* crun-0.13

- license: change license to gplv2+ and lgpl2.1+.
- criu: initial support for `container restore`.
- state: If a container is paused, report its state as 'paused'.
- cgroup: use the memory controller to read PIDs.  The pid controller
  is not available on kernels older than 4.3.
- linux: drop context= for remount.  Older linux versions complain
  when the selinux label is specified on a remount.
- utils: fix mount on a non-writable path.
- cgroup: support systemd properties via annotations.
- systemd: do not hard-code the collectmode value.  It can be set
  through an annotation.
- cgroup: write the correct blkio settings.
- exec: do not inherit env variables from main pid.
- ebpf: fix endianness issue on s390x.
- linux: fix recursive mount on cgroup v1.

* crun-0.12.2.1

- when not using a cgroup namespace, mount only the cgroup v1 subpath.

* crun-0.12.2

- do not require read permissions on /
- add support for the "time" namespace via a custom annotation
- fix mount of cgroup v1 when using a cgroup namespace
- set default umask to 0022
- use the correct path for notify socket with "crun run -d"
- always use setsid
- use correct indices for seccomp generation
- fixed several issues with cgroup v2 and the cgroupfs driver

* crun-0.12.1

- fix the order of clone syscall arguments on s390 and cris.
- if no mode is specified use 0666 for devices.
- fix running with a relative bundle directory.
- fix some regressions in the mounts path resolution.
- drop a warning when cgroups are not available for rootless.

* crun-0.12

- masked paths use only MS_UNBINDABLE
- mount doesn't specify mount data when there are no options
- support new hook types: createRuntime, createContainer and startContainer
- safer mount options.  A temporary mount is prepared outside of the
  rootfs before being moved to it.
- apply selinux/apparmor before the pivot_root.
- correctly handle proc remounts.  Specifying hidepid= is now supported.
- fix exec if a namespace is not available.
- handle swap limit with the same semantics as on cgroup v1.
- bring network device up.
- reset all signal handlers to default.

* crun-0.11

- cgroups2: map memory reservation to memory.low
- statx falls back to stat on EINVAL
- utils: do not fail if the path we are trying to create already
  exists
- generate seccomp profile in the parent process, not in the container
  init process.  Memory usage is more reliable now and a container can
  run with ~250K of max memory.
- support for Linux personality.
- support for umask.
- support for the hugetlb controller on cgroup v2.
- PIDs from a cgroup are read recursively.
- do not fork on "create".
- now by default seccomp doesn't fail on an unknown syscall.  The
  previous behavior can be enabled with an annotation.
- fix joining cgroup on cgroup v2 when a named hierarchy is also
  present.
- fix creating user namespaces with more than 2^32 IDs mapped.
- on exec, keep the SELinux label or AppArmor profile from the
  container configuration.
- runtime-specific annotations are prefixed with run.oci.

* crun-0.10.6

- when running with a terminal, change the ownership for the terminal
  to the specified user
- spec: honor the --rootless flag
- linux: make sure the source path is resolved when checking the file
  type.  Regression introduced with 0.10.5.

* crun-0.10.5

- fix CVE-2019-18837
- fix running on CentOS/RHEL 8
- report errors opening the console socket
- do not leave config.json around if the container could not be created

* crun-0.10.4

- ignore errors creating /dev/console
- add an annotation "io.crun.keep_original_groups", if it is set then
  crun won't drop additional groups when creating the container

* crun-0.10.3

- systemd: set collectmode=inactive-or-failed
- fix build on Alpine
- use the current working directory to look up local paths
- improve the error message when a hook fails
- add granular enable/disable configure options

* crun-0.10.2

- fix a regression in 0.10.1 where cgroups v1 could not be created
- correctly chown cgroups when using a user namespace so that systemd
  can run in a container that uses a user namespace

* crun-0.10.1

- linux: Keep MS_RDONLY when remounting bind mount of a read-only
  source.  It solves an issue on Fedora Silverblue where /usr is
  mounted read only.
- fix exec of rootless containers when cgroups are not available

* crun-0.10

- support for AppArmor
- fix for CVE-2019-16884, make sure writes to /proc for the SELinux
  and AppArmor labels are on procfs.
- exec supports --preserve-fds
- seccomp: fix lookup for pseudo syscalls, seccomp now works fine on
  non native archs
- cgroup: ignore rootless errors if manager != systemd
- error: always write errors to stderr
- chroot: follow symlinks for the last component
- set $HOME if it is not already defined

* crun-0.9.1

- fix an issue with tmpcopyup that didn't work correctly with symlinks
- create a new cgroup namespace before mounting the cgroup file
  system, so that it uses the correct namespace

* crun-0.9

- fix exec into containers running systemd on cgroups v2
- kill: honor --all
- kill: when not using a PID namespace, use the freezer controller to
  prevent the container forking new processes
- linux: handle tmpcopyup option to copy files from the rootfs to the
  new mounted tmpfs.
- OCI: honor seccomp options.  If no seccomp option is specified,
  crun now defaults to using SECCOMP_FILTER_FLAG_SPEC_ALLOW |
  SECCOMP_FILTER_FLAG_LOG when using the seccomp(2) syscall

* crun-0.8

- executable lookup. Now create fails immediately if the specified
  executable doesn't exist
- subreaper enabled only when crun is attached
- fix notify socket when used from create and prevent it hanging
  indefinitely when the container exits
- correctly write cpu controller resources when using cgroups v2
- support for the freezer controller when using cgroups v2
- honor unspecified minor/major number for devices when using cgroups v2
- reintroduce --no-pivot
- do not add a cgroup path again if it was already specified in the
  OCI configuration
