Changelog for cri-o-1.24.2-3.17.x86_64.rpm :
* Thu Aug 18 2022 jkowalczykAATTsuse.com- Update to version 1.24.2: * version: bump to v1.24.2 * remove succinct option to fix jenkins * Use a default umask of `0o022` * Fix unit test coverage * Fix release-notes tag determination * Upload release notes for each tag * Fix container status for HostToContainer propagation * bump ocicni to 0.4.0 * Fix unit tests * test: set cri stats more idiomatically * utils/RunUnderSystemdScope: fix wrt channel deadlock * oci: kill children of container if it is in the host pid namespace * Mon Jul 25 2022 jkowalczykAATTsuse.com- Update to version 1.24.1: CVE-2022-1708 * boo#1200285 CVE-2022-1708 * bump to v1.24.1 * conmonmgr: query help text to see if it supports log-global-size-max * add support for conmon log-global-size-max * oci: cap exec sync length * Fix review issues * Fix it case failed * Fix review issues * Add integration test for remove paused ctr * 1.When in paused state, stop contianer should unpause it 2.We should treat paused state as running, or kubelet will delete it and restart one * fix review issues * Try to force delete ctr when in paused state * vendor: bump crypto package * Thu May 19 2022 Jeff Kowalczyk - Update BuildRequires: golang(API) >= 1.18 * Dependency Go module capnproto.org/go/capnp/v3 requires Go 1.18 * Thu May 19 2022 jkowalczykAATTsuse.com- Update to version 1.24.0: * oci: Move exec probe process to container cgroup, if enabled * config: Add monitor_exec_cgroup config option * Reenable pod runtime in package spec * dependencies: Upversion conmon dependency to v2.0.27 * Sanitize conmonrs log level and print used version * Wrap runtime pod errors * openshift test: use go 1.18 * openshift test: add skip_pod_runtime to cri-o spec * Bump nixpkgs and use go1.18 * Fix golangci-lint errors * add runtime pod * vendor conmon-rs * oci: add IsInfra method * oci: lock for runtime creation * test: use go 1.18 for lint * Move WillRunSystemd call after iterating the mounts * Add sha256sum bundle files to 
uploaded artifacts * crio:fix a bug about log container * oci: use runtime handler level monitor fields * config: assume default conmon cgroup if it\'s not specified * template: add comment to runtimes table * config: replace Conmon specific fields with runtime handler versions * main(): don\'t treat reexec.Init() == true as an error * crio:try fix integration test failed, because unpause not on time * config: increase pids limit to unlimited and deprecate it and logSizeMax * bump ocicni to 0.3.1 * bump containernetworking cni to 1.1.0 * crio: unpause ctr after test * crio:fix golint check warning * fix(stats): incorrect id on zfs driver * crio:fix crun it failed * crio:update status after pause/unpause container * oci: cleanup log path if the container failed to create * utils: remove unused io related packages * runtime_vm: use containerd deps for container io directly * remove the external dependency on the conntrack binary * go.{mod,sum}: update CDI deps to v0.3.2. * server: no longer use hardcoded timeouts * fix builds by passing -buildvcs=false on 386 * test: bump to go 1.18.1 * Disable systemd-mode cgroup detection conditionally * crio: Fix review issues and make format shell file * Add bats test to ensure namespaces are cleaned up on pod stop * pinns: Check calloc return value * bump to 4.11 image * crio: Fix code style * crio: implement extended interface for pause/unpause container * seccomp: drop unshare syscall from default profile * Retry to set CPU load balancing before return the error * build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.1.0 * Fix integration tests * Switch to registry.k8s.io for the sandbox Image: * Change the mcs order in selinux.bats to test the canonization of selinux label * Canonize selinux label for comparison with filesystem label * oci: fix segfault in pod stop code * capabilities: drop inheritable * Bump ocicni to v0.3.0 * Switch to ginkgo/v2 * Add bats test for infra_ctr_cpuset taskset * Add bats test for zombie 
conmon cleanup * Update golangci-lint and config * Bump golang to 1.18.x * pinns: Pass sysctls as repeated \'-s\' arguments * Fix shell format * README: Update EOL & Version Skew links * config/sysctl: fail if there is a + in the value * Fix critest * Enable `--seccomp-use-default-when-empty` by default * test: update to new runc behavior * Automatically chcon and restorecon on get script * Pin `github.com/u-root/u-root` * Switch to `main` for `get` script * Bump nixpkgs * Pin nixos/nix version * test: allow state of failing tests to be kept intact. * factory: take capabilities setup * Add dedicated security information * test/crio-wipe.bats: don\'t nuke $TESTDIR too early. * test/cgroups.bats: fix incorrect setup order. * test/cdi.bat: add CDI integration tests. * config,cli: add configuration for CDI. * pkg/container: implement CDI device injection. * go.{mod,sum}: update deps, vendor. * contrib/test: force BATS symlink in place. * contrib/test: always install BATS for integration. * openshift e2e: bump cri-o version * bump to 1.24.0 * test: avoid concurrent crictl config writes. 
* server: stop deleting pod from idIndex if already gone * CI: use kubernetes from git tip * test/e2e: update skipped test list * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup * server: use syncfs instead of fsync * config/sysctls: validate against invalid spaces * [gitpod] use latest workspace full * hack/build-rpms.sh: fix yum-builddep failures * ci: bump shellcheck to 0.8.0 * test/apparmor: suppress bogus SC2031/2031 * test/cni_plugin_helper: suppress shellcheck warning * test/test_runner: rm eval, fix comment * OWNERS: move rhatdan to emeritus approvers * OWNERS: move runcom to emeritus approvers * utils: Sync: use f.Sync * Deny empty `localhost/` AppArmor profiles * OWNERS: add first round of reviewers * OWNERS: Move AATTsboeuf to emeritus approver * int/storage: getReferences: fix gocritic warning * server: fix (rather than ignore) gocritic warning * server/streaming: specify the linter * ci: bump golangci-lint to 1.44.0 * scripts/release-notes: fix printf args * scripts: fix a typo * int/version: fix forcetypeassert linter warning * server/container_create_linux: fix forcetypeassert warning * utils: fix forcetypeassert linter warnings * server/streaming: fix nolintlint warning * int/storage: fix gosimple warning * int/config/cgmgr: fix stylecheck warnings * Format code using gofumpt 0.2.1 * Makefile: fix a comment * test/crio-wipe: fixups * ISSUE_TEMPLATE: fix grammatical error * OWNERS: move AATTsameo to emeritus_approvers * ISSUE_TEMPLATES: update membership form to be reviewer form * ISSUE_TEMPLATES: add a couple of more * image: use imageCache value for ImageStatus() * contrib/bundle: remove deprecated kubelet option. 
* minor edit: removed dead link from TOC * oci: drop WaitContainerStateStopped * oci: fix a leaked goroutine * internal/factory/container: initialize from pkg/container * internal/factory/sandbox: initialize from pkg/sandbox * README: update branches * Updated format * Generate checksum files for artifacts * test: add test for skipped sysctls * server: skip sysctls that would affect the host * deep copy List{PodSandbox,Container} structs * GOVERNANCE: fix links * oci: always have conmon log to syslog * README: add reference to governance * add GOVERNANCE.md * issue templates: add membership request form * Add Debian_11 OS variable on installation instructions of Debian Signed-off-by: Wang Kai * criocli: produce diff-friendlier zsh completions. * ci: use main branch for conmon * server: fix race with kubelet * Fix runtime panic on pod sandbox stats retrieval * update go to 1.17 in go.mod * Reuse createContainerIO in CreateContainer * Fix vm containers couldn\'t restore after CRI-O restart * ci: use main version of runc * openshift e2e: bump ci image * server: fix a potential NULL-pointer dereference. * Documentation: expand on CNI CIDRs in the kubeadm tutorial * test: update tests for allowed_devices * config: add AllowedDevices option * pass the main mount point to fix crypto profiles binding * Add Nestybox to the CRI-O adopters list. * server: drop duplicate log message * pkg/container: fix container device GID fallback. 
* bump crio commit for upstream k8s CI * adds config template linting * adds comments to default values * server: don\'t set memory swap when it\'s not enabled * Inherits storage configurations from storage.conf if crio config does not set * use cmdrunner singleton * conmonmgr: refactor for new CommandRunner * cmdrunner: update mocks and add target to makefile * config: prepend commands with taskset if InfraCtrCPUSet is configured * cmdrunner: add tests for prepended commands * cmdrunner: create singleton * Use timeout for conmon cgroup move * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels * test: add test ensuring a stopped pod is restored * sandbox stop: remove namespaces * restore: handle removed namespaces * Partially revert \"restore: restore stop before managing namespace\" * restore: ensure containers are wiped on reboot * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * build(deps): bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 * vendor: bump c/image to 5.17.0 * pinns: Add LDFLAGS to Makefile- Packaging: unpin go version to BuildRequires: golang(API) >= 1.17 * Wed Mar 16 2022 rbrownAATTsuse.com- Update to version 1.23.2: * config/sysctl: fail if there is a + in the value * Revert \"config/sysctl: fail if there is a + in the value\" * bump to version 1.23.2 * config/sysctl: fail if there is a + in the value * config/sysctls: validate against invalid spaces * server: stop deleting pod from idIndex if already gone * [1.23] ci: use kubernetes 1.23, cri-tools 1.23 * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup * hack/build-rpms.sh: fix yum-builddep failures * image: use imageCache value for ImageStatus() * oci: fix a leaked goroutine * Reuse createContainerIO in CreateContainer * Fix vm containers couldn\'t restore after CRI-O restart * release-notes: add 
args for checksum fields * Updated format * Generate checksum files for artifacts * bump to v1.23.1 * test: add test for skipped sysctls * server: skip sysctls that would affect the host * server: don\'t set memory swap when it\'s not enabled * deep copy List{PodSandbox,Container} structs * ci: use main branch for conmon * server: fix race with kubelet * Fix runtime panic on pod sandbox stats retrieval * ci: use main version of runc * openshift e2e: bump ci image * server: fix a potential NULL-pointer dereference. * pass the main mount point to fix crypto profiles binding * test: update tests for allowed_devices * config: add AllowedDevices option * server: drop duplicate log message * test: add test ensuring a stopped pod is restored * sandbox stop: remove namespaces * restore: handle removed namespaces * Partially revert \"restore: restore stop before managing namespace\" * restore: ensure containers are wiped on reboot * use cmdrunner singleton * conmonmgr: refactor for new CommandRunner * cmdrunner: update mocks and add target to makefile * config: prepend commands with taskset if InfraCtrCPUSet is configured * cmdrunner: add tests for prepended commands * cmdrunner: create singleton * Use timeout for conmon cgroup move * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels * vendor: bump c/image to 5.17.0 * Add new metrics that match Prometheus best practices and reduce cardinality * add metrics with new names that match naming best practices * use _total for all counters * use base unit seconds, bytes * metrics that do not follow best practices have been marked deprecated, these can be removed in a future release, it is to ensure non-breaking change for couple of releases * unit test: fix relative log test * unit tests: update pinns path in case it isn\'t found in PATH * test: skip target tests for userns * test: add test for target namespace * add support for target PID namespaces * test: give 
testunit sudo * oci: add managed pidns to container object * pkg/container: take container namespace configuration * nsmgrtest: take some namespace related test code * nsmgr: add function to pin existing namespace * nsmgr: take (and rename) NamespacePathFromProc * pkg/sandbox: take config initialization * Bump Kubernetes to v1.23.0 * set user.max_user_namespaces in case it\'s not * lint: bump cyclo complexity * gh-actions/contrib: setup sub{g,u}id * docs: add tutorial for setting up user namespaces * oci: put conmon in infra ctr cpuset if it is in the pod cgroup * test: add tests for user namespace annotations * test: move workload creation function to helpers * cni manager: catch server shutdown * server: notify user when network isn\'t ready yet * stop using hardcoded \"pod\" const * oci: always reap conmon zombies * clarify some error messages * Drop intermediate CRI types * Relabel containerenv files * Add minimum_mappable_(u|g)id settings * Fix runtime panic on stats server shutdown * restore: restore stop before managing namespace * server: add {,List}SandboxStats * server: refactor sandbox list * server: use stats server to get container stats * container server: use stats server * stats: add stats server * config: add StatsCollectionPeriod field * cgmgr: move most of stats handling to cgmgr * oci: make changes in preparation for moving stats functionality: * server: stub {List,}PodSandboxStats * server/cri: add PodSandboxStats support * vendor: bump cri-api * server/cri: refactor to make stats processing unified * pkg/config: use iota * Add go 1.17+ go:build tags * Remove redundant build tags * Add containerenv file to containers This file indicates that the current environment is inside a container environment. The same technique is used by podman and docker. The same file name/path as podman was used, as it is vendor agnostic. 
* build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8 * config: merge runtime and workload allowed annotations * Updates kubeadm.md: The cgroup property is removed in [kubeadm-config.v1beta3](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/) * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc * Specify runtime table format in the error message * build(deps): bump github.com/containerd/ttrpc from 1.0.2 to 1.1.0 * server: fix segfault when using cgroupv2 * gh-actions: add sed for kube e2e * release-notes: update to main * build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * Bug 2012838: fix override storage options from storage.conf * oci: fix deadlock in container stop code * build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 * oci: always close chControl * oci: make some channels buffered * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc * build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6 * Add annotation that makes /sys/fs/cgroup writable * Add support for CNI plugins v1.0.1 * bump(deps-opentelemetry) * pin go.opentelemetry grpc/otelgrpc v0.25.0 * opentelemetry: add gRPC tracing * build(deps): bump k8s.io/klog/v2 from 2.20.0 to 2.30.0 * build(deps): bump github.com/go-logr/logr from 1.1.0 to 1.2.0 * version: bump to 1.23.0 * build(deps): bump github.com/containers/podman/v3 from 3.3.1 to 3.4.1 * build(deps): bump github.com/containers/common from 0.43.2 to 0.46.0 * test: drop swap disable playbook * server: add support for CRI unified field * server: implement swap support * server/cri: add support for 1.22 features * test: bump cri-tools version * scripts: pin cri-tools version * server: reduce needless copying for 
sb.NamespaceOptions * oci: refactor internal structure to use CRI type * oci: use server CRI metadata type for containers * sandbox: refactor internal structure to use CRI type * sandbox: save createdAt as a int64 * build(deps): bump github.com/containerd/cgroups from 1.0.1 to 1.0.2 * build(deps): bump github.com/creack/pty from 1.1.16 to 1.1.17 * build(deps): bump github.com/Microsoft/go-winio from 0.5.0 to 0.5.1 * Bump Kubernetes to v1.22.2 * sandbox: use server CRI metadata type * docs: emphasize deprecation notice * update documentation for workloads * add allowed annotations to workloads * Log HTTP response writer message instead an error * oci: use c/common signal parsing function * Skip volume relabel for super privileged containers * oci: chown stdin pipe to user in the container * test: fix selinux test failures * build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 * Fix runtime handler docs * build(deps): bump github.com/containers/image/v5 from 5.15.2 to 5.16.1 * scripts: fix release branch forward script * server: FilterDisallowedAnnotations of containers earlier * server: conditionally relabel volumes given annotation * build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0 * test: refactor allowed_annotation tests * server: reduce args in addOCIBindMounts * build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1 * test: add label for openshift e2e in dockerfile * build(deps): bump github.com/containerd/containerd from 1.5.5 to 1.5.7 * test: skip certificate check for downloading parallel * Remove usge of deprecated apt-key in Ubuntu install * Fix install.md links * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 * use a more appropriate console with code block * build(deps): bump k8s.io/api from 0.22.1 to 0.22.2 * build(deps): bump k8s.io/cri-api from 0.22.1 to 0.22.2 * build(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 * build(deps): bump github.com/creack/pty from 1.1.15 to 1.1.16 * 
build(deps): bump k8s.io/apimachinery from 0.22.1 to 0.22.2 * fix node e2e * build(deps): bump github.com/intel/goresctrl from 0.1.0 to 0.2.0 * bump crio commit used by node e2e installer * server: mount cgroup if hostNetwork * server: use container level host network setting * server: don\'t recalculate hostnet * Fix typo in install.md * Remove one of the explanations for `bind_mount_prefix` because it is duplicated. * node e2e: keep infra container * add unit test for the `server/sandbox_remove`. * test: fix journald test for new conmon * fix shfmt * update `install.md` for debian and ubuntu * build(deps): bump github.com/json-iterator/go from 1.1.11 to 1.1.12 * build(deps): bump k8s.io/client-go from 0.22.1 to 0.22.2 * fix shfmt * server: set spec when dropping infra * Update \'master\' branch links to \'main\' * bumps pause image to 3.6 * server: don\'t wait forever on conmon cgroup move fail * build(deps): bump github.com/containers/storage from 1.34.1 to 1.36.0 * Remove bashism in sh script * Do not log if Intel RDT is not supported * build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5 * Fix cluster.yaml for kubectl create * call cmd.Wait() in all cases we call Start() * oci: call wait on conmon if cgroup move fails * build(deps): bump github.com/go-logr/logr from 1.0.0 to 1.1.0 * Fix `crio_image_pulls_layer_size_` metrics docs * Adapt to klog incompatible changes * build(deps): bump k8s.io/klog/v2 from 2.10.0 to 2.20.0 * Add `--profile-cpu` and `--profile-mem` options * build(deps): bump github.com/containers/podman/v3 from 3.3.0 to 3.3.1 * server: remove ineffective `updateLock`. 
* Fix missing quantile in `latency_microseconds_total` metrics * Update crio commit for node e2e * build(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1 * Bump runc binary to 1.0.2 * Switch to go1.17 for CI * fix debian 10 build doc * test/testdata/sandbox_config.json: fix the dns_config * adds updating instructions to install.md * Thu Sep 02 2021 alexandre.vicenziAATTsuse.com- Update to version 1.22.0: Dependency-Change * Update runc within static binary bundle to v1.0.1 * Update static binary bundle runc version to v1.0.0-rc94. * Update static binary bundle runc version to v1.0.0-rc95. * Updated crun in static binary bundle to v0.20.1 Deprecation * The internal_wipe option is now true by default. Further, it is being deprecated, and will be unconditionally true in the future. API Change * Update how the resources for a workload is specified. Now, to override a workload, the pod must have the annotation $prefix/$ctr_name = {\"$resource_type\": \"$resource_value\"}. The workloads feature has also been marked as experimental, which should have happened from the beginning. Feature * Added --metrics-collectors/metrics_collectors configuration to enable or disable certain metrics. * All metrics collectors are enabled per default. * Added crio_image_pulls_layer_size histogram metric to get insights about all pulled layer sizes. * Added build tags as well as AppArmor and seccomp status to crio version output. * Added generation of self-signed certificates for the secure metrics endpoint * if the provided cert and key paths are not available on disk. * Added secure metrics endpoint configuration options * Added structural logging of container ID, sandbox ID and process ID on container start. * Automatically reload metrics TLS certificate and key if any of those specified files change. * CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for. 
* Changed the logging behavior of klog messages to be included in the CRI-O logs. * The klog info verbositry is converted to CRI-O debug to lower the log verbosity. * Cri-o now does not limit the DNS search paths. * Enable the \"volatile\" option for the overlay drivers when it is supported by the underlying kernel. * Rootless: enable resource limit when cgroup v2 controllers are delegated. * Support io.kubernetes.cri.blockio-class container annotation for specifying blockio class. * Support blockio.resources.beta.kubernetes.io/pod pod annotation for specifying the default blockio class to all containers in the pod. * Support blockio.resources.beta.kubernetes.io/container.NAME pod annotation for specifying the blockio class of the NAME container in the pod. * Add blockio_config_file config file option (and corresponding --blockio-config-file for command line) for configuring blockio classes and their cgroups blockio controller parameters. * Support io.kubernetes.cri.rdt-class container annotation for specifying RDT class. * Add rdt_config_file config file option (and corresponding --rdt-config-file for command line) for configuring the resctrl pseudo-filesystem. * The config field drop_infra_ctr is now true by default * The runtime_config_path option, which allows to specify the path of the runtime configuration file, is now supported by CRI-O. This is specific to the VM runtime type. * Validate certificate dates for TLS metrics endpoint Design * Drop support for the crio.shutdown. * ExecSync requests now don\'t use conmon, instead calling the runtime directly, which reduces overhead. Bug or Regression * Add support for absent_mount_sources_to_reject, which allows admins to configure paths that, when mounted into a container despite not existing on the host, causes a container creation request to fail. 
This is useful for paths like /etc/hostname, which causes trouble as a directory, but possibly shouldn\'t be created as a file either (in the case of a dynamic hostname). * Add symlink /proc/mounts on /etc/mtab to container * Add the config field internal_wipe which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary crio wipe to the main crio server. This has a handful of advantages, the main one being crio is now better able to cleanup CNI resources after a reboot. * Allow users to customize conmon\'s resources if a pod is in a workload. * CRI-O now logs when it is using cgroupv2 * Fix a bug in internal_wipe that would mean CNI resources would be leaked across reboots. * Fix a bug where CRI-O can\'t work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities * Fix a bug where CRI-O would leak opened files for namespaces on a server restore * Fix a bug where crio config would print a string for privileged_without_host_devices, not a boolean * Fix a bug where a container exec process received a little less time than the timeout provided * Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process * Fix a bug where cAdvisor couldn\'t read the disk usage of a pod with a dropped infra container * Fix a bug where duplicate requests would stall even if the pod or container was already created * Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot. 
* Fix a performance regression with exec probes * Fix a segfault when CRI-O has takes more than 8 minutes to create a pod or container * Fix an RSS regression with exec sync requests * Fix an issue where a container started with a terminal fails on exec sync calls * Fix drop ALL and add back few caps behavior to not include the default configured capabilities * Fix potential panic when reopening a container\'s log * Fixed bug where it was not possible to run containers using the default or no seccomp profile on * seccomp disabled builds/machines * Fixed bug where runtime VM created containers never reach their completed state. * Fixed linkmode detection for on en_US systems crio version * Fixed runtime panic for layers lockfile if its parent directory does not exist. * Added support for repositories in auth.json * Re-attempt setting up conmon\'s cgroup if it fails on EAGAIN from dbus * Reduce the permission on the listen socket to 0660 * Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily * The privileged_without_host_devices flag can now be given a an additional parameter to configure a runtime * Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster Other (Cleanup or Flake) * Add systemd After=crio.service to containers and conmon * Switched build artifacts to be published via the cri-o bucket. * Use build tag for linkmode detection on crio version. Uncategorized * Add Particule as adopters * Add --device-ownership-from-security-context which allows an admin to specify devices be configured to be owned by the container user and group, rather than unconditionally * being root. * Added internal/process/defunct_processes.go and crio_processes_defunct metric to collect the total number of defunct/zombie processes in a node. 
* Raise a warning when creating a bind mount on the container root * Fri Aug 20 2021 Bernhard Wiedemann - build with go 1.16 for reproducible binaries (boo#1102408) * Fri Jul 23 2021 alexandre.vicenziAATTsuse.com- Update to version 1.21.2: * oci: be more precise about channels and routines * oci: wait for runtime to write pidfile before starting timer * oci: refactor fsnotify usage * vendor: add notify package * version: bump to v1.21.2 * server: use cnimgr to wait for cni plugin ready before creating a pod * server: use cnimgr for runtime status * config: add cnimgr * Introduce cnimgr * server: prevent segfault by not using a potentially nil sandbox * network: pass pod UID to ocicni when performing network operations * vendor: bump ocicni to 4ea5fb8752cfe * Bump c/storage to v1.32.3 * oci: kill runtime process on exec if exec pid isn\'t written yet * oci: don\'t pre-create pid file * dbus: update retryondisconnect to handle eagain too * simplify checking for dbus error * utils: close dbus conn channel * dbusmgr: protect against races in NewDbusConnManager * cgmgr: reuse dbus connection * cgmgr: create systemd manager constructor * try again on EAGAIN from dbus * test: fix cgroupfs workload tests * Disable short name mode * workloads: don\'t set conmon cpuset if systemd doesn\'t support AllowedCPUs * test: add test for conmon in workloads * workloads: setup on conmon cgroup * Bump runc to get public RangeToBits function * server: export InfraName and drop references to leaky * storage: succeed in DeleteContainer if container is unknown * bump to v1.21.1 * Fix CI * oci: drop internal ExecSync structs * oci: do not use conmon for exec sync * bump c/storage to 1.31.1 * bump runc to 1.0.0-rc94 * Fix unit tests * Add support to drop ALL and add back few capabilities * server: call CNI del in separate routine in restore * server: reduce log verbosity on restore * reduce listen socket permissions to 0660 * test: adapt crio wipe tests to handle new behavior * ignore 
storage.ErrNotAContainer * move internal wipe to only wipe images * server: properly remove sandbox network on failed restore * runtimeVM: Use internal context to ensure goroutines are stopped * Fix go.sum * sandbox remove: unmount shm before removing infra container * use more ContainerServer.StopContainer * sandbox: fix race with cleanup * server: don\'t unconditionally fail on sandbox cleanup * server: group namespace cleanup with network stop * resourcestore: run cleanup in parallel * test: add test for delayed cleanup of network on restart * InternalWipe: retry on failures * server: get hooks after we\'ve check if a sandbox is already stopped * server: move newPodNetwork to a more logical place * Add resource cleaner retry functionality * test: add test for internal_wipe * server: add support for internal_wipe * crio wipe: add support for internal_wipe * config: add InternalWipe * server: breakup stop/remove all functions with internal helpers * storage: remove RemovePodSandbox function * server: reuse container removal code for infra * Cleanup pod network on sandbox removal * test: add test for absent_mount_sources_to_reject * server: add support for absent_mount_sources_to_reject * config: add absent_mount_sources_to_reject option * server: use background context for network stop * resource store: prevent segfault on cleanup step * Pin gocapability to v0.0.0-20180916011248-d98352740cb2 * config: fix type of privileged_without_host_devices * Fix podman name in README * Fix RuntimeDefault seccomp behavior if disabled * Add After=crio.service dependency to containers and conmon * Use extra context for runtime VM * workloads: move to more concrete type * workloads: update how overrides are specified * main: still rely on logrus (rather than using the internal log) * container server: fix silly typo * nsmgr: remove duplicate IsNSOrErr call * nsmgr: fix some leaks with GetNamespace * bump to containers/image 5.11.1 * Bug 1942608: do not list the image with error 
locating manifest * runtimeVM: Calculate the WorkingSetBytes stats * runtimeVM: Use containerd/cgroups for metrics * runtimeVM: Move metricsToCtrStats() around * runtimeVM: Vendor typeurl instead of maintain our own copy * Thu Apr 15 2021 alexandre.vicenziAATTsuse.com- Update to version 1.21.0: * bump to v1.21.0 * config: drop registries field as it is no longer supported * Revert \"test: drop unneeded sed statement\" * WIP: add debug print * test: drop unneeded sed statement * config: fix template insecure_registries field * config: drop commented config lines * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 * Bump OpenShift CI cri-tools version and fix build path * build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0 * Bump cri-tools to v1.21.0 * Update Kubernetes to v1.21.0 * Add container out of memory metrics * [CLI] \"crio config\" only prints the fields that are differet than the default. * Set short name mode to permissive * docs-validation: update to handle workloads * Fix unnecessary conversion lint report * add tests for workloads * integrate with server * config: update workloads structure * Clarify release cadence and version skew * Add correct start time to initial log output * Add support for workload settings * refactor handling of allowed_annotations * Do not push main binary into cachix cache * resourcestore: introduce ResourceCleaner * Use internal logging when context available * build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1 * server: remove dead code * sandbox: use defined CRI type for NamespaceOption * config: remove dead code * oci: remove dead code * lib: remove dead code * build(deps): bump github.com/containers/podman/v3 * build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5 * update pause image to 3.5 for non-root * build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5 * build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1 * build(deps): bump 
github.com/containers/buildah from 1.19.8 to 1.20.0 * build(deps): bump github.com/prometheus/client_golang * build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4 * build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5 * build(deps): bump github.com/containers/podman/v3 * build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5 * crio-wipe: only clear storage if CleanShutdownFile is supported * Add static bundle node e2e tests to GitHub actions * Reload the main config file when reloading configs * crio wipe: only completely wipe storage after a reboot * Bump static binary dependency versions * Add dependabot config file * runtimeVM: Fix shimv2 binary name construction * config,runtimeVM: Improve runtime_path validation * oci_test: Add basic coverage to "RuntimeType()" * oci_test: Add basic coverage to "privileged_without_host_devices" * oci_test: Leave invalidRuntime on its own line * tweak scope dependencies * Do not return `` placeholders for images any more * Fix invalid libcontainer GetExecUser call * Update dependencies * config: Don't fail if the non default runtime doesn't pass validation * Remove check for CI env variable for release-notes and dependencies * cgmgr: add CreateSandboxCgroup method * inspect: send container PID for dropped infra sandbox * oci: specify sbox id when creating spoofed container * Run GitHub actions on release branches * Update bats to v1.3.0 (#4661) * use happy-eyeballs for port-forwarding * fix mock issues * fix lint issues * install: drop support matrix and update instructions * do not store context in runtime vm * Fix lint GitHub action * pkg/container: take process args * Use and publish version marker for CRI-O * Add GitHub API pages support to `get` script * add libbtrfs-dev to unit tests * Revert "server: use IsAlive() more" * Fix GitHub actions cache key * Bug 1881694: Add pull source as info level log * test: use latest conmon * runtime_vm: Create the global fifo inside the runtime root path * stats:
fix log spam * Support CRI seccomp security profiles * oci: add unit tests for stop timeouts * oci: don't update stop timeout if it's earlier than old one * oci: update timeout even if we're ignoring kill * oci: don't wait too long on a long stop * oci: check process is still around with kill * Add integration test for started/finished container time * fix: Don't set `image-endpoint` in crictl config * feat: Add CLI option to set registries.conf.d path * Add allowed io.containers.trace-syscall annotation to static bundle * Make `get` script independent from `make` * test: correct the env variable for dropping the infra container * Add metric to grab latency of individual cri calls * Fix `get` script commit SHA retrieval * Add arm64 static build to GitHub actions * Fix GitHub actions workflow syntax * Updates yq commands for yq v4 * gh-actions: also run on release branches * pkg/sandbox: add InitInfraContainer endpoint * test: reconfigure how runtimes are passed in * test: add runtime() function * sandbox/container: drop context * test: drop workaround for crun * pkg/sandbox: cleanup unused funcs/files * fix doc log_level adding trace option * Fix oci container update config * Update e2e-aws logic for 4.8 * nsmgr: take Initialize method * Switch to go 1.16 for GitHub actions and remove scripts/build-test-image * config: remove and create the correct dir * Update nix pin with `make nixpkgs` * server: mount cgroup with rslave * crio wipe: ensure a clean shutdown * Move integration tests to GitHub actions * Run release-notes GitHub action after dependencies * Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0.
* config/node: refactor checking for CollectMode * Fix GitHub actions checkout permissions * change binary version to 1.21.0-dev * Set conmon scope KillSignal to SIGPIPE * Move repo modification jobs to GitHub actions * bump protobuf to 1.3.2 * Log container stop timeout * ResourceStore: add close method * Allow seccomp hook tracing for separate containers * ResourceStore: extend tests to test WatcherForResource * ResourceStore: update tests to all run * ResourceStore: update docs for WatcherForResource * ResourceStore: don't segfault * server: support setting raw unified cgroupv2 settings * vendor: update runtime-specs * cgroup: implement fix for swap memcg on cgroup v2 * server: leave swap mem limit unset if not supported * test: skip ServiceAccountIssuerDiscovery test * hostport manager clean up host ports * allows stream timeout to be set from config * config: pre-create pinns directories * Bump containers image to v5.10.1 * Move unit tests to GitHub actions * Move go1.14 and 386 builds to GitHub actions * set kubelet node IP * Fix validate-completions GitHub action * Add integration test for pprof over unix socket * Add a flag for enabling profile over unix socket * Lookup echo command for unit tests * Move static build to GitHub actions * pinns: Fixup 'pwarn' output to match 'pwarnf' output * pinns: Don't put errno in the exit message for argument checks * nsmgr: use host option * nsmgr: Use config struct for NewPodNamespaces * pinns: support pinning host ns * Remove implicit GitHub action `name` fields * Move docs and completions validation to GitHub actions * Bump golangci-lint to v1.35.2 * Make config tests work rootless * Make rootless namespace unit test execution work * config: fix template to show infra_ctr_cpus option * Do not log file path on ioutil.ReadFile * fixes version_test.go * Close the stdin/tty on server start to avoid shortname prompts * docs: fix http link * docs: update kubeadm tutorial * Fix `make lint` * Return runtime API version
based on protocol * Update compatibility matrix to mention v1.20 * add method comment * restore irqbalance config only on system restart * add blurb in doc and more informative name for unit tests * add is-enabled check for irqbalance service * fix unit tests * add unit tests * fix bash/zsh completions * fix the docs validation * handle irqbalance service * runtime_vm: set finished time when containers stop * nsmgr: fix/add calls to GetNamespace * managed namespaces: move to dedicated package * Provide integration test for infra-ctr-cpuset feature * Set CPUs for the infra containers during the creation * Add shell completion for infra-containers-cpu flag * Add new infra-containers-cpus to the CLI and config file * refine `registries` deprecation message * Circle CI: install test/registries.conf * crio.8.md: runroot defaults to /run/containers/storage * support short-name aliases * pull: do check for blocked registries * config: deprecate registries * Rollback gocapability vendor bump * vendor: bump containers/storage to v1.24.4 * Update nix pin with `make nixpkgs` * contrib/test/int: add Kata Containers runtime support * contrib/test/int: enforce linking in parallel build process * contrib/test/int: build parallel from sources in CentOS * contrib/test/int: allow to skip user namespace testing * contrib/test/int: allow to configure test timeout * Capitalize Kubernetes * modify the error url of podctl * Add Digital Science to adopters * crio.service: Request to be run before kubelet.service * pinns: make binary not always static * server: use IsAlive() more * Support CRI v1 and v1alpha2 at the same time * drop support for ManageNSLifecycle * test/timeout.bats: increase timeout to fix flakes * release-notes: fix flags * test/timeout.bats: fix comments * int/resourcestore: fix comment about Put * test/image.bats: simplify some loops * test/helpers.bats: simplify cleanup_* * contrib/test/int: rm node-e2e test * contrib/test/int: fix iptables rule * critest: add unix://
prefix * critest.yml: don't skip test on RHEL * test: add timeout.bats * bump network creation timeout to 5 minutes * resourcecache: add watcher idiom * server: use ResourceCache instead of dropping progress * Add unit tests for ResourceCache * Introduce ResourceCache * moves shmsize to a handler allowed annotation * image pull: close progress chan * test/ctr.bats: fix a "ctr execsync" flake * Fix the functions' name in completions * make: drop link to crio.service * test: rm "run ctr with image with Config.Volumes" * test: add no-pull-on-run=true * test/devices.bats: fix "additional device permissions" case * test/devices.bats: rm unneeded run * test/devices.bats: skip earlier * Bandwidth CNI plugin reserved an upper limit on burst, in which banned include boundary. See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113 - Drop config-fix-tz.patch as upstream dependency was patched * Fri Apr 09 2021 alexandre.vicenzi@suse.com - Update to version 1.20.2: * bump to latest c/storage 1.24 branch * Remove check for CI env variable for release-notes and dependencies * fix lint * test: pin cri-tools to 1.20 * bump to v1.20.2 * Run GitHub actions on release branches * Pin gocapability to v0.0.0-20180916011248-d98352740cb2 * [PATCH 9/9] add method comment * [PATCH 8/9] restore irqbalance config only on system restart - Add vendor.tar.gz to avoid dependency downloads - Add config-fix-tz.patch to fix crio validation error while building * Fri Jan 08 2021 rbrown@suse.com - Update to version 1.19.1: * bump to v1.19.1 * don't do unnecessary iptables restore * switch CRI-O to use its own hostport manager * dual-stack host port manager * fix upstream hostport manager * Add README to hostport folder * fork hostport kubernetes code * [1.19] vendor: bump containers/storage to v1.20.5 * runtime_vm: Ensure closeIOChan is not nil inside CloseStdin's function * runtime: parse oom file for VM type runtimes * runtime_vm: Ignore
ttrpc.ErrClosed when removing a container * runtime_vm: StopContainers() should not fail when the VM is shut down * runtime_vm: Don't let wait() return ttrpc.ErrClosed * runtime_vm: Fix updateContainerStatus() logic * runtime_vm: set Pid and InitPid for VM runtimes * internal/config/node: add checkFsMayDetachMounts * Fix bogus CI test failures * test/config: fix shellcheck warning * test/config: fix "config dir should fail with invalid option" * server: cleanup container in runtime after failed creation * Tue Sep 15 2020 Sascha Grunert - API Change - CRI-O now manages namespace lifecycles by default - Feature - Add --version-file-persist, a place to put the version file in persistent storage. Now, crio wipe wipes containers if --version-file is not present - Add big_files_temporary_dir to allow customization of where large temporary files are put - Add build support for setting SOURCE_DATE_EPOCH - Added `--metrics-socket`/`metrics_socket` configuration option to allow exposing the metrics endpoint on a local socket path - Added `crio_image_layer_reuse` metric which counts layer reuses during image pull - Added `privileged` field to container status `info` - Added behavior to allow filtering by a partial Pod Sandbox ID - Added configuration validation to ensure a `conmon_cgroup == "pod"` if `cgroup_manager == "cgroupfs"` - Added latest `crun` version to static binary bundle - Added metrics-exporter and [documentation] - Added new metrics `crio_image_pulls_failures` and `crio_image_pulls_successes`. For more information please refer to the [CRI-O metrics guide] - Container HostPort with SCTP protocol is supported. - Containers running `init` or `systemd` are now given a new selinux label `container_init_t`, giving it selinux privileges more appropriate for the workload - If users want the container_kvm_t label when using a runtime that supports kvm separation, they will need to either set the runtime_type to "vm" or have "kata" in the runtime name.
E.g. [crio.runtime.runtimes.my-kata-runtime] runtime_path = "" runtime_type = "oci" runtime_root = "/run/kata" or [crio.runtime.runtimes.my-kata-runtime] runtime_path = "" runtime_type = "vm" runtime_root = "/run/kata" - Re-add the behavior that string slices can be passed to the CLI comma separated, for example `--default-capabilities CHOWN,KILL` - Removed `socat` runtime dependency which was needed for pod port forwarding - Return pod image, pid and spec in sandbox_status CRI verbose mode - Design - Hooks_dir entries are now created if they don't exist - Documentation - Added `crun` container runtime to `crio.conf` - Added dependency report to generated release notes - The changelog is now rendered by a custom go template and contains the table of contents - Bug or Regression - Adding an additional runtime handler doesn't require the user to copy the existing default runtime handler configuration. The existing default runtime handler configuration will be preserved while adding the new runtime handler. - ExecSync requests will ask conmon to not double fork, causing systemd to have fewer conmons re-parented to it. conmon v2.0.19 or greater is required for this feature. - Fix handling of the --cni-plugin-dir and other multivalue command line flags - Fix path to bash via `/usr/bin/env` in crio-shutdown.service - Fix the container cgroup in case cgroupfs cgroup manager is used - Fix working set calculation - Fixed `crio version` binary mode parsing on musl toolchains - Fixed a bug where crictl only showed pod level stats, not container level stats.
- Fixed a bug where exec sync requests (manually or automatically triggered via readiness/liveness probes) overwrite the runtime `info.runtimeSpec.process.args` of the container status - Fixed bug where Pod creation would fail if Uid was not specified in Metadata of sandbox config passed in a run pod sandbox request - Fixed bug where pod names would sometimes leak on creation, causing the kubelet to fail to recreate - Fixed crio restart behavior to make sure that Pod creation timestamps are restored and the order in the list of pods stays stable across restarts - Fixed wrong linkmode output - Reflects resource updates under the container spec. - Other - Added info logs for image pulls and image status - Cleanup default info logging - Cleanup go module and vendor files. - Pod creation now fails if conmon cannot be moved to the cgroup specified in `conmon_cgroup`. Our default value for `conmon_cgroup` is `system.slice`, which is invalid for cgroupfs. As such, if you use cgroupfs, you should change `conmon_cgroup` to `pod` - Removed `crio-wipe.service` and `crio-shutdown.service` systemd units from the static bundle since they are not required - Uncategorized - Add `--drop-infra-ctr` option to ask CRI-O to drop the infra container when a pod level pid namespace isn't requested. This feature is considered experimental - Adds a new optional field, runtime_type, to the "--runtimes" option. - Cleanup and update nix derivation for static builds - Fix a bug where a sudden reboot causes incomplete image writes. This could cause image storage to be corrupted, resulting in an error `layer not known`. - Fix bug where empty config fields having to do with storage cause `/info` requests to return incorrect information - Fixes panic when /sys/fs/cgroup can't be stat'ed - If the default_runtime is changed from the default configuration, the corresponding existing default entry in the runtime map in the configuration will be ignored.
- Remove support for `--runtime` flag - Updated `crictl.yaml` configuration inside the repository to reflect cri-tools v1.19.0 changes - Dependency-Change - Compile with go 1.15 * Sun Aug 02 2020 Callum Farmer - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) * Tue Jul 28 2020 Fabian Vogt - Suggest katacontainers instead of recommending it. It's not enabled by default, so it's just bloat * Mon Jul 20 2020 Sascha Grunert - Update to version 1.18.3: - Fix a bug where a sudden reboot causes incomplete image writes. This could cause image storage to be corrupted, resulting in an error layer not known. - Fixed bug where pod names would sometimes leak on creation, causing the kubelet to fail to recreate - If conmon is v2.0.19 or greater, ExecSync requests will not double fork, causing systemd to have fewer conmons re-parented to it * Thu Jun 18 2020 dmueller@suse.com - Update to version 1.18.2: * Bump version to v1.18.2 * criocli: Avoid parsing the config twice * StringSliceTrySplit: return a copy of the underlying slice * Restore version output from crio --version * Add info logs for image pull and status CRI calls * managed_ns: deflake tests * bump containers image to 5.4.4 (fixes gh#containers/image/issues/898) * Mon May 18 2020 sgrunert@suse.com - Update to version 1.18.1: - Feature - Add --version-file-persist, a place to put the version file in persistent storage.
Now, crio wipe wipes containers if --version-file is not present (presumably it is on temporary storage), and wipes images if both --version-file and --version-file-persist are out of date (presumably there has been an upgrade of cri-o's minor version) - Containers running init or systemd are now given a new selinux label container_init_t, giving it selinux privileges more appropriate for the workload - Other (Bug, Cleanup or Flake) - Fix linkmode retrieval on crio version for static binaries - Fix a bug where CRI-O could not start a container if CONFIG_CGROUP_HUGETLB was not set in the kernel - Re-add the behavior that string slices can be passed to the CLI comma separated, for example --default-capabilities CHOWN,KILL - Removed crio-wipe.service and crio-shutdown.service systemd units from the static bundle since they are not required - Fix some crio version oddities * Wed Apr 29 2020 Sascha Grunert - Remove the `go >= 1.13` build requirement * Mon Apr 27 2020 Ralf Haferkamp - Restore calls to %service_* macros that were accidentally removed with the last change * Thu Apr 23 2020 Sascha Grunert - Remove crio-wipe.service and crio-shutdown.service - Update to version 1.18.0: - Deprecation - Drop support for golang < v1.13 - API Change - Removed version from default AppArmor profile name in config - CRI-O now runs containers without NET_RAW and SYS_CHROOT capabilities by default. This can result in permission denied errors when the container tries to do something that would require either of these capabilities. For instance, using `ping` requires NET_RAW, unless the container is given the sysctl `net.ipv4.ip_forward`. Further, if you have a container that runs buildah or configures RPMs, they may fail without SYS_CHROOT. Ultimately, the dropped capabilities are worth it, as the majority of containers don't need them. The fewer capabilities CRI-O gives out by default, the more secure it is by default.
- When pinning namespaces, CRI-O now pins to /var/run/$NS_NAMEns/$RAND_ID instead of /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility with third party networking plugins - Feature - Add `crio config -m/--migrate` option which supports migrating a v1.17.0 configuration file to the latest version. - Add available image labels to image status info - Add cgroup namespace unsharing to pinns - Add live configuration reload to AppArmor profile option - Add live configuration reload to seccomp profile option - Add log context to container stats to improve logging - Added `--cni-default-network`/`cni_default_network` option to specify the CNI network to select. The default value is `crio`, but this option can be explicitly set to `""` to pick up the first network found in `--cni-config-dir`/`network_dir`. - Added `conmon`, `runc` and `cni-plugins` to the static release bundle - Added `linkmode` (dynamic or static) output to `crio version` subcommand - Added gRPC method names to log entries to increase traceability - Added live reload to `decryption_keys_path` - Added pinns binary to static bundle - Improve `crio --version` / `version` output to show more details - Provide the possibility to set the default config path via `make DEFAULTS_PATH=` - Take local images into account when pulling images prefixed with `localhost/` - Added support for drop-in registries.conf configuration files. Please refer to the registries.conf.d documentation (https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md) for further details. - If a specified or the default hooks directory is not available, then we warn the user but do not fail any more. - Documentation - Update documentation that the lowest possible value for the ctr_stop_timeout is 30 seconds. We also move the validation of this fact into the config validation part of the library.
- Added man page for crio.conf.d(5) - Other (Bug, Cleanup or Flake) - Empty sandbox labels are now serialized into proper JSON (`null`) - Fixed CRI-O to fail to start when `runc` is not a configured runtime and the `runc` binary is not in `$PATH` - Fixed SIGHUP reload for drop-in configuration files - Provide the latest release bundle via a Google Cloud Storage Bucket at: https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts - Removed annoying logs coming directly from lower level runtimes like runc - Removed the musl libc build target from the static binary bundle in favor of the existing glibc variant - Removed warning about non-absolute container log paths when creating a container - CRI-O's version can be overridden at build time with `VERSION=my.version.number make bin/crio` - ContainerStatus no longer waits for a container operation (such as start or stop) to finish. - Fix bug resulting in false reports of OOM - Fixed SIGHUP reload behavior for unqualified search registries - Return grpc code NotFound when we can't find a container or pod - Systemd unit file: drop crio-wipe.service as a requirement * Thu Apr 16 2020 Richard Brown - criconfig: Require kubernetes-kubeadm-provider to be compatible with multi-version kubernetes packaging * Thu Apr 16 2020 Michal Jura - Update apparmor_profile with current cri-o version, bsc#1161056 * Fri Apr 10 2020 Michal Jura - Update to version 1.17.3: * Bump version to 1.17.3 * Update c/image to v5.3.1 * sandbox: Make sure the label annotation is proper JSON * container_server: Wrap a few more errors in LoadSandbox * restore tests: verify some namespace lifecycle cases work * fail on failed pinns * pinns: pin to /var/run/*ns instead of /var/run/crio/ns/* * Add the -d flag when installing runc for circle ci * Add the mounts that are required by systemd * bump to 1.17.2 * Fri Mar 27 2020 Richard Brown - Use new pause:3.2 image * Mon Mar 16 2020 Sascha Grunert - Update to v1.17.1: * Drop conmonmon * Update
docs and completions for crio wipe --force * wipe: Add a force flag for skipping version check * Restore sandbox selinux labels directly from config.json * klog: don't write to /tmp * Pass down the integer value of the stop signal * exec: Close pipe fds to prevent hangs * Unwrap errors from label.Relabel() before checking for ENOTSUP * oci: Handle timeouts correctly for probes * Mon Feb 10 2020 Sascha Grunert - Put default configuration in /etc/crio/crio.conf.d/00-default.conf in replacement for /etc/crio/crio.conf * Mon Feb 10 2020 Sascha Grunert - Uncomment default apparmor profile to always fall back to the default one * Mon Feb 10 2020 Sascha Grunert - Remove prevent-local-loopback-teardown-rh1754154.patch which is now included in upstream - Update to v1.17.0: * Major Changes - Allow CRI-O to manage IPC and UTS namespaces, in addition to Network - Add support for drop-in configuration files - Added image pull and network setup metrics - Image decryption support - Remove unneeded host_ip configuration value * Minor Changes - Setup container environment variables before user - Move default version file location to a tmpfs - Failures to stop the network will now cause a stop sandbox request to fail - Persist container exit codes across reboot - Add conmonmon: a conmon monitoring loop to protect against conmon being OOM'd - Add namespaces{-_}dir CLI and config option - Add disk usage for ListContainerStats - Introduce new runtime field to restrict devices in privileged mode * Sat Jan 18 2020 Sascha Grunert - Fix invalid apparmor profile (bsc#1161179) * Thu Jan 16 2020 Sascha Grunert - Include system proxy settings in service if present (bsc#1155323) * Thu Jan 16 2020 Sascha Grunert - Removed the usage of `name_` variables to reduce the error proneness - Fixed systemd unit install locations for crio-wipe.service and crio-shutdown.service (bsc#1161056) * Fri Jan 10 2020 Richard Brown - Add prevent-local-loopback-teardown-rh1754154.patch to stop local loopback
interfaces being torn down before the cluster is bootstrapped * Tue Dec 17 2019 jmassaguerpla@suse.com - Make cgroup-driver for kubelet be cgroupfs for SLE to be consistent with the cri-o configuration * Wed Nov 27 2019 Sascha Grunert - Update to v1.16.1: * Add manifest list support * Default to system.slice for conmon cgroup * Don't set PodIPs on host network pods * Tue Nov 26 2019 Dirk Mueller - switch to libcontainers-common requires, as the other two are provided by it already (avant-garde#1056) * Tue Nov 19 2019 David Cassany - Revert cgroup_manager from systemd to cgroupfs for SLE15. k8s default is cgroupfs and it can be modified at runtime by the `--kubelet-cgroups` flag. However this flag is deprecated and avoiding it is currently preferred over introducing it. In order to switch to systemd as the cgroups manager in SLE15 further analysis is required to find a suitable configuration strategy. * Fri Nov 15 2019 Sascha Grunert - Use single service macro invocation - Add shell completions directories to files * Thu Nov 14 2019 Sascha Grunert - Add crio and crio-status shell completions - Add crio-wipe and crio-shutdown services - Update kubelet verbosity to `-v=2` - Update conmon cgroup to `system.slice` - Update crio.conf to match latest version - Update to v1.16.0: * Major Changes * Add support for manifest lists * Dual stack IPv6 support * HUP reload of SystemRegistries * file_locking is no longer a supported option in the configuration file * Hooks are no longer found implicitly. * conmon now lives in a separate repository and must be downloaded separately.
* Minor * All OCI mounts are mounted as rw when a pod is privileged * CRI-O can now run on a cgroupv2 system (only with the runtime crun) * Add environment variables to CLI flags * Add crio-status client to conveniently query status of crio or a container * Conmon is now found in $PATH if a path isn't specified or is empty * Add metrics to configuration file * Bandwidth burst can only be 4GB * If another container manager shares CRI-O's storage (like podman), CRI-O no longer attempts to restore them * Increase validation for log_dir and runtime_type in configuration * Allow usage of short container ID in ContainerStats * Make image volumes writable by the container user * Various man page fixes * The crio-wipe script is now included in the crio binary (as crio wipe), and only removes CRI-O containers and images. * Set some previously public packages as internal (client, lib, oci, pkg, tools, version) * infra container now spawned as not privileged * Mon Nov 11 2019 Richard Brown - Switch to `systemd` cgroup driver in kubelet config also * Thu Oct 24 2019 Sascha Grunert - Switch to `systemd` cgroup manager in replacement for `cgroupfs` * Thu Oct 17 2019 Richard Brown - Remove obsolete Groups tag (fate#326485) * Mon Oct 07 2019 Sascha Grunert - Fix default apparmor profile to match the latest version * Tue Sep 10 2019 Sascha Grunert - Update to v1.15.2: * Use HTTP2MatchHeaderFieldSendSettings for incoming gRPC connections * Fix 32 bit builds * crio-wipe: Fix int compare in lib.bash * Thu Sep 05 2019 Marco Vedovati - Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration. - Document the format of the [crio.runtime.runtimes] table entries, and remove clutter from the current runc entry.
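As an added illustration (not part of the SUSE changelog and not CRI-O's shipped configuration), the shape of the `[crio.runtime.runtimes]` table that the entry above documents, written as a drop-in under the `/etc/crio/crio.conf.d/` directory introduced with v1.17.0. It also shows the two constraints the release notes above spell out: a `"vm"` runtime_type (or `kata` in the handler name) selects the `container_kvm_t` label, and `conmon_cgroup` must be `"pod"` whenever `cgroup_manager` is `"cgroupfs"`. The file name, the handler names `runc` and `kata`, and the shim path are assumptions for the example; `runtime_path`, `runtime_type`, `runtime_root` and `privileged_without_host_devices` are the fields named in the changelog.

```toml
# Assumed example drop-in: /etc/crio/crio.conf.d/10-runtimes.conf
# (file name and handler names are hypothetical; field names are CRI-O's)

[crio.runtime]
# Handler used when a pod's RuntimeClass does not name one.
default_runtime = "runc"
# Keep cgroup_manager and conmon_cgroup consistent: "system.slice" is only
# valid with the systemd manager. With cgroup_manager = "cgroupfs" the
# validation added in 1.19 requires conmon_cgroup = "pod", otherwise pod
# creation fails because conmon cannot be moved into the named cgroup.
cgroup_manager = "systemd"
conmon_cgroup = "system.slice"

# Standard OCI runtime. An empty runtime_path means the handler name is
# looked up in $PATH at startup.
[crio.runtime.runtimes.runc]
runtime_path = ""
runtime_type = "oci"
runtime_root = "/run/runc"

# Hardware-isolated handler. runtime_type = "vm" (and/or "kata" in the
# handler name) gives its containers the container_kvm_t SELinux label.
[crio.runtime.runtimes.kata]
runtime_path = "/usr/bin/containerd-shim-kata-v2"   # assumed shim location
runtime_type = "vm"
runtime_root = "/run/kata"
# Privileged pods scheduled on this handler are not handed host devices.
privileged_without_host_devices = true
```

Pods select the second handler through a Kubernetes RuntimeClass whose `handler` field is the table key (`kata` here); everything else keeps using `default_runtime`. If the node is switched to `cgroup_manager = "cgroupfs"`, change `conmon_cgroup` to `"pod"` in the same drop-in, since the two settings are validated together.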
* Thu Sep 05 2019 David Cassany - Updating to v1.15.1 included the fix for CVE-2019-10214 (bsc#1144065) * Thu Sep 05 2019 Sascha Grunert - Update to v1.15.1: * Bump container storage to v1.12.6 * Allow building with go1.10 * Allow default IP route to not be present * Update libpod to the latest version * Require crio-wipe for crio service file * Disable crio-wipe in systemd by default * Change default apparmor profile to actually contain the version * Thu Aug 29 2019 Sascha Grunert - Update crio.conf to: * set manage_network_ns_lifecycle per default to true * Tue Aug 06 2019 Sascha Grunert - Update crio.conf to: * use `127.0.0.1` as streaming address * use any ephemeral port for streaming server * Thu Jul 25 2019 Richard Brown - Update crio.conf to use correct pause_command * Thu Jul 18 2019 Richard Brown - Update crio.conf to use better versioned pause container * Wed Jul 17 2019 Richard Brown - Update crio.conf to use official kubic pause container * Wed Jul 03 2019 Sascha Grunert - Update CRI-O to v1.15.0: * update readme for currently supported branches * Update deps for k8s 1.15.0 * Remove invalid unit test * Remove unnecessary indirect dependency gopopulate * go.mod: drop github.com/containerd/cgroups * cgroups: use libpod/pkg/cgroups * go.mod: update libpod and godbus/dbus * Move the creation of sourceCtx in Server.PullImage out of the loop * Remove the imageAuthFile parameter to RuntimeServer.CreateContainer * Set SystemContext.AuthFilePath in global Server.systemContext * Set SystemContext.DockerRegistryUserAgent in global Server.systemContext * Base copy.Options.{Source,Destination}Ctx both on the input systemContext * Expect a non-nil copy.Options in ImageServer.PullImage * Use a types.SystemContext instead of copy.Options in PrepareImage * Use an explicit DockerInsecureSkipTLSVerify = types.OptionalBoolTrue * Split imageService.remoteImageReference from prepareReference * Simplify the handling of PullImageRequest.auth * Build copy.Options.SourceCtx from
Server.systemContext * Add a buildImageResult helper to avoid duplicating the code * Call buildImageCacheItem in ImageStatus * Don't redundantly look up an already available store.Image * Don't use path.join for docker references * Remove redundant manifest parsing to get config digest * Remove redundant calls to types.ImageSource.Size * When looking up a local image by transport:name reference, use the tag/digest as well * Use reference.Named.String() instead of open-coding it * Use reference.ParseNormalizedNamed for parsing storage.Image.Names * Don't modify the caller-provided SystemContext in server.New * Remove `seccomp.json` and fall back to internal defaults * Fix mockGetRef, and deal with all of the fallout * Return mockSequence from mockListImage and mockLoop, use global inOrder everywhere * Remove ImageServer.RemoveImage * Rename mockToCreate to mockCreateContainerOrPodSandboxImageExists * Add mockStorageImageSourceGetSize and mockNewImage * Don't split the first gomock expectation into a BeforeEach * Add mockGetStoreImage and mockResolveImage * Add a shared mockParseStoreReference * Add mockStorageReferenceStringWithinTransport and use it instead of open-coded sequences * Add an inOrder helper * Create a separate MockController for every test * Remove duplicate Dockerfiles * Discover runtimePath from $PATH environment * Use GlobalAuthFile, incl.
for the pause image if PauseImageAuthFile is not set * Don't discard copy.Options.SourceCtx when credentials are provided * Don't set non-default copy.Options in imageService.PullImage if it is nil * Remove the *copy.Options parameter to RuntimeService.Create{PodSandbox,Container} * Add global_auth_file option to crio.image config * Remove the types.SystemContext parameter where no longer necessary * Don't read registries.conf for the defaults of --registry and --insecure-registry * Add state of infracontainer to disk when stopped * Use repository logo instead of rawgit * Exclude 'vendor' for git-validation checks * Bump up minMemoryLimit to 12Mb * enable inline exec and attach test * Mark file_locking deprecated * Disable file locking by default * Add release bundle target * Update dependency containerd/cgroups * crio-wipe: fix readme nits * conmon: force unlink attach socket * Add junit test files to .gitignore * Use *config.Config within OCI runtime * Move lib.Config to a dedicated package * Refactor sandbox and container name reservation * Update dependencies * Remove travis in favor of CircleCI * Vendor Kubernetes v1.15.0 * Fix e2e_features_* selinux denials * add vrothberg to OWNERS file * Add documentation about the HTTP API * Default to runc if default_runtime is not set * Set default run root if not specified * Fix redundant if in lib/rename.go * Add codecov upload step to CircleCI config * Add flake attempts to critest integration testing * Add CircleCI badge * Add live reload feature to pause configuration * Update dependencies * Rebase containers/image to 2.0.0, buildah to 1.8.4, libpod to 1.4.1 * Fix Vagrantfile vendor inconsistency * version: if git commit is empty, silently ignore * Use the official nix package for building static binaries * Add status related server unit tests * Create network directory if it doesn't exist * Small stderr fixes in crio-wipe * Add crio-wipe * Add version file functionality * Enable ppc64le Travis CI * Fix
mentioned distributions in README.md * crictl.md: Fix a typo * Vendor Kubernetes 1.15.0-rc.1 * Update golangci-lint to v1.17.1 * README.md: Fix a typo * Fix missing images names on list * Update dependencies * Update setup.md * Refactor sandbox cgroup annotation * Fix gomega matcher syntax * Fix mentioned distributions within the setup tutorial * Go mod tidy * Add bandwidth limiting support * Switch to \'stable status\' badge * Cleanup README.md * Vendor Kubernetes v1.15.0-beta.1 * Close temporary image in PullImage * Add live reload integration tests and /config endpoint * Fix errcheck lint for network namespace creation * remove PluginDir from config if it existed * Change plugin_dir to plugin_dirs * Update dependencies * Bump github.com/containernetworking/plugins from 0.7.5 to 0.8.0 * Enable errcheck lint and fixup error paths * Add critest to integration test suite * Update Dockerfile CNI plugins to v0.8.0 * Update contrib systemd unit files to match project name * Fix runtime panic when having concurrent writes to runtime impl map * Fix build issues on 32-bit architectures * tests: added log max test to ctr.bats and command.bats * Update device cgroup permissions for configured devices. * Revert old fix * test: set container runtime to remote for e2e and fixup crio.conf * server: do not add default /sys if bind mounted * skip runtimes handler test until we can get a better solution * Fix possible runtime panic on store shutdown * Update Makefile to be usable without git * Ensure the test suite configures config directories. 
* Update depedencies * Add predefined build tags to .golangci.yml * Add container server unit tests * README.md: fix a typo * conmon: support OOM monitor under cgroup v2 * Fix logging to journal * refresh apt before installation * Bump github.com/containers/libpod from 1.2.0 to 1.3.1 * docs/crio.conf.5: Add \"have\" to \"higher precedence\" typo * Update scripts to find correct bash path * Fix links in tutorials/setup.md * Improve CI speed * Remove redundant source remove * setup: fix broken link * readme: Remove timeout from kube documentation * Remove terminal watch after success * Vendor Kubernetes v1.15.0-beta.0 * Cleanup SystemContext usage * Bump github.com/golang/mock from 1.3.0 to 1.3.1 * Bump github.com/containers/storage from 1.12.6 to 1.12.7 * Bump github.com/docker/go-units from 0.3.3 to 0.4.0 * Remove debug output from integration tests * sandbox_run: Log a warning if we can\'t find a slice * test: Add test for conmon cgroups * readme: Remove roadmap * Add config validation for conmon cgroup * Add CLI flag for --conmon-cgroup * Add config to run conmon under a custom cgroup slice * Add gocritic paramTypeCombine linter and fixes * Add awesome CRI-O list * Add config live reload feature * Update unit test target to not run `mockgen` * Add gocritic builtinShadow linter and fixes * Fix sandbox tests * conmon: detect cgroup2 and skip OOM handling * conmon: properly set conmon logs * Update test suites * Add gocritic importShadow linter and fixes * Add server sandbox unit tests * Add gocritic wrapperFunc linter and fixes * Add gocritic unnamedResult linter and fix issues * Add gocritic sloppyReassign linter and fixes * Add gocritic appendCombine linter and fixes * Add gocritic appendAssign linter and fixes * Add fossa badge * Add nakedret linter and related fixes * Bump github.com/go-zoo/bone from 0.0.0 to 1.3.0 * Improve error handling for crio main.go * Bump github.com/containernetworking/cni from 0.7.0-rc2 to 0.7.0 * Bump github.com/kr/pty from 1.1.1 to 
1.1.4 * Bump github.com/opencontainers/runc from 1.0.0-rc7 to 1.0.0-rc8 * Bump github.com/opencontainers/selinux from 1.2.1 to 1.2.2 * Bump google.golang.org/grpc from 1.20.0 to 1.20.1 * Bump github.com/Microsoft/go-winio from 0.4.11 to 0.4.12 * Bump golang.org/x/text from 0.3.1 to 0.3.2 * Bump github.com/golang/mock from 1.2.0 to 1.3.0 * Bump github.com/containers/storage from 1.12.4 to 1.12.6 * Bump github.com/opencontainers/runtime-spec from 1.0.0 to 1.0.1 * Add useragent unit tests * Add username and homedir to generated password * conmon: fix cross-compilation * Fix kubernetes import paths for cri-api * fixes make fmt/spacing issue * fixes assumption that socklen_t is always an unsigned long * Fix logic of server.restore() * Update CNI plugin test dependency to v0.7.5 * Update runc test dependency to v1.0.0-rc8 * Add server image unit tests * Vendor Kubernetes v1.15.0-alpha.2 * Remove references to kubernetes/pause image * Migrate server config test to ginkgo * Add CircleCI support * Fix hack/openpgp_tag.sh on older distributions * Add server test suite and initial cases * Update `LogDir` to be configurable * Add documentation about static builds * Vendor containers/storage v1.12.4 * Add server config interface * Add unit test inject files * Add additional build tags to setup guide * Remove ostree dependency from tutorial * Update PluginDir to be created if not existing * Add static crio binary build for x86_64 (glibc/musl) * Add openpgp_tag.sh as fallback if no gpgme available * Remove go build -i flag * Update test to use empty CNI hooks dir per default * Fix testunit-bin makefile target * Remove gofmt Makefile target * Remove ostree dependency * Vendor updated opencontainers/runtime-tools & runtime-spec * Fix coverity scan problem * run make vendor * Add min memory limit check to sandbox_run_linux.go * Add nil check for image status size * Add infra container check for pod sandbox * Revert back some changes from master * Use format strings instead of 
`Value` attribute * Remove default str in `Usage` when `Value` is used * Add default text to flags * Remove unnecessary golints * Update bats tests to run in parallel * Began documentation update. * conmon, exec: specify runtime root * test: use crictl inspect instead of RUNTIME state * Fix travis badge URL * fix broken link to policy.json(5) in readme * tests: added negative metrics testing to command.bats * tests: added metrics test to ctr.bats * Fix Makefile targets for sudo * Fix travis build * Switch to go modules * conmon: use sd_journal_sendv * Add stylecheck, unused and gosimple linters * Add config interface nil check * Update cri-tools versions * Allow containers/storage to manage SELinux labels * Move ContainerAttachSocketDir/containerExitsDir to lib * Use libpod registrar instead of pkg/registrar * travis: Switch to go 1.12.x * test: Switch to go 1.12.2 * Add RuntimeHandler.RuntimeRoot * utils: add license headers for pulled files * userns: drop intermediate mount namespace * Refactor: use idtools.ParseIDMap instead of bundling own version * Fix parallel make build failure * rootless: propagate XDG_RUNTIME_DIR * oci: fix segfault when cgroup cannot be configured * Update error handling paths for sandbox add and removal * Add go-md2man to repo * netns can be nil which can cause a segfault * test: Fix oom test * test: ami fixups * conmon: do not leak fd when creating oom file * Fixup for moving to github.com/cri-o/cri-o * update github.com/containers/ * dependencies * Do not crash when netns is not set up * readme: Update support matrix for 1.14 * test: Increase number of inotify user watches * Remove timeout flag from kubernetes.yml * Log oom_handling_score failure to debug * tests: allow to switch manage_network_ns_lifecycle * Update linter to use hugeParam * config: export manage_network_ns_lifecycle * Fix possible out of bounds access during log parsing- Update crio.conf to match the latest version- Remove registry-mirror.patch since it is now 
included in upstream- Remove unnecessary dependencies git-core and go-go-md2man- Remove custom build and use native build target `make`- Remove unit-test execution during package build since it requires (local) networking- Remove seccomp.json since it is now included in the binary- Fix apparmor dependencies * Fri May 24 2019 Sascha Grunert - Add apparmor-parser as dependency (bsc#1136403) * Thu May 16 2019 Guillaume GARDET - Add _constraints to avoid OOM * Thu May 09 2019 Sascha Grunert - Update cri-o to v1.14.1 * Add min memory limit check to sandbox_run_linux.go * Fix crash when network namespace is not setup * Log oom_handling_score failure to debug * Fix possible out of bounds access during log parsing * Fix sandbox segfault with manage_network_ns_lifecycle- Add registry-mirror.patch- Update repository paths from `kubernetes-sigs` to `cri-o`- Remove unnecessary ostree dependency * Thu Apr 18 2019 Michal Rostecki - Use /opt/cni/bin as the additional directory where cri-o is going to look up for CNI plugins installed by DaemonSets running on Kubernetes (i.e. Cilium). * Fri Apr 12 2019 Sascha Grunert - Update the configuration to fallback to the storage driver specified in libcontainers-common (`/etc/containers/storage.conf`)- Update go version to >= 1.12 to be in sync with upstream * Mon Apr 01 2019 Flavio Castelli - Introduce new runtime dependency conntrack-tools: the conntrack package is required to avoid failures in network connection cleanup. 
* Fri Mar 29 2019 Flavio Castelli - Update cri-o to v1.14.0 * Fix possible out of bounds access during log parsing- Update default configuration file: crio.network.plugin_dir is now a list instead of being a string * Thu Mar 28 2019 Daniel Orf - Update go requirements to >= go1.11.3 to fix * bsc#1118897 CVE-2018-16873 go#29230 cmd/go: remote command execution during \"go get -u\" * bsc#1118898 CVE-2018-16874 * Mon Mar 18 2019 Sascha Grunert - Update cri-o to v1.13.3 * Always set gid if returned from container user files * server: delete the container if it cannot be restored * Bump github.com/containers/storage to v1.11 * Add support for host ip configuration * Pause credentials 1.13 * Allow device mounting to work in privileged mode * Fix detach non tty * Tue Feb 26 2019 Richard Brown - Update cri-o to v1.13.1 * container: fix potential segfault on setup failure * container_create: fix race with sandbox being stopped * oci: read conmon process status * oci: Extend container stop timeout