crun-1.6-bp155.1.6

- Update to 1.6
  * runc compatibility: -v now prints the version string.
  * build: fix build with glibc 2.36.
  * container: drop intermediate userns custom feature.
  * cgroup: change the delegate cgroup semantic so that the cgroup
    is created in the container payload after the cgroup namespace
    is created.
  * seccomp: use helper process to send file descriptor to the listener
    socket. It enables to be notified on every syscall without hanging
    the main process.
  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
    fails with ENOSYS.
  * krun: add support for krun-sev.
  * wasmtime: always grant file system capability for workdir inside
    the container.
  * wasmtime: inherit arguments list from the handler instead of the
    current process.
  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
- Update to 1.5
  * add mono based native .NET handler
  * new Wasmtime backend for running WebAssembly
  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
  * dropping support for experimental WasmEdgeProcess from wasmedge handler
  * honor process user's uid when setting the HOME environment variable
  * create the current working directory if it is missing in the container
  * fallback to using a tmpfs mount if umount of /sys and /proc fails
  * fallback to netlink to setup lo device
  * fix creating devices in the rootfs
  * fallback to using io.weight if io.bfq.weight doesn't exist
  * remove tun/tap from the default allow list
  * linux: devices mounts have noexec and nosuid
  * fix copyup of files from the container to the tmpfs
  * honor $PATH for newgidmap and newguidmap
  * krun: limit the number of vCPUs to 8
  * cgroup: add support for cpu.idle

- Update to 1.4.5:
  + CRIU: add support for different manage cgroups modes.
  + linux: the hook processes inherit the crun process
    environment if there is no environment block specified in the
    OCI configuration.
  ° exec: fix double free when using --apparmor and
  - -process-label.

- It'd be nice to run the test suite with %check. It however, still
  does not work properly inside OBS workers. Add it commented and
  explain it

- switch to latest upstream version (1.4.4)
- big jump from 0.21! Here's a short summary, for details,
  see: https://github.com/containers/crun/releases
  * 1.4.4
    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
    Resolve symlinks in bind mounts when creating a user namespace.
    Fix CVE-2022-27650: exec does not set inheritable capabilities.
  * 1.4.3
    cgroup: avoid potential infinite loop when deleting a cgroup.
    support additional options for idmap mounts.
    open the source for a bind mount in the host.
  * 1.4.2
    CRIU: add pre-dump support.
    Fix running with a read-only /dev.
    Ignore EROFS when chowning standard stream files.
    Add validation for sysctls before applying them.
  * 1.4.1
    Fix check for an invalid path.
    Allow deleting a container while in created state.
    cgroup: do not set cpu limits if number of shares is set to 0.
  * 1.4
    wasm: support for running on kubernetes with containerd.
    linux: add support for recursive mount options.
    add support for idmapped mounts through a new mount option "idmap".
    linux: improve detection of /dev target.
    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
    retry the openat2 syscall if it fails with EAGAIN.
    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
    on new kernels, use setns with pidfd.
    attempt the chdir again with the specified user if it failed before changing credentials.
  * 1.3
    add support to natively build and run WebAssembly workload and WebAssembly containers.
    allow to specify sub-cgroup for exec.
    chown std streams if they are not a TTY.
    attach the correct streams if the container is suspended and restored multiple times.
    fix race condition when enabling controllers on cgroup v2.
  * 1.2
    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
    criu: add support for external ipc, uts and time namespaces.
  * 1.1
    cgroup: use cgroup.kill when available.
    exec: refuse to exec in a paused container/cgroup.
    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
    criu: Add support for external PID namespace.
    criu: fix save of external descriptors.
    utils: retry openat2 on EAGAIN.
  * 1.0
    cgroup: chown the current container cgroup to root in the container.
    linux: treat pidfd_open failures EINVAL as ESRCH.
    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
    Makefile.am: fix link error when using directly libcrun.
    Fix symlink target mangling for tmpcopyup targets.
- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
- update and fixup dependencies

- Add libprotobuf-c-devel as an explicit dependency, for fixing
  the build;
- Get rid of rpmlintrc, as it's no longer needed.

- make libkrun support conditional, so we can have crun (without
  libkrun, of course) on all arches, which may help with
  bsc#1188914.

- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
  it is a plugin, not a regular shared library.

- Add libkrun-dlopen.patch: use soname when dlopening libkrun.

- Update to 0.21
  - honor memory swappiness set to 0
  - status: add fields for owner and created timestamp
  - cgroup: lookup pids controller as well when the memory controller
    is not available
  - when compiled with krun, automatically use it if the current
    executable file is called "krun".
  - container: ignore error when resetting the SELinux label for the
    keyring.
  - container: call prestart hooks before rootfs is RO.
  - cgroup: added support cleaning custom controllers on cgroupv1.
  - spec: add support for --bundle.
  - exec: add --no-new-privs.
  - exec: add --process-label and --apparmor to change SELinux and
    AppArmor labels.
  - cgroup: kill procs in cgroup on EBUSY.
  - cgroup: ignore devices errors when running in a user namespace.
  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  - seccomp: report correct action in error message.
  - apply SELinux label to keyring.
  - add custom annotation run.oci.delegate-cgroup.
  - close_range fallbacks to close on EPERM.
  - report error if the cgroup path was set and the cgroup could not be
    joined.
  - on exec, honor additional_gids from the process spec, not the
    container definition.
  - spec: add cgroup ns if on cgroup v2.
  - systemd: support array of strings for cgroup annotation.
  - join all the cgroup v1 controllers.
  - raise a warning when newuidmap/newgidmap fail.
  - handle eBPF access(dev_name, F_OK) call correctly.
  - fix some memory leaks on errors when libcrun is used by a long
    running process.
  - fix the SELinux label for masked directories.
  - support default seccomp errno value.
  - fail if no default seccomp action specified.
  - support OCI seccomp notify listener.
  - improve OOM error messages.
  - ignore unknown capabilities and raise a warning.
  - always remount bind mounts to drop not requested mount flags.

- Add a mention to crun-rpmlintrc in the spec file

- Since we're building with libkrun support, let's enable only the
  arch-es for which we do have libkrun

- Suppress the (false positive) rpmlint warning

- Some fixes to the spec file (add some %doc, remove unused macros, etc)

- Initial package for 0.18
  Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>