Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 914758

Summary: app-containers/crun-1.11.1 version bump
Product: Gentoo Linux Reporter: Rahil Bhimjiani <me>
Component: Current packagesAssignee: robertgzr <robert>
Status: RESOLVED FIXED    
Severity: normal CC: proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Rahil Bhimjiani 2023-09-26 19:12:59 UTC 
1) https://github.com/containers/crun/releases
2) Please add live (9999) version so that user can stand on bleeding edge
3) Here is my emerge --info crun

app-containers/crun-1.8.4::gentoo was built with the following:
USE="bpf caps seccomp systemd -criu (-selinux) -static-libs"


Here is my output of crun -v:

crun version 1.8.4
commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL

why +SELINUX? 

4) If possible please provide USE apparmor.
5) Even though RESTRICT=test, I saw some some tests getting executed. So maybe move these in src_test or give test USE?

/usr/bin/python3.11 ./src/ocispec/generate.py --gen-ref --root=./tests/test-spec --out=./src/ocispec ./tests/test-spec/basic
Reflection:	/var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/image-spec/schema/defs-descriptor.json Success
Reflection:	/var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/tests/test-spec/basic/test_top_double_array_string.json Success
Reflection:	/var/tmp/portage/app-containers/crun-1.8.4/work/crun-1.8.4/libocispec/tests/test-spec/imageManifestItems/image-manifest-items-schema.json Success
..
..
..
Comment 1 robertgzr 2023-09-27 09:21:12 UTC 
> bump please
submitted a PR bumping to v1.9.1 https://github.com/gentoo/gentoo/pull/33086


> why +SELINUX?
that just indicates the crun has support for selinux labels etc. which is not something that is guarded by a feature flag: https://github.com/containers/crun/blob/master/src/crun.c#L243

> please provide USE apparmor
what is supposed to happen when it's set?

> libocispec tests running during compile phase
i looked into it. these are in place to validate the generated spec-handling code. i don't think there's currently a toggle for these. i'm trying to see what would need to happen upstream to support making those optional
Comment 2 Rahil Bhimjiani 2023-09-27 11:16:24 UTC 
thanks for the bump. It would be better if upstream actually checks if it has been compiled selinux/apparmor. Maybe create an "issue" on crun github?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-04 22:17:27 UTC 
(In reply to Rahil Bhimjiani from comment #2)
> thanks for the bump. It would be better if upstream actually checks if it
> has been compiled selinux/apparmor. Maybe create an "issue" on crun github?

Why? You mean just purely for the --version output or something else? That would imply adding a library dependency purely for aesthetic purposes?