
Update runtime-spec submodule pin to resolve cgroup PID field compatibility

Open siretart opened this issue 1 month ago • 2 comments

Summary

The runtime-spec submodule in crun is currently pinned to an older commit that predates a crucial change in the OCI specification around cgroup PID field handling. This is causing compatibility issues when integrating crun with newer runtime-spec dependencies.

Detailed Description

The upstream opencontainers/runtime-spec introduced a breaking change regarding the serialization/deserialization of PID fields within the cgroup settings. Specifically, the handling of these fields was updated, which likely affects the ABI/API when consuming the specification header files.

As the Debian maintainer, this outdated submodule pin prevents proper integration with a recent runtime-spec update.

I strongly suspect the required fix is in opencontainers/runtime-spec commit 869b2d5b0c9fbb9db559ab53cf1fa61a170835e9 (titled: linux: clarify pids cgroup settings). The current stable release of crun does not appear to include this change.

Request

Please bump the opencontainers/runtime-spec git submodule pin in crun to a commit that is equal to or newer than 869b2d5b0c9fbb9db559ab53cf1fa61a170835e9 to restore compatibility with updated OCI specifications.

siretart, Dec 08 '25 11:12
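The "equal to or newer than" condition in the request above can be checked mechanically by reading the gitlink a superproject records for a submodule and testing commit ancestry in a clone of the upstream repository. This is an added example, not code from crun or from the issue; the function names, the submodule path argument and the local upstream clone are assumptions.

```shell
#!/bin/sh
# Added example (not from the crun repository): does the commit a superproject
# pins for a submodule contain a required upstream commit?
# Usage (paths are placeholders; the commit id is the one named in the issue):
#   pin_includes ./crun <submodule-path> ./runtime-spec \
#       869b2d5b0c9fbb9db559ab53cf1fa61a170835e9

# pinned_commit SUPERPROJECT SUBMODULE_PATH
# Prints the gitlink (mode 160000) commit recorded in HEAD for that path.
# Reads the committed tree, so an uninitialised submodule checkout is fine.
pinned_commit() {
    git -C "$1" ls-tree HEAD -- "$2" |
        awk '$1 == "160000" && $2 == "commit" { print $3 }'
}

# pin_includes SUPERPROJECT SUBMODULE_PATH UPSTREAM_CLONE REQUIRED_COMMIT
# Returns 0 if the pin equals or descends from REQUIRED_COMMIT,
#         1 if the pin does not contain it,
#         2 if the pin or either commit cannot be resolved.
pin_includes() {
    pi_super="$1"; pi_path="$2"; pi_upstream="$3"; pi_required="$4"
    pi_pin=$(pinned_commit "$pi_super" "$pi_path")
    if [ -z "$pi_pin" ]; then
        echo "no submodule pin recorded at $pi_path" >&2
        return 2
    fi
    # Ancestry is only meaningful if the upstream clone has both commits.
    for pi_c in "$pi_pin" "$pi_required"; do
        if ! git -C "$pi_upstream" cat-file -e "${pi_c}^{commit}" 2>/dev/null; then
            echo "commit $pi_c not found in $pi_upstream" >&2
            return 2
        fi
    done
    if git -C "$pi_upstream" merge-base --is-ancestor "$pi_required" "$pi_pin"; then
        echo "pin $pi_pin includes $pi_required"
        return 0
    fi
    echo "pin $pi_pin does not include $pi_required" >&2
    return 1
}

# Run the check when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then
    pin_includes "$@"
fi
```

A distribution build that swaps the bundled copy for a system package can run the same ancestry test against the commit that package was built from.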

crun doesn't have any API/ABI dependency on the library, it only uses the schema definitions, so no code from the runtime-spec repository is used. We generate the parser from the schema definitions but this is done internally in crun/libocispec.

I am updating the dependencies (but I've currently hit another regression in runtime-spec, so I am blocked until the upstream patch is merged), but I don't think the package should care about this dependency, since there is no code shared.

giuseppe, Dec 09 '25 11:12

In Debian, for better or worse I do care, because the package build is replacing the internal copy with the distro version of the OCI spec, leading to the build failure outlined in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122251

I can see you arguing this being a self-inflicted wound that can be addressed by simply using the internal copy instead.

siretart, Dec 09 '25 11:12

opened a PR: https://github.com/containers/crun/pull/1923

giuseppe, Dec 11 '25 09:12