containers · xw19 · May 1, 2026
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -45,15 +45,15 @@ jobs:
           run: |
             find $(pwd) -name '.git' -exec bash -c 'git config --global --add safe.directory ${0%/.git}' {} \;
             ./autogen.sh
-            ./configure CFLAGS='-Wall -Werror' || cat config.log
+            ./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror' || cat config.log
             make -j $(nproc) -C libocispec libocispec.la
             make git-version.h
             make -j $(nproc) libcrun.la
             make -j $(nproc) crun
 
             make -j $(nproc) clean
 
-            if ./configure CFLAGS='-Wall -Werror --enable-shared'; then
+            if ./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror --enable-shared'; then
                         make -j $(nproc) -C libocispec libocispec.la
                         make git-version.h
                         make -j $(nproc) libcrun.la
@@ -68,6 +68,8 @@ jobs:
         include:
           - test: disable-systemd
           - test: check
+          - test: embedded-blake3
+          - test: system-blake3
           - test: podman
           #- test: cri-o
           - test: containerd
@@ -109,12 +111,12 @@ jobs:
         run: |
           case "${{ matrix.test }}" in
               disable-systemd)
-                  ./configure --disable-systemd
+                  ./configure --enable-embedded-blake3 --disable-systemd
                   make -j $(nproc)
               ;;
               check)
                   sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-                  ./configure --disable-dl
+                  ./configure --enable-embedded-blake3 --disable-dl
                   make
                   # Check that autogenerated files that are in git has not changed.
                   git diff --exit-code
@@ -170,8 +172,30 @@ jobs:
                   sudo docker build -t crun-clang-check tests/clang-check
                   sudo docker run --privileged --rm -w /crun -v ${PWD}:/crun crun-clang-check
               ;;
+              embedded-blake3)
+                  ./configure --enable-embedded-blake3
+                  make -j $(nproc)
+              ;;
+              system-blake3)
+                  # Build blake3 as a local "system" library since libblake3-dev
+                  # is not yet available on ubuntu-latest (24.04).
+                  mkdir -p /tmp/blake3-inst/{lib/pkgconfig,include}
+                  gcc -O2 -shared -fPIC \
+                      -o /tmp/blake3-inst/lib/libblake3.so \
+                      src/libcrun/blake3/blake3.c \
+                      src/libcrun/blake3/blake3_portable.c
+                  cp src/libcrun/blake3/blake3.h /tmp/blake3-inst/include/
+                  printf 'prefix=/tmp/blake3-inst\nexec_prefix=${prefix}\nlibdir=${exec_prefix}/lib\nincludedir=${prefix}/include\n\nName: libblake3\nDescription: BLAKE3\nVersion: 0\nLibs: -L${libdir} -lblake3\nCflags: -I${includedir}\n' \
+                      > /tmp/blake3-inst/lib/pkgconfig/libblake3.pc
+                  PKG_CONFIG_PATH=/tmp/blake3-inst/lib/pkgconfig \
+                      LD_LIBRARY_PATH=/tmp/blake3-inst/lib \
+                      ./configure
+                  PKG_CONFIG_PATH=/tmp/blake3-inst/lib/pkgconfig \
+                      LD_LIBRARY_PATH=/tmp/blake3-inst/lib \
+                      make -j $(nproc)
+              ;;
               checkpoint-restore)
-                  ./configure
+                  ./configure --enable-embedded-blake3
                   make -j $(nproc)
                   sudo python3 tests/test_checkpoint_restore.py
               ;;
@@ -214,5 +238,5 @@ jobs:
         run: |
           find $(pwd) -name '.git' -exec bash -c 'git config --global --add safe.directory ${0%/.git}' {} \;
           ./autogen.sh
-          ./configure
+          ./configure --enable-embedded-blake3
           make shellcheck
diff --git a/Makefile.am b/Makefile.am
@@ -39,8 +39,6 @@ endif
 libcrun_SOURCES = src/libcrun/utils.c \
 		src/libcrun/string_map.c \
 		src/libcrun/ring_buffer.c \
-		src/libcrun/blake3/blake3.c \
-		src/libcrun/blake3/blake3_portable.c \
 		src/libcrun/cgroup-cgroupfs.c \
 		src/libcrun/cgroup-resources.c \
 		src/libcrun/cgroup-setup.c \
@@ -84,6 +82,11 @@ endif
 libocispec/libocispec.la:
 	$(MAKE) $(AM_MAKEFLAGS) -C libocispec libocispec.la
 
+if HAVE_EMBEDDED_BLAKE3
+libcrun_SOURCES += src/libcrun/blake3/blake3.c \
+		src/libcrun/blake3/blake3_portable.c
+endif
+
 libcrun_la_SOURCES = $(libcrun_SOURCES)
 libcrun_la_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -fvisibility=hidden
 if ENABLE_COVERAGE
@@ -170,6 +173,7 @@ endif
 
 EXTRA_DIST = COPYING COPYING.libcrun README.md NEWS SECURITY.md rpm/crun.spec autogen.sh \
 	src/libcrun/blake3/blake3_impl.h src/libcrun/blake3/blake3.h \
+	src/libcrun/blake3/blake3.c src/libcrun/blake3/blake3_portable.c \
 	src/crun.h src/list.h src/run.h src/run_create.h src/delete.h src/kill.h src/pause.h src/unpause.h \
 	src/create.h src/start.h src/state.h src/exec.h src/oci_features.h src/spec.h src/update.h src/ps.h src/mounts.h \
 	src/checkpoint.h src/restore.h src/libcrun/seccomp_notify.h src/libcrun/seccomp_notify_plugin.h \

diff --git a/build-aux/release.sh b/build-aux/release.sh
@@ -11,7 +11,7 @@ test -e Makefile && make distclean
 
 ./autogen.sh
 
-./configure
+./configure --enable-embedded-blake3
 
 make -j "$(nproc)"
 

diff --git a/configure.ac b/configure.ac
@@ -93,6 +93,29 @@ AC_SEARCH_LIBS(yajl_tree_get, [yajl], [AC_DEFINE([HAVE_YAJL], 1, [Define if liby
 PKG_CHECK_MODULES([YAJL], [yajl >= 2.0.0])
 ])
 
+dnl embedded blake3
+AC_ARG_ENABLE(embedded-blake3,
+AS_HELP_STRING([--enable-embedded-blake3], [Statically link a modified blake3 version]),
+[
+case "${enableval}" in
+	yes) embedded_blake3=true ;;
+	no)  embedded_blake3=false ;;
+	*) AC_MSG_ERROR(bad value ${enableval} for --enable-embedded-blake3) ;;
+esac],[embedded_blake3=false])
+
+AM_CONDITIONAL([HAVE_EMBEDDED_BLAKE3], [test x"$embedded_blake3" = xtrue])
+AM_COND_IF([HAVE_EMBEDDED_BLAKE3], [], [
+PKG_CHECK_MODULES([BLAKE3], [libblake3], [
+  AC_DEFINE([HAVE_BLAKE3], 1, [Define if libblake3 is available])
+  LIBS="$LIBS $BLAKE3_LIBS"
+  CPPFLAGS="$CPPFLAGS $BLAKE3_CFLAGS"
+], [
+  AC_SEARCH_LIBS(blake3_hasher_init, [blake3], [AC_DEFINE([HAVE_BLAKE3], 1, [Define if libblake3 is available])], [
+    AC_MSG_ERROR([*** libblake3 not found; install libblake3 or use --enable-embedded-blake3])
+  ])
+])
+])
+
 dnl libcap
 AC_ARG_ENABLE([caps],
 	AS_HELP_STRING([--disable-caps], [Ignore libcap and disable support]))

diff --git a/nix/derivation.nix b/nix/derivation.nix
@@ -36,7 +36,7 @@ with pkgs; stdenv.mkDerivation {
       libsystemd
       yajl
     ] ++ lib.optionals enableCriu [ criu ];
-  configureFlags = [ "--enable-static" ] ++ lib.optional (!enableSystemd) [ "--disable-systemd" ];
+  configureFlags = [ "--enable-static" "--enable-embedded-blake3" ] ++ lib.optional (!enableSystemd) [ "--disable-systemd" ];
   prePatch = let
     staticLibs =
       lib.optional enableCriu "${criu}/lib/libcriu.a"

diff --git a/rpm/crun.spec b/rpm/crun.spec
@@ -1,6 +1,7 @@
 %global krun_opts %{nil}
 %global wasmedge_opts %{nil}
 %global yajl_opts %{nil}
+%global blake3_opts --enable-embedded-blake3
 
 %if %{defined copr_username}
 %define copr_build 1
@@ -110,7 +111,7 @@ Recommends: wasmedge
 
 %build
 ./autogen.sh
-./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts}
+./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts} %{blake3_opts}
 %make_build
 
 %install

diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c
@@ -19,7 +19,6 @@
 #define _GNU_SOURCE
 
 #include <config.h>
-#include "blake3/blake3.h"
 #include "seccomp.h"
 #include "linux.h"
 #include "utils.h"
@@ -38,6 +37,12 @@
 #include <sys/stat.h>
 #include <sys/mman.h>
 
+#ifdef HAVE_BLAKE3
+#  include <blake3.h>
+#else
+#  include "blake3/blake3.h"
+#endif
+
 #if HAVE_STDATOMIC_H
 #  include <stdatomic.h>
 #  ifndef HAVE_ATOMIC_INT

diff --git a/tests/alpine-build/run-tests.sh b/tests/alpine-build/run-tests.sh
@@ -3,5 +3,5 @@
 set -e
 cd /crun
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd
 make -j "$(nproc)"
diff --git a/tests/centos10-build/run-tests.sh b/tests/centos10-build/run-tests.sh
@@ -7,14 +7,14 @@ git config --global --add safe.directory /crun
 
 git clean -fdx
 ./autogen.sh
-./configure --enable-embedded-yajl CFLAGS='-Wall -Wextra -Werror'
+./configure --enable-embedded-yajl --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror'
 make -j "$(nproc)"
 
-make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl"
+make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl --enable-embedded-blake3"
 
 git clean -fdx
 ./autogen.sh
-./configure --enable-embedded-yajl CFLAGS='-Wall -Wextra -Werror' --disable-systemd
+./configure --enable-embedded-yajl --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd
 make -j "$(nproc)"
 
-make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl"
+make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl --enable-embedded-blake3"
diff --git a/tests/centos8-build/run-tests.sh b/tests/centos8-build/run-tests.sh
@@ -7,10 +7,10 @@ git config --global --add safe.directory /crun
 
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror'
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror'
 make -j "$(nproc)"
 
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd
 make -j "$(nproc)"
diff --git a/tests/centos9-build/run-tests.sh b/tests/centos9-build/run-tests.sh
@@ -7,10 +7,10 @@ git config --global --add safe.directory /crun
 
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror'
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror'
 make -j "$(nproc)"
 
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd
 make -j "$(nproc)"
diff --git a/tests/clang-check/run-tests.sh b/tests/clang-check/run-tests.sh
@@ -6,7 +6,7 @@ cd /crun
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' CC=clang
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' CC=clang
 intercept-build make
 
 echo -e "\n\n----------------------------- clang-check -------------------------------\n\n"

diff --git a/tests/clang-format/run-tests.sh b/tests/clang-format/run-tests.sh
@@ -8,6 +8,6 @@ cd /crun
 # which happens if we run it via a Dockerfile with a volume mounted.
 git config --global --add safe.directory "$(pwd)"
 
-./configure
+./configure --enable-embedded-blake3
 make clang-format
 git diff --ignore-submodules --exit-code
diff --git a/tests/containerd/run-tests.sh b/tests/containerd/run-tests.sh
@@ -9,7 +9,7 @@ set -e
 (
 cd /crun
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror'
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror'
 make -j "$(nproc)"
 cp crun /usr/bin/runc
 )

diff --git a/tests/cri-o/run-tests.sh b/tests/cri-o/run-tests.sh
@@ -11,7 +11,7 @@ cd /crun
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --prefix=/usr
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --prefix=/usr
 make -j "$(nproc)"
 make install
 )

diff --git a/tests/fuzzing/run-tests.sh b/tests/fuzzing/run-tests.sh
@@ -15,7 +15,7 @@ CORPUS=${CORPUS:=/testcases}
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure --enable-embedded-yajl HFUZZ_CC_UBSAN=1 HFUZZ_CC_ASAN=1 CC=hfuzz-clang CPPFLAGS="-D FUZZER" CFLAGS="-ggdb3 -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls"
+./configure --enable-embedded-blake3 --enable-embedded-yajl HFUZZ_CC_UBSAN=1 HFUZZ_CC_ASAN=1 CC=hfuzz-clang CPPFLAGS="-D FUZZER" CFLAGS="-ggdb3 -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls"
 make -j "$(nproc)"
 make -j "$(nproc)" tests/tests_libcrun_fuzzer
 

diff --git a/tests/oci-validation/run-tests.sh b/tests/oci-validation/run-tests.sh
@@ -13,7 +13,7 @@ cd /crun
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure
+./configure --enable-embedded-blake3
 make -j "$(nproc)"
 )
 

diff --git a/tests/podman/run-tests.sh b/tests/podman/run-tests.sh
@@ -12,7 +12,7 @@ cd /crun
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --prefix=/usr
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --prefix=/usr
 make -j "$(nproc)"
 make install
 )

diff --git a/tests/wasmedge-build/run-tests.sh b/tests/wasmedge-build/run-tests.sh
@@ -11,7 +11,7 @@ rm -rf /usr/bin/crun /usr/local/bin/crun-wasm /usr/bin/crun-wasm
 git config --global --add safe.directory /crun
 git clean -fdx
 ./autogen.sh
-./configure CFLAGS='-Wall -Wextra -Werror' --with-wasmedge --prefix=/usr
+./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --with-wasmedge --prefix=/usr
 make -j "$(nproc)"
 make install