
Releases: containers/crun

1.7.1

25 Nov 11:21
d068462
  • criu: load libcriu dynamically.
  • seccomp: initialize libgcrypt.
  • handlers: fix rewriting the argv if the full cmdline doesn't fit.
  • utils: honor SELinux label when using a custom handler.
  • utils: honor AppArmor label when using a custom handler.
  • krun: copy the OCI configuration file into the container.
  • utils: fix creating the default user namespace when running with euid != 0.
  • Add setlinebuf() when --debug and --log=file: are used.
  • Fix timestamp format in the error messages.
  • krun: disable libkrun's collection of env vars.

1.7

07 Nov 11:51
40d996e
  • seccomp: use a cache for the generated BPF.
  • add support for setting the domainname through the OCI spec.
  • handlers: define wasm and krun.
  • wasmtime: add support for compiling .wat format.
  • cgroup: honor checkBeforeUpdate on cgroupv2.
  • crun: chown std streams before joining the user namespace.
  • crun: display rundir in --version output.
  • container: with cgroupfs, use clone3 to join the target cgroup directly.
  • linux: create parent directories for created devices with mode 0755.
  • wasm: inherit environment variables in the WasmEdge handler.

1.6

07 Sep 15:02
18cf2ef
  • runc compatibility: -v now prints the version string.
  • build: fix build with glibc 2.36.
  • container: drop intermediate userns custom feature.
  • cgroup: change the delegate cgroup semantic so that the cgroup is created in the container payload after the cgroup namespace is created.
  • seccomp: use a helper process to send the file descriptor to the listener socket. This makes it possible to be notified on every syscall without hanging the main process.
  • linux: add a fallback to using kill(2) if pidfd_send_signal(2) fails with ENOSYS.
  • krun: add support for krun-sev.
  • wasmtime: always grant file system capability for workdir inside the container.
  • wasmtime: inherit arguments list from the handler instead of the current process.
  • wasmedge: use released wasmedge library instead of libwasmedge_c.so.

1.5

20 Jul 14:54
54ebb8c
  • add a Mono-based native .NET handler.
  • new Wasmtime backend for running WebAssembly.
  • add support for wasmedge 0.10 and drop support for wasmedge 0.9.x.
  • drop support for the experimental WasmEdgeProcess from the wasmedge handler.
  • honor the process user's uid when setting the HOME environment variable.
  • create the current working directory if it is missing in the container.
  • fall back to using a tmpfs mount if the umount of /sys and /proc fails.
  • fall back to netlink to set up the lo device.
  • fix creating devices in the rootfs.
  • fall back to using io.weight if io.bfq.weight doesn't exist.
  • remove tun/tap from the default allow list.
  • linux: device mounts have noexec and nosuid.
  • fix copyup of files from the container to the tmpfs.
  • honor $PATH for newgidmap and newuidmap.
  • krun: limit the number of vCPUs to 8.
  • cgroup: add support for cpu.idle.

1.4.5

27 Apr 10:15
c381048
  • CRIU: add support for the different manage-cgroups modes.
  • linux: the hook processes inherit the crun process environment if there is no environment block specified in the OCI configuration.
  • exec: fix double free when using --apparmor and --process-label.

1.4.4

24 Mar 07:26
6521fcc
  • wasm, kubernetes: support wasm on Kubernetes infrastructure with side-cars.
  • Resolve symlinks in bind mounts when creating a user namespace.
  • Fix CVE-2022-27650: exec does not set inheritable capabilities.

1.4.3

03 Mar 10:08
61c9600
  • cgroup: avoid infinite loop when deleting a cgroup if it contains processes that cannot be terminated.
  • support additional options for idmap mounts. It is now possible to specify what mappings must be used for the idmapped mount.
  • open the source for a bind mount in the host. It is useful when creating a user namespace so that the parent directories for the source directory are not required to be accessible to the users in the user namespace.

1.4.2

26 Jan 08:43
f6fbc8f
  • CRIU: add pre-dump support.
  • Fix running with a read-only /dev. The /dev/console file is created before re-mounting /dev as read-only.
  • Ignore EROFS when chowning standard stream files.
  • Add validation for sysctls before applying them.
  • Attempt looking up the executable again after the setresuid syscall. This solves an issue on NFS when the executable file is not owned by root in the container, but the UID:GID combination configured for the container can access it.

1.4.1

14 Jan 10:31
8026135
  • Fix check for an invalid path. crun was performing the wrong check to validate a path, causing spurious failures at runtime.
  • Allow deleting a container while in created state. It goes against what the OCI runtime specs dictate, but it is the expected behavior since runc allows it.
  • Fix regression when joining a container that has explicit paths for the namespaces.
  • cgroup: do not set cpu limits if the number of shares is set to 0. Moby uses 0 to indicate no limits.
  • Fix build issues when configured with --enable-shared.
  • Fix build on systems where OPEN_TREE_CLOEXEC is not defined.
  • Improve diagnostics for errors returned by dbus.

1.4

22 Dec 10:52
3daded0
  • wasm: support for running on kubernetes with containerd.
  • linux: add support for recursive mount options. For example, it is possible to specify "rro" to make the mount read-only recursively.
  • add support for idmapped mounts through a new mount option "idmap".
  • linux: improve detection of /dev target. Previously a mount like /dev/ was not properly detected as mounting /dev/ from the host.
  • crun exec now uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
  • retry the openat2 syscall if it fails with EAGAIN.
  • cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
  • on new kernels, use setns with pidfd.
  • attempt the chdir again with the specified user if it failed before changing credentials.
  • ebpf: fix build on 32-bit systems.
  • crun --version shows the configured handlers.