Releases: containers/crun

0.20

01 Jun 19:01
0d42f11
  • container: call prestart hooks before rootfs is RO.
  • cgroup: add support for cleaning custom controllers on cgroup v1.
  • spec: add support for --bundle.
  • exec: add --no-new-privs.
  • exec: add --process-label and --apparmor to change SELinux and AppArmor labels.
  • cgroup: kill procs in cgroup on EBUSY.
  • cgroup: ignore devices errors when running in a user namespace.
  • seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
  • seccomp: report correct action in error message.
  • apply SELinux label to keyring.
  • add custom annotation run.oci.delegate-cgroup.
  • close_range falls back to close on EPERM.
  • report error if the cgroup path was set and the cgroup could not be joined.

0.19.1

20 Apr 12:45
1535fed
  • on exec, honor additional_gids from the process spec, not the container definition.
  • spec: add cgroup ns if on cgroup v2.
  • systemd: support array of strings for cgroup annotation.

0.19

02 Apr 14:14
e67a756
  • join all the cgroup v1 controllers.
  • raise a warning when newuidmap/newgidmap fail.
  • handle eBPF access(dev_name, F_OK) call correctly.
  • fix some memory leaks on errors when libcrun is used by a long running process.
  • fix the SELinux label for masked directories.
  • support default seccomp errno value.
  • fail if no default seccomp action specified.
  • support OCI seccomp notify listener.
  • improve OOM error messages.
  • ignore unknown capabilities and raise a warning.
  • always remount bind mounts to drop mount flags that were not requested.

0.18

19 Feb 07:42
808420e
  • fix build without CLONE_NEWCGROUP.
  • fix conversion from blkio to io.
  • add custom annotation to load raw BPF.
  • set working directory for libkrun.
  • fix symlink lookup on old kernels that lack openat2.
  • skip +cpu on EINVAL in cgroup root. Enabling the cpu controller is not permitted if there are already realtime processes running on the system.
  • fix permission error when using NOTIFY_SOCKET with user namespaces.
  • set HOME to root if the user is not found.
  • simplify mount logic to not use a temporary mount.
  • ignore ENOSYS from keyctl.

0.17

21 Jan 22:11
0e9229a
  • allow creating user namespaces without root being mapped.
  • allow arbitrary IDs with single ID userns.
  • use close_range(CLOSE_RANGE_CLOEXEC) where available.
  • honor /sys/kernel/cgroup/delegate.
  • fix an issue with hooks running in the container PID namespace.
  • fix building without seccomp.
  • fix building without libcap.

0.16

24 Nov 09:01
91ec195
  • CRIU support.
  • fall back to openat if openat2 returns EPERM.
  • ignore ENOENT for cgroup v1 mounts: if the mount fails with ENOENT, the controller might have been unmounted.
  • fix another race reading cgroup freeze. Reading from the cgroup fails with ENODEV if the cgroup was deleted in the meantime.

0.15.1

03 Nov 15:26
eb0145e
  • add experimental support for libkrun.
  • fix check for pidfd availability on older kernels.
  • linux: do not set data when remounting read-only. Fix 'ro' mounts on older kernels when SELinux is enabled.
  • linux: label the cgroup v1 tmpfs when SELinux is enabled.
  • container: truncate the pid file before writing to it.
  • exec: fix check for read bytes from the sync socket.
  • check the process has a cgroup before allowing pause and resume.
  • linux: always create a user namespace if not running with euid == 0.
  • libcrun can use a hook instead of executing a container process.
  • use libyajl to generate hooks json input.
  • correctly handle ENOENT for seccomp notifications.

0.15

23 Sep 15:00
56ca95e
  • add support for OCI unified cgroup v2.
  • add json format option to crun list.
  • get last kernel capability dynamically instead of using a build time constant.
  • enable all available cgroup controllers.
  • support the seccomp SCMP_ACT_LOG action.
  • support the seccomp SCMP_ACT_KILL_THREAD action.
  • properly set a SELinux label for the mqueue mount.
  • crun kill uses pidfd when supported.
  • experimental support for seccomp notifications.
  • fix bundle option for crun create and crun run.
  • allow declaring the path to the config file.
  • check /sys/kernel/security/apparmor when using AppArmor.
  • no longer accept type=bind alone; either "bind" or "rbind" must be present in the mount flags.

0.14.1

08 Jul 07:30
88886ae
  • fix a regression in crun-0.14 where openat2(2) would fail when bind mounting a symlink.
  • various small fixes to allow running regression tests outside of source tree.

0.14

02 Jul 19:06
ebc56fc
  • cgroup, systemd: create container under subcgroup. Now a "/container" sub-cgroup is created and fully managed by libcrun. This is a different behaviour than what runc does.
  • libcrun: use the openat2 syscall available since Linux 5.6.
  • container: allow hooks output to file through an annotation.
  • linux: support joining PID/IPC namespace not owned by the user namespace. Requires Linux 5.3.
  • linux: avoid double fork for creating the init process if not needed.
  • linux: fix an issue where the basename for $NOTIFY_SOCKET is different than /notify.
  • rootless: allow /dev/{tty,ptmx} to be present in linux.devices.
  • cgroup: fix an issue on CentOS 7.8 when using net_cls and net_prio.
  • seccomp: honor errnoRet from OCI spec runtime.
  • exec: call setresuid/setresgid before setting up the terminal.
  • cgroup, v2: fix crun update with both --memory -1 --memory-swap -1.
  • cgroup, v2: fix setting unlimited swap.
  • cgroup, v2: allow setting unlimited swap on its own.
  • cgroup, v2: treat negative numbers as "max".
  • cgroup, v2: raise error if swap is set without memory limit.
  • cgroup: ignore cpu resources if set to 0.
  • libcrun: audit errno in crun_make_error calls.
  • libcrun: fix read_pid_stat usage.
  • linux: fix double close on the same file descriptor.
  • container: prevent deletion of a container that has not stopped.
  • status: use the process start time for identification.
  • CRIU: several improvements.
  • linux: fix path lookups for relative paths containing '/'.
  • linux: use the SELinux mount label for the notify socket.
  • status: delete doesn't fail if the process already exited.