0.12.2

• do not require read permissions on /
• add support for the "time" namespace via a custom annotation
• fix mount of cgroup v1 when using a cgroup namespace
• set default umask to 0022
• use the correct path for notify socket with "crun run -d"
• always use setsid
• use correct indices for seccomp generation
• fixed several issues with cgroup v2 and the cgroupfs driver

0.12.1

• fix the order of clone syscall arguments on s390 and cris.
• if no mode is specified use 0666 for devices.
• fix running with a relative bundle directory.
• fix some regressions in the mounts path resolution.
• drop a warning when cgroup are not available for rootless.

0.12

• masked paths use only MS_UNBINDABLE
• mount doesn't specify mount data when there are no options
• support new hook types: createRuntime, createContainer and startContainer
• safer mount options. A temporary mount is prepared outside of the
  rootfs before being moved to it.
• apply selinux/apparmor before the pivot_root.
• handle correctly proc remounts. It is now supported to specify hidepid=
• fix exec if a namespace is not available.
• handle swap limit with the same semantic as on cgroup v1.
• bring network device up.
• reset all signal handlers to default.

0.11

• cgroups2: map memory reservation to memory.low
• statx fallbacks to stat on EINVAL
• utils: do not fail if the path we are trying to create already exists
• generate seccomp profile in the parent process, not in the container init process. Memory usage is more reliable now and a container can run with ~250K of max memory.
• support for Linux personality.
• support for umask.
• support for the hugetlb controller on cgroup v2.
• PIDs from a cgroup are read recursively.
• do not fork on "create".
• now by default seccomp doesn't fail on an unknown syscall. The previous behavior can be enabled with an annotation.
• fix joining cgroup on cgroup v2 when a named hierarchy is also present.
• fix creating user namespaces with more than 2^32 IDs mapped.
• on exec, keep the SELinux label or AppArmor profile from the
• container configuration.
• runtime specific annotation are prefixed with run.oci.

0.10.6

• when running with a terminal, change the ownership for the terminal to the specified user
• spec: honor the --rootless flag
• linux: make sure the the source path is resolved when checking the file type. Regression introduced with 0.10.5

0.10.5

• fix CVE-2019-18837
• fix running on CentOS/RHEL 8
• report errors opening the console socket
• not leave config.json around if the container could not be created

0.10.4

• ignore errors creating /dev/console
• add an annotation "io.crun.keep_original_groups", if it is set then crun won't drop additional groups when creating the container

0.10.3

• systemd: set collectmode=inactive-or-failed
• fix build on Alpine
• use the the current working directory to lookup local paths
• improve the error message when a hook fails
• add granular enable/disable configure options

0.10.2

• fix a regression in 0.10.1 where cgroups v1 could not be created
• correctly chown cgroups when using a user namespace so that systemd can run in a container that uses a user namespace

0.10.1

• linux: Keep MS_RDONLY when remounting bind mount of a read-only source. It solves an issue on Fedora Silverblue where /usr is mounted read only.
• fix exec of rootless containers when cgroups are not available