Changelog for cri-o-1.24.3-2.4.x86_64.rpm :

* Thu Aug 31 2023 Priyanka Saggu - (bsc#1214406) update `kubelet.env`:
* to remove the following deprecated/obsolete flags:
* `--container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --runtime-request-timeout=15m`
* to add new flag -> `--fail-swap-on=false`
* Mon Dec 19 2022 rbrown@suse.com - Update to version 1.24.3:
* version: bump to 1.24.3
* set add_inheritable_capabilities to true by default
* use AddInheritableCapabilities
* config: add field AddInheritableCapabilities
* resourcestore: add test for stages
* server: update stages according to progress with resource creation
* resource store: return stage when a watcher is requested
* resource store: introduce stages
* build(deps): bump golangci/golangci-lint-action from 2 to 3
* Fix nginx based integration tests
* Revert "capabilities: drop inheritable"
* [1.24] vendor: bump containers/storage to v1.37.2
* Adding annotations for image and sandbox name.
* migrate image_list to quay.io
* server: handle exit files asynchronously
* server: remove exit file in exit monitor
* server: cleanup exit monitor function
* oci: take opLock for UpdateContainer
* version: bump to v1.24.2
* remove succinct option to fix jenkins
* Use a default umask of `0o022`
* Fix unit test coverage
* Fix release-notes tag determination
* Upload release notes for each tag
* Fix container status for HostToContainer propagation
* bump ocicni to 0.4.0
* Fix unit tests
* test: set cri stats more idiomatically
* utils/RunUnderSystemdScope: fix wrt channel deadlock
* oci: kill children of container if it is in the host pid namespace
* Mon Jul 25 2022 jkowalczyk@suse.com - Update to version 1.24.1: CVE-2022-1708
* boo#1200285 CVE-2022-1708
* bump to v1.24.1
* conmonmgr: query help text to see if it supports log-global-size-max
* add support for conmon log-global-size-max
* oci: cap exec sync length
* Fix review issues
* Fix it case failed
* Fix review issues
* Add integration test for remove paused ctr
* 1. When in paused state, stop container should unpause it 2. We should treat paused state as running, or kubelet will delete it and restart one
* fix review issues
* Try to force delete ctr when in paused state
* vendor: bump crypto package
* Thu May 19 2022 Jeff Kowalczyk - Update BuildRequires: golang(API) >= 1.18
* Dependency Go module capnproto.org/go/capnp/v3 requires Go 1.18
* Thu May 19 2022 jkowalczyk@suse.com - Update to version 1.24.0:
* oci: Move exec probe process to container cgroup, if enabled
* config: Add monitor_exec_cgroup config option
* Reenable pod runtime in package spec
* dependencies: Upversion conmon dependency to v2.0.27
* Sanitize conmonrs log level and print used version
* Wrap runtime pod errors
* openshift test: use go 1.18
* openshift test: add skip_pod_runtime to cri-o spec
* Bump nixpkgs and use go1.18
* Fix golangci-lint errors
* add runtime pod
* vendor conmon-rs
* oci: add IsInfra method
* oci: lock for runtime creation
* test: use go 1.18 for lint
* Move WillRunSystemd call after iterating the mounts
* Add sha256sum bundle files to uploaded artifacts
* crio:fix a bug about log container
* oci: use runtime handler level monitor fields
* config: assume default conmon cgroup if it's not specified
* template: add comment to runtimes table
* config: replace Conmon specific fields with runtime handler versions
* main(): don't treat reexec.Init() == true as an error
* crio:try fix integration test failed, because unpause not on time
* config: increase pids limit to unlimited and deprecate it and logSizeMax
* bump ocicni to 0.3.1
* bump containernetworking cni to 1.1.0
* crio: unpause ctr after test
* crio:fix golint check warning
* fix(stats): incorrect id on zfs driver
* crio:fix crun it failed
* crio:update status after pause/unpause container
* oci: cleanup log path if the container failed to create
* utils: remove unused io related packages
* runtime_vm: use containerd deps for container io directly
* remove the external dependency on the conntrack binary
* go.{mod,sum}: update CDI deps to v0.3.2.
* server: no longer use hardcoded timeouts
* fix builds by passing -buildvcs=false on 386
* test: bump to go 1.18.1
* Disable systemd-mode cgroup detection conditionally
* crio: Fix review issues and make format shell file
* Add bats test to ensure namespaces are cleaned up on pod stop
* pinns: Check calloc return value
* bump to 4.11 image
* crio: Fix code style
* crio: implement extended interface for pause/unpause container
* seccomp: drop unshare syscall from default profile
* Retry to set CPU load balancing before return the error
* build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.1.0
* Fix integration tests
* Switch to registry.k8s.io for the sandbox Image:
* Change the mcs order in selinux.bats to test the canonization of selinux label
* Canonize selinux label for comparison with filesystem label
* oci: fix segfault in pod stop code
* capabilities: drop inheritable
* Bump ocicni to v0.3.0
* Switch to ginkgo/v2
* Add bats test for infra_ctr_cpuset taskset
* Add bats test for zombie conmon cleanup
* Update golangci-lint and config
* Bump golang to 1.18.x
* pinns: Pass sysctls as repeated '-s' arguments
* Fix shell format
* README: Update EOL & Version Skew links
* config/sysctl: fail if there is a + in the value
* Fix critest
* Enable `--seccomp-use-default-when-empty` by default
* test: update to new runc behavior
* Automatically chcon and restorecon on get script
* Pin `github.com/u-root/u-root`
* Switch to `main` for `get` script
* Bump nixpkgs
* Pin nixos/nix version
* test: allow state of failing tests to be kept intact.
* factory: take capabilities setup
* Add dedicated security information
* test/crio-wipe.bats: don't nuke $TESTDIR too early.
* test/cgroups.bats: fix incorrect setup order.
* test/cdi.bat: add CDI integration tests.
* config,cli: add configuration for CDI.
* pkg/container: implement CDI device injection.
* go.{mod,sum}: update deps, vendor.
* contrib/test: force BATS symlink in place.
* contrib/test: always install BATS for integration.
* openshift e2e: bump cri-o version
* bump to 1.24.0
* test: avoid concurrent crictl config writes.
* server: stop deleting pod from idIndex if already gone
* CI: use kubernetes from git tip
* test/e2e: update skipped test list
* contrib/test/int/build/kubernetes: rm deprecated RunAsGroup
* server: use syncfs instead of fsync
* config/sysctls: validate against invalid spaces
* [gitpod] use latest workspace full
* hack/build-rpms.sh: fix yum-builddep failures
* ci: bump shellcheck to 0.8.0
* test/apparmor: suppress bogus SC2031/2031
* test/cni_plugin_helper: suppress shellcheck warning
* test/test_runner: rm eval, fix comment
* OWNERS: move rhatdan to emeritus approvers
* OWNERS: move runcom to emeritus approvers
* utils: Sync: use f.Sync
* Deny empty `localhost/` AppArmor profiles
* OWNERS: add first round of reviewers
* OWNERS: Move @sboeuf to emeritus approver
* int/storage: getReferences: fix gocritic warning
* server: fix (rather than ignore) gocritic warning
* server/streaming: specify the linter
* ci: bump golangci-lint to 1.44.0
* scripts/release-notes: fix printf args
* scripts: fix a typo
* int/version: fix forcetypeassert linter warning
* server/container_create_linux: fix forcetypeassert warning
* utils: fix forcetypeassert linter warnings
* server/streaming: fix nolintlint warning
* int/storage: fix gosimple warning
* int/config/cgmgr: fix stylecheck warnings
* Format code using gofumpt 0.2.1
* Makefile: fix a comment
* test/crio-wipe: fixups
* ISSUE_TEMPLATE: fix grammatical error
* OWNERS: move @sameo to emeritus_approvers
* ISSUE_TEMPLATES: update membership form to be reviewer form
* ISSUE_TEMPLATES: add a couple of more
* image: use imageCache value for ImageStatus()
* contrib/bundle: remove deprecated kubelet option.
* minor edit: removed dead link from TOC
* oci: drop WaitContainerStateStopped
* oci: fix a leaked goroutine
* internal/factory/container: initialize from pkg/container
* internal/factory/sandbox: initialize from pkg/sandbox
* README: update branches
* Updated format
* Generate checksum files for artifacts
* test: add test for skipped sysctls
* server: skip sysctls that would affect the host
* deep copy List{PodSandbox,Container} structs
* GOVERNANCE: fix links
* oci: always have conmon log to syslog
* README: add reference to governance
* add GOVERNANCE.md
* issue templates: add membership request form
* Add Debian_11 OS variable on installation instructions of Debian Signed-off-by: Wang Kai
* criocli: produce diff-friendlier zsh completions.
* ci: use main branch for conmon
* server: fix race with kubelet
* Fix runtime panic on pod sandbox stats retrieval
* update go to 1.17 in go.mod
* Reuse createContainerIO in CreateContainer
* Fix vm containers couldn't restore after CRI-O restart
* ci: use main version of runc
* openshift e2e: bump ci image
* server: fix a potential NULL-pointer dereference.
* Documentation: expand on CNI CIDRs in the kubeadm tutorial
* test: update tests for allowed_devices
* config: add AllowedDevices option
* pass the main mount point to fix crypto profiles binding
* Add Nestybox to the CRI-O adopters list.
* server: drop duplicate log message
* pkg/container: fix container device GID fallback.
* bump crio commit for upstream k8s CI
* adds config template linting
* adds comments to default values
* server: don't set memory swap when it's not enabled
* Inherits storage configurations from storage.conf if crio config does not set
* use cmdrunner singleton
* conmonmgr: refactor for new CommandRunner
* cmdrunner: update mocks and add target to makefile
* config: prepend commands with taskset if InfraCtrCPUSet is configured
* cmdrunner: add tests for prepended commands
* cmdrunner: create singleton
* Use timeout for conmon cgroup move
* build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0
* Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels
* test: add test ensuring a stopped pod is restored
* sandbox stop: remove namespaces
* restore: handle removed namespaces
* Partially revert "restore: restore stop before managing namespace"
* restore: ensure containers are wiped on reboot
* build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
* build(deps): bump github.com/opencontainers/runc from 1.0.2 to 1.0.3
* vendor: bump c/image to 5.17.0
* pinns: Add LDFLAGS to Makefile
* Packaging: unpin go version to BuildRequires: golang(API) >= 1.17
* Wed Mar 16 2022 rbrown@suse.com - Update to version 1.23.2:
* config/sysctl: fail if there is a + in the value
* Revert "config/sysctl: fail if there is a + in the value"
* bump to version 1.23.2
* config/sysctl: fail if there is a + in the value
* config/sysctls: validate against invalid spaces
* server: stop deleting pod from idIndex if already gone
* [1.23] ci: use kubernetes 1.23, cri-tools 1.23
* contrib/test/int/build/kubernetes: rm deprecated RunAsGroup
* hack/build-rpms.sh: fix yum-builddep failures
* image: use imageCache value for ImageStatus()
* oci: fix a leaked goroutine
* Reuse createContainerIO in CreateContainer
* Fix vm containers couldn't restore after CRI-O restart
* release-notes: add args for checksum fields
* Updated format
* Generate checksum files for artifacts
* bump to v1.23.1
* test: add test for skipped sysctls
* server: skip sysctls that would affect the host
* server: don't set memory swap when it's not enabled
* deep copy List{PodSandbox,Container} structs
* ci: use main branch for conmon
* server: fix race with kubelet
* Fix runtime panic on pod sandbox stats retrieval
* ci: use main version of runc
* openshift e2e: bump ci image
* server: fix a potential NULL-pointer dereference.
* pass the main mount point to fix crypto profiles binding
* test: update tests for allowed_devices
* config: add AllowedDevices option
* server: drop duplicate log message
* test: add test ensuring a stopped pod is restored
* sandbox stop: remove namespaces
* restore: handle removed namespaces
* Partially revert "restore: restore stop before managing namespace"
* restore: ensure containers are wiped on reboot
* use cmdrunner singleton
* conmonmgr: refactor for new CommandRunner
* cmdrunner: update mocks and add target to makefile
* config: prepend commands with taskset if InfraCtrCPUSet is configured
* cmdrunner: add tests for prepended commands
* cmdrunner: create singleton
* Use timeout for conmon cgroup move
* Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels
* vendor: bump c/image to 5.17.0
* Add new metrics that match Prometheus best practices and reduce cardinality
* add metrics with new names that match naming best practices
* use _total for all counters
* use base unit seconds, bytes
* metrics that do not follow best practices have been marked deprecated, these can be removed in a future release, it is to ensure non-breaking change for couple of releases
* unit test: fix relative log test
* unit tests: update pinns path in case it isn't found in PATH
* test: skip target tests for userns
* test: add test for target namespace
* add support for target PID namespaces
* test: give testunit sudo
* oci: add managed pidns to container object
* pkg/container: take container namespace configuration
* nsmgrtest: take some namespace related test code
* nsmgr: add function to pin existing namespace
* nsmgr: take (and rename) NamespacePathFromProc
* pkg/sandbox: take config initialization
* Bump Kubernetes to v1.23.0
* set user.max_user_namespaces in case it's not
* lint: bump cyclo complexity
* gh-actions/contrib: setup sub{g,u}id
* docs: add tutorial for setting up user namespaces
* oci: put conmon in infra ctr cpuset if it is in the pod cgroup
* test: add tests for user namespace annotations
* test: move workload creation function to helpers
* cni manager: catch server shutdown
* server: notify user when network isn't ready yet
* stop using hardcoded "pod" const
* oci: always reap conmon zombies
* clarify some error messages
* Drop intermediate CRI types
* Relabel containerenv files
* Add minimum_mappable_(u|g)id settings
* Fix runtime panic on stats server shutdown
* restore: restore stop before managing namespace
* server: add {,List}SandboxStats
* server: refactor sandbox list
* server: use stats server to get container stats
* container server: use stats server
* stats: add stats server
* config: add StatsCollectionPeriod field
* cgmgr: move most of stats handling to cgmgr
* oci: make changes in preparation for moving stats functionality:
* server: stub {List,}PodSandboxStats
* server/cri: add PodSandboxStats support
* vendor: bump cri-api
* server/cri: refactor to make stats processing unified
* pkg/config: use iota
* Add go 1.17+ go:build tags
* Remove redundant build tags
* Add containerenv file to containers. This file indicates that the current environment is inside a container environment. The same technique is used by podman and docker. The same file name/path as podman was used, as it is vendor agnostic.
* build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8
* config: merge runtime and workload allowed annotations
* Updates kubeadm.md: The cgroup property is removed in [kubeadm-config.v1beta3](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/)
* build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
* Specify runtime table format in the error message
* build(deps): bump github.com/containerd/ttrpc from 1.0.2 to 1.1.0
* server: fix segfault when using cgroupv2
* gh-actions: add sed for kube e2e
* release-notes: update to main
* build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0
* build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
* Bug 2012838: fix override storage options from storage.conf
* oci: fix deadlock in container stop code
* build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0
* oci: always close chControl
* oci: make some channels buffered
* build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
* build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
* build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
* Add annotation that makes /sys/fs/cgroup writable
* Add support for CNI plugins v1.0.1
* bump(deps-opentelemetry)
* pin go.opentelemetry grpc/otelgrpc v0.25.0
* opentelemetry: add gRPC tracing
* build(deps): bump k8s.io/klog/v2 from 2.20.0 to 2.30.0
* build(deps): bump github.com/go-logr/logr from 1.1.0 to 1.2.0
* version: bump to 1.23.0
* build(deps): bump github.com/containers/podman/v3 from 3.3.1 to 3.4.1
* build(deps): bump github.com/containers/common from 0.43.2 to 0.46.0
* test: drop swap disable playbook
* server: add support for CRI unified field
* server: implement swap support
* server/cri: add support for 1.22 features
* test: bump cri-tools version
* scripts: pin cri-tools version
* server: reduce needless copying for sb.NamespaceOptions
* oci: refactor internal structure to use CRI type
* oci: use server CRI metadata type for containers
* sandbox: refactor internal structure to use CRI type
* sandbox: save createdAt as a int64
* build(deps): bump github.com/containerd/cgroups from 1.0.1 to 1.0.2
* build(deps): bump github.com/creack/pty from 1.1.16 to 1.1.17
* build(deps): bump github.com/Microsoft/go-winio from 0.5.0 to 0.5.1
* Bump Kubernetes to v1.22.2
* sandbox: use server CRI metadata type
* docs: emphasize deprecation notice
* update documentation for workloads
* add allowed annotations to workloads
* Log HTTP response writer message instead an error
* oci: use c/common signal parsing function
* Skip volume relabel for super privileged containers
* oci: chown stdin pipe to user in the container
* test: fix selinux test failures
* build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5
* Fix runtime handler docs
* build(deps): bump github.com/containers/image/v5 from 5.15.2 to 5.16.1
* scripts: fix release branch forward script
* server: FilterDisallowedAnnotations of containers earlier
* server: conditionally relabel volumes given annotation
* build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0
* test: refactor allowed_annotation tests
* server: reduce args in addOCIBindMounts
* build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
* test: add label for openshift e2e in dockerfile
* build(deps): bump github.com/containerd/containerd from 1.5.5 to 1.5.7
* test: skip certificate check for downloading parallel
* Remove usage of deprecated apt-key in Ubuntu install
* Fix install.md links
* build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0
* use a more appropriate console with code block
* build(deps): bump k8s.io/api from 0.22.1 to 0.22.2
* build(deps): bump k8s.io/cri-api from 0.22.1 to 0.22.2
* build(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0
* build(deps): bump github.com/creack/pty from 1.1.15 to 1.1.16
* build(deps): bump k8s.io/apimachinery from 0.22.1 to 0.22.2
* fix node e2e
* build(deps): bump github.com/intel/goresctrl from 0.1.0 to 0.2.0
* bump crio commit used by node e2e installer
* server: mount cgroup if hostNetwork
* server: use container level host network setting
* server: don't recalculate hostnet
* Fix typo in install.md
* Remove one of the explanations for `bind_mount_prefix` because it is duplicated.
* node e2e: keep infra container
* add unit test for the `server/sandbox_remove`.
* test: fix journald test for new conmon
* fix shfmt
* update `install.md` for debian and ubuntu
* build(deps): bump github.com/json-iterator/go from 1.1.11 to 1.1.12
* build(deps): bump k8s.io/client-go from 0.22.1 to 0.22.2
* fix shfmt
* server: set spec when dropping infra
* Update 'master' branch links to 'main'
* bumps pause image to 3.6
* server: don't wait forever on conmon cgroup move fail
* build(deps): bump github.com/containers/storage from 1.34.1 to 1.36.0
* Remove bashism in sh script
* Do not log if Intel RDT is not supported
* build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5
* Fix cluster.yaml for kubectl create
* call cmd.Wait() in all cases we call Start()
* oci: call wait on conmon if cgroup move fails
* build(deps): bump github.com/go-logr/logr from 1.0.0 to 1.1.0
* Fix `crio_image_pulls_layer_size_` metrics docs
* Adapt to klog incompatible changes
* build(deps): bump k8s.io/klog/v2 from 2.10.0 to 2.20.0
* Add `--profile-cpu` and `--profile-mem` options
* build(deps): bump github.com/containers/podman/v3 from 3.3.0 to 3.3.1
* server: remove ineffective `updateLock`.
* Fix missing quantile in `latency_microseconds_total` metrics
* Update crio commit for node e2e
* build(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1
* Bump runc binary to 1.0.2
* Switch to go1.17 for CI
* fix debian 10 build doc
* test/testdata/sandbox_config.json: fix the dns_config
* adds updating instructions to install.md
* Thu Sep 02 2021 alexandre.vicenzi@suse.com - Update to version 1.22.0:
Dependency-Change
* Update runc within static binary bundle to v1.0.1
* Update static binary bundle runc version to v1.0.0-rc94.
* Update static binary bundle runc version to v1.0.0-rc95.
* Updated crun in static binary bundle to v0.20.1
Deprecation
* The internal_wipe option is now true by default. Further, it is being deprecated, and will be unconditionally true in the future.
API Change
* Update how the resources for a workload is specified. Now, to override a workload, the pod must have the annotation $prefix/$ctr_name = {"$resource_type": "$resource_value"}. The workloads feature has also been marked as experimental, which should have happened from the beginning.
Feature
* Added --metrics-collectors/metrics_collectors configuration to enable or disable certain metrics.
* All metrics collectors are enabled per default.
* Added crio_image_pulls_layer_size histogram metric to get insights about all pulled layer sizes.
* Added build tags as well as AppArmor and seccomp status to crio version output.
* Added generation of self-signed certificates for the secure metrics endpoint if the provided cert and key paths are not available on disk.
* Added secure metrics endpoint configuration options
* Added structural logging of container ID, sandbox ID and process ID on container start.
* Automatically reload metrics TLS certificate and key if any of those specified files change.
* CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for.
* Changed the logging behavior of klog messages to be included in the CRI-O logs.
* The klog info verbosity is converted to CRI-O debug to lower the log verbosity.
* Cri-o now does not limit the DNS search paths.
* Enable the "volatile" option for the overlay drivers when it is supported by the underlying kernel.
* Rootless: enable resource limit when cgroup v2 controllers are delegated.
* Support io.kubernetes.cri.blockio-class container annotation for specifying blockio class.
* Support blockio.resources.beta.kubernetes.io/pod pod annotation for specifying the default blockio class to all containers in the pod.
* Support blockio.resources.beta.kubernetes.io/container.NAME pod annotation for specifying the blockio class of the NAME container in the pod.
* Add blockio_config_file config file option (and corresponding --blockio-config-file for command line) for configuring blockio classes and their cgroups blockio controller parameters.
* Support io.kubernetes.cri.rdt-class container annotation for specifying RDT class.
* Add rdt_config_file config file option (and corresponding --rdt-config-file for command line) for configuring the resctrl pseudo-filesystem.
* The config field drop_infra_ctr is now true by default
* The runtime_config_path option, which allows to specify the path of the runtime configuration file, is now supported by CRI-O. This is specific to the VM runtime type.
* Validate certificate dates for TLS metrics endpoint
Design
* Drop support for the crio.shutdown.
* ExecSync requests now don't use conmon, instead calling the runtime directly, which reduces overhead.
Bug or Regression
* Add support for absent_mount_sources_to_reject, which allows admins to configure paths that, when mounted into a container despite not existing on the host, causes a container creation request to fail. This is useful for paths like /etc/hostname, which causes trouble as a directory, but possibly shouldn't be created as a file either (in the case of a dynamic hostname).
* Add symlink /proc/mounts on /etc/mtab to container
* Add the config field internal_wipe which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary crio wipe to the main crio server. This has a handful of advantages, the main one being crio is now better able to cleanup CNI resources after a reboot.
* Allow users to customize conmon's resources if a pod is in a workload.
* CRI-O now logs when it is using cgroupv2
* Fix a bug in internal_wipe that would mean CNI resources would be leaked across reboots.
* Fix a bug where CRI-O can't work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities
* Fix a bug where CRI-O would leak opened files for namespaces on a server restore
* Fix a bug where crio config would print a string for privileged_without_host_devices, not a boolean
* Fix a bug where a container exec process received a little less time than the timeout provided
* Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process
* Fix a bug where cAdvisor couldn't read the disk usage of a pod with a dropped infra container
* Fix a bug where duplicate requests would stall even if the pod or container was already created
* Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot.
* Fix a performance regression with exec probes
* Fix a segfault when CRI-O takes more than 8 minutes to create a pod or container
* Fix an RSS regression with exec sync requests
* Fix an issue where a container started with a terminal fails on exec sync calls
* Fix drop ALL and add back few caps behavior to not include the default configured capabilities
* Fix potential panic when reopening a container's log
* Fixed bug where it was not possible to run containers using the default or no seccomp profile on seccomp disabled builds/machines
* Fixed bug where runtime VM created containers never reach their completed state.
* Fixed linkmode detection for on en_US systems crio version
* Fixed runtime panic for layers lockfile if its parent directory does not exist.
* Added support for repositories in auth.json
* Re-attempt setting up conmon\'s cgroup if it fails on EAGAIN from dbus
* Reduce the permission on the listen socket to 0660
* Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily
* The privileged_without_host_devices flag can now be given an additional parameter to configure a runtime
* Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster
Other (Cleanup or Flake)
* Add systemd After=crio.service to containers and conmon
* Switched build artifacts to be published via the cri-o bucket.
* Use build tag for linkmode detection on crio version.
Uncategorized
* Add Particule as adopters
* Add --device-ownership-from-security-context which allows an admin to specify devices be configured to be owned by the container user and group, rather than unconditionally being root.
* Added internal/process/defunct_processes.go and crio_processes_defunct metric to collect the total number of defunct/zombie processes in a node.
* Raise a warning when creating a bind mount on the container root
* Fri Aug 20 2021 Bernhard Wiedemann - build with go 1.16 for reproducible binaries (boo#1102408)
* Fri Jul 23 2021 alexandre.vicenzi@suse.com - Update to version 1.21.2:
* oci: be more precise about channels and routines
* oci: wait for runtime to write pidfile before starting timer
* oci: refactor fsnotify usage
* vendor: add notify package
* version: bump to v1.21.2
* server: use cnimgr to wait for cni plugin ready before creating a pod
* server: use cnimgr for runtime status
* config: add cnimgr
* Introduce cnimgr
* server: prevent segfault by not using a potentially nil sandbox
* network: pass pod UID to ocicni when performing network operations
* vendor: bump ocicni to 4ea5fb8752cfe
* Bump c/storage to v1.32.3
* oci: kill runtime process on exec if exec pid isn't written yet
* oci: don't pre-create pid file
* dbus: update retryondisconnect to handle eagain too
* simplify checking for dbus error
* utils: close dbus conn channel
* dbusmgr: protect against races in NewDbusConnManager
* cgmgr: reuse dbus connection
* cgmgr: create systemd manager constructor
* try again on EAGAIN from dbus
* test: fix cgroupfs workload tests
* Disable short name mode
* workloads: don't set conmon cpuset if systemd doesn't support AllowedCPUs
* test: add test for conmon in workloads
* workloads: setup on conmon cgroup
* Bump runc to get public RangeToBits function
* server: export InfraName and drop references to leaky
* storage: succeed in DeleteContainer if container is unknown
* bump to v1.21.1
* Fix CI
* oci: drop internal ExecSync structs
* oci: do not use conmon for exec sync
* bump c/storage to 1.31.1
* bump runc to 1.0.0-rc94
* Fix unit tests
* Add support to drop ALL and add back few capabilities
* server: call CNI del in separate routine in restore
* server: reduce log verbosity on restore
* reduce listen socket permissions to 0660
* test: adapt crio wipe tests to handle new behavior
* ignore storage.ErrNotAContainer
* move internal wipe to only wipe images
* server: properly remove sandbox network on failed restore
* runtimeVM: Use internal context to ensure goroutines are stopped
* Fix go.sum
* sandbox remove: unmount shm before removing infra container
* use more ContainerServer.StopContainer
* sandbox: fix race with cleanup
* server: don't unconditionally fail on sandbox cleanup
* server: group namespace cleanup with network stop
* resourcestore: run cleanup in parallel
* test: add test for delayed cleanup of network on restart
* InternalWipe: retry on failures
* server: get hooks after we've checked if a sandbox is already stopped
* server: move newPodNetwork to a more logical place
* Add resource cleaner retry functionality
* test: add test for internal_wipe
* server: add support for internal_wipe
* crio wipe: add support for internal_wipe
* config: add InternalWipe
* server: breakup stop/remove all functions with internal helpers
* storage: remove RemovePodSandbox function
* server: reuse container removal code for infra
* Cleanup pod network on sandbox removal
* test: add test for absent_mount_sources_to_reject
* server: add support for absent_mount_sources_to_reject
* config: add absent_mount_sources_to_reject option
* server: use background context for network stop
* resource store: prevent segfault on cleanup step
* Pin gocapability to v0.0.0-20180916011248-d98352740cb2
* config: fix type of privileged_without_host_devices
* Fix podman name in README
* Fix RuntimeDefault seccomp behavior if disabled
* Add After=crio.service dependency to containers and conmon
* Use extra context for runtime VM
* workloads: move to more concrete type
* workloads: update how overrides are specified
* main: still rely on logrus (rather than using the internal log)
* container server: fix silly typo
* nsmgr: remove duplicate IsNSOrErr call
* nsmgr: fix some leaks with GetNamespace
* bump to containers/image 5.11.1
* Bug 1942608: do not list the image with error locating manifest
* runtimeVM: Calculate the WorkingSetBytes stats
* runtimeVM: Use containerd/cgroups for metrics
* runtimeVM: Move metricsToCtrStats() around
* runtimeVM: Vendor typeurl instead of maintain our own copy
* Thu Apr 15 2021 alexandre.vicenziAATTsuse.com - Update to version 1.21.0:
* bump to v1.21.0
* config: drop registries field as it is no longer supported
* Revert "test: drop unneeded sed statement"
* WIP: add debug print
* test: drop unneeded sed statement
* config: fix template insecure_registries field
* config: drop commented config lines
* build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0
* Bump OpenShift CI cri-tools version and fix build path
* build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
* Bump cri-tools to v1.21.0
* Update Kubernetes to v1.21.0
* Add container out of memory metrics
* [CLI] "crio config" only prints the fields that are different than the default.
* Set short name mode to permissive
* docs-validation: update to handle workloads
* Fix unnecessary conversion lint report
* add tests for workloads
* integrate with server
* config: update workloads structure
* Clarify release cadence and version skew
* Add correct start time to initial log output
* Add support for workload settings
* refactor handling of allowed_annotations
* Do not push main binary into cachix cache
* resourcestore: introduce ResourceCleaner
* Use internal logging when context available
* build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
* server: remove dead code
* sandbox: use defined CRI type for NamespaceOption
* config: remove dead code
* oci: remove dead code
* lib: remove dead code
* build(deps): bump github.com/containers/podman/v3
* build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5
* update pause image to 3.5 for non-root
* build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5
* build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1
* build(deps): bump github.com/containers/buildah from 1.19.8 to 1.20.0
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4
* build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5
* build(deps): bump github.com/containers/podman/v3
* build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5
* crio-wipe: only clear storage if CleanShutdownFile is supported
* Add static bundle node e2e tests to GitHub actions
* Reload the main config file when reloading configs
* crio wipe: only completely wipe storage after a reboot
* Bump static binary dependency versions
* Add dependabot config file
* runtimeVM: Fix shimv2 binary name construction
* config,runtimeVM: Improve runtime_path validation
* oci_test: Add basic coverage to "RuntimeType()"
* oci_test: Add basic coverage to "privileged_without_host_devices"
* oci_test: Leave invalidRuntime on its own line
* tweak scope dependencies
* Do not return `` placeholders for images any more
* Fix invalid libcontainer GetExecUser call
* Update dependencies
* config: Don't fail if the non default runtime doesn't pass validation
* Remove check for CI env variable for release-notes and dependencies
* cgmgr: add CreateSandboxCgroup method
* inspect: send container PID for dropped infra sandbox
* oci: specify sbox id when creating spoofed container
* Run GitHub actions on release branches
* Update bats to v1.3.0 (#4661)
* use happy-eyeballs for port-forwarding
* fix mock issues
* fix lint issues
* install: drop support matrix and update instructions
* do not store context in runtime vm
* Fix lint GitHub action
* pkg/container: take process args
* Use and publish version marker for CRI-O
* Add GitHub API pages support to `get` script
* add libbtrfs-dev to unit tests
* Revert "server: use IsAlive() more"
* Fix GitHub actions cache key
* Bug 1881694: Add pull source as info level log
* test: use latest conmon
* runtime_vm: Create the global fifo inside the runtime root path
* stats: fix log spam
* Support CRI seccomp security profiles
* oci: add unit tests for stop timeouts
* oci: don't update stop timeout if it's earlier than old one
* oci: update timeout even if we're ignoring kill
* oci: don't wait too long on a long stop
* oci: check process is still around with kill
* Add integration test for started/finished container time
* fix: Don't set `image-endpoint` in crictl config
* feat: Add CLI option to set registries.conf.d path
* Add allowed io.containers.trace-syscall annotation to static bundle
* Make `get` script independent from `make`
* test: correct the env variable for dropping the infra container
* Add metric to grab latency of individual cri calls
* Fix `get` script commit SHA retrieval
* Add arm64 static build to GitHub actions
* Fix GitHub actions workflow syntax
* Updates yq commands for yq v4
* gh-actions: also run on release branches
* pkg/sandbox: add InitInfraContainer endpoint
* test: reconfigure how runtimes are passed in
* test: add runtime() function
* sandbox/container: drop context
* test: drop workaround for crun
* pkg/sandbox: cleanup unused funcs/files
* fix doc log_level adding trace option
* Fix oci container update config
* Update e2e-aws logic for 4.8
* nsmgr: take Initalize method
* Switch to go 1.16 for GitHub actions and remove scripts/build-test-image
* config: remove and create the correct dir
* Update nix pin with `make nixpkgs`
* server: mount cgroup with rslave
* crio wipe: ensure a clean shutdown
* Move integration tests to GitHub actions
* Run release-notes GitHub action after dependencies
* Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0.
* config/node: refactor checking for CollectMode
* Fix GitHub actions checkout permissions
* change binary version to 1.21.0-dev
* Set conmon scope KillSignal to SIGPIPE
* Move repo modification jobs to GitHub actions
* bump protobuf to 1.3.2
* Log container stop timeout
* ResourceStore: add close method
* Allow seccomp hook tracing for separate containers
* ResourceStore: extend tests to test WatcherForResource
* ResourceStore: update tests to all run
* ResourceStore: update docs for WatcherForResource
* ResourceStore: don't segfault
* server: support setting raw unified cgroupv2 settings
* vendor: update runtime-specs
* cgroup: implement fix for swap memcg on cgroup v2
* server: leave swap mem limit unset if not supported
* test: skip ServiceAccountIssuerDiscovery test
* hostport manager clean up host ports
* allows stream timeout to be set from config
* config: pre-create pinns directories
* Bump containers image to v5.10.1
* Move unit tests to GitHub actions
* Move go1.14 and 386 builds to GitHub actions
* set kubelet node IP
* Fix validate-completions GitHub action
* Add integration test for pprof over unix socket
* Add a flag for enabling profile over unix socket
* Lookup echo command for unit tests
* Move static build to GitHub actions
* pinns: Fixup 'pwarn' output to match 'pwarnf' output
* pinns: Don't put errno in the exit message for argument checks
* nsmgr: use host option
* nsmgr: Use config struct for NewPodNamespaces
* pinns: support pinning host ns
* Remove implicit GitHub action `name` fields
* Move docs and completions validation to GitHub actions
* Bump golangci-lint to v1.35.2
* Make config tests work rootless
* Make rootless namespace unit test execution work
* config: fix template to show infra_ctr_cpus option
* Do not log file path on ioutil.ReadFile
* fixes version_test.go
* Close the stdin/tty on server start to avoid shortname prompts
* docs: fix http link
* docs: update kubeadm tutorial
* Fix `make lint`
* Return runtime API version based on protocol
* Update compatibility matrix to mention v1.20
* add method comment
* restore irqbalance config only on system restart
* add blurb in doc and more informative name for unit tests
* add is-enabled check for irqbalance service
* fix unit tests
* add unit tests
* fix bash/zsh completions
* fix the docs validation
* handle irqbalance service
* runtime_vm: set finished time when containers stop
* nsmgr: fix/add calls to GetNamespace
* managed namespaces: move to dedicated package
* Provide integration test for infra-ctr-cpuset feature
* Set CPUs for the infra containers during the creation
* Add shell completion for infra-containers-cpu flag
* Add new infra-containers-cpus to the CLI and config file
* refine `registries` deprecation message
* Circle CI: install test/registries.conf
* crio.8.md: runroot defaults to /run/containers/storage
* support short-name aliases
* pull: do check for blocked registries
* config: deprecate registries
* Rollback gocapability vendor bump
* vendor: bump containers/storage to v1.24.4
* Update nix pin with `make nixpkgs`
* contrib/test/int: add Kata Containers runtime support
* contrib/test/int: enforce linking in parallel build process
* contrib/test/int: build parallel from sources in CentOS
* contrib/test/int: allow to skip user namespace testing
* contrib/test/int: allow to configure test timeout
* Capitalize Kubernetes
* modify the error url of podctl
* Add Digital Science to adopters
* crio.service: Request to be run before kubelet.service
* pinns: make binary not always static
* server: use IsAlive() more
* Support CRI v1 and v1alpha2 at the same time
* drop support for ManageNSLifecycle
* test/timeout.bats: increase timeout to fix flakes
* release-notes: fix flags
* test/timeout.bats: fix comments
* int/resourcestore: fix comment about Put
* test/image.bats: simplify some loops
* test/helpers.bats: simplify cleanup_
*
* contrib/test/int: rm node-e2e test
* contrib/test/int: fix iptables rule
* critest: add unix:// prefix
* critest.yml: don't skip test on RHEL
* test: add timeout.bats
* bump network creation timeout to 5 minutes
* resourcecache: add watcher idiom
* server: use ResourceCache instead of dropping progress
* Add unit tests for ResourceCache
* Introduce ResourceCache
* moves shmsize to a handler allowed annotation
* image pull: close progress chan
* test/ctr.bats: fix a "ctr execsync" flake
* Fix the functions' name in completions
* make: drop link to crio.service
* test: rm "run ctr with image with Config.Volumes"
* test: add no-pull-on-run=true
* test/devices.bats: fix "additional device permissions" case
* test/devices.bats: rm unneeded run
* test/devices.bats: skip earlier
* Bandwidth CNI plugin reserved an upper limit on burst, in which banned include boundary. See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113
- Drop config-fix-tz.patch as upstream dependency was patched
* Fri Apr 09 2021 alexandre.vicenziAATTsuse.com - Update to version 1.20.2:
* bump to latest c/storage 1.24 branch
* Remove check for CI env variable for release-notes and dependencies
* fix lint
* test: pin cri-tools to 1.20
* bump to v1.20.2
* Run GitHub actions on release branches
* Pin gocapability to v0.0.0-20180916011248-d98352740cb2
* [PATCH 9/9] add method comment
* [PATCH 8/9] restore irqbalance config only on system restart
- Add vendor.tar.gz to avoid dependency downloads
- Add config-fix-tz.patch to fix crio validation error while building
* Fri Jan 08 2021 rbrownAATTsuse.com - Update to version 1.19.1:
* bump to v1.19.1
* don't do unnecessary iptables restore
* switch CRI-O to use its own hostport manager
* dual-stack host port manager
* fix upstream hostport manager
* Add README to hostport folder
* fork hostport kubernetes code
* [1.19] vendor: bump containers/storage to v1.20.5
* runtime_vm: Ensure closeIOChan is not nil inside CloseStdin's function
* runtime: parse oom file for VM type runtimes
* runtime_vm: Ignore ttrpc.ErrClosed when removing a container
* runtime_vm: StopContainers() should not fail when the VM is shutdown
* runtime_vm: Don't let wait() return ttrpc.ErrClosed
* runtime_vm: Fix updateContainerStatus() logic
* runtime_vm: set Pid and InitPid for VM runtimes
* internal/config/node: add checkFsMayDetachMounts
* Fix bogus CI test failures
* test/config: fix shellcheck warning
* test/config: fix "config dir should fail with invalid option"
* server: cleanup container in runtime after failed creation
 