Releases: containers/crun

0.13

05 Mar 15:08
e79e4de
  • license: change license to gplv2+ and lgpl2.1+.
  • criu: initial support for container restore.
  • state: If a container is paused, report its state as 'paused'.
  • cgroup: use the memory controller to read PIDs. The pid controller is not available on kernels older than 4.3.
  • linux: drop context= for remount. Older Linux versions complain when the SELinux label is specified on a remount.
  • utils: fix mount on a non-writable path.
  • cgroup: support systemd properties via annotations.
  • systemd: do not hard-code the collectmode value. It can be set through an annotation.
  • cgroup: write the correct blkio settings.
  • exec: do not inherit env variables from main pid.
  • ebpf: fix endianness issue on s390x.
  • linux: fix recursive mount on cgroup v1.

0.12.2.1

17 Feb 22:37
cd7cea7
  • when not using a cgroup namespace, mount only the cgroup v1 subpath.

0.12.2

17 Feb 18:20
404ad5b
  • do not require read permissions on /
  • add support for the "time" namespace via a custom annotation
  • fix mount of cgroup v1 when using a cgroup namespace
  • set default umask to 0022
  • use the correct path for notify socket with "crun run -d"
  • always use setsid
  • use correct indices for seccomp generation
  • fixed several issues with cgroup v2 and the cgroupfs driver

0.12.1

06 Feb 08:54
df5f2b2
  • fix the order of clone syscall arguments on s390 and cris.
  • if no mode is specified use 0666 for devices.
  • fix running with a relative bundle directory.
  • fix some regressions in the mounts path resolution.
  • drop a warning when cgroups are not available for rootless.

0.12

03 Feb 21:23
1d1dd4a
  • masked paths use only MS_UNBINDABLE
  • mount doesn't specify mount data when there are no options
  • support new hook types: createRuntime, createContainer and startContainer
  • safer mount options. A temporary mount is prepared outside of the
    rootfs before being moved to it.
  • apply selinux/apparmor before the pivot_root.
  • handle proc remounts correctly. Specifying hidepid= is now supported.
  • fix exec if a namespace is not available.
  • handle swap limit with the same semantics as on cgroup v1.
  • bring network device up.
  • reset all signal handlers to default.

0.11

23 Dec 14:47
4a9b272
  • cgroups2: map memory reservation to memory.low
  • statx falls back to stat on EINVAL
  • utils: do not fail if the path we are trying to create already exists
  • generate seccomp profile in the parent process, not in the container init process. Memory usage is more reliable now and a container can run with ~250K of max memory.
  • support for Linux personality.
  • support for umask.
  • support for the hugetlb controller on cgroup v2.
  • PIDs from a cgroup are read recursively.
  • do not fork on "create".
  • now by default seccomp doesn't fail on an unknown syscall. The previous behavior can be enabled with an annotation.
  • fix joining cgroup on cgroup v2 when a named hierarchy is also present.
  • fix creating user namespaces with more than 2^32 IDs mapped.
  • on exec, keep the SELinux label or AppArmor profile from the
    container configuration.
  • runtime-specific annotations are prefixed with run.oci.

0.10.6

18 Nov 09:19
43686a9
  • when running with a terminal, change the ownership for the terminal to the specified user
  • spec: honor the --rootless flag
  • linux: make sure the source path is resolved when checking the file type. Regression introduced with 0.10.5

0.10.5

09 Nov 23:22
91db0f4
  • fix CVE-2019-18837
  • fix running on CentOS/RHEL 8
  • report errors opening the console socket
  • do not leave config.json around if the container could not be created

0.10.4

31 Oct 16:47
4a46e90
  • ignore errors creating /dev/console
  • add an annotation "io.crun.keep_original_groups", if it is set then crun won't drop additional groups when creating the container

0.10.3

29 Oct 15:36
d73f362
  • systemd: set collectmode=inactive-or-failed
  • fix build on Alpine
  • use the current working directory to look up local paths
  • improve the error message when a hook fails
  • add granular enable/disable configure options