Releases: containers/crun

1.4.3

03 Mar 10:08
61c9600
  • cgroup: avoid infinite loop when deleting a cgroup if it contains processes that cannot be terminated.
  • support additional options for idmap mounts. It is now possible to specify what mappings must be used for the idmapped mount.
  • open the source for a bind mount in the host. It is useful when creating a user namespace so that the parent directories for the source directory are not required to be accessible to the users in the user namespace.

1.4.2

26 Jan 08:43
f6fbc8f
  • CRIU: add pre-dump support.
  • Fix running with a read-only /dev. The /dev/console file is created before re-mounting /dev as read-only.
  • Ignore EROFS when chowning standard stream files.
  • Add validation for sysctls before applying them.
  • Attempt looking up the executable after the setresuid syscall. This solves an issue on NFS when the executable file is not owned by root in the container, but the UID:GID combination configured for the container can access it.

1.4.1

14 Jan 10:31
8026135
  • Fix check for an invalid path. crun was performing the wrong check to validate a path, causing spurious failures at runtime.
  • Allow deleting a container while in created state. It goes against what the OCI runtime specs dictate, but it is the expected behavior since runc allows it.
  • Fix regression when joining a container that has explicit paths for the namespaces.
  • cgroup: do not set cpu limits if number of shares is set to 0. Moby uses 0 to indicate no limits.
  • Fix build issues when configured with --enable-shared.
  • Fix build on systems where OPEN_TREE_CLOEXEC is not defined.
  • Improve diagnostics for errors returned by dbus.

1.4

22 Dec 10:52
3daded0
  • wasm: support for running on kubernetes with containerd.
  • linux: add support for recursive mount options, e.g. it is possible to specify "rro" to make the mount read-only recursively.
  • add support for idmapped mounts through a new mount option "idmap".
  • linux: improve detection of /dev target. Previously a mount like /dev/ was not properly detected as mounting /dev/ from the host.
  • now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
  • retry the openat2 syscall if it fails with EAGAIN.
  • cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
  • on new kernels, use setns with pidfd.
  • attempt the chdir again with the specified user if it failed before changing credentials.
  • ebpf: fix build on 32-bit systems.
  • crun --version shows the configured handlers.

1.3

05 Nov 08:30
8e5757a
  • add support to natively build and run WebAssembly workloads and WebAssembly containers.
  • allow specifying a sub-cgroup for exec.
  • chown std streams if they are not a TTY.
  • attach the correct streams if the container is suspended and restored multiple times.
  • fix race condition when enabling controllers on cgroup v2.
  • the fallback code to mount cgroupfs bind mounts the current cgroup path instead of the host /sys.

1.2

08 Oct 07:30
4f6c8e0
  • exec: fix regression in 1.1 where containers are being wrongly reported as paused.
  • criu: add support for external ipc, uts and time namespaces.

1.1

27 Sep 14:56
5b341a1
  • cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.
  • exec: refuse to exec in a paused container/cgroup.
  • container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
  • criu: Add support for external PID namespace.
  • criu: fix save of external descriptors. Restored containers now attach their standard streams correctly.
  • utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.

1.0

25 Aug 19:04
139dc69
  • cgroup: chown the current container cgroup to root in the container.
  • linux: treat pidfd_open failures with EINVAL as ESRCH.
  • cgroup: add support for setting memory.use_hierarchy on cgroup v1.
  • Makefile.am: fix link error when using directly libcrun.
  • Fix symlink target mangling for tmpcopyup targets.

0.21

26 Jul 14:55
c4c3cdf
  • honor memory swappiness set to 0
  • status: add fields for owner and created timestamp
  • cgroup: lookup pids controller as well when the memory controller is not available
  • when compiled with krun, automatically use it if the current executable file is called "krun"

0.20.1

09 Jun 10:49
38271d1
  • container: ignore error when resetting the SELinux label for the keyring.