1) https://github.com/containers/crun/releases

2) Please add live (9999) version so that users can stand on the bleeding edge

3) Here is my emerge --info crun

app-containers/crun-1.8.4::gentoo was built with the following:
USE="bpf caps seccomp systemd -criu (-selinux) -static-libs"

Here is my output of crun -v:

crun version 1.8.4
commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL

why +SELINUX?

4) If possible please provide USE apparmor.

5) Even though RESTRICT=test, I saw some tests getting executed. So maybe move these in src_test or give test USE?

/usr/bin/python3.11 ./src/ocispec/generate.py --gen-ref --root=./tests/test-spec --out=./src/ocispec ./tests/test-spec/basic
Reflection: /var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/image-spec/schema/defs-descriptor.json Success
Reflection: /var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/tests/test-spec/basic/test_top_double_array_string.json Success
Reflection: /var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/tests/test-spec/imageManifestItems/image-manifest-items-schema.json Success
..
..
..
> bump please

submitted a PR bumping to v1.9.1 https://github.com/gentoo/gentoo/pull/33086

> why +SELINUX?

that just indicates that crun has support for selinux labels etc., which is not something that is guarded by a feature flag: https://github.com/containers/crun/blob/master/src/crun.c#L243

> please provide USE apparmor

what is supposed to happen when it's set?

> libocispec tests running during compile phase

i looked into it. these are in place to validate the generated spec-handling code. i don't think there's currently a toggle for these. i'm trying to see what would need to happen upstream to support making those optional
Thanks for the bump. It would be better if upstream actually checks if it has been compiled with selinux/apparmor. Maybe create an "issue" on crun github?
(In reply to Rahil Bhimjiani from comment #2)
> thanks for the bump. It would be better if upstream actually checks if it
> has been compiled selinux/apparmor. Maybe create an "issue" on crun github?

Why? You mean just purely for the --version output or something else? That would imply adding a library dependency purely for aesthetic purposes?