Releases: containers/crun

1.8.2 (21 Mar 14:26, commit bf70c97)
  • Lua bindings for libcrun.
  • wasmedge: add the current directory to the preopen paths.
  • linux: inherit the parent mount flags when making a path masked.
  • libcrun: custom annotation to set the scheduler for the container process.
  • cgroup: fall back to the blkio.bfq files if blkio is not available on cgroup v1.
  • cgroup: initialize rt limits when using systemd.
  • tty: chown the tty to the exec user instead of the user specified to create the container.
  • cgroup: fall back to creating the cgroupfs cgroup as a sibling of the current cgroup if none is specified and it cannot be created in the root cgroup.

1.8.1 (27 Feb 10:50, commit f8a096b)
  • linux: idmapped mounts now expect the same configuration as the user namespace mappings. Before, they expected the inverted mapping. This is a breaking change, but the behavior is aligned with what runc will do as well.
  • krun: always allow /dev/kvm in the cgroup configuration.
  • handlers: disable exec for handlers that do not support it.
  • selinux: allow setting fscontext using a custom annotation.
  • cgroup: reset systemd unit if start fails.
  • cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
  • cgroup: always delete the cgroup on errors. On some errors it could have been leaked before.

1.8 (31 Jan 16:11, commit cfec5ce)
  • linux: precreate devices on the host.
  • cgroup: support cpuset mounted with noprefix.
  • linux: mount the source cgroup if cgroupns=host.
  • libcrun: don't clone self from read-only mount.
  • build: fix build without dlfcn.h.
  • linux: set PR_SET_DUMPABLE.
  • utils: fix applying AppArmor profile.
  • linux: write setgroups=deny when mapping a single uid/gid.
  • cgroup: fix entering the cgroupv1 mount on RHEL 7.

1.7.2 (29 Nov 19:51, commit 0356bf4)
  • criu: hardcode library name to libcriu.so.2.
  • cgroup: always enable all controllers, even if the cgroup was already joined. Regression caused by crun-1.7.

1.7.1 (25 Nov 11:21, commit d068462)
  • criu: load libcriu dynamically.
  • seccomp: initialize libgcrypt.
  • handlers: fix rewriting the argv if the full cmdline doesn't fit.
  • utils: honor SELinux label when using a custom handler.
  • utils: honor AppArmor label when using a custom handler.
  • krun: copy the OCI configuration file into the container.
  • utils: fix creating the default user namespace when running with euid != 0.
  • Add setlinebuf() when --debug and --log=file: are used.
  • Fix timestamp format in the error messages.
  • krun: disable libkrun's collection of env vars.

1.7 (07 Nov 11:51, commit 40d996e)
  • seccomp: use a cache for the generated BPF.
  • add support for setting the domainname through the OCI spec.
  • handlers: define wasm and krun.
  • wasmtime: add support for compiling .wat format.
  • cgroup: honor checkBeforeUpdate on cgroupv2.
  • crun: chown std streams before joining the user namespace.
  • crun: display rundir in --version output.
  • container: with cgroupfs, use clone3 to join the target cgroup directly.
  • linux: create parent directories for created devices with mode 0755.
  • wasm: inherit environment variables in the WasmEdge handler.

1.6 (07 Sep 15:02, commit 18cf2ef)
  • runc compatibility: -v now prints the version string.
  • build: fix build with glibc 2.36.
  • container: drop intermediate userns custom feature.
  • cgroup: change the delegate cgroup semantic so that the cgroup is created in the container payload after the cgroup namespace is created.
  • seccomp: use a helper process to send the file descriptor to the listener socket. This makes it possible to be notified on every syscall without hanging the main process.
  • linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails with ENOSYS.
  • krun: add support for krun-sev.
  • wasmtime: always grant file system capability for workdir inside the container.
  • wasmtime: inherit arguments list from the handler instead of the current process.
  • wasmedge: use released wasmedge library instead of libwasmedge_c.so.

1.5 (20 Jul 14:54, commit 54ebb8c)
  • add a Mono-based native .NET handler
  • new Wasmtime backend for running WebAssembly
  • add support for wasmedge 0.10 and drop support for wasmedge 0.9.x
  • drop support for the experimental WasmEdgeProcess from the wasmedge handler
  • honor the process user's uid when setting the HOME environment variable
  • create the current working directory if it is missing in the container
  • fall back to using a tmpfs mount if the umount of /sys and /proc fails
  • fall back to netlink to set up the lo device
  • fix creating devices in the rootfs
  • fall back to using io.weight if io.bfq.weight doesn't exist
  • remove tun/tap from the default allow list
  • linux: device mounts have noexec and nosuid
  • fix copyup of files from the container to the tmpfs
  • honor $PATH for newgidmap and newuidmap
  • krun: limit the number of vCPUs to 8
  • cgroup: add support for cpu.idle

1.4.5 (27 Apr 10:15, commit c381048)
  • CRIU: add support for the different manage-cgroups modes.
  • linux: the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration.
  • exec: fix double free when using --apparmor and --process-label.

1.4.4 (24 Mar 07:26, commit 6521fcc)
  • wasm, kubernetes: support wasm for Kubernetes infrastructure with sidecars.
  • Resolve symlinks in bind mounts when creating a user namespace.
  • Fix CVE-2022-27650: exec does not set inheritable capabilities.