Name: cri-o | Distribution: openSUSE Tumbleweed |
Version: 1.24.3 | Vendor: openSUSE |
Release: 2.1 | Build date: Sat Sep 2 22:12:42 2023 |
Group: Unspecified | Build host: i04-ch2c |
Size: 91838041 | Source RPM: cri-o-1.24.3-2.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://github.com/cri-o/cri-o | |
Summary: OCI-based implementation of Kubernetes Container Runtime Interface |
CRI-O provides an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is tied to the scope of the CRI.
Apache-2.0
* Thu Aug 31 2023 Priyanka Saggu <priyanka.saggu@suse.com> - (bsc#1214406) update `kubelet.env`: * to remove the following deprecated/obsolete flags: * * `--container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --runtime-request-timeout=15m` * to add new flag -> `--fail-swap-on=false` * Mon Dec 19 2022 rbrown@suse.com - Update to version 1.24.3: * version: bump to 1.24.3 * set add_inheritable_capabilities to true by default * use AddInheritableCapabilities * config: add field AddInheritableCapabilities * resourcestore: add test for stages * server: update stages according to progress with resource creation * resource store: return stage when a watcher is requested * resource store: introduce stages * build(deps): bump golangci/golangci-lint-action from 2 to 3 * Fix nginx based integration tests * Revert "capabilities: drop inheritable" * [1.24] vendor: bump containers/storage to v1.37.2 * Adding annotations for image and sandbox name. * migrate image_list to quay.io * server: handle exit files asynchronously * server: remove exit file in exit monitor * server: cleanup exit monitor function * oci: take opLock for UpdateContainer * version: bump to v1.24.2 * remove succinct option to fix jenkins * Use a default umask of `0o022` * Fix unit test coverage * Fix release-notes tag determination * Upload release notes for each tag * Fix container status for HostToContainer propagation * bump ocicni to 0.4.0 * Fix unit tests * test: set cri stats more idiomatically * utils/RunUnderSystemdScope: fix wrt channel deadlock * oci: kill children of container if it is in the host pid namespace * Mon Jul 25 2022 jkowalczyk@suse.com - Update to version 1.24.1: CVE-2022-1708 * boo#1200285 CVE-2022-1708 * bump to v1.24.1 * conmonmgr: query help text to see if it supports log-global-size-max * add support for conmon log-global-size-max * oci: cap exec sync length * Fix review issues * Fix it case failed * Fix review issues * Add integration test for 
remove paused ctr * 1.When in paused state, stop container should unpause it 2.We should treat paused state as running, or kubelet will delete it and restart one * fix review issues * Try to force delete ctr when in paused state * vendor: bump crypto package * Thu May 19 2022 Jeff Kowalczyk <jkowalczyk@suse.com> - Update BuildRequires: golang(API) >= 1.18 * Dependency Go module capnproto.org/go/capnp/v3 requires Go 1.18 * Thu May 19 2022 jkowalczyk@suse.com - Update to version 1.24.0: * oci: Move exec probe process to container cgroup, if enabled * config: Add monitor_exec_cgroup config option * Reenable pod runtime in package spec * dependencies: Upversion conmon dependency to v2.0.27 * Sanitize conmonrs log level and print used version * Wrap runtime pod errors * openshift test: use go 1.18 * openshift test: add skip_pod_runtime to cri-o spec * Bump nixpkgs and use go1.18 * Fix golangci-lint errors * add runtime pod * vendor conmon-rs * oci: add IsInfra method * oci: lock for runtime creation * test: use go 1.18 for lint * Move WillRunSystemd call after iterating the mounts * Add sha256sum bundle files to uploaded artifacts * crio:fix a bug about log container * oci: use runtime handler level monitor fields * config: assume default conmon cgroup if it's not specified * template: add comment to runtimes table * config: replace Conmon specific fields with runtime handler versions * main(): don't treat reexec.Init() == true as an error * crio:try fix integration test failed, because unpause not on time * config: increase pids limit to unlimited and deprecate it and logSizeMax * bump ocicni to 0.3.1 * bump containernetworking cni to 1.1.0 * crio: unpause ctr after test * crio:fix golint check warning * fix(stats): incorrect id on zfs driver * crio:fix crun it failed * crio:update status after pause/unpause container * oci: cleanup log path if the container failed to create * utils: remove unused io related packages * runtime_vm: use containerd deps for container io 
directly * remove the external dependency on the conntrack binary * go.{mod,sum}: update CDI deps to v0.3.2. * server: no longer use hardcoded timeouts * fix builds by passing -buildvcs=false on 386 * test: bump to go 1.18.1 * Disable systemd-mode cgroup detection conditionally * crio: Fix review issues and make format shell file * Add bats test to ensure namespaces are cleaned up on pod stop * pinns: Check calloc return value * bump to 4.11 image * crio: Fix code style * crio: implement extended interface for pause/unpause container * seccomp: drop unshare syscall from default profile * Retry to set CPU load balancing before return the error * build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.1.0 * Fix integration tests * Switch to registry.k8s.io for the sandbox Image: * Change the mcs order in selinux.bats to test the canonization of selinux label * Canonize selinux label for comparison with filesystem label * oci: fix segfault in pod stop code * capabilities: drop inheritable * Bump ocicni to v0.3.0 * Switch to ginkgo/v2 * Add bats test for infra_ctr_cpuset taskset * Add bats test for zombie conmon cleanup * Update golangci-lint and config * Bump golang to 1.18.x * pinns: Pass sysctls as repeated '-s' arguments * Fix shell format * README: Update EOL & Version Skew links * config/sysctl: fail if there is a + in the value * Fix critest * Enable `--seccomp-use-default-when-empty` by default * test: update to new runc behavior * Automatically chcon and restorecon on get script * Pin `github.com/u-root/u-root` * Switch to `main` for `get` script * Bump nixpkgs * Pin nixos/nix version * test: allow state of failing tests to be kept intact. * factory: take capabilities setup * Add dedicated security information * test/crio-wipe.bats: don't nuke $TESTDIR too early. * test/cgroups.bats: fix incorrect setup order. * test/cdi.bat: add CDI integration tests. * config,cli: add configuration for CDI. * pkg/container: implement CDI device injection. 
* go.{mod,sum}: update deps, vendor. * contrib/test: force BATS symlink in place. * contrib/test: always install BATS for integration. * openshift e2e: bump cri-o version * bump to 1.24.0 * test: avoid concurrent crictl config writes. * server: stop deleting pod from idIndex if already gone * CI: use kubernetes from git tip * test/e2e: update skipped test list * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup * server: use syncfs instead of fsync * config/sysctls: validate against invalid spaces * [gitpod] use latest workspace full * hack/build-rpms.sh: fix yum-builddep failures * ci: bump shellcheck to 0.8.0 * test/apparmor: suppress bogus SC2031/2031 * test/cni_plugin_helper: suppress shellcheck warning * test/test_runner: rm eval, fix comment * OWNERS: move rhatdan to emeritus approvers * OWNERS: move runcom to emeritus approvers * utils: Sync: use f.Sync * Deny empty `localhost/` AppArmor profiles * OWNERS: add first round of reviewers * OWNERS: Move @sboeuf to emeritus approver * int/storage: getReferences: fix gocritic warning * server: fix (rather than ignore) gocritic warning * server/streaming: specify the linter * ci: bump golangci-lint to 1.44.0 * scripts/release-notes: fix printf args * scripts: fix a typo * int/version: fix forcetypeassert linter warning * server/container_create_linux: fix forcetypeassert warning * utils: fix forcetypeassert linter warnings * server/streaming: fix nolintlint warning * int/storage: fix gosimple warning * int/config/cgmgr: fix stylecheck warnings * Format code using gofumpt 0.2.1 * Makefile: fix a comment * test/crio-wipe: fixups * ISSUE_TEMPLATE: fix grammatical error * OWNERS: move @sameo to emeritus_approvers * ISSUE_TEMPLATES: update membership form to be reviewer form * ISSUE_TEMPLATES: add a couple of more * image: use imageCache value for ImageStatus() * contrib/bundle: remove deprecated kubelet option. 
* minor edit: removed dead link from TOC * oci: drop WaitContainerStateStopped * oci: fix a leaked goroutine * internal/factory/container: initialize from pkg/container * internal/factory/sandbox: initialize from pkg/sandbox * README: update branches * Updated format * Generate checksum files for artifacts * test: add test for skipped sysctls * server: skip sysctls that would affect the host * deep copy List{PodSandbox,Container} structs * GOVERNANCE: fix links * oci: always have conmon log to syslog * README: add reference to governance * add GOVERNANCE.md * issue templates: add membership request form * Add Debian_11 OS variable on installation instructions of Debian Signed-off-by: Wang Kai <persistence201306@gmail.com> * criocli: produce diff-friendlier zsh completions. * ci: use main branch for conmon * server: fix race with kubelet * Fix runtime panic on pod sandbox stats retrieval * update go to 1.17 in go.mod * Reuse createContainerIO in CreateContainer * Fix vm containers couldn't restore after CRI-O restart * ci: use main version of runc * openshift e2e: bump ci image * server: fix a potential NULL-pointer dereference. * Documentation: expand on CNI CIDRs in the kubeadm tutorial * test: update tests for allowed_devices * config: add AllowedDevices option * pass the main mount point to fix crypto profiles binding * Add Nestybox to the CRI-O adopters list. * server: drop duplicate log message * pkg/container: fix container device GID fallback. 
* bump crio commit for upstream k8s CI * adds config template linting * adds comments to default values * server: don't set memory swap when it's not enabled * Inherits storage configurations from storage.conf if crio config does not set * use cmdrunner singleton * conmonmgr: refactor for new CommandRunner * cmdrunner: update mocks and add target to makefile * config: prepend commands with taskset if InfraCtrCPUSet is configured * cmdrunner: add tests for prepended commands * cmdrunner: create singleton * Use timeout for conmon cgroup move * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels * test: add test ensuring a stopped pod is restored * sandbox stop: remove namespaces * restore: handle removed namespaces * Partially revert "restore: restore stop before managing namespace" * restore: ensure containers are wiped on reboot * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * build(deps): bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 * vendor: bump c/image to 5.17.0 * pinns: Add LDFLAGS to Makefile - Packaging: unpin go version to BuildRequires: golang(API) >= 1.17 * Wed Mar 16 2022 rbrown@suse.com - Update to version 1.23.2: * config/sysctl: fail if there is a + in the value * Revert "config/sysctl: fail if there is a + in the value" * bump to version 1.23.2 * config/sysctl: fail if there is a + in the value * config/sysctls: validate against invalid spaces * server: stop deleting pod from idIndex if already gone * [1.23] ci: use kubernetes 1.23, cri-tools 1.23 * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup * hack/build-rpms.sh: fix yum-builddep failures * image: use imageCache value for ImageStatus() * oci: fix a leaked goroutine * Reuse createContainerIO in CreateContainer * Fix vm containers couldn't restore after CRI-O restart * release-notes: add args for 
checksum fields * Updated format * Generate checksum files for artifacts * bump to v1.23.1 * test: add test for skipped sysctls * server: skip sysctls that would affect the host * server: don't set memory swap when it's not enabled * deep copy List{PodSandbox,Container} structs * ci: use main branch for conmon * server: fix race with kubelet * Fix runtime panic on pod sandbox stats retrieval * ci: use main version of runc * openshift e2e: bump ci image * server: fix a potential NULL-pointer dereference. * pass the main mount point to fix crypto profiles binding * test: update tests for allowed_devices * config: add AllowedDevices option * server: drop duplicate log message * test: add test ensuring a stopped pod is restored * sandbox stop: remove namespaces * restore: handle removed namespaces * Partially revert "restore: restore stop before managing namespace" * restore: ensure containers are wiped on reboot * use cmdrunner singleton * conmonmgr: refactor for new CommandRunner * cmdrunner: update mocks and add target to makefile * config: prepend commands with taskset if InfraCtrCPUSet is configured * cmdrunner: add tests for prepended commands * cmdrunner: create singleton * Use timeout for conmon cgroup move * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels * vendor: bump c/image to 5.17.0 * Add new metrics that match Prometheus best practices and reduce cardinality * add metrics with new names that match naming best practices * use _total for all counters * use base unit seconds, bytes * metrics that do not follow best practices have been marked deprecated, these can be removed in a future release, it is to ensure non-breaking change for couple of releases * unit test: fix relative log test * unit tests: update pinns path in case it isn't found in PATH * test: skip target tests for userns * test: add test for target namespace * add support for target PID namespaces * test: give testunit sudo 
* oci: add managed pidns to container object * pkg/container: take container namespace configuration * nsmgrtest: take some namespace related test code * nsmgr: add function to pin existing namespace * nsmgr: take (and rename) NamespacePathFromProc * pkg/sandbox: take config initialization * Bump Kubernetes to v1.23.0 * set user.max_user_namespaces in case it's not * lint: bump cyclo complexity * gh-actions/contrib: setup sub{g,u}id * docs: add tutorial for setting up user namespaces * oci: put conmon in infra ctr cpuset if it is in the pod cgroup * test: add tests for user namespace annotations * test: move workload creation function to helpers * cni manager: catch server shutdown * server: notify user when network isn't ready yet * stop using hardcoded "pod" const * oci: always reap conmon zombies * clarify some error messages * Drop intermediate CRI types * Relabel containerenv files * Add minimum_mappable_(u|g)id settings * Fix runtime panic on stats server shutdown * restore: restore stop before managing namespace * server: add {,List}SandboxStats * server: refactor sandbox list * server: use stats server to get container stats * container server: use stats server * stats: add stats server * config: add StatsCollectionPeriod field * cgmgr: move most of stats handling to cgmgr * oci: make changes in preparation for moving stats functionality: * server: stub {List,}PodSandboxStats * server/cri: add PodSandboxStats support * vendor: bump cri-api * server/cri: refactor to make stats processing unified * pkg/config: use iota * Add go 1.17+ go:build tags * Remove redundant build tags * Add containerenv file to containers This file indicates that the current environment is inside a container environment. The same technique is used by podman and docker. The same file name/path as podman was used, as it is vendor agnostic. 
* build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8 * config: merge runtime and workload allowed annotations * Updates kubeadm.md: The cgroup property is removed in [kubeadm-config.v1beta3](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/) * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc * Specify runtime table format in the error message * build(deps): bump github.com/containerd/ttrpc from 1.0.2 to 1.1.0 * server: fix segfault when using cgroupv2 * gh-actions: add sed for kube e2e * release-notes: update to main * build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * Bug 2012838: fix override storage options from storage.conf * oci: fix deadlock in container stop code * build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 * oci: always close chControl * oci: make some channels buffered * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc * build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6 * Add annotation that makes /sys/fs/cgroup writable * Add support for CNI plugins v1.0.1 * bump(deps-opentelemetry) * pin go.opentelemetry grpc/otelgrpc v0.25.0 * opentelemetry: add gRPC tracing * build(deps): bump k8s.io/klog/v2 from 2.20.0 to 2.30.0 * build(deps): bump github.com/go-logr/logr from 1.1.0 to 1.2.0 * version: bump to 1.23.0 * build(deps): bump github.com/containers/podman/v3 from 3.3.1 to 3.4.1 * build(deps): bump github.com/containers/common from 0.43.2 to 0.46.0 * test: drop swap disable playbook * server: add support for CRI unified field * server: implement swap support * server/cri: add support for 1.22 features * test: bump cri-tools version * scripts: pin cri-tools version * server: reduce needless copying for 
sb.NamespaceOptions * oci: refactor internal structure to use CRI type * oci: use server CRI metadata type for containers * sandbox: refactor internal structure to use CRI type * sandbox: save createdAt as a int64 * build(deps): bump github.com/containerd/cgroups from 1.0.1 to 1.0.2 * build(deps): bump github.com/creack/pty from 1.1.16 to 1.1.17 * build(deps): bump github.com/Microsoft/go-winio from 0.5.0 to 0.5.1 * Bump Kubernetes to v1.22.2 * sandbox: use server CRI metadata type * docs: emphasize deprecation notice * update documentation for workloads * add allowed annotations to workloads * Log HTTP response writer message instead an error * oci: use c/common signal parsing function * Skip volume relabel for super privileged containers * oci: chown stdin pipe to user in the container * test: fix selinux test failures * build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 * Fix runtime handler docs * build(deps): bump github.com/containers/image/v5 from 5.15.2 to 5.16.1 * scripts: fix release branch forward script * server: FilterDisallowedAnnotations of containers earlier * server: conditionally relabel volumes given annotation * build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0 * test: refactor allowed_annotation tests * server: reduce args in addOCIBindMounts * build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1 * test: add label for openshift e2e in dockerfile * build(deps): bump github.com/containerd/containerd from 1.5.5 to 1.5.7 * test: skip certificate check for downloading parallel * Remove usage of deprecated apt-key in Ubuntu install * Fix install.md links * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 * use a more appropriate console with code block * build(deps): bump k8s.io/api from 0.22.1 to 0.22.2 * build(deps): bump k8s.io/cri-api from 0.22.1 to 0.22.2 * build(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 * build(deps): bump github.com/creack/pty from 1.1.15 to 1.1.16 * 
build(deps): bump k8s.io/apimachinery from 0.22.1 to 0.22.2 * fix node e2e * build(deps): bump github.com/intel/goresctrl from 0.1.0 to 0.2.0 * bump crio commit used by node e2e installer * server: mount cgroup if hostNetwork * server: use container level host network setting * server: don't recalculate hostnet * Fix typo in install.md * Remove one of the explanations for `bind_mount_prefix` because it is duplicated. * node e2e: keep infra container * add unit test for the `server/sandbox_remove`. * test: fix journald test for new conmon * fix shfmt * update `install.md` for debian and ubuntu * build(deps): bump github.com/json-iterator/go from 1.1.11 to 1.1.12 * build(deps): bump k8s.io/client-go from 0.22.1 to 0.22.2 * fix shfmt * server: set spec when dropping infra * Update 'master' branch links to 'main' * bumps pause image to 3.6 * server: don't wait forever on conmon cgroup move fail * build(deps): bump github.com/containers/storage from 1.34.1 to 1.36.0 * Remove bashism in sh script * Do not log if Intel RDT is not supported * build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5 * Fix cluster.yaml for kubectl create * call cmd.Wait() in all cases we call Start() * oci: call wait on conmon if cgroup move fails * build(deps): bump github.com/go-logr/logr from 1.0.0 to 1.1.0 * Fix `crio_image_pulls_layer_size_` metrics docs * Adapt to klog incompatible changes * build(deps): bump k8s.io/klog/v2 from 2.10.0 to 2.20.0 * Add `--profile-cpu` and `--profile-mem` options * build(deps): bump github.com/containers/podman/v3 from 3.3.0 to 3.3.1 * server: remove ineffective `updateLock`. 
* Fix missing quantile in `latency_microseconds_total` metrics * Update crio commit for node e2e * build(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1 * Bump runc binary to 1.0.2 * Switch to go1.17 for CI * fix debian 10 build doc * test/testdata/sandbox_config.json: fix the dns_config * adds updating instructions to install.md * Thu Sep 02 2021 alexandre.vicenzi@suse.com - Update to version 1.22.0: Dependency-Change * Update runc within static binary bundle to v1.0.1 * Update static binary bundle runc version to v1.0.0-rc94. * Update static binary bundle runc version to v1.0.0-rc95. * Updated crun in static binary bundle to v0.20.1 Deprecation * The internal_wipe option is now true by default. Further, it is being deprecated, and will be unconditionally true in the future. API Change * Update how the resources for a workload is specified. Now, to override a workload, the pod must have the annotation $prefix/$ctr_name = {"$resource_type": "$resource_value"}. The workloads feature has also been marked as experimental, which should have happened from the beginning. Feature * Added --metrics-collectors/metrics_collectors configuration to enable or disable certain metrics. * All metrics collectors are enabled per default. * Added crio_image_pulls_layer_size histogram metric to get insights about all pulled layer sizes. * Added build tags as well as AppArmor and seccomp status to crio version output. * Added generation of self-signed certificates for the secure metrics endpoint * if the provided cert and key paths are not available on disk. * Added secure metrics endpoint configuration options * Added structural logging of container ID, sandbox ID and process ID on container start. * Automatically reload metrics TLS certificate and key if any of those specified files change. * CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for. 
* Changed the logging behavior of klog messages to be included in the CRI-O logs. * The klog info verbosity is converted to CRI-O debug to lower the log verbosity. * Cri-o now does not limit the DNS search paths. * Enable the "volatile" option for the overlay drivers when it is supported by the underlying kernel. * Rootless: enable resource limit when cgroup v2 controllers are delegated. * Support io.kubernetes.cri.blockio-class container annotation for specifying blockio class. * Support blockio.resources.beta.kubernetes.io/pod pod annotation for specifying the default blockio class to all containers in the pod. * Support blockio.resources.beta.kubernetes.io/container.NAME pod annotation for specifying the blockio class of the NAME container in the pod. * Add blockio_config_file config file option (and corresponding --blockio-config-file for command line) for configuring blockio classes and their cgroups blockio controller parameters. * Support io.kubernetes.cri.rdt-class container annotation for specifying RDT class. * Add rdt_config_file config file option (and corresponding --rdt-config-file for command line) for configuring the resctrl pseudo-filesystem. * The config field drop_infra_ctr is now true by default * The runtime_config_path option, which allows to specify the path of the runtime configuration file, is now supported by CRI-O. This is specific to the VM runtime type. * Validate certificate dates for TLS metrics endpoint Design * Drop support for the crio.shutdown. * ExecSync requests now don't use conmon, instead calling the runtime directly, which reduces overhead. Bug or Regression * Add support for absent_mount_sources_to_reject, which allows admins to configure paths that, when mounted into a container despite not existing on the host, causes a container creation request to fail. 
This is useful for paths like /etc/hostname, which causes trouble as a directory, but possibly shouldn't be created as a file either (in the case of a dynamic hostname). * Add symlink /proc/mounts on /etc/mtab to container * Add the config field internal_wipe which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary crio wipe to the main crio server. This has a handful of advantages, the main one being crio is now better able to cleanup CNI resources after a reboot. * Allow users to customize conmon's resources if a pod is in a workload. * CRI-O now logs when it is using cgroupv2 * Fix a bug in internal_wipe that would mean CNI resources would be leaked across reboots. * Fix a bug where CRI-O can't work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities * Fix a bug where CRI-O would leak opened files for namespaces on a server restore * Fix a bug where crio config would print a string for privileged_without_host_devices, not a boolean * Fix a bug where a container exec process received a little less time than the timeout provided * Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process * Fix a bug where cAdvisor couldn't read the disk usage of a pod with a dropped infra container * Fix a bug where duplicate requests would stall even if the pod or container was already created * Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot. 
* Fix a performance regression with exec probes * Fix a segfault when CRI-O takes more than 8 minutes to create a pod or container * Fix an RSS regression with exec sync requests * Fix an issue where a container started with a terminal fails on exec sync calls * Fix drop ALL and add back few caps behavior to not include the default configured capabilities * Fix potential panic when reopening a container's log * Fixed bug where it was not possible to run containers using the default or no seccomp profile on * seccomp disabled builds/machines * Fixed bug where runtime VM created containers never reach their completed state. * Fixed linkmode detection for on en_US systems crio version * Fixed runtime panic for layers lockfile if its parent directory does not exist. * Added support for repositories in auth.json * Re-attempt setting up conmon's cgroup if it fails on EAGAIN from dbus * Reduce the permission on the listen socket to 0660 * Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily * The privileged_without_host_devices flag can now be given an additional parameter to configure a runtime * Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster Other (Cleanup or Flake) * Add systemd After=crio.service to containers and conmon * Switched build artifacts to be published via the cri-o bucket. * Use build tag for linkmode detection on crio version. Uncategorized * Add Particule as adopters * Add --device-ownership-from-security-context which allows an admin to specify devices be configured to be owned by the container user and group, rather than unconditionally * being root. * Added internal/process/defunct_processes.go and crio_processes_defunct metric to collect the total number of defunct/zombie processes in a node. 
* Raise a warning when creating a bind mount on the container root * Fri Aug 20 2021 Bernhard Wiedemann <bwiedemann@suse.com> - build with go 1.16 for reproducible binaries (boo#1102408) * Fri Jul 23 2021 alexandre.vicenzi@suse.com - Update to version 1.21.2: * oci: be more precise about channels and routines * oci: wait for runtime to write pidfile before starting timer * oci: refactor fsnotify usage * vendor: add notify package * version: bump to v1.21.2 * server: use cnimgr to wait for cni plugin ready before creating a pod * server: use cnimgr for runtime status * config: add cnimgr * Introduce cnimgr * server: prevent segfault by not using a potentially nil sandbox * network: pass pod UID to ocicni when performing network operations * vendor: bump ocicni to 4ea5fb8752cfe * Bump c/storage to v1.32.3 * oci: kill runtime process on exec if exec pid isn't written yet * oci: don't pre-create pid file * dbus: update retryondisconnect to handle eagain too * simplify checking for dbus error * utils: close dbus conn channel * dbusmgr: protect against races in NewDbusConnManager * cgmgr: reuse dbus connection * cgmgr: create systemd manager constructor * try again on EAGAIN from dbus * test: fix cgroupfs workload tests * Disable short name mode * workloads: don't set conmon cpuset if systemd doesn't support AllowedCPUs * test: add test for conmon in workloads * workloads: setup on conmon cgroup * Bump runc to get public RangeToBits function * server: export InfraName and drop references to leaky * storage: succeed in DeleteContainer if container is unknown * bump to v1.21.1 * Fix CI * oci: drop internal ExecSync structs * oci: do not use conmon for exec sync * bump c/storage to 1.31.1 * bump runc to 1.0.0-rc94 * Fix unit tests * Add support to drop ALL and add back few capabilities * server: call CNI del in separate routine in restore * server: reduce log verbosity on restore * reduce listen socket permissions to 0660 * test: adapt crio wipe tests to handle new behavior 
  * ignore storage.ErrNotAContainer
  * move internal wipe to only wipe images
  * server: properly remove sandbox network on failed restore
  * runtimeVM: Use internal context to ensure goroutines are stopped
  * Fix go.sum
  * sandbox remove: unmount shm before removing infra container
  * use more ContainerServer.StopContainer
  * sandbox: fix race with cleanup
  * server: don't unconditionally fail on sandbox cleanup
  * server: group namespace cleanup with network stop
  * resourcestore: run cleanup in parallel
  * test: add test for delayed cleanup of network on restart
  * InternalWipe: retry on failures
  * server: get hooks after we've checked if a sandbox is already stopped
  * server: move newPodNetwork to a more logical place
  * Add resource cleaner retry functionality
  * test: add test for internal_wipe
  * server: add support for internal_wipe
  * crio wipe: add support for internal_wipe
  * config: add InternalWipe
  * server: breakup stop/remove all functions with internal helpers
  * storage: remove RemovePodSandbox function
  * server: reuse container removal code for infra
  * Cleanup pod network on sandbox removal
  * test: add test for absent_mount_sources_to_reject
  * server: add support for absent_mount_sources_to_reject
  * config: add absent_mount_sources_to_reject option
  * server: use background context for network stop
  * resource store: prevent segfault on cleanup step
  * Pin gocapability to v0.0.0-20180916011248-d98352740cb2
  * config: fix type of privileged_without_host_devices
  * Fix podman name in README
  * Fix RuntimeDefault seccomp behavior if disabled
  * Add After=crio.service dependency to containers and conmon
  * Use extra context for runtime VM
  * workloads: move to more concrete type
  * workloads: update how overrides are specified
  * main: still rely on logrus (rather than using the internal log)
  * container server: fix silly typo
  * nsmgr: remove duplicate IsNSOrErr call
  * nsmgr: fix some leaks with GetNamespace
  * bump to containers/image 5.11.1
  * Bug 1942608: do not list the image with error locating manifest
  * runtimeVM: Calculate the WorkingSetBytes stats
  * runtimeVM: Use containerd/cgroups for metrics
  * runtimeVM: Move metricsToCtrStats() around
  * runtimeVM: Vendor typeurl instead of maintain our own copy
* Thu Apr 15 2021 alexandre.vicenzi@suse.com
- Update to version 1.21.0:
  * bump to v1.21.0
  * config: drop registries field as it is no longer supported
  * Revert "test: drop unneeded sed statement"
  * WIP: add debug print
  * test: drop unneeded sed statement
  * config: fix template insecure_registries field
  * config: drop commented config lines
  * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0
  * Bump OpenShift CI cri-tools version and fix build path
  * build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
  * Bump cri-tools to v1.21.0
  * Update Kubernetes to v1.21.0
  * Add container out of memory metrics
  * [CLI] "crio config" only prints the fields that are different than the default.
  * Set short name mode to permissive
  * docs-validation: update to handle workloads
  * Fix unnecessary conversion lint report
  * add tests for workloads
  * integrate with server
  * config: update workloads structure
  * Clarify release cadence and version skew
  * Add correct start time to initial log output
  * Add support for workload settings
  * refactor handling of allowed_annotations
  * Do not push main binary into cachix cache
  * resourcestore: introduce ResourceCleaner
  * Use internal logging when context available
  * build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
  * server: remove dead code
  * sandbox: use defined CRI type for NamespaceOption
  * config: remove dead code
  * oci: remove dead code
  * lib: remove dead code
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5
  * update pause image to 3.5 for non-root
  * build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5
  * build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1
  * build(deps): bump github.com/containers/buildah from 1.19.8 to 1.20.0
  * build(deps): bump github.com/prometheus/client_golang
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4
  * build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5
  * crio-wipe: only clear storage if CleanShutdownFile is supported
  * Add static bundle node e2e tests to GitHub actions
  * Reload the main config file when reloading configs
  * crio wipe: only completely wipe storage after a reboot
  * Bump static binary dependency versions
  * Add dependabot config file
  * runtimeVM: Fix shimv2 binary name construction
  * config,runtimeVM: Improve runtime_path validation
  * oci_test: Add basic coverage to "RuntimeType()"
  * oci_test: Add basic coverage to "privileged_without_host_devices"
  * oci_test: Leave invalidRuntime on its own line
  * tweak scope dependencies
  * Do not return `<none>` placeholders for images any more
  * Fix invalid libcontainer GetExecUser call
  * Update dependencies
  * config: Don't fail if the non default runtime doesn't pass validation
  * Remove check for CI env variable for release-notes and dependencies
  * cgmgr: add CreateSandboxCgroup method
  * inspect: send container PID for dropped infra sandbox
  * oci: specify sbox id when creating spoofed container
  * Run GitHub actions on release branches
  * Update bats to v1.3.0 (#4661)
  * use happy-eyeballs for port-forwarding
  * fix mock issues
  * fix lint issues
  * install: drop support matrix and update instructions
  * do not store context in runtime vm
  * Fix lint GitHub action
  * pkg/container: take process args
  * Use and publish version marker for CRI-O
  * Add GitHub API pages support to `get` script
  * add libbtrfs-dev to unit tests
  * Revert "server: use IsAlive() more"
  * Fix GitHub actions cache key
  * Bug 1881694: Add pull source as info level log
  * test: use latest conmon
  * runtime_vm: Create the global fifo inside the runtime root path
  * stats: fix log spam
  * Support CRI seccomp security profiles
  * oci: add unit tests for stop timeouts
  * oci: don't update stop timeout if it's earlier than old one
  * oci: update timeout even if we're ignoring kill
  * oci: don't wait too long on a long stop
  * oci: check process is still around with kill
  * Add integration test for started/finished container time
  * fix: Don't set `image-endpoint` in crictl config
  * feat: Add CLI option to set registries.conf.d path
  * Add allowed io.containers.trace-syscall annotation to static bundle
  * Make `get` script independent from `make`
  * test: correct the env variable for dropping the infra container
  * Add metric to grab latency of individual cri calls
  * Fix `get` script commit SHA retrieval
  * Add arm64 static build to GitHub actions
  * Fix GitHub actions workflow syntax
  * Updates yq commands for yq v4
  * gh-actions: also run on release branches
  * pkg/sandbox: add InitInfraContainer endpoint
  * test: reconfigure how runtimes are passed in
  * test: add runtime() function
  * sandbox/container: drop context
  * test: drop workaround for crun
  * pkg/sandbox: cleanup unused funcs/files
  * fix doc log_level adding trace option
  * Fix oci container update config
  * Update e2e-aws logic for 4.8
  * nsmgr: take Initalize method
  * Switch to go 1.16 for GitHub actions and remove scripts/build-test-image
  * config: remove and create the correct dir
  * Update nix pin with `make nixpkgs`
  * server: mount cgroup with rslave
  * crio wipe: ensure a clean shutdown
  * Move integration tests to GitHub actions
  * Run release-notes GitHub action after dependencies
  * Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0.
  * config/node: refactor checking for CollectMode
  * Fix GitHub actions checkout permissions
  * change binary version to 1.21.0-dev
  * Set conmon scope KillSignal to SIGPIPE
  * Move repo modification jobs to GitHub actions
  * bump protobuf to 1.3.2
  * Log container stop timeout
  * ResourceStore: add close method
  * Allow seccomp hook tracing for separate containers
  * ResourceStore: extend tests to test WatcherForResource
  * ResourceStore: update tests to all run
  * ResourceStore: update docs for WatcherForResource
  * ResourceStore: don't segfault
  * server: support setting raw unified cgroupv2 settings
  * vendor: update runtime-specs
  * cgroup: implement fix for swap memcg on cgroup v2
  * server: leave swap mem limit unset if not supported
  * test: skip ServiceAccountIssuerDiscovery test
  * hostport manager clean up host ports
  * allows stream timeout to be set from config
  * config: pre-create pinns directories
  * Bump containers image to v5.10.1
  * Move unit tests to GitHub actions
  * Move go1.14 and 386 builds to GitHub actions
  * set kubelet node IP
  * Fix validate-completions GitHub action
  * Add integration test for pprof over unix socket
  * Add a flag for enabling profile over unix socket
  * Lookup echo command for unit tests
  * Move static build to GitHub actions
  * pinns: Fixup 'pwarn' output to match 'pwarnf' output
  * pinns: Don't put errno in the exit message for argument checks
  * nsmgr: use host option
  * nsmgr: Use config struct for NewPodNamespaces
  * pinns: support pinning host ns
  * Remove implicit GitHub action `name` fields
  * Move docs and completions validation to GitHub actions
  * Bump golangci-lint to v1.35.2
  * Make config tests work rootless
  * Make rootless namespace unit test execution work
  * config: fix template to show infra_ctr_cpus option
  * Do not log file path on ioutil.ReadFile
  * fixes version_test.go
  * Close the stdin/tty on server start to avoid shortname prompts
  * docs: fix http link
  * docs: update kubeadm tutorial
  * Fix `make lint`
  * Return runtime API version based on protocol
  * Update compatibility matrix to mention v1.20
  * add method comment
  * restore irqbalance config only on system restart
  * add blurb in doc and more informative name for unit tests
  * add is-enabled check for irqbalance service
  * fix unit tests
  * add unit tests
  * fix bash/zsh completions
  * fix the docs validation
  * handle irqbalance service
  * runtime_vm: set finished time when containers stop
  * nsmgr: fix/add calls to GetNamespace
  * managed namespaces: move to dedicated package
  * Provide integration test for infra-ctr-cpuset feature
  * Set CPUs for the infra containers during the creation
  * Add shell completion for infra-containers-cpu flag
  * Add new infra-containers-cpus to the CLI and config file
  * refine `registries` deprecation message
  * Circle CI: install test/registries.conf
  * crio.8.md: runroot defaults to /run/containers/storage
  * support short-name aliases
  * pull: do check for blocked registries
  * config: deprecate registries
  * Rollback gocapability vendor bump
  * vendor: bump containers/storage to v1.24.4
  * Update nix pin with `make nixpkgs`
  * contrib/test/int: add Kata Containers runtime support
  * contrib/test/int: enforce linking in parallel build process
  * contrib/test/int: build parallel from sources in CentOS
  * contrib/test/int: allow to skip user namespace testing
  * contrib/test/int: allow to configure test timeout
  * Capitalize Kubernetes
  * modify the error url of podctl
  * Add Digital Science to adopters
  * crio.service: Request to be run before kubelet.service
  * pinns: make binary not always static
  * server: use IsAlive() more
  * Support CRI v1 and v1alpha2 at the same time
  * drop support for ManageNSLifecycle
  * test/timeout.bats: increase timeout to fix flakes
  * release-notes: fix flags
  * test/timeout.bats: fix comments
  * int/resourcestore: fix comment about Put
  * test/image.bats: simplify some loops
  * test/helpers.bats: simplify cleanup_*
  * contrib/test/int: rm node-e2e test
  * contrib/test/int: fix iptables rule
  * critest: add unix:// prefix
  * critest.yml: don't skip test on RHEL
  * test: add timeout.bats
  * bump network creation timeout to 5 minutes
  * resourcecache: add watcher idiom
  * server: use ResourceCache instead of dropping progress
  * Add unit tests for ResourceCache
  * Introduce ResourceCache
  * moves shmsize to a handler allowed annotation
  * image pull: close progress chan
  * test/ctr.bats: fix a "ctr execsync" flake
  * Fix the functions' name in completions
  * make: drop link to crio.service
  * test: rm "run ctr with image with Config.Volumes"
  * test: add no-pull-on-run=true
  * test/devices.bats: fix "additional device permissions" case
  * test/devices.bats: rm unneeded run
  * test/devices.bats: skip earlier
  * Bandwidth CNI plugin reserved an upper limit on burst, in which banned include boundary. See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113
- Drop config-fix-tz.patch as upstream dependency was patched
* Fri Apr 09 2021 alexandre.vicenzi@suse.com
- Update to version 1.20.2:
  * bump to latest c/storage 1.24 branch
  * Remove check for CI env variable for release-notes and dependencies
  * fix lint
  * test: pin cri-tools to 1.20
  * bump to v1.20.2
  * Run GitHub actions on release branches
  * Pin gocapability to v0.0.0-20180916011248-d98352740cb2
  * [PATCH 9/9] add method comment
  * [PATCH 8/9] restore irqbalance config only on system restart
- Add vendor.tar.gz to avoid dependency downloads
- Add config-fix-tz.patch to fix crio validation error while building
* Fri Jan 08 2021 rbrown@suse.com
- Update to version 1.19.1:
  * bump to v1.19.1
  * don't do unnecessary iptables restore
  * switch CRI-O to use its own hostport manager
  * dual-stack host port manager
  * fix upstream hostport manager
  * Add README to hostport folder
  * fork hostport kubernetes code
  * [1.19] vendor: bump containers/storage to v1.20.5
  * runtime_vm: Ensure closeIOChan is not nil inside CloseStdin's function
  * runtime: parse oom file for VM type runtimes
  * runtime_vm: Ignore ttrpc.ErrClosed when removing a container
  * runtime_vm: StopContainers() should not fail when the VM is shutdown
  * runtime_vm: Don't let wait() return ttrpc.ErrClosed
  * runtime_vm: Fix updateContainerStatus() logic
  * runtime_vm: set Pid and InitPid for VM runtimes
  * internal/config/node: add checkFsMayDetachMounts
  * Fix bogus CI test failures
  * test/config: fix shellcheck warning
  * test/config: fix "config dir should fail with invalid option"
  * server: cleanup container in runtime after failed creation
* Tue Sep 15 2020 Sascha Grunert <sgrunert@suse.com>
- API Change
  - CRI-O now manages namespace lifecycles by default
- Feature
  - Add --version-file-persist, a place to put the version file in persistent storage. Now, crio wipe wipes containers if --version-file is not present
  - Add big_files_temporary_dir to allow customization of where large temporary files are put
  - Add build support for setting SOURCE_DATE_EPOCH
  - Added `--metrics-socket`/`metrics_socket` configuration option to allow exposing the metrics endpoint on a local socket path
  - Added `crio_image_layer_reuse` metric which counts layer reuses during image pull
  - Added `privileged` field to container status `info`
  - Added behavior to allow filtering by a partial Pod Sandbox ID
  - Added configuration validation to ensure a `conmon_cgroup == "pod"` if `cgroup_manager == "cgroupfs"`
  - Added latest `crun` version to static binary bundle
  - Added metrics-exporter and [documentation]
  - Added new metrics `crio_image_pulls_failures` and `crio_image_pulls_successes`. For more information please refer to the [CRI-O metrics guide]
  - Container HostPort with SCTP protocol is supported.
  - Containers running `init` or `systemd` are now given a new selinux label `container_init_t`, giving it selinux privileges more appropriate for the workload
  - If users want the container_kvm_t label when using a runtime that supports kvm separation, they will need to either set the runtime_type to "vm" or have "kata" in the runtime name.
    E.g
      [crio.runtime.runtimes.my-kata-runtime]
      runtime_path = ""
      runtime_type = "oci"
      runtime_root = "/run/kata"
    or
      [crio.runtime.runtimes.my-kata-runtime]
      runtime_path = ""
      runtime_type = "vm"
      runtime_root = "/run/kata"
  - Re-add the behavior that string slices can be passed to the CLI comma separated, for example `--default-capabilities CHOWN,KILL`
  - Removed `socat` runtime dependency which was needed for pod port forwarding
  - Return pod image, pid and spec in sandbox_status CRI verbose mode
- Design
  - Hooks_dir entries are now created if they don't exist
- Documentation
  - Added `crun` container runtime to `crio.conf`
  - Added dependency report to generated release notes
  - The changelog is now rendered by a custom go template and contains the table of contents
- Bug or Regression
  - Adding additional runtime handler doesn't require the user to copy existing default runtime handler configuration. The existing default runtime handler configuration will be preserved while adding the new runtime handler.
  - ExecSync requests will ask conmon to not double fork, causing systemd to have fewer conmons re-parented to it. conmon v2.0.19 or greater is required for this feature.
  - Fix handling of the --cni-plugin-dir and other multivalue command line flags
  - Fix path to bash via `/usr/bin/env` in crio-shutdown.service
  - Fix the container cgroup in case cgroupfs cgroup manager is used
  - Fix working set calculation
  - Fixed `crio version` binary mode parsing on musl toolchains
  - Fixed a bug where crictl only showed pod level stats, not container level stats.
  - Fixed a bug where exec sync requests (manually or automatically triggered via readiness/liveness probes) overwrite the runtime `info.runtimeSpec.process.args` of the container status
  - Fixed bug where Pod creation would fail if Uid was not specified in Metadata of sandbox config passed in a run pod sandbox request
  - Fixed bug where pod names would sometimes leak on creation, causing the kubelet to fail to recreate
  - Fixed crio restart behavior to make sure that Pod creation timestamps are restored and the order in the list of pods stays stable across restarts
  - Fixed wrong linkmode output
  - Reflects resource updates under the container spec.
- Other
  - Added info logs for image pulls and image status
  - Cleanup default info logging
  - Cleanup go module and vendor files.
  - Pod creation now fails if conmon cannot be moved to the cgroup specified in `conmon_cgroup`. Our default value for `conmon_cgroup` is `system.slice`, which is invalid for cgroupfs. As such, if you use cgroupfs, you should change `conmon_cgroup` to `pod`
  - Removed `crio-wipe.service` and `crio-shutdown.service` systemd units from the static bundle since they are not required
- Uncategorized
  - Add `--drop-infra-ctr` option to ask CRI-O to drop the infra container when a pod level pid namespace isn't requested. This feature is considered experimental
  - Adds a new optional field, runtime_type, to the "--runtimes" option.
  - Cleanup and update nix derivation for static builds
  - Fix a bug where a sudden reboot causes incomplete image writes. This could cause image storage to be corrupted, resulting in an error `layer not known`.
  - Fix bug where empty config fields having to do with storage cause `/info` requests to return incorrect information
  - Fixes panic when /sys/fs/cgroup can't be stat'ed
  - If the default_runtime is changed from the default configuration, the corresponding existing default entry in the runtime map in the configuration will be ignored.
  - Remove support for `--runtime` flag
  - Updated `crictl.yaml` configuration inside the repository to reflect cri-tools v1.19.0 changes
- Dependency-Change
  - Compile with go 1.15
* Sun Aug 02 2020 Callum Farmer <callumjfarmer13@gmail.com>
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
* Tue Jul 28 2020 Fabian Vogt <fvogt@suse.com>
- Suggest katacontainers instead of recommending it. It's not enabled by default, so it's just bloat
* Mon Jul 20 2020 Sascha Grunert <sgrunert@suse.com>
- Update to version 1.18.3:
  - Fix a bug where a sudden reboot causes incomplete image writes. This could cause image storage to be corrupted, resulting in an error layer not known.
  - Fixed bug where pod names would sometimes leak on creation, causing the kubelet to fail to recreate
  - If conmon is v2.0.19 or greater, ExecSync requests will not double fork, causing systemd to have fewer conmons re-parented to it
* Thu Jun 18 2020 dmueller@suse.com
- Update to version 1.18.2:
  * Bump version to v1.18.2
  * criocli: Avoid parsing the config twice
  * StringSliceTrySplit: return a copy of the underlying slice
  * Restore version output from crio --version
  * Add info logs for image pull and status CRI calls
  * managed_ns: deflake tests
  * bump containers image to 5.4.4 (fixes gh#containers/image/issues/898)
* Mon May 18 2020 sgrunert@suse.com
- Update to version 1.18.1:
  - Feature
    - Add --version-file-persist, a place to put the version file in persistent storage. Now, crio wipe wipes containers if --version-file is not present (presumably it is on temporary storage), and wipes images if both --version-file and --version-file-persist are out of date (presumably there has been an upgrade of cri-o’s minor version)
    - Containers running init or systemd are now given a new selinux label container_init_t, giving it selinux privileges more appropriate for the workload
  - Other (Bug, Cleanup or Flake)
    - Fix linkmode retrieval on crio version for static binaries
    - Fix a bug where CRI-O could not start a container if CONFIG_CGROUP_HUGETLB was not set in the kernel
    - Re-add the behavior that string slices can be passed to the CLI comma separated, for example --default-capabilities CHOWN,KILL
    - Removed crio-wipe.service and crio-shutdown.service systemd units from the static bundle since they are not required
    - Fix some crio version oddities
* Wed Apr 29 2020 Sascha Grunert <sgrunert@suse.com>
- Remove the `go >= 1.13` build requirement
* Mon Apr 27 2020 Ralf Haferkamp <rhafer@suse.com>
- Restore calls to %service_* macros that were accidentally removed with the last change
* Thu Apr 23 2020 Sascha Grunert <sgrunert@suse.com>
- Remove crio-wipe.service and crio-shutdown.service
- Update to version 1.18.0:
  - Deprecation
    - Drop support for golang < v1.13
  - API Change
    - Removed version from default AppArmor profile name in config
    - CRI-O now runs containers without NET_RAW and SYS_CHROOT capabilities by default. This can result in permission denied errors when the container tries to do something that would require either of these capabilities. For instance, using `ping` requires NET_RAW, unless the container is given the sysctl `net.ipv4.ip_forward`. Further, if you have a container that runs buildah or configures RPMs, they may fail without SYS_CHROOT. Ultimately, the dropped capabilities are worth it, as the majority of containers don't need them. The fewer capabilities CRI-O gives out by default, the more secure it is by default.
    - When pinning namespaces, CRI-O now pins to /var/run/$NS_NAMEns/$RAND_ID instead of /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility with third party networking plugins
  - Feature
    - Add `crio config -m/--migrate` option which supports migrating a v1.17.0 configuration file to the latest version.
    - Add available image labels to image status info
    - Add cgroup namespace unsharing to pinns
    - Add live configuration reload to AppArmor profile option
    - Add live configuration reload to seccomp profile option
    - Add log context to container stats to improve logging
    - Added `--cni-default-network`/`cni_default_network` option to specify the CNI network to select. The default value is `crio`, but this option can be explicitly set to `""` to pickup the first network found in `--cni-config-dir`/`network_dir`.
    - Added `conmon`, `runc` and `cni-plugins` to the static release bundle
    - Added `linkmode` (dynamic or static) output to `crio version` subcommand
    - Added gRPC method names to log entries to increase traceability
    - Added live reload to `decryption_keys_path`
    - Added pinns binary to static bundle
    - Improve `crio --version` / `version` output to show more details
    - Provide the possibility to set the default config path via `make DEFAULTS_PATH=<PATH>`
    - Take local images into account when pulling images prefixed with `localhost/`
    - Added support for drop-in registries.conf configuration files. Please refer to the registries.conf.d documentation (https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md) for further details.
    - If a specified or the default hooks directory is not available, then we warn the user but do not fail any more.
  - Documentation
    - Update documentation that the lowest possible value for the ctr_stop_timeout is 30 seconds. We also move the validation of this fact into the config validation part of the library.
    - Added man page for crio.conf.d(5)
  - Other (Bug, Cleanup or Flake)
    - Empty sandbox labels are now serialized into proper JSON (`null`)
    - Fixed CRI-O to fail to start when `runc` is no configured runtime and the `runc` binary is not in `$PATH`
    - Fixed SIGHUP reload for drop-in configuration files
    - Provide the latest release bundle via a Google Cloud Storage Bucket at: https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts
    - Removed annoying logs coming directly from lower level runtimes like runc
    - Removed the musl libc build target from the static binary bundle in favor of the existing glibc variant
    - Removed warning about non-absolute container log paths when creating a container
    - CRI-O's version can be overridden at buildtime with `VERSION=my.version.number make bin/crio`
    - ContainerStatus no longer waits for a container operation (such as start or stop) to finish.
    - Fix bug resulting in false reports of OOM
    - Fixed SIGHUP reload behavior for unqualified search registries
    - Return grpc code NotFound when we can't find a container or pod
    - Systemd unit file: drop crio-wipe.service as a requirement
* Thu Apr 16 2020 Richard Brown <rbrown@suse.com>
- criconfig: Require kubernetes-kubeadm-provider to be compatible with multi-version kubernetes packaging
* Thu Apr 16 2020 Michal Jura <mjura@suse.com>
- Update apparmor_profile with current cri-o version, bsc#1161056
* Fri Apr 10 2020 Michal Jura <mjura@suse.com>
- Update to version 1.17.3:
  * Bump version to 1.17.3
  * Update c/image to v5.3.1
  * sandbox: Make sure the label annotation is proper JSON
  * container_server: Wrap a few more errors in LoadSandbox
  * restore tests: verify some namespace lifecycle cases work
  * fail on failed pinns
  * pinns: pin to /var/run/*ns instead of /var/run/crio/ns/*
  * Add the -d flag when installing runc for circle ci
  * Add the mounts that are required by systemd
  * bump to 1.17.2
* Fri Mar 27 2020 Richard Brown <rbrown@suse.com>
- Use new pause:3.2 image
* Mon Mar 16 2020 Sascha Grunert <sgrunert@suse.com>
- Update to v1.17.1:
  * Drop conmonmon
  * Update docs and completions for crio wipe --force
  * wipe: Add a force flag for skipping version check
  * Restore sandbox selinux labels directly from config.json
  * klog: don't write to /tmp
  * Pass down the integer value of the stop signal
  * exec: Close pipe fds to prevent hangs
  * Unwrap errors from label.Relabel() before checking for ENOTSUP
  * oci: Handle timeouts correctly for probes
* Mon Feb 10 2020 Sascha Grunert <sgrunert@suse.com>
- Put default configuration in /etc/crio/crio.conf.d/00-default.conf in replacement for /etc/crio/crio.conf
* Mon Feb 10 2020 Sascha Grunert <sgrunert@suse.com>
- Uncomment default apparmor profile to always fallback to the default one
* Mon Feb 10 2020 Sascha Grunert <sgrunert@suse.com>
- Remove prevent-local-loopback-teardown-rh1754154.patch which is now included in upstream
- Update to v1.17.0:
  * Major Changes
    - Allow CRI-O to manage IPC and UTS namespaces, in addition to Network
    - Add support for drop-in configuration files
    - Added image pull and network setup metrics
    - Image decryption support
    - Remove unneeded host_ip configuration value
  * Minor Changes
    - Setup container environment variables before user
    - Move default version file location to a tmpfs
    - Failures to stop the network will now cause a stop sandbox request to fail
    - Persist container exit codes across reboot
    - Add conmonmon: a conmon monitoring loop to protect against conmon being OOM'd
    - Add namespaces{-_}dir CLI and config option
    - Add disk usage for ListContainerStats
    - Introduce new runtime field to restrict devices in privileged mode
* Sat Jan 18 2020 Sascha Grunert <sgrunert@suse.com>
- Fix invalid apparmor profile (bsc#1161179)
* Thu Jan 16 2020 Sascha Grunert <sgrunert@suse.com>
- Include system proxy settings in service if present (bsc#1155323)
* Thu Jan 16 2020 Sascha Grunert <sgrunert@suse.com>
- Removed the usage of `name_` variables to reduce the error proneness
- Fixed systemd unit install locations for crio-wipe.service and crio-shutdown.service (bsc#1161056)
* Fri Jan 10 2020 Richard Brown <rbrown@suse.com>
- Add prevent-local-loopback-teardown-rh1754154.patch to stop local loopback interfaces being torn down before cluster is bootstrapped
/etc/crio
/etc/crio/crio.conf.d
/etc/crio/crio.conf.d/00-default.conf
/etc/zsh_completion.d
/etc/zsh_completion.d/_crio
/etc/zsh_completion.d/_crio-status
/usr/bin/crio
/usr/bin/crio-status
/usr/bin/pinns
/usr/lib/systemd/system/crio.service
/usr/libexec/crio
/usr/libexec/crio/bin
/usr/sbin/rccrio
/usr/share/bash-completion/completions/crio
/usr/share/bash-completion/completions/crio-status
/usr/share/fillup-templates/sysconfig.crio
/usr/share/fish
/usr/share/fish/completions
/usr/share/fish/completions/crio-status.fish
/usr/share/fish/completions/crio.fish
/usr/share/licenses/cri-o
/usr/share/licenses/cri-o/LICENSE
/usr/share/man/man5/crio.conf.5.gz
/usr/share/man/man8/crio.8.gz
/usr/share/oci-umount
/usr/share/oci-umount/oci-umount.d
/usr/share/oci-umount/oci-umount.d/cri-umount.conf
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Jan 12 23:23:09 2025