Releases: google/nsjail

nsjail-3.4

04 Oct 06:41
  • Improved cgroups2 support
  • Improved cgroups2 + docker interoperability
  • New configs: hexchat, telegram
  • Better support for clone3
  • New signals displayed: SIGPWR
  • Support for nvim+.clangd
  • Improved .clang-format rules
  • Print help to stdout if -h | --help was used

nsjail-3.3

07 Dec 08:53
  • Build fix: Unset LDFLAGS for kafel
  • Setup cgroup.subtree_control controllers when necessary in cgroupsv2

nsjail-3.2

14 Oct 09:42
  • switch to C++14
  • various example configs improvements
  • using atomics in signal handlers
  • improve debug logging
  • use only CPUs from current affinity set
  • add option to forward fatal signals to the child

nsjail-3.1

04 Apr 15:13
  • config proto fields renumbered
  • various compilation/build error fixes
  • process is killed in listen mode once tcp connection is closed
  • Support for newly added Linux capabilities (CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE)
  • Added global connection limit for listen mode
  • Added support for rlimit_mlock, rlimit_rtpr, rlimit_msgq
  • Added switch_root option useful for embedded systems that use rootfs
  • Fix setting CPU CFS limit
  • Allow mount options to contain colons
  • Added support for setting cgroup memory.memsw.limit_in_bytes
  • Added option to disable TSC

nsjail-3.0

23 Jul 08:45
7de87ae
  • the TCP proxy mode is a socketpair proxy now
  • fixes for some configs/ (e.g. for xchat and for znc)
  • fixes to the Dockerfile and to the dockerpush.yml
  • new clone option recognized (CLONE_NEWPID)
  • fixed max_conns_per_ip
  • clarification of units for cgroups_mem_max

nsjail-2.9

06 Sep 12:56
  • even more C++-isms (e.g. RETURN_ON_FAILURE)
  • improved EINTR handling
  • improved configs for some tools
  • changed default RLIMIT_AS to 4GiB
  • rudimentary support for cgroups2
  • added option to ignore rlimits
  • fixed setcwd() w/o CLONE_NEWNS

nsjail-2.8

19 Nov 13:51
  • even more C++-isms
  • clearer main process loop
  • refactored cgroup setting code
  • ability to specify noexec/nodev/nosuid in mounts
  • updated kafel
  • added --macvlan_vs_ma option
  • better configs/
  • changed behavior of --env - empty var means passing it from parent

nsjail-2.7

12 Jun 14:59
  • More C++'isms across the code
  • Removed 'tmpfs_size', '-m none:dest:tmpfs:size=....' can be used for that
  • Added support for SECCOMP_FILTER_FLAG_LOG
  • Save and restore console state before/after running the subprocesses
  • Make use of newer kafel version
  • '--iface_own' can be used to put some interface into a jail
  • Updated some configs/ (e.g. for Firefox)
  • '-s' can be used to specify symlinks via the cmd-line

nsjail-2.6

19 Apr 16:11
cfa3a64
  • Various smaller bugfixes
  • Updated man page
  • Newer kafel with support for i386
  • Updated Dockerfile

nsjail-2.5

16 Feb 15:51
  • Convert code to C++ to simplify sys/queue -> vector operations
  • Make it compile under gcc/g++-4.8
  • Add -m option for arbitrary mounts
  • Create BPF policy once only