a7ac485 Rename refers field to subject (#950) 4c15674 Use go install and full path to commands ce50f1f Bump from Go 1.16 to 1.17 ca2e500 Embed Platform in Image a865bc0 Fix whitespace consistency in config.md da33ef0 Remove io/ioutil references ed7e07b Add artifact to spec.md bc9c4bd Update schema for mediaType validation (#933) b04b320 Working Group Proposal for Reference Types ba36edd Add regclient to implementations ba3f174 Add maintainer nomination template 08825b8 Pinning version of golangci-lint to support 1.16 9747134 Move inactive maintainers to 
emeritus 0bd8a03 Add Brandon as maintainer c7ca3ac Update URLs to https 874a191 Add Sajay as maintainer 6ffdc78 Move inactive maintainers to emeritus d6ce48a Add mediaType fields into example manifest & image index JSON references bc44f5b Fixing charter link 0895292 implementations: point to krustlet/oci-distribution 02c5c05 implementations: adding the C and Rust libraries a36b0c8 Handle multiple matching index entries a3eee7d README.md: Remove link to OCI scope table The OCI scope table no-longer exists. 4533d3e schema: use Go's embed package instead of esc d147780 .tool: remove lint tool, call linter directly 0e094f3 schema, specs-go: fix lint errors d3cd202 *: switch to golangci-lint 4d865bc go: have the go.mod at top-level 0f6c001 Remove unneeded docker pull of pandoc image de28903 Makefile: stale installation of glide was failing 3a46ac8 github: bring forward the versions of golang tested/built with 6ced3bd media-types: `.mediaType` is available in both OCI and Docker 3be64d9 version: bump main back to -dev beccafd version: release 1.0.2 5b82148 specs-go: adding `mediaType` to the index and manifest structures 2eb4046 *.md: bring mediaType out of reserved status e3885ce version: bump main back to -dev 67d2d56 version: release 1.0.2 dcdcb7f specs-go: adding `mediaType` to the index and manifest structures 5f31485 *.md: bring mediaType out of reserved status 3fee04b Adding ACR to implementations 8087946 Reflect docker dontation of distribution to CNCF bd2fa25 Minor spelling correction fc4df0a Fix very minor oversight in config example 0d98a6c Scope data verification to content consumers 83479d4 Clean up portability considerations fccc435 Implementations MUST NOT populate data arbitrarily 2596ec0 Expand godoc for Data 58c082d Add note about portability concerns ce281ce Add Embedded Data section aaf8045 Define the data field 4f080a7 Add go.mod and pin dependencies Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
28472ab0d6 |
crun: update to v1.5
Bumping crun to version 1.5-41-gce7533a, which comprises the following commits: ad9008b copr: depend on wasmtime-c-api for shared lib 972d595 krun: add support for krun-sev e539aae tests: fix fedora rawhide mockbuild 559902d autobuild copr rpms with wasmtime support d39f45d wasmtime: always grant filesystem capability for wrkdir inside container b937322 wasmtime: inherit argv from handler argument instead of process 477ecc8 crun: restore will work on realpath 1083f9d tests,podman: skip push to local registry with authorization 29599a5 tests: disable login/logout tests 8ff3eba rpm/Makefile: Fix copr build (follow-up on #979) f5244c7 rpm/Makefile: install all dependencies on mock environments a37b06a rpm/Makefile: install git-core in tarball-prep ab18c71 cgroup: change delegate cgroup after cgroupns creation 4716692 cgroup: add new function libcrun_cgroup_enter_finalize 9139896 tests: disable broken test a45faa2 rpm/Makefile: autobuild rpms on podman-next copr 7ea284f src: make some error messages lower case 43f420a syntax-check: enable prohibit atoi and atof 9920e7b wasmer: move definitions earlier 54e2519 wasmer: drop not needed indentation 54fe445 wasmer: fix errors return code 86f9a5c syntax-check: enable prohibit always true header tests a07112c syntax-check: enable no period at end of message check 2656de5 maint.mk: update from upstream gnulib 3df1458 linux: fix build with glibc 2.36 14b2102 pidfd: fallback on ENOSYS fd01ef4 nix: allow to pass extra args to the runtime a91e905 NEWS: tag 1.5 2c94290 nix: update nix dependencies 76ead7b wasm: add support for running containers using wasmtime 88e8710 python: unset LIBCRUN_RUN_OPTIONS_PREFORK for run 9ceba95 crun: move config_file* to container 639c98f cgroup: add fallback to io.weight c75b58d wasm,wasmedge: drop support for experimental WasmEdgeProcess Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
19375812f9 |
crun: update to 1.4.5
Bumping crun to version 1.4.5-74-gba3cb60, which comprises the following commits: 5af21e2 linux: fix idmap annotation c75b58d wasm,wasmedge: drop support for experimental WasmEdgeProcess 22c6181 linux: fix creating devices in the rootfs 6f46ad5 chore(wasmedge): remove legacy option 0de6bb2 fix unknown type name 'uint64_t' 3a16555 linux: fallback to netlink to setup lo device 1a3f8f1 linux: use $PATH for newgidmap and newguidmap 74679c6 krun: use library soname in dlopen 0130f08 krun: limit the number of vCPUs to 8 2a4458d linux: fallback to tmpfs mount if umount fails fd33331 artifacts, centos9-build: add libprotobuf-c-dev for protobuf headers 77f5c99 linux: devices mounts should have NOEXEC and NOSUID c923cec tests: add wasmedge build test 33f900c fix(wasmedge): breaking changes in wasmedge c api 699757b test, podman: skip podman pod create --share-parent test eb4ff94 handler: move notifer for phase HANDLER_CONFIGURE_AFTER_MOUNTS just after finalizing mounts b02a68d linux: honor mount mappings 8d774c5 libocispec: sync from upstream 38f60b1 ci: re-enable and fix clang-format d21594a *.c: clang-format 9ed3c1b mono: remove incorrect wasm headings from mono docs c44937b tests: disable "podman kill paused container" 965129b test/check: fix wrong argument 17d1c16 cgroup: make target cgroup threaded if needed 77d2ac5 readme: show crun logo 2ebd7fc Adding crun logo SVG file ec9ab49 container, exec: honor process user's uid while setting HOME env d8a0c7f tests/podman/Dockerfile: build on fedora:35 and fedora:36 21de997 copy_recursive_fd_to_fd(): copy the whole file 3445f0f tests: add tests for covering '--pid-file' and '--no-new-privs' options e48db34 mono: add documentation and tryout example f8b85e8 windows/mono: bind mount windows dlls and runtime config from host 0df040d handler: add support for HANDLER_CONFIGURE_MOUNTS for handlers 6b3b4dc linux: add public api libcrun_container_do_bind_mount for adding ctr mounts 009430c windows: add mono based native dotnet handler 
eb48a65 cri-o: bump golang to 1.18.1 for capnproto.org/go/capnp 6cc7b03 test: set /crun as safe directory on containers running the tests 2f13875 linux: create missing cwd 1e30424 cgroup: remove tun/tap from the default allow list 6904cf4 cgroup: add support for cpu.idle 2824e92 libocispec: sync from upstream 70deaf0 podman-tests: change default log-driver to k8s-file instead of journald c381048 NEWS: tag 1.4.5 359e26d crun.1: regenerate f0cd1a7 .github: fix CI 9998f00 linux: hooks inherit env if not specified 9e361c8 tests: specify the user in the form UID[:GID] 4a61eb1 github: fix CI db77ef2 libcrun: fix typo 69289ce tests: add an environment variable 81ccd00 criu: add support for different manage cgroups modes 27b7fe5 tests: specify an additional capability to add to the process cdbc357 tests: delete multiple containers a39b07d podman: skip authenticated push 0ce2f2d exec: fix double free 5a528f4 docs: fix dependencies on RHEL/CentOS 8 section cd93941 git-version-gen: fix version comparison 38256da tests: disable failing CRI-O tests 6521fcc NEWS: tag 1.4.4 1aeeed2 exec: --cap do not set inheritable capabilities b847d14 spec: do not set inheritable capabilities ca75d1f feat(terminal-receiver): make terminal interactive ed6e424 remove duplicate "libtool" from install commands d10fe74 linux: resolve symlinks in bind mounts ba17004 tests, clang-check: install git 1a4fae9 rhcontainerbot/podman-next COPR autobuild 77df89b docs: update known issues with CRI and side-cars 164d753 wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> crun: update runtimespec Bumping runtime-spec to version v1.0.2-100-g8d0d6d4, which comprises the following commits: 0da1600 fix rfc link 9d1130d IDMapping field for mount point fc985aa config-linux: update type of LinuxCPU.Idle to *int64 bc545ec schema: add cpu idle 1fef707 Update Windows CPU comments 600a8bd cgroup ownership: clarify that some files may not 
exist b8dbce9 update idle type of LinuxCPU from *int64 to int64 9d363b3 config-linux: add idle option for container cgroup b05eb53 typo: seccompFD -> seccompFd 0608c1f Switch to GitHub Actions, CODEOWNERS, etc. f4ef391 specify cgroup ownership semantics 104385d config-linux: MAY reject an unfit cgroup 411082c add youki to implementations.md 6641127 alphabetize the implementation list. 84251a4 specs-go: export LinuxBlockIODevice 3f30167 schema: make with golang 1.16 34a7544 schema: update README.md Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
8babc8e616 |
crun: update to 1.4.3
Bumping crun to version 1.4.3-4-g3b3061a, which comprises the following commits: 77df89b docs: update known issues with CRI and side-cars 164d753 wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars 61c9600 NEWS: tag 1.4.3 040c59f chore(utils): add pointer casts to avoid C++ permissive mode 16850e4 build: fix bashism in configure.ac e094499 test: fix CI 22284a9 tests: add codespell tests 37f13e3 crun.1.md: fix typo 8fca8bf tests: add fuzzing for idmapped mounts option abfdf1f fuzzing: move chdir to Dockerfile d935d0a linux: move parsing to separate function 5c7165a centos9: enable only needed repo 160e626 centos8: enable only needed repo 648b132 tests: add tests for idmapped mounts 916c5cd tests: add check for file ownership 934e19a tests: add feature check for idmapped mounts bf06c8c linux: support options to idmap e1ee353 test, container-delete: ignore warn for cgroupv1 when cgroup cleanup fails 4355edc test: add a test for crun delete cdc4f6a utils, rmdir-all: transfer ownership and responsiblity of fd to rmdir_all_fd bb5bc67 linux: open source bind mount in the host df2fecd cgroup-destory: terminate infinite loop and relay error back to callee 44d7816 cgroup-destroy: bump delay while deleting from 0.1ms to 10ms ec9fa1c Remove ignored arguments 9854c71 Fix compilation error with seccomp 58d33b8 crio-tests: skip userns tests with auto annotation b3301ad crio-tests: use golang 1.17.6 192ff3e cri-o: remove locking to a specific commit in CI and use master f6fbc8f NEWS: tag 1.4.2 4029e63 utils: check for dup error 83668f1 linux: create_missing_devs creates /dev/console 0b09d62 utils: always create trailing file 5c47eac container: ignore EROFS when chowning std stream files 8ff9652 linux: validate sysctls before applying them 2f5be74 python: fix build da28cf1 container: attempt find_executable after setresuid 9646fde utils: drop const from find_executable 8026135 NEWS: tag 1.4.1 8711fbd utils: add a len argument to get_current_timestamp b5987ee 
utils: add printf attribute to xasprintf e9ba4ae libcrun: add printf attribute to error functions 2ca2d06 utils: add attribute malloc to x.*alloc.* functions ece4431 utils: add the sentinel attribute to append_paths bb57968 cgroup: do not lookup string twice d74c5e4 wasm: add docs and example for using crun wasm support on kubernetes 78384da tests/oci-validation: optimize build c7aac36 Revert "oci-validation: checkout last working commit for runtime-tools" 4cd65c3 utils: drop check for invalid path 90c6b1f tests/fuzzing/run-tests.sh: fix e65f285 ci: add shellcheck job b1c520c tests/*/*.sh: add set -e, fix shellcheck warns 1613f4e tests/cri-o: don't remove non-existing files ff3e33b tests/fuzzing: nits 28c5f89 tests/oci-validation: rename script to run-tests.sh 2bf7a93 tests/*/*.sh: rm redundant cd a51137c ci/gha: skip installing deps if Dockefile is used 209fe89 ci/gha: don't start docker 9174557 .github/workflows/test.yaml: nits b97d397 errors: use printf compiler annotation f12a5ac linux: fix lookup for namespace acc5f87 linux: skip setns_with_pidfd with explicit paths 5f924cb container: allow delete while in created state cc70b0a container: merge two if blocks 6aff973 cgroups: skip setting cpu limits if shares==0 5930bfa cgroup: append the sd error message in the error c9f0b16 gha: simplify deps install 08b621f tests/podman: exclude --ip6 test case 1da6b96 Fix some typos found by codespell fd6da89 src: rename libcrun_container_kill_all to libcrun_container_killall dfd5dae libcrun: unexport str2sig 21a8daf libcrun: let libcrun_container_kill* accept a string dd80179 libcrun: unexport append_paths eada263 tests: skip sd_notify tests without systemd 8ead30f ci: enable codeql analysis 3a1da09 .github: fix ci build a834e9b .github: test --enable-shared 95b482f src: export some symbols used by crun 7f37f2e src/libcrun/linux.c:425:77: error: 'OPEN_TREE_CLOEXEC' undeclared (first use in this function); did you mean 'OPEN_TREE_CLONE'? 
3daded0 NEWS: tag 1.4 a400e8b libocispec: sync from upstream 76271c9 cgroup: initialize status d583bdc utils: fix path check 2b74dc1 handler: add support for running handlers on kubernetes with containerd 9b25f52 tests: extend checkpoint/restore test with pre-dump 587d0b2 tests: add memhog command to init fb2a7ed docs: add pre-copy migration options to the man page 0683fec checkpoint: add pre-dump support 7ecb4b0 handlers, wasm: add lost support for run.oci.handler=wasm 020ee61 tests: add tests for CPUShares/CPUWeight on systemd 58b8879 state: export systemd scope 3adb2d5 tests: allow to override cgroup manager bcbc72d cgroup-systemd: update CPUShares/CPUWeight 2ba3106 cgroup: add custom update_resources 2d7a495 update: fix shares file name ec70d28 cgroup-systemd: set CPUWeight/CPUShares on the scope cgroup 4012668 cgroup-resources: move CONVERT_SHARES_TO_CGROUPS_V2 to function 77318e4 cgroup: add function to write to the files 6457228 tests: add CRI-O integration tests to the CI d6ab372 configure.ac: mark unused variable cb4152d ebpf: fix build on 32 bits arches 2eafdff cgroup: ignore swap limit if it is not enabled 62e84d8 nix: lock nix version to last working release 1efb0f9 linux: fix join cgroup v1 f72414e crun, spec: allow override file name 5231a30 utils: retry openat2 on EAGAIN 782fb02 crun: load custom handlers e6fda97 build: define CRUN_LIBDIR af950dd handlers: support load from .so files 6d093a0 handlers: split each handler to its own file 46fb105 utils: remove hardcoded check for wasm 8f9337e crun, libcrun: move handlers behind an interface fd0e171 handler: split libcrun_configure_wasm 4eb1f03 container: move custom handlers code to new file 2063305 wasmedge: The wasmedge.h is moved to wasmedge/wasmedge.h 2b4dfef container, handler: close files marked with O_CLOEXEC 4898342 linux, exec: try setns with pidfd a14ae9e linux: move join namespaces to a new function a32286c linux, exec: use CLONE_INTO_CGROUP cb5bf95 linux: use clone3 if available 0e2eda2 
tests: fail fuzzing test on crashes 74a21ed ebpf: handle missing access string c1127a3 container: propagate close for ready-fd c9c89c6 container: wait_process accepts a struct 9bf58f2 container: replace sprintf with snprintf 3191e49 container: drop argument for write_container_status 91b47f6 container: replace same failure code with a goto b5405fc linux: improve detection of /dev target dcc87a3 cgroup: move errors check to helper 0af034d cgroup: hide create/destroy behind a struct f95e56a cgroup: move cgroupfs code to new file 98e4e46 cgroup: move cgroup setup code to new file c3119e7 cgroup: move more functions to cgroup-utils 0272dae cgroup: move setting resources to new file 80925dc cgroup: move some functions to a new file 9c014c6 cgroup: rearrange code 24f6b40 cgroup: quote file names ed31849 cgroup: separate each cleanup to a different function d9eba41 cgroup: drop argument from libcrun_cgroup_destroy f47d933 cgroup: split systemd code to a new file aed4362 cgroup: drop unused function 384cf2a cgroup: drop usage of raw paths 1f313a8 libcrun: new function libcrun_container_read_pids ce7dedf cgroup: move returned data to different struct e2670b4 cgroup: drop argument delegate_cgroup 22d9dcb cgroup: drop argument systemd_subgroup a0d4d9f cgroup: drop unused argument create_if_missing dc135cf cgroup: drop cgroup_mode argument 4dcbf43 cgroup: remove unused argument 16db42f libcrun: unexport unused functions 4b18425 Also run clang-format on *.c files in tests/ abdeabf container: allow libcrun_run_linux_container to call final _exit() for handlers 2d177df container, exec: refactor to new function d78dff2 container: attempt chdir twice c9052f2 container: make chdir error clearer 78cf48b linux: use sd_notify_barrier if available 0fa6447 libocispec: sync with recent commits 40e4736 utils: move safe_openat fallback to separate function 82d2170 mounts: handle paths with multiple slashes 79699be utils: write_file truncates existing files ef37d51 linux: Enter specified 
cgroup namespace a36bcdd tests: disable podman unuseful test 53f2615 .github: use a bind mount for /var dirs 5566520 tests: add build test for centos:stream9 940705f tests, centos8: use centos:stream8 0e99990 Change podman branch to fix CI 1575f2f Add file-locks checkpoint/restore option d7029af linux: replace mounts lookup with gperf hashing 5511255 linux: support more recursive options 2dbce9b linux: use bool for is_user_ns 827b873 linux: new mount option "idmap" 02938ac linux: add function to send mounts from the host b5fc60e linux: provide cleanup private data callback a5a2ca5 linux: generalize opening mounts earlier 4523486 linux: silence warning a01a03a tests: update podman 3c6d57d wasmedge: fix error message if VM fails to get valid result object b48b654 crun: show if version supports wasm with configured runtime 365dc57 linux: new mount option "rro" 85c5bc9 linux: fix a race when saving external descriptors 825108e wasm: add support for wasmedge runtime 33e75d0 fix build error on ubuntu e1c7293 clang-check: refactor to suppress -Wunused-but-set-variable where needed 575c4a6 ci: use latest docker with seccomp profiles supporting clone3 8e5757a NEWS: tag 1.3 685078a tests: temporarily switch to fedora:34 9ea94e9 wasm: allow wasi modules to read args from config 76759f1 fix status.h compile error in C++ 952913b wasm: replace printf while relaying output to stdout with safe_write 152a3fc linux: bind mount the current cgroup path ce211c5 linux: fix mounting cgroup2 with --net=host e31ab81 wasm: add support for annotation module.wasm.image/variant=compat 2559696 wasm: add documentation 7407be1 wasm: add support to natively build and run wasm workload and wasm containers 6d046d6 oci-validation: checkout last working commit for runtime-tools eeae045 cgroup: fix race condition when enabling controllers fd7b3cb criu: do not override external_descriptors 979f6f0 criu: save the new descriptors after restore Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
108e089f7e |
global: update licence values to SPDX values
These changes are the result of running the convert-spdx-licenses.py oe-core script. There's no impact to the build, but we will avoid issues when interacting with core QA by the alignment. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
a9b1fb1787 |
crun: update runtime-spec branch to main
runtime-spec has moved to main instead of master, so we tweak our branch name to match. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
0a7ae8bc50 |
global: convert github SRC_URIs to use https protocol
github is removing git:// access, and fetches will start experiencing interruptions in service, and eventually will fail completely. bitbake will also begin to warn on github src_uri's that don't use https. So we convert the meta-virt instances to use protocol=https (done using the oe-core contrib conversion script) Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
77111bf4f9 |
crun: bump to version 1.2
Bumping crun to version 1.2-16-g718b94e, which comprises the following commits: 979f6f0 criu: save the new descriptors after restore cab3d52 crun: chown std streams c68c4ce crun.1.md: fix formatting 62e9ba0 test: bump base and ubuntu to 1.16 for containerd tests 07303d8 exec: support --cgroup 9c96ca4 libcrun: allow to specify sub-cgroup for exec e32af6c cgroup: allow to create missing dirs baa786c exec: use new function 6d70af2 exec: new function libcrun_container_exec_with_options 97c2eac tests: add userns to sd_notify_proxy test 4f6c8e0 NEWS: tag 1.2 aee580f exec: fix containers being wrongly reported as paused 762269c test/criu: enable external ipc,uts,time namespaces e334260 criu: Add support for shared ipc,uts,time ns 1353be8 configure: convert indentation to tabs 44bb0b2 artifacts: add libprotobuf-c-dev for protobuf headers 5b341a1 NEWS: tag 1.1 55d293c .github: add libprotobuf-c-dev 2162435 criu: store external descriptors as JSON string 9c7d928 .github: check tests leave the working dir clean d99bb51 .github: report make check failures 0d64e1d linux: fix fix-test-mount-symlink-not-existing test 7260dc8 tests: fix number of tests b0d64b6 tests: skip caps tests if rootless a538e4e tests: disable exec_additional_gids when rootless b055575 criu: fix save of external descriptors c0f5460 criu: use has_prefix instead of strncmp 0fa5a11 criu: use write_file instead of open+write 1604c54 criu: drop \n from error messages a967d78 criu: fix fd leak f624c93 tests: disable unrelated failing Podman tests ee35311 utils: add new function safe_readlinkat ef24f0c README.md: ./configure.sh → ./configure 3e82d10 tests: add test for c/r with ext namespace 2257680 tests_utils: drop unused variable f41c979 tests: drop unused imports be18607 criu: Add support for external PID namespace 4810ac6 exec: refuse paused container/cgroup 7d35659 cgroup: drop cgroup_mode arg from libcrun_cgroup_is_container_paused 44377aa container: Set primary process to 1 via LISTEN_PID by default if 
user configuration is missing bc0b3d1 utils: retry openat2 on EAGAIN 8a70bcd cgroup: use cgroup.kill if available c819e9c tests: update Podman to 3.3.0 74543d3 linux: silence two false positives reported by lgtm c1798ad status: check for owner before using it 5399935 utils: NUL terminate readlinkat buffer 2557c81 NEWS: tag 1.0 dad6ef2 crun.1: regenerate 2199d10 tests: update containerd version We also bump the oci/image/runtime spec SRCREVs to ensure that we have all the source dependencies up to date. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
21fc48f10e |
crun: fix offline builds
The 'autogen.sh' script of crun was fetching dependencies that we already have in our SRC_URI. We want the OE git fetcher to manage the source, not scripts in the source of a package. We grab the two lines out of autogen.sh that we need, and use them directly in the configure_prepend. We also add yajl to the source code dependencies as the package DEPENDS is not enough as crun is explicitly building source that looks for the yajl code. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
214942a349 |
crun: update to 0.21-latest
Bumping crun to version 0.21-15-g360f5d0, which comprises the following commits: 2199d10 tests: update containerd version 1798d5a cgroup: chown cgroup to root b5cdeb5 cgroupv1: add support for setting memory.use_hierarchy 7cfdf09 Makefile.am: link libcrun to $(FOUND_LIBS) d4d1825 linux: treat pidfd_open EINVAL as ESRCH 62149b3 Update nixpkgs ac00581 Dockerfile: delete file c4c3cdf NEWS: release 0.21 69bd7dc Doc: cgroups v2 and RT processes unsupported 6397998 krun/kvm: crun should silently/gracefully switch to krun when needed. 92499bd container: wrap execv in retry-on-eintr b04a335 cgroup: lookup pids controller as well 448494e README.md: drop travis badge 1bbf562 Reflect #696 in crun's manpage e836219 rpm: fix license 2b88faa status: add fields for owner and created timestamp b07c389 criu: fix error check 09401bb linux: fix unitialized variable b222968 cgroup: fix a memory leak Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
d876cfc5bf |
global: overrides syntax conversion
OEcore/bitbake are moving to use the clearer ":" as an overrides separator. This is pass one of updating the meta-virt recipes to use that syntax.

This has only been minimally build/runtime tested, more changes will be required for missed overrides, or incorrect conversions

Note: A recent bitbake is required:

commit 75fad23fc06c008a03414a1fc288a8614c6af9ca
Author: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Sun Jul 18 12:59:15 2021 +0100

bitbake: data_smart/parse: Allow ':' characters in variable/function names

It is becoming increasingly clear we need to find a way to show what is/is not an override in our syntax. We need to do this in a way which is clear to users, readable and in a way we can transition to.

The most effective way I've found to do this is to use the ":" character to directly replace "_" where an override is being specified. This includes "append", "prepend" and "remove" which are effectively special override directives.

This patch simply adds the character to the parser so bitbake accepts the value but maps it back to "_" internally so there is no behaviour change.

This change is simple enough it could potentially be backported to older versions of bitbake meaning layers using the new syntax/markup could work with older releases. Even if no other changes are accepted at this time and we don't backport, it does set us on a path where at some point in future we could require a more explicit syntax.

I've tested this patch by converting oe-core/meta-yocto to the new syntax for overrides (9000+ changes) and then seeing that builds continue to work with this patch.

(Bitbake rev: 0dbbb4547cb2570d2ce607e9a53459df3c0ac284)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
172d5f47d5 |
crun: adjust image-spec repository from master to main
We need to change our branch to avoid parse errors. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
b8f2edd39a |
crun: add seccomp distro features check
Since seccomp depends on libseccomp, and seccomp is only available when the distro feature is enabled, we add the same dependency and distro feature check to this recipe. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
299c418144 |
crun: update to latest
Bumping crun to version 0.20.1-7-g7ef74c9, which comprises the following commits: b07c389 criu: fix error check 09401bb linux: fix unitialized variable b222968 cgroup: fix a memory leak 1182975 cgroup: honor memory swappiness set to 0 38271d1 NEWS: tag 0.20.1 923447b container: ignore resetting keyring SELinux label b26493f Dockerfile: install required python3-jinja2 package 0d42f11 NEWS: tag 0.20 9042ac5 seccomp: drop SECCOMP_FILTER_FLAG_LOG by default 0f4156f cgroup: Refactor libcrun-cgroup-destory to support picking subsystems dynamically and clean custom controllers. d6be344 cgroup: ignore devices errors in a userns 6e187fb cgroup: do not join empty controller badb23d seccomp: report correct action in error message 5201956 container: apply SELinux label to keyring 4b664e9 linux: attempt to open existing dev file first dd1c419 libocispec: sync from upstream 5f74e2a Makefile.am: make sure libocispec uses main branch f0c76e1 utils: close_range fallbacks to close on EPERM 1596ab1 Update crun manual with recently added flags 1d84d62 Fix type for LinuxDeviceCgroup.linux.resources.devices.allow in default Spec 62d251d container: call prestart hooks before rootfs is RO 48bc33d Exec: Add --process-label and --apparmor to allow modifying selinux_label and apparmor_profile 0e53e87 Exec: Add --no-new-privs to and adhere if noNewPriviledges is false in basespec config 2de8b43 Fix SIGSEGV for rootless container caused by case when def->linux is defined but def->linux->cgroups_path is NULL 54e77c2 Add support for spec --bundle ae11886 cgroup: fix regression in mode detection 194b72d kill: fix race condition with pidfd_open 2910d9b cgroup: add custom annotation run.oci.delegate-cgroup 407eef9 cgroup: drop argument from function 0485de6 cgroup: report error if the cgroup path was set bf5020a cgroup: improve error message a131715 cgroup: fix recursive cleanup 6e95060 cgroup: kill procs in cgroup on EBUSY 0274d6f tests: disable go modules 1272eaf tests: skip podman create --pull 
04f1a6a container: read the error from the init process 29afcd6 Update README.md 9863a8e Update README.md 55f5ed5 utils: use /proc/self/fd to open unix socket fa40930 contrib: fix warning from the rust compiler 1535fed NEWS: tag 0.19.1 227e0be spec: add cgroup ns if on cgroup v2 3fbe777 libcrun: add const to spec_file eb34661 libcrun: annotate cgroup_mode < 0 checks 92bcc81 tests: add fuzzing tests af3509d cgroup: support array of strings 9effaeb On exec, honor additional_gids from the process spec, not the container definition Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
6adc4f64d5 |
crun: switch to main as specified branch
The upstream project has moved from master to main, so we adjust our recipe accordingly. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
51c195d761 |
crun: switch branch to main
crun has renamed master -> main, so we adjust our fetching to match. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
144d1ae897 |
crun: use REQUIRED_DISTRO_FEATURES to indicate systemd dependency
crun has a hard dependency on systemd, we need to add it to the recipe to avoid failing package QA checks. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
cbec1240f9 |
crun: bump to latest
As part of this update to crun, we now must run autogen.sh before running configure. Otherwise, these are incremental changes and comprise the following commits: 9effaeb On exec, honor additional_gids from the process spec, not the container definition c25a2db tests: add explicit python3-pip dependency e67a756 NEWS: tag 0.19 18c0274 gitignore: update 471a7b8 libocispec: update from upstream f642968 tests: fix check for cgroup v2 3e7fa1d linux: always remount bind mounts 78aeac9 linux: ignore unknown capabilities f11d742 Add linuxdevicecgroup to maintain parity with runc spec 9aa382b cgroup: skip parsing empty file d9c9fd0 container: initialize tmp_err 00371ae src: initialize statx struct 2e88d19 src: initialize first_arg 5e4efb7 seccomp: always NUL terminate lowercase_arch 7812572 tests: add test for seccomp listener f80e98d init: add check for seccomp listener 5d9010b init: fix check for nargs 5a627f4 seccomp: support notify listener c3361c1 status: use function to convert from yajl errors 873b62d container: use new error function for hooks JSON 14083ab error: new function to convert from yajl errors 6e19235 linux: pass own pid to container process 8fd3320 contrib: new tool to test seccomp notifications 8722858 crun: always use absolute path for the bundle ae9ea92 container: improve OOM error message 919aac9 utils: receive fd detect closed connection a52e480 cgroup: new function to detect OOM 2e37d2a sync-libocispec 75ad96b Let autogen.sh generate m4 14c260f libcrun_warn if newuidmap/newgidmap invoke fails 5598401 README.md: drop pids limit comparison 9ea6857 github: add fuzzing test 0fd03ba tests: add container image for fuzzing libcrun bbd5c7d fuzzer: reap child processes c7350ef tests: add more fuzzing tests 816f95b fuzzer: merge two tests effa508 linux: cleanup zombie on errors b32f1eb linux: release only on error 5ca72f5 status: attempt open again on interrupts 9b5d4c1 Added static analysis Adding clang compilation Fixing comparison of integers of different 
signs 3b199ef Update GNUmakefile dcd1a34 linux: label the tmpfs for masked directories edf7f15 seccomp: check if the action supports errnoRet bc222b6 seccomp: fail if no default action specified 0c5b920 seccomp: honor default errno value 92c0afe yajl: support static link of containers/yajl f3d920d src: fix unitialized variable 7d89a02 src: add error check 765971c status: fix memory leak on error 31274d8 utils: fix check for fd 62d1c4d tests: add test to feed honggfuzz ab75091 ebpf: return the program instead of NULL 8b16552 src: check if seccomp is defined f721efb container: fix error ownership 4472e35 container: allow config from memory 6b369b8 container: fix memory leak 0fede0f container: initialize variable 2b6c0b6 container: fix dereference of def->linux if NULL 1dd9b5b container: check for def->process before deref 1b1a691 fix: cross-compiling for Android b25cb2d tests: add device access test 86251b0 ebpf: handle access(dev_name, F_OK) call correctly e2d79dc fix: access violate if ret < -2 4f35406 cgroup: read controllers from /proc/self/cgroup Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
2eda91539f |
crun: update to 0.18
Bumping to the release, which pulls in the 808420e release: distribute CHECKSUMS file c2b0064 build-aux: provide arm build without systemd 7cc03f7 .gitignore: update file f5274bd NEWS: tag 0.18 94e8364 src: add missing definitions baed691 libocispec: sync from upstream 8d0ebf6 Add arm64 static binary build b66d5d9 tests: fix make check in a user namespace e10205e linux: remove temporary mount logic 7819f4c linux: use targetfd for move_mount 891cd3c linux: use safe_openat for masked/readonly paths 6c5577f linux: use new function 9aa264d utils: add function to safely create and open 436daef src: add function to cleanup container struct c955ece src: pull function out 7bd51a0 build: check for linux/openat2.h dcb1914 utils: add function to remove initial slashes a1c958c utils: memoize check result 25c6f07 container: rename function to get_root_in_the_userns f08bd31 src: fix leak of the descriptors buffer df88061 tests: disable more Podman flaky tests 052bab7 utils: set HOME to root if the user not found efe35f1 linux: ignore ENOSYS on keyctl 1b65163 tests: enable asan sanitizer a0f322a tests: build init always statically a656698 configure.ac: allow to disable dl support 6adb26b tests: disable hooks_stdin for oci-validation 06199c7 tests: update to podman 3.0 bc888b9 tests: disable podman pull test f1373f9 tests: install crun under /usr/bin 257f442 Fix permission error when using both user namespaces & NOTIFY_SOCKET 617a212 cgroup: skip +cpu on EINVAL in cgroup root b6ac8de linux: use safe_openat for tmpcopyup 2d1f910 utils: avoid reopening the root during lookup 3ce74e8 utils: fix symlink lookup cbb67ae container: set working directory for libkrun df01709 seccomp: custom annotation to load raw bpf b229dca linux: refactor allocate_tmp_mounts 68bb50f linux: disable temporary mounts with [r]slave d6ae36b libocispec: update from upstream 487e792 github: enable clang-format checks 61d6844 src: run make clang-format 1d559d0 clang-format: change ColumnLimit to 0 643d05b linux: 
disable temporary mounts with [r]shared de6082f cgroup: fix conversion from blkio to io 1db8312 Update nix pin with `make nixpkgs` 540444c Makefile.am: crun depends on libocispec.la 1df96e5 linux: fix build without CLONE_NEWCGROUP Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
4a16ba75b1 |
crun: update to 0.17
We bump crun, and its dependency repositories to their latest revisions. Along with the code changes, we have a new systemd dependency (or the build fails), and the License was incorrectly set to GPLv3 previously, and we correct it to v2 as part of this update. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |
||
![]() |
a6ae07c0d3 |
crun: introduce crun (OCI runtime provider)
Create the initial recipe to provide crun as an alternative OCI runtime provider. This currently has a dependency on seccomp, but it would be nice if we can make that optional in the future to avoid pulling in all of meta-security as a dependency.

Example:

% skopeo copy docker://busybox oci:busybox-oci:latest
% mkdir busybox-bundle
% oci-image-tool create --ref platform.os=linux busybox-oci busybox-bundle
% cd busybox-bundle/
% rm config.json
% runc spec
% runc run foo ^D
% crun run foo ^D

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> |