crun-1.6-bp155.1.6

- Update to 1.6
  * runc compatibility: -v now prints the version string.
  * build: fix build with glibc 2.36.
  * container: drop intermediate userns custom feature.
  * cgroup: change the delegate cgroup semantic so that the cgroup
    is created in the container payload after the cgroup namespace
    is created.
  * seccomp: use helper process to send file descriptor to the listener
    socket. It enables to be notified on every syscall without hanging
    the main process.
  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
    fails with ENOSYS.
  * krun: add support for krun-sev.
  * wasmtime: always grant file system capability for workdir inside
    the container.
  * wasmtime: inherit arguments list from the handler instead of the
    current process.
  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
- Update to 1.5
  * add mono based native .NET handler
  * new Wasmtime backend for running WebAssembly
  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
  * dropping support for experimental WasmEdgeProcess from wasmedge handler
  * honor process user's uid when setting the HOME environment variable
  * create the current working directory if it is missing in the container
  * fallback to using a tmpfs mount if umount of /sys and /proc fails
  * fallback to netlink to setup lo device
  * fix creating devices in the rootfs
  * fallback to using io.weight if io.bfq.weight doesn't exist
  * remove tun/tap from the default allow list
  * linux: devices mounts have noexec and nosuid
  * fix copyup of files from the container to the tmpfs
  * honor $PATH for newgidmap and newguidmap
  * krun: limit the number of vCPUs to 8
  * cgroup: add support for cpu.idle

- Update to 1.4.5:
  + CRIU: add support for different manage cgroups modes.
  + linux: the hook processes inherit the crun process
    environment if there is no environment block specified in the
    OCI configuration.
  ° exec: fix double free when using --apparmor and
  - -process-label.

- It'd be nice to run the test suite with %check. It however, still
  does not work properly inside OBS workers. Add it commented and
  explain it

- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
  see: https://github.com/containers/crun/releases
  * 1.4.4
    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
    Resolve symlinks in bind mounts when creating a user namespace.
    Fix CVE-2022-27650: exec does not set inheritable capabilities.
  * 1.4.3
    cgroup: avoid potential infinite loop when deleting a cgroup.
    support additional options for idmap mounts.
    open the source for a bind mount in the host.
  * 1.4.2
    CRIU: add pre-dump support.
    Fix running with a read-only /dev.
    Ignore EROFS when chowning standard stream files.
    Add validation for sysctls before applying them.
  * 1.4.1
    Fix check for an invalid path.
    Allow deleting a container while in created state.
    cgroup: do not set cpu limits if number of shares is set to 0.
  * 1.4
    wasm: support for running on kubernetes with containerd.
    linux: add support for recursive mount options.
    add support for idmapped mounts through a new mount option "idmap".
    linux: improve detection of /dev target.
    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
    retry the openat2 syscall if it fails with EAGAIN.
    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
    on new kernels, use setns with pidfd.
    attempt the chdir again with the specified user if it failed before changing credentials.
  * 1.3
    add support to natively build and run WebAssembly workload and WebAssembly containers.
    allow to specify sub-cgroup for exec.
    chown std streams if they are not a TTY.
    attach the correct streams if the container is suspended and restored multiple times.
    fix race condition when enabling controllers on cgroup v2.
  * 1.2
    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
    criu: add support for external ipc, uts and time namespaces.
  * 1.1
    cgroup: use cgroup.kill when available.
    exec: refuse to exec in a paused container/cgroup.
    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
    criu: Add support for external PID namespace.
    criu: fix save of external descriptors.
    utils: retry openat2 on EAGAIN.
  * 1.0
    cgroup: chown the current container cgroup to root in the container.
    linux: treat pidfd_open failures EINVAL as ESRCH.
    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
    Makefile.am: fix link error when using directly libcrun.
    Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies

- Add libprotobuf-c-devel as an explicit dependency, for fixing
  the build;
- Get rid of rpmlintrc, as it's no longer needed.

- make libkrun support conditional, so we can have crun (without
  libkrun, of course) on all arches, which may help with
  bsc#1188914.

- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
  it is a plugin, not a regular shared library.

- Add libkrun-dlopen.patch: use soname when dlopening libkrun.

- Update to 0.21
  - honor memory swappiness set to 0
  - status: add fields for owner and created timestamp
  - cgroup: lookup pids controller as well when the memory controller
    is not available
  - when compiled with krun, automatically use it if the current
    executable file is called "krun".
  - container: ignore error when resetting the SELinux label for the
    keyring.
  - container: call prestart hooks before rootfs is RO.
  - cgroup: added support cleaning custom controllers on cgroupv1.
  - spec: add support for --bundle.
  - exec: add --no-new-privs.
  - exec: add --process-label and --apparmor to change SELinux and
    AppArmor labels.
  - cgroup: kill procs in cgroup on EBUSY.
  - cgroup: ignore devices errors when running in a user namespace.
  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  - seccomp: report correct action in error message.
  - apply SELinux label to keyring.
  - add custom annotation run.oci.delegate-cgroup.
  - close_range fallbacks to close on EPERM.
  - report error if the cgroup path was set and the cgroup could not be
    joined.
  - on exec, honor additional_gids from the process spec, not the
    container definition.
  - spec: add cgroup ns if on cgroup v2.
  - systemd: support array of strings for cgroup annotation.
  - join all the cgroup v1 controllers.
  - raise a warning when newuidmap/newgidmap fail.
  - handle eBPF access(dev_name, F_OK) call correctly.
  - fix some memory leaks on errors when libcrun is used by a long
    running process.
  - fix the SELinux label for masked directories.
  - support default seccomp errno value.
  - fail if no default seccomp action specified.
  - support OCI seccomp notify listener.
  - improve OOM error messages.
  - ignore unknown capabilities and raise a warning.
  - always remount bind mounts to drop not requested mount flags.

- Add a mention to crun-rpmlintrc in the spec file

- Since we're building with libkrun support, let's enable only the
  arch-es for which we do have libkrun

- Suppress the (false positive) rpmlint warning

- Some fixes to the spec file (add some %doc, remove unused macros, etc)

- Initial package for 0.18
  Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>

- Update to 1.20
  * krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs.
  * cgroup: reverted the removal of tun/tap from the default allow list, this was done in crun-1.5. The tun/tap device is now added by default again.
  * CRIU: do not set network_lock unless explicitly specified.
  * status: disallow container names containing slashes in their name.
  * linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl.
  * scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask.
  * linux: return a better error message when pidfd_open fails with EINVAL.
  * cgroup: display the absolute path to cgroup.controllers when a controller is unavailable.
  * exec: always call setsid. Now processes created through exec get the correct process group id.

- Update to 1.19.1
  * linux: fix a hang if there are no reads from the tty. Use non blocking sockets to read and write from the tty so that the "crun exec" process doesn't hang when the terminal is not consuming any data.
  * linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage to temporarily leak a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the twoo cgroup mounts.
- Update to 1.19
  * wasm: add new handler wamr.
  * criu: allow passing network lock method to libcriu.
  * linux: honor exec cpu affinity mask.
  * build: fix build with musl libc.
  * crun: use mount API to self-clone.
  * cgroup, systemd: do not override devices on update. If the "update" request has no device block configured, do not reset the previously configuration.
  * cgroup: handle case where cgroup v1 freezer is disabled. On systems without the freezer controller, containers were mistakenly reported as paused.
  * cgroup: do not stop process on exec. The cpu mask is configured on the systemd scope, the previous workaround to stop the container until the cgroup is fully configured is no longer needed.

- Update crun.keyring to point to primary key. The original packaging of
  crun.keyring used the subkey 0xAF60FCA3CDAA6DEAD157EA3A67E38F7A8BA21772 as
  the key to verify against, rather than the primary key
  0xAC404C1C0BF735C63FF4D562263D6DF2E163E1EA. If/when upstream rotates their
  signing keys, the old key verification would start to fail.

- Update to crun v1.18.2 Upstream changelog is available from
  <https://github.com/containers/crun/releases/tag/1.18.2>

- Update to crun v1.18. Upstream changelog is available from
  <https://github.com/containers/crun/releases/tag/1.18>
- Remove URL from crun.keyring source declaration. If the Ubuntu keyservers
  update their server software or some other minor change causes the output of
  the key to change (such as the maintainer updating their key expiry), we will
  end up with build failures despite the key still being a totally valid key to
  do verifications with. This also matches how keyring files are managed for
  most packages.

- update to 1.17:
  * Add --log-level option. It accepts error, warning and error.
  * Add debug logs for container creation.
  * Fix double-free in crun exec code that could lead to a crash.
  * Allow passing an ID to the journald log driver.
  * Report "executable not found" errors after tty has been setup.
  * Do not treat EPIPE from hooks as an error.
  * Make sure DefaultDependencies is correctly set in the systemd scope.
  * Improve the error message when the container process is not found.
  * Improve error handling for the mnt namespace restoration.
  * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
  * Fix handling of device paths with trailing slashes.
- add url for keyring
- enable leap by disabling wasmedge (not packaged for leap)

- new upstream release 1.16.1
  1.16.1:
- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint.
- inherit user from original process on exec, if not overridden.
  1.16:
- build: fix build for s390x.
- linux: fix mount of special files with rro.  Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.
- Fix sd-bus error handling for cpu quota and period props update.
- container: use relative path for rootfs if possible.  If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.
- wasmedge: access container environment variables for the WasmEdge configuration.
- cgroup, systemd: use MemoryMax instead of MemoryLimit.  Fixes a warning for using an old configuration name.
- cgroup, systemd: improve checks for sd_bus_message_append errors

- New upstream release 1.15
  * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
  * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
  * release: build s390x binaries using musl libc.
  * features: add support for potentiallyUnsafeConfigAnnotations.
  * handlers: add option to load wasi-nn plugin for wasmedge.
  * linux: fix "harden chdir()" security measure. The previous check was not correct.
  * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.

- New upstream release 1.14.4
  * crun-1.14.4
- linux: fix mount of file with recursive flags.  Do not assume it is
  a directory, but check the source type.
  * crun-1.14.3
- follow up for 1.14.2.  Drop the version check for each command.
  * crun-1.14.2
- crun: drop check for OCI version.  A recent bump in the OCI runtime
  specs caused crun to fail with every config file.  Just drop the
  check since it doesn't add any value.
  * crun-1.14.1
- there was recently a security vulnerability (CVE-2024-21626) in runc
  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
  outside the container rootfs.  While crun is not affected directly,
  harden chdir by validating that we are still inside the container
  rootfs.
- container: attempt to close all the files before execv(2).
  if we leak any fd, it prevents execv to gain access to files outside
  the container rootfs through /proc/self/fd/$fd.
- fix a regression caused by 1.14 when installing the ebpf filter on a
  kernel older than 5.11.
- cgroup, systemd: fix segfault if the resources block is not specified.

- update to 1.14:
  * build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
  * cpuset: don't clobber parent cgroup value when writing the cpuset value.
  * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
    allowing file permissions to be set as specified in the OCI configuration.
  * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
- update to 1.13:
  * src: use O_CLOEXEC for all open/openat calls
  * cgroup v1: use "max" when pids limit < 0.
  * improve error message when idmap mount fails because the underlying file system has no support for it.
  * libcrun: fix compilation when building without libseccomp and libcap.
  * fix relative idmapped mount when using the custom annotation.

- New upstream release 1.12:
  * add new WebAssembly handler: spin.
  * systemd: fallback to system bus if session bus is not available.
  * configure the cpu rt and cpuset controllers before joining them to
    avoid running temporarily the workload on the wrong cpus.
  * preconfigure the cpuset with required resources instead of using the
    parent's set.  This prevents needless churn in the kernel as it
    tracks which CPUs have load balancing disabled.
  * try attr/<lsm>/* before the attr/* files.  Writes to the attr/*
    files may fail if apparmor is not the first "major" LSM in the list
    of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
- New upstream release 1.11.2:
  * fix a regression caused by 1.11.1 where the process crashes if there
    are no CPU limits configured on cgroup v1. (bsc#1217590)
  * fix error code check for the ptsname_r function.

- update to 1.11.1:
  * force a remount operation with bind mounts from the host to
    correctly set all the mount flags.
  * cgroup: honor cpu burst.
  * systemd: set CPUQuota and CPUPeriod on the scope cgroup.
  * linux: append tmpfs mode if missing for mounts.  This is the
    same behavior of runc.
  * cgroup: always use the user session for rootless.
  * support for Intel Resource Director Technology (RDT).
  * new mount option "copy-symlink".  When provided for a mount,
    if the source is a symlink, then it is copied in the container
    instead of attempting a mount.
  * linux: open mounts before setgroups if in a userns.  This
    solves a problem where a directory that was previously
    accessible to the user, become inaccessible after setgroups
    causing the bind mount to fail.

- New upstream release 1.9.2:
  * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
    do that automatically, but new kernels remember the affinity that was set
    before the cgroup move, so we need to reset it in order to honor the cpuset
    configuration.
- New upstream release 1.9.1:
  * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
    that always refuses chmod on a symlink.
  * build: fix build on CentOS 7
  * linux: add new fallback when mount fails with EBUSY, so that there is not an
    additional tmpfs mount if not needed.
  * utils: improve error message when a directory cannot be created as a
    component of the path is already existing as a non directory.
- Only build with wasmedge on x86_64 & aarch64

- Add crun-wasm symlink for platform 'wasi/wasm'

- Update to 1.9:
  * linux: support arbitrary idmapped mounts.
  * linux: add support for "ridmap" mount option to support recursive
    idmapped mounts.
  * crun delete: call systemd's reset-failed.
  * linux: fix check for oom_score_adj.
  * features: Support mountExtensions.
  * linux: correctly handle unknown signal string when it doesn't start with
    a digit.
  * linux: do not attempt to join again already joined namespace.
  * wasmer: use latest wasix API.

- Enable WasmEdge support to run Wasm compat containers.