Releases · containers/crun
1.28
@giuseppe
- CVE-2026-47766: do not follow rootfs /dev symlinks. Open rootfs /dev with safe_openat before creating default or handler-specific devices, preventing rootfs-controlled /dev symlinks from redirecting device setup outside the container rootfs.
- build: replace YAJL with json-c (>= 0.14) for JSON parsing and generation.
- build: use system libblake3 if available.
- status: restrict valid container ID names. Allow only IDs that match [a-zA-Z0-9_+-][a-zA-Z0-9_+.-]*, following the same validation used by runc.
- cgroup: reject ".." in delegate-cgroup annotation value to prevent path traversal.
- exec: use default environment variables with --env. Previously when crun exec --env was used, the environment from the container spec was not set.
- exec: more verbose error message, include the actual path that failed to exec.
- libcrun: use O_PATH where applicable so the kernel does not grant read/write access on the inode when a file descriptor is only used as a reference.
- chroot_realpath: fix potential buffer overflows in destination buffer when resolving symlink chains.
- fix UID/GID mapping buffer offset for multi-line mappings.
- krun: allow configuring the virtiofs device tag and shm_size.
- krun: request enabling DHCP client when using passt.
- krun: fix parsing optional fields from krun_vm.json.
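Two of the 1.28 hardening items are input checks that are easy to get subtly wrong: the container ID pattern [a-zA-Z0-9_+-][a-zA-Z0-9_+.-]* and the rejection of ".." in the delegate-cgroup annotation. The functions below are an added example written for this page, not crun's own code; the function names are assumptions, and they implement the two checks exactly as the release notes state them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One character of a container ID, per [a-zA-Z0-9_+-][a-zA-Z0-9_+.-]*.
   Ranges are spelled out so the check is locale independent. */
static bool id_char_ok (char c, bool first)
{
  if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
    return true;
  if (c == '_' || c == '+' || c == '-')
    return true;
  /* '.' is only allowed after the first character, so "." and ".." can
     never be valid IDs, and '/' is never allowed at all. */
  return !first && c == '.';
}

/* Assumed name. Returns true only if the whole ID matches the pattern. */
bool valid_container_id (const char *id)
{
  if (id == NULL || *id == '\0')
    return false;
  for (size_t i = 0; id[i] != '\0'; i++)
    if (! id_char_ok (id[i], i == 0))
      return false;
  return true;
}

/* Assumed name. The delegate-cgroup value is a path relative to the
   container cgroup; refuse any ".." component so it cannot climb out.
   Empty components from repeated slashes are tolerated. */
bool delegate_cgroup_value_ok (const char *value)
{
  if (value == NULL)
    return false;
  const char *p = value;
  while (*p != '\0')
    {
      const char *end = strchr (p, '/');
      size_t len = end ? (size_t) (end - p) : strlen (p);
      if (len == 2 && p[0] == '.' && p[1] == '.')
        return false;
      if (end == NULL)
        break;
      p = end + 1;
    }
  return true;
}
```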
1.27.1
@giuseppe
- linux: fix bind mount propagation regression. Mounts hot-plugged after container start (e.g. USB drives) were invisible or owned by nobody inside the container because propagation peer groups were destroyed.
- utils: fix AppArmor profile inside a user namespace.
- cgroup: fix recursive cgroup cleanup failure that could cause EBADF errors when deleting containers with sub-cgroups.
- libcrun: do not check the cgroup file system type when cgroups are disabled with --cgroup-manager=disabled, fixing startup failures on systems where /sys/fs/cgroup is not a standard mount (e.g. Android with Linux Deploy).
- libcrun: fix "unlink /dev/console: Read-only file system" error when running containers with --read-only.
- krun: add support for passt-based networking in microVMs via the krun.use_passt annotation.
- krun: ignore RAM configurations below 128MB.
1.27
@giuseppe
- CVE-2026-30892: fix parsing in crun exec -u that could lead to the process running with the wrong user.
- linux: use open_tree+mount_setattr and open_tree+move_mount for device mounts, masked paths, and readonly paths.
- linux: use mount_setattr for readonly remounts in finalize_mounts.
- linux: skip redundant MS_PRIVATE propagation mounts.
- linux: validate run.oci.mount_context_type annotation value.
- container: skip sigaction reset in unblock_signals for the run path.
- container: delete the container on poststart hooks failures.
- container: fix createRuntime hooks not receiving bundle path.
- container: fix exit code return.
- cgroup: skip enable_controllers when joined via CLONE_INTO_CGROUP.
- cgroup: pass cgroup2 mount options to the kernel.
- cgroup: fix read_pids_cgroup skipping child cgroups.
- hooks: allow ignoring chdir permission errors for container hooks.
- hooks: exit immediately if poststart hooks fail.
- krun: parse annotations for krun.cpus, krun.ram_mib, and krun.variant.
- krun: propagate crun log level to libkrun.
- krun: rename nitro module to awsnitro.
- criu: show excerpt from log file on checkpoint/restore error.
- criu: fix missing umount() in error path.
- scheduler: add diagnostic messages for SCHED_DEADLINE.
- utils: fix memory leak and missing cache in libcrun_initialize_apparmor().
- utils: use parent dir fd for bind on long socket paths.
- utils: retry fgetpwent_r() on EINTR.
- python: initialize error variable to NULL in Python bindings.
- container: fix CPU busy loop when output pipe is blocked.
- seccomp: fix n_plugins calculation.
- restore: fix memory leak.
- numerous fixes for error handling, errno usage, and resource leaks.
1.26
@giuseppe
- criu: enable setting of RPC config file via annotation org.criu.config. crun also reads /etc/criu/crun.conf or /etc/criu/runc.conf for CRIU configuration.
- linux: run createContainer hooks before making root read-only.
- utils: handle NULL container passed to libcrun_open_proc_file().
- container: fix error release on failure paths.
1.25.1
@giuseppe
- linux: harden opens under /proc. Use fsopen, when available, to get a trusted reference to the proc file system and use it for all subsequent accesses instead of relying on the /proc path directly.
1.25
@giuseppe
- cgroup: enable all accounting properties to ensure stats are readable.
- intelrdt: honor default closID.
- src: fix some double allocations on errors.
1.24
@giuseppe
- linux: add support for NUMA set_mempolicy.
- intelrdt: add support for EnableMonitoring.
- linux: optimize masked paths with shared empty directory.
- cgroup, systemd: validate the specified ebpf program is loaded by systemd.
- krun: avoid failing if sev/nitro are not available.
- linux: limit tmpfs memory usage for masked paths.
- linux: fix regression mounting within userns. Detect when running inside a user namespace and treat the mounts in the same way as they would be treated with a new user namespace.
- linux: never chown devices.
1.23.1
@giuseppe
- exec: fix a bug where the terminal could lose some bytes when reading from the exec'ed process.
- utils: add bounds checking for Unix domain socket paths.
1.23
@giuseppe
- krun: enable virtio-gpu. Enable and configure a virtio-gpu device if /dev/dri and /usr/libexec/virgl_render_server are present within the container.
- krun: add support for nitro enclaves.
- criu: add support for tcp-close.
- linux: fix issue when RestrictAddressFamilies="AF_UNIX AF_NETLINK" is in place in the systemd unit. Regression introduced in crun 1.17.
- cgroup,systemd: use BPFProgram=device on systemd to install the device controller eBPF.
- cgroup,systemd: allow empty slice in cgroupsPath.
- crun: print the program version even with an invalid rundir.
- linux: fix regression with idmapped mounts. Support idmapped mounts also when there is no user namespace specified for the container. crun 1.22 introduced the regression.
- cgroup: change formula to convert from cpu shares to cpu weight. The conversion from OCI CPU shares (range [2-262144]) to cgroup v2 cpu.weight (range [1-10000]) has been updated to use a quadratic function so that the min, max and default values match.
1.22
@giuseppe
- crun: add a new command crun mounts to dynamically add or remove mounts from a running container.
- linux: add support for moving existing network devices into the container namespace as defined in the OCI specification.
- linux: add src-nofollow and dest-nofollow mount options for more precise control over how symbolic links are handled.
- krun: implement support for external kernels, allowing users to bundle a kernel image with the container.
- krun: the vCPU limit has been increased to 16.
- krun: add support for specifying the libkrun flavor via the KRUN_VM_FILE.
- criu: fix checkpoint and restore for containers that have a bind mount where the destination is a symbolic link.
- criu: automatically create the directory specified by --work-path if it does not exist, improving compatibility with other runtimes.
- criu: re-enable support on the riscv64 architecture.
- cgroup: fix incorrect setting of cpu.max when the OCI quota is -1.
- hardening: replace all uses of the insecure sprintf function with safer alternatives like snprintf to prevent buffer overflows.
- fix a regression that caused issues when dealing with paths that do not exist and openat2 is not available.
- fix an issue where the file descriptor for the rootfs would become stale if the rootfs was replaced by a mount.
- fix parsing of rootless options.
- fix a potential crash in krun by checking if library handles exist before being unloaded.
- improve error messages for dlopen failures, making them more descriptive.
- cgroup: fix a regression on WSL when running with cgroup v1.
- libcrun: setup /dev/console as a symlink to pty instead of bind mount when possible.