1.23.1

• exec: fix a bug where the terminal could lose some bytes when reading from the exec'ed process.
• utils: add bounds checking for Unix domain socket paths.

1.23

• krun: enable virtio-gpu. Enable and configure a virtio-gpu device if /dev/dri and /usr/libexec/virgl_render_server are present within the container.
• krun: add support for nitro enclaves.
• criu: Add support for tcp-close.
• linux: fix issue when RestrictAddressFamilies="AF_UNIX AF_NETLINK" is in place in the systemd unit. Regression introduced in crun 1.17.
• cgroup,systemd: use BPFProgram=device on systemd to install the device controller eBPF.
• cgroup,systemd: allow empty slice in cgroupsPath.
• crun: print the program version even with an invalid rundir.
• linux: fix regression with idmapped mounts. Support idmapped mounts also when there is no user namespace specified for the container. crun 1.22 introduced the regression.
• cgroup: change formula to convert from cpu shares to cpu weight. The OCI CPU shares (range [2-262144]) to cgroup v2 cpu.weight (range [1-10000]) conversion formula has been updated to use a quadratic function so that min, max and default values match.

1.22

• crun: add a new command crun mounts to dynamically add or remove mounts from a running container.
• linux: add support for moving existing network devices into the container namespace as defined in the OCI specification.
• linux: add src-nofollow and dest-nofollow mount options for more precise control over how symbolic links are handled.
• krun: implement support for external kernels, allowing users to bundle a kernel image with the container.
• krun: the vCPU limit has been increased to 16.
• krun: add support for specifying the libkrun flavor via the KRUN_VM_FILE.
• criu: fix checkpoint and restore for containers that have a bind mount where the destination is a symbolic link.
• criu: automatically create the directory specified by --work-path if it does not exist, improving compatibility with other runtimes.
• criu: re-enable support on the riscv64 architecture.
• cgroup: fix incorrect setting of cpu.max when the OCI quota is -1.
• hardening: replace all uses of the insecure sprintf function with safer alternatives like snprintf to prevent buffer overflows.
• fix a regression that caused issues when dealing with paths that do not exist and openat2 is not available.
• fix an issue where the file descriptor for the rootfs would become stale if the rootfs was replaced by a mount.
• fix parsing of rootless options.
• fix a potential crash in krun by checking if library handles exist before being unloaded.
• improve error messages for dlopen failures, making them more descriptive.
• cgroup: fix a regression on WSL when running with cgroup v1.
• libcrun: setup /dev/console as a symlink to pty instead of bind mount when possible.

1.21

• criu: when running under systemd, use a proxy process to initialize the cgroup so that all the container processes are restored in the correct cgroup.
• set HOME to "/" if the specified user is not present in the /etc/passwd file.
• do not fail if any of stdin/stdout/stderr is closed.
• cgroup: fix handling of absent subcgroup when configuring cpuset on cgroup v1.
• ignore SIGWINCH when a tty is not used.
• utils: improve error message if the specified command is not executable.
• fix PATH lookup. Support filenames starting with a dot.
• krun: create context after loading the library.
• krun: stop using krun_set_exec but use the command line directly from the OCI configuration file.

1.20

• krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs.
• cgroup: reverted the removal of tun/tap from the default allow list, this was done in crun-1.5. The tun/tap device is now added by default again.
• CRIU: do not set network_lock unless explicitly specified.
• status: disallow container names containing slashes in their name.
• linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl.
• scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask.
• linux: return a better error message when pidfd_open fails with EINVAL.
• cgroup: display the absolute path to cgroup.controllers when a controller is unavailable.
• exec: always call setsid. Now processes created through exec get the correct process group id.

1.19.1

• linux: fix a hang if there are no reads from the tty. Use non blocking sockets to read and write from the tty so that the "crun exec" process doesn't hang when the terminal is not consuming any data.
• linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage to temporarily leak a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the twoo cgroup mounts.

1.19

• wasm: add new handler wamr.
• criu: allow passing network lock method to libcriu.
• linux: honor exec cpu affinity mask.
• build: fix build with musl libc.
• crun: use mount API to self-clone.
• cgroup, systemd: do not override devices on update. If the "update" request has no device block configured, do not reset the previously configuration.
• cgroup: handle case where cgroup v1 freezer is disabled. On systems without the freezer controller, containers were mistakenly reported as paused.
• cgroup: do not stop process on exec. The cpu mask is configured on the systemd scope, the previous workaround to stop the container until the cgroup is fully configured is no longer needed.

1.18.2

• cgroup, systemd: fix a regression when a configuration file includes only one default rule.

1.18.1

• cgroup: deprecate cgroup v1.
• cgroup: fix regression setting up the devices cgroup on cgroup v1.
• cgroup: fix regression and work again with the default Docker devices configuration on systemd.
• linux: fix setting up user namespace when newuidmap/newgidmap are not available.

1.18

• cgroup: support running without a sub-cgroup with systemd. Use the d-bus API to set the container limits on the systemd scope itself. It allows running without a sub-cgroup when the systemd driver is used, the run.oci.systemd.subgroup annotation controls it. For now, a sub-cgroup is still created, but it might be changed in future.
• cgroup: add support for the misc controller.
• linux: fix running on kernel without user namespaces.
• criu, restore: add lsm-profile option.
• criu, restore: add lsm-mount-context option.
• linux: add duplicate namespace detection.