Changelog for cri-o-1.24.3-2.4.x86_64.rpm :
* Thu Aug 31 2023 Priyanka Saggu
- (bsc#1214406) update `kubelet.env`:
  * to remove the following deprecated/obsolete flags:
    * `--container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --runtime-request-timeout=15m`
  * to add new flag -> `--fail-swap-on=false`

* Mon Dec 19 2022 rbrown@suse.com
- Update to version 1.24.3:
  * version: bump to 1.24.3
  * set add_inheritable_capabilities to true by default
  * use AddInheritableCapabilities
  * config: add field AddInheritableCapabilities
  * resourcestore: add test for stages
  * server: update stages according to progress with resource creation
  * resource store: return stage when a watcher is requested
  * resource store: introduce stages
  * build(deps): bump golangci/golangci-lint-action from 2 to 3
  * Fix nginx based integration tests
  * Revert "capabilities: drop inheritable"
  * [1.24] vendor: bump containers/storage to v1.37.2
  * Adding annotations for image and sandbox name.
  * migrate image_list to quay.io
  * server: handle exit files asynchronously
  * server: remove exit file in exit monitor
  * server: cleanup exit monitor function
  * oci: take opLock for UpdateContainer
  * version: bump to v1.24.2
  * remove succinct option to fix jenkins
  * Use a default umask of `0o022`
  * Fix unit test coverage
  * Fix release-notes tag determination
  * Upload release notes for each tag
  * Fix container status for HostToContainer propagation
  * bump ocicni to 0.4.0
  * Fix unit tests
  * test: set cri stats more idiomatically
  * utils/RunUnderSystemdScope: fix wrt channel deadlock
  * oci: kill children of container if it is in the host pid namespace

* Mon Jul 25 2022 jkowalczyk@suse.com
- Update to version 1.24.1: CVE-2022-1708
  * boo#1200285 CVE-2022-1708
  * bump to v1.24.1
  * conmonmgr: query help text to see if it supports log-global-size-max
  * add support for conmon log-global-size-max
  * oci: cap exec sync length
  * Fix review issues
  * Fix it case failed
  * Fix review issues
  * Add integration test for remove paused ctr
  * 1. When in paused state, stop container should unpause it 2. We should treat paused state as running, or kubelet will delete it and restart one
  * fix review issues
  * Try to force delete ctr when in paused state
  * vendor: bump crypto package

* Thu May 19 2022 Jeff Kowalczyk
- Update BuildRequires: golang(API) >= 1.18
  * Dependency Go module capnproto.org/go/capnp/v3 requires Go 1.18

* Thu May 19 2022 jkowalczyk@suse.com
- Update to version 1.24.0:
  * oci: Move exec probe process to container cgroup, if enabled
  * config: Add monitor_exec_cgroup config option
  * Reenable pod runtime in package spec
  * dependencies: Upversion conmon dependency to v2.0.27
  * Sanitize conmonrs log level and print used version
  * Wrap runtime pod errors
  * openshift test: use go 1.18
  * openshift test: add skip_pod_runtime to cri-o spec
  * Bump nixpkgs and use go1.18
  * Fix golangci-lint errors
  * add runtime pod
  * vendor conmon-rs
  * oci: add IsInfra method
  * oci: lock for runtime creation
  * test: use go 1.18 for lint
  * Move WillRunSystemd call after iterating the mounts
  * Add sha256sum bundle files to uploaded artifacts
  * crio: fix a bug about log container
  * oci: use runtime handler level monitor fields
  * config: assume default conmon cgroup if it's not specified
  * template: add comment to runtimes table
  * config: replace Conmon specific fields with runtime handler versions
  * main(): don't treat reexec.Init() == true as an error
  * crio: try fix integration test failed, because unpause not on time
  * config: increase pids limit to unlimited and deprecate it and logSizeMax
  * bump ocicni to 0.3.1
  * bump containernetworking cni to 1.1.0
  * crio: unpause ctr after test
  * crio: fix golint check warning
  * fix(stats): incorrect id on zfs driver
  * crio: fix crun it failed
  * crio: update status after pause/unpause container
  * oci: cleanup log path if the container failed to create
  * utils: remove unused io related packages
  * runtime_vm: use containerd deps for container io directly
  * remove the external dependency on the conntrack binary
  * go.{mod,sum}: update CDI deps to v0.3.2.
  * server: no longer use hardcoded timeouts
  * fix builds by passing -buildvcs=false on 386
  * test: bump to go 1.18.1
  * Disable systemd-mode cgroup detection conditionally
  * crio: Fix review issues and make format shell file
  * Add bats test to ensure namespaces are cleaned up on pod stop
  * pinns: Check calloc return value
  * bump to 4.11 image
  * crio: Fix code style
  * crio: implement extended interface for pause/unpause container
  * seccomp: drop unshare syscall from default profile
  * Retry to set CPU load balancing before return the error
  * build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.1.0
  * Fix integration tests
  * Switch to registry.k8s.io for the sandbox Image:
  * Change the mcs order in selinux.bats to test the canonization of selinux label
  * Canonize selinux label for comparison with filesystem label
  * oci: fix segfault in pod stop code
  * capabilities: drop inheritable
  * Bump ocicni to v0.3.0
  * Switch to ginkgo/v2
  * Add bats test for infra_ctr_cpuset taskset
  * Add bats test for zombie conmon cleanup
  * Update golangci-lint and config
  * Bump golang to 1.18.x
  * pinns: Pass sysctls as repeated '-s' arguments
  * Fix shell format
  * README: Update EOL & Version Skew links
  * config/sysctl: fail if there is a + in the value
  * Fix critest
  * Enable `--seccomp-use-default-when-empty` by default
  * test: update to new runc behavior
  * Automatically chcon and restorecon on get script
  * Pin `github.com/u-root/u-root`
  * Switch to `main` for `get` script
  * Bump nixpkgs
  * Pin nixos/nix version
  * test: allow state of failing tests to be kept intact.
  * factory: take capabilities setup
  * Add dedicated security information
  * test/crio-wipe.bats: don't nuke $TESTDIR too early.
  * test/cgroups.bats: fix incorrect setup order.
  * test/cdi.bat: add CDI integration tests.
  * config,cli: add configuration for CDI.
  * pkg/container: implement CDI device injection.
  * go.{mod,sum}: update deps, vendor.
  * contrib/test: force BATS symlink in place.
  * contrib/test: always install BATS for integration.
  * openshift e2e: bump cri-o version
  * bump to 1.24.0
  * test: avoid concurrent crictl config writes.
  * server: stop deleting pod from idIndex if already gone
  * CI: use kubernetes from git tip
  * test/e2e: update skipped test list
  * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup
  * server: use syncfs instead of fsync
  * config/sysctls: validate against invalid spaces
  * [gitpod] use latest workspace full
  * hack/build-rpms.sh: fix yum-builddep failures
  * ci: bump shellcheck to 0.8.0
  * test/apparmor: suppress bogus SC2031/2031
  * test/cni_plugin_helper: suppress shellcheck warning
  * test/test_runner: rm eval, fix comment
  * OWNERS: move rhatdan to emeritus approvers
  * OWNERS: move runcom to emeritus approvers
  * utils: Sync: use f.Sync
  * Deny empty `localhost/` AppArmor profiles
  * OWNERS: add first round of reviewers
  * OWNERS: Move @sboeuf to emeritus approver
  * int/storage: getReferences: fix gocritic warning
  * server: fix (rather than ignore) gocritic warning
  * server/streaming: specify the linter
  * ci: bump golangci-lint to 1.44.0
  * scripts/release-notes: fix printf args
  * scripts: fix a typo
  * int/version: fix forcetypeassert linter warning
  * server/container_create_linux: fix forcetypeassert warning
  * utils: fix forcetypeassert linter warnings
  * server/streaming: fix nolintlint warning
  * int/storage: fix gosimple warning
  * int/config/cgmgr: fix stylecheck warnings
  * Format code using gofumpt 0.2.1
  * Makefile: fix a comment
  * test/crio-wipe: fixups
  * ISSUE_TEMPLATE: fix grammatical error
  * OWNERS: move @sameo to emeritus_approvers
  * ISSUE_TEMPLATES: update membership form to be reviewer form
  * ISSUE_TEMPLATES: add a couple of more
  * image: use imageCache value for ImageStatus()
  * contrib/bundle: remove deprecated kubelet option.
  * minor edit: removed dead link from TOC
  * oci: drop WaitContainerStateStopped
  * oci: fix a leaked goroutine
  * internal/factory/container: initialize from pkg/container
  * internal/factory/sandbox: initialize from pkg/sandbox
  * README: update branches
  * Updated format
  * Generate checksum files for artifacts
  * test: add test for skipped sysctls
  * server: skip sysctls that would affect the host
  * deep copy List{PodSandbox,Container} structs
  * GOVERNANCE: fix links
  * oci: always have conmon log to syslog
  * README: add reference to governance
  * add GOVERNANCE.md
  * issue templates: add membership request form
  * Add Debian_11 OS variable on installation instructions of Debian Signed-off-by: Wang Kai
  * criocli: produce diff-friendlier zsh completions.
  * ci: use main branch for conmon
  * server: fix race with kubelet
  * Fix runtime panic on pod sandbox stats retrieval
  * update go to 1.17 in go.mod
  * Reuse createContainerIO in CreateContainer
  * Fix vm containers couldn't restore after CRI-O restart
  * ci: use main version of runc
  * openshift e2e: bump ci image
  * server: fix a potential NULL-pointer dereference.
  * Documentation: expand on CNI CIDRs in the kubeadm tutorial
  * test: update tests for allowed_devices
  * config: add AllowedDevices option
  * pass the main mount point to fix crypto profiles binding
  * Add Nestybox to the CRI-O adopters list.
  * server: drop duplicate log message
  * pkg/container: fix container device GID fallback.
  * bump crio commit for upstream k8s CI
  * adds config template linting
  * adds comments to default values
  * server: don't set memory swap when it's not enabled
  * Inherits storage configurations from storage.conf if crio config does not set
  * use cmdrunner singleton
  * conmonmgr: refactor for new CommandRunner
  * cmdrunner: update mocks and add target to makefile
  * config: prepend commands with taskset if InfraCtrCPUSet is configured
  * cmdrunner: add tests for prepended commands
  * cmdrunner: create singleton
  * Use timeout for conmon cgroup move
  * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0
  * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels
  * test: add test ensuring a stopped pod is restored
  * sandbox stop: remove namespaces
  * restore: handle removed namespaces
  * Partially revert "restore: restore stop before managing namespace"
  * restore: ensure containers are wiped on reboot
  * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * build(deps): bump github.com/opencontainers/runc from 1.0.2 to 1.0.3
  * vendor: bump c/image to 5.17.0
  * pinns: Add LDFLAGS to Makefile
- Packaging: unpin go version to BuildRequires: golang(API) >= 1.17

* Wed Mar 16 2022 rbrown@suse.com
- Update to version 1.23.2:
  * config/sysctl: fail if there is a + in the value
  * Revert "config/sysctl: fail if there is a + in the value"
  * bump to version 1.23.2
  * config/sysctl: fail if there is a + in the value
  * config/sysctls: validate against invalid spaces
  * server: stop deleting pod from idIndex if already gone
  * [1.23] ci: use kubernetes 1.23, cri-tools 1.23
  * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup
  * hack/build-rpms.sh: fix yum-builddep failures
  * image: use imageCache value for ImageStatus()
  * oci: fix a leaked goroutine
  * Reuse createContainerIO in CreateContainer
  * Fix vm containers couldn't restore after CRI-O restart
  * release-notes: add args for checksum fields
  * Updated format
  * Generate checksum files for artifacts
  * bump to v1.23.1
  * test: add test for skipped sysctls
  * server: skip sysctls that would affect the host
  * server: don't set memory swap when it's not enabled
  * deep copy List{PodSandbox,Container} structs
  * ci: use main branch for conmon
  * server: fix race with kubelet
  * Fix runtime panic on pod sandbox stats retrieval
  * ci: use main version of runc
  * openshift e2e: bump ci image
  * server: fix a potential NULL-pointer dereference.
  * pass the main mount point to fix crypto profiles binding
  * test: update tests for allowed_devices
  * config: add AllowedDevices option
  * server: drop duplicate log message
  * test: add test ensuring a stopped pod is restored
  * sandbox stop: remove namespaces
  * restore: handle removed namespaces
  * Partially revert "restore: restore stop before managing namespace"
  * restore: ensure containers are wiped on reboot
  * use cmdrunner singleton
  * conmonmgr: refactor for new CommandRunner
  * cmdrunner: update mocks and add target to makefile
  * config: prepend commands with taskset if InfraCtrCPUSet is configured
  * cmdrunner: add tests for prepended commands
  * cmdrunner: create singleton
  * Use timeout for conmon cgroup move
  * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels
  * vendor: bump c/image to 5.17.0
  * Add new metrics that match Prometheus best practices and reduce cardinality
  * add metrics with new names that match naming best practices
  * use _total for all counters
  * use base unit seconds, bytes
  * metrics that do not follow best practices have been marked deprecated; these can be removed in a future release. This is to ensure a non-breaking change for a couple of releases
  * unit test: fix relative log test
  * unit tests: update pinns path in case it isn't found in PATH
  * test: skip target tests for userns
  * test: add test for target namespace
  * add support for target PID namespaces
  * test: give testunit sudo
  * oci: add managed pidns to container object
  * pkg/container: take container namespace configuration
  * nsmgrtest: take some namespace related test code
  * nsmgr: add function to pin existing namespace
  * nsmgr: take (and rename) NamespacePathFromProc
  * pkg/sandbox: take config initialization
  * Bump Kubernetes to v1.23.0
  * set user.max_user_namespaces in case it's not
  * lint: bump cyclo complexity
  * gh-actions/contrib: setup sub{g,u}id
  * docs: add tutorial for setting up user namespaces
  * oci: put conmon in infra ctr cpuset if it is in the pod cgroup
  * test: add tests for user namespace annotations
  * test: move workload creation function to helpers
  * cni manager: catch server shutdown
  * server: notify user when network isn't ready yet
  * stop using hardcoded "pod" const
  * oci: always reap conmon zombies
  * clarify some error messages
  * Drop intermediate CRI types
  * Relabel containerenv files
  * Add minimum_mappable_(u|g)id settings
  * Fix runtime panic on stats server shutdown
  * restore: restore stop before managing namespace
  * server: add {,List}SandboxStats
  * server: refactor sandbox list
  * server: use stats server to get container stats
  * container server: use stats server
  * stats: add stats server
  * config: add StatsCollectionPeriod field
  * cgmgr: move most of stats handling to cgmgr
  * oci: make changes in preparation for moving stats functionality
  * server: stub {List,}PodSandboxStats
  * server/cri: add PodSandboxStats support
  * vendor: bump cri-api
  * server/cri: refactor to make stats processing unified
  * pkg/config: use iota
  * Add go 1.17+ go:build tags
  * Remove redundant build tags
  * Add containerenv file to containers. This file indicates that the current environment is inside a container environment. The same technique is used by podman and docker. The same file name/path as podman was used, as it is vendor agnostic.
  * build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8
  * config: merge runtime and workload allowed annotations
  * Updates kubeadm.md: The cgroup property is removed in [kubeadm-config.v1beta3](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/)
  * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  * Specify runtime table format in the error message
  * build(deps): bump github.com/containerd/ttrpc from 1.0.2 to 1.1.0
  * server: fix segfault when using cgroupv2
  * gh-actions: add sed for kube e2e
  * release-notes: update to main
  * build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0
  * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * Bug 2012838: fix override storage options from storage.conf
  * oci: fix deadlock in container stop code
  * build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0
  * oci: always close chControl
  * oci: make some channels buffered
  * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
  * Add annotation that makes /sys/fs/cgroup writable
  * Add support for CNI plugins v1.0.1
  * bump(deps-opentelemetry)
  * pin go.opentelemetry grpc/otelgrpc v0.25.0
  * opentelemetry: add gRPC tracing
  * build(deps): bump k8s.io/klog/v2 from 2.20.0 to 2.30.0
  * build(deps): bump github.com/go-logr/logr from 1.1.0 to 1.2.0
  * version: bump to 1.23.0
  * build(deps): bump github.com/containers/podman/v3 from 3.3.1 to 3.4.1
  * build(deps): bump github.com/containers/common from 0.43.2 to 0.46.0
  * test: drop swap disable playbook
  * server: add support for CRI unified field
  * server: implement swap support
  * server/cri: add support for 1.22 features
  * test: bump cri-tools version
  * scripts: pin cri-tools version
  * server: reduce needless copying for sb.NamespaceOptions
  * oci: refactor internal structure to use CRI type
  * oci: use server CRI metadata type for containers
  * sandbox: refactor internal structure to use CRI type
  * sandbox: save createdAt as an int64
  * build(deps): bump github.com/containerd/cgroups from 1.0.1 to 1.0.2
  * build(deps): bump github.com/creack/pty from 1.1.16 to 1.1.17
  * build(deps): bump github.com/Microsoft/go-winio from 0.5.0 to 0.5.1
  * Bump Kubernetes to v1.22.2
  * sandbox: use server CRI metadata type
  * docs: emphasize deprecation notice
  * update documentation for workloads
  * add allowed annotations to workloads
  * Log HTTP response writer message instead of an error
  * oci: use c/common signal parsing function
  * Skip volume relabel for super privileged containers
  * oci: chown stdin pipe to user in the container
  * test: fix selinux test failures
  * build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5
  * Fix runtime handler docs
  * build(deps): bump github.com/containers/image/v5 from 5.15.2 to 5.16.1
  * scripts: fix release branch forward script
  * server: FilterDisallowedAnnotations of containers earlier
  * server: conditionally relabel volumes given annotation
  * build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0
  * test: refactor allowed_annotation tests
  * server: reduce args in addOCIBindMounts
  * build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
  * test: add label for openshift e2e in dockerfile
  * build(deps): bump github.com/containerd/containerd from 1.5.5 to 1.5.7
  * test: skip certificate check for downloading parallel
  * Remove usage of deprecated apt-key in Ubuntu install
  * Fix install.md links
  * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0
  * use a more appropriate console with code block
  * build(deps): bump k8s.io/api from 0.22.1 to 0.22.2
  * build(deps): bump k8s.io/cri-api from 0.22.1 to 0.22.2
  * build(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0
  * build(deps): bump github.com/creack/pty from 1.1.15 to 1.1.16
  * build(deps): bump k8s.io/apimachinery from 0.22.1 to 0.22.2
  * fix node e2e
  * build(deps): bump github.com/intel/goresctrl from 0.1.0 to 0.2.0
  * bump crio commit used by node e2e installer
  * server: mount cgroup if hostNetwork
  * server: use container level host network setting
  * server: don't recalculate hostnet
  * Fix typo in install.md
  * Remove one of the explanations for `bind_mount_prefix` because it is duplicated.
  * node e2e: keep infra container
  * add unit test for the `server/sandbox_remove`.
  * test: fix journald test for new conmon
  * fix shfmt
  * update `install.md` for debian and ubuntu
  * build(deps): bump github.com/json-iterator/go from 1.1.11 to 1.1.12
  * build(deps): bump k8s.io/client-go from 0.22.1 to 0.22.2
  * fix shfmt
  * server: set spec when dropping infra
  * Update 'master' branch links to 'main'
  * bumps pause image to 3.6
  * server: don't wait forever on conmon cgroup move fail
  * build(deps): bump github.com/containers/storage from 1.34.1 to 1.36.0
  * Remove bashism in sh script
  * Do not log if Intel RDT is not supported
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5
  * Fix cluster.yaml for kubectl create
  * call cmd.Wait() in all cases we call Start()
  * oci: call wait on conmon if cgroup move fails
  * build(deps): bump github.com/go-logr/logr from 1.0.0 to 1.1.0
  * Fix `crio_image_pulls_layer_size_` metrics docs
  * Adapt to klog incompatible changes
  * build(deps): bump k8s.io/klog/v2 from 2.10.0 to 2.20.0
  * Add `--profile-cpu` and `--profile-mem` options
  * build(deps): bump github.com/containers/podman/v3 from 3.3.0 to 3.3.1
  * server: remove ineffective `updateLock`.
  * Fix missing quantile in `latency_microseconds_total` metrics
  * Update crio commit for node e2e
  * build(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1
  * Bump runc binary to 1.0.2
  * Switch to go1.17 for CI
  * fix debian 10 build doc
  * test/testdata/sandbox_config.json: fix the dns_config
  * adds updating instructions to install.md

* Thu Sep 02 2021 alexandre.vicenzi@suse.com
- Update to version 1.22.0:
  Dependency-Change
  * Update runc within static binary bundle to v1.0.1
  * Update static binary bundle runc version to v1.0.0-rc94.
  * Update static binary bundle runc version to v1.0.0-rc95.
  * Updated crun in static binary bundle to v0.20.1
  Deprecation
  * The internal_wipe option is now true by default. Further, it is being deprecated, and will be unconditionally true in the future.
  API Change
  * Update how the resources for a workload are specified. Now, to override a workload, the pod must have the annotation $prefix/$ctr_name = {"$resource_type": "$resource_value"}. The workloads feature has also been marked as experimental, which should have happened from the beginning.
  Feature
  * Added --metrics-collectors/metrics_collectors configuration to enable or disable certain metrics.
  * All metrics collectors are enabled per default.
  * Added crio_image_pulls_layer_size histogram metric to get insights about all pulled layer sizes.
  * Added build tags as well as AppArmor and seccomp status to crio version output.
  * Added generation of self-signed certificates for the secure metrics endpoint if the provided cert and key paths are not available on disk.
  * Added secure metrics endpoint configuration options
  * Added structural logging of container ID, sandbox ID and process ID on container start.
  * Automatically reload metrics TLS certificate and key if any of those specified files change.
  * CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for.
  * Changed the logging behavior of klog messages to be included in the CRI-O logs.
  * The klog info verbosity is converted to CRI-O debug to lower the log verbosity.
  * Cri-o now does not limit the DNS search paths.
  * Enable the "volatile" option for the overlay drivers when it is supported by the underlying kernel.
  * Rootless: enable resource limit when cgroup v2 controllers are delegated.
  * Support io.kubernetes.cri.blockio-class container annotation for specifying blockio class.
  * Support blockio.resources.beta.kubernetes.io/pod pod annotation for specifying the default blockio class to all containers in the pod.
  * Support blockio.resources.beta.kubernetes.io/container.NAME pod annotation for specifying the blockio class of the NAME container in the pod.
  * Add blockio_config_file config file option (and corresponding --blockio-config-file for command line) for configuring blockio classes and their cgroups blockio controller parameters.
  * Support io.kubernetes.cri.rdt-class container annotation for specifying RDT class.
  * Add rdt_config_file config file option (and corresponding --rdt-config-file for command line) for configuring the resctrl pseudo-filesystem.
  * The config field drop_infra_ctr is now true by default
  * The runtime_config_path option, which allows specifying the path of the runtime configuration file, is now supported by CRI-O. This is specific to the VM runtime type.
  * Validate certificate dates for TLS metrics endpoint
  Design
  * Drop support for the crio.shutdown.
  * ExecSync requests now don't use conmon, instead calling the runtime directly, which reduces overhead.
  Bug or Regression
  * Add support for absent_mount_sources_to_reject, which allows admins to configure paths that, when mounted into a container despite not existing on the host, cause a container creation request to fail. This is useful for paths like /etc/hostname, which causes trouble as a directory, but possibly shouldn't be created as a file either (in the case of a dynamic hostname).
  * Add symlink /proc/mounts on /etc/mtab to container
  * Add the config field internal_wipe which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary crio wipe to the main crio server. This has a handful of advantages, the main one being crio is now better able to cleanup CNI resources after a reboot.
  * Allow users to customize conmon's resources if a pod is in a workload.
  * CRI-O now logs when it is using cgroupv2
  * Fix a bug in internal_wipe that would mean CNI resources would be leaked across reboots.
  * Fix a bug where CRI-O can't work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities
  * Fix a bug where CRI-O would leak opened files for namespaces on a server restore
  * Fix a bug where crio config would print a string for privileged_without_host_devices, not a boolean
  * Fix a bug where a container exec process received a little less time than the timeout provided
  * Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process
  * Fix a bug where cAdvisor couldn't read the disk usage of a pod with a dropped infra container
  * Fix a bug where duplicate requests would stall even if the pod or container was already created
  * Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot.
  * Fix a performance regression with exec probes
  * Fix a segfault when CRI-O takes more than 8 minutes to create a pod or container
  * Fix an RSS regression with exec sync requests
  * Fix an issue where a container started with a terminal fails on exec sync calls
  * Fix drop ALL and add back few caps behavior to not include the default configured capabilities
  * Fix potential panic when reopening a container's log
  * Fixed bug where it was not possible to run containers using the default or no seccomp profile on seccomp disabled builds/machines
  * Fixed bug where runtime VM created containers never reach their completed state.
  * Fixed linkmode detection for crio version on en_US systems
  * Fixed runtime panic for layers lockfile if its parent directory does not exist.
  * Added support for repositories in auth.json
  * Re-attempt setting up conmon's cgroup if it fails on EAGAIN from dbus
  * Reduce the permission on the listen socket to 0660
  * Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily
  * The privileged_without_host_devices flag can now be given an additional parameter to configure a runtime
  * Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster
  Other (Cleanup or Flake)
  * Add systemd After=crio.service to containers and conmon
  * Switched build artifacts to be published via the cri-o bucket.
  * Use build tag for linkmode detection on crio version.
  Uncategorized
  * Add Particule as adopters
  * Add --device-ownership-from-security-context which allows an admin to specify devices be configured to be owned by the container user and group, rather than unconditionally being root.
  * Added internal/process/defunct_processes.go and crio_processes_defunct metric to collect the total number of defunct/zombie processes in a node.
  * Raise a warning when creating a bind mount on the container root

* Fri Aug 20 2021 Bernhard Wiedemann
- build with go 1.16 for reproducible binaries (boo#1102408)

* Fri Jul 23 2021 alexandre.vicenzi@suse.com
- Update to version 1.21.2:
  * oci: be more precise about channels and routines
  * oci: wait for runtime to write pidfile before starting timer
  * oci: refactor fsnotify usage
  * vendor: add notify package
  * version: bump to v1.21.2
  * server: use cnimgr to wait for cni plugin ready before creating a pod
  * server: use cnimgr for runtime status
  * config: add cnimgr
  * Introduce cnimgr
  * server: prevent segfault by not using a potentially nil sandbox
  * network: pass pod UID to ocicni when performing network operations
  * vendor: bump ocicni to 4ea5fb8752cfe
  * Bump c/storage to v1.32.3
  * oci: kill runtime process on exec if exec pid isn't written yet
  * oci: don't pre-create pid file
  * dbus: update retryondisconnect to handle eagain too
  * simplify checking for dbus error
  * utils: close dbus conn channel
  * dbusmgr: protect against races in NewDbusConnManager
  * cgmgr: reuse dbus connection
  * cgmgr: create systemd manager constructor
  * try again on EAGAIN from dbus
  * test: fix cgroupfs workload tests
  * Disable short name mode
  * workloads: don't set conmon cpuset if systemd doesn't support AllowedCPUs
  * test: add test for conmon in workloads
  * workloads: setup on conmon cgroup
  * Bump runc to get public RangeToBits function
  * server: export InfraName and drop references to leaky
  * storage: succeed in DeleteContainer if container is unknown
  * bump to v1.21.1
  * Fix CI
  * oci: drop internal ExecSync structs
  * oci: do not use conmon for exec sync
  * bump c/storage to 1.31.1
  * bump runc to 1.0.0-rc94
  * Fix unit tests
  * Add support to drop ALL and add back few capabilities
  * server: call CNI del in separate routine in restore
  * server: reduce log verbosity on restore
  * reduce listen socket permissions to 0660
  * test: adapt crio wipe tests to handle new behavior
  * ignore storage.ErrNotAContainer
  * move internal wipe to only wipe images
  * server: properly remove sandbox network on failed restore
  * runtimeVM: Use internal context to ensure goroutines are stopped
  * Fix go.sum
  * sandbox remove: unmount shm before removing infra container
  * use more ContainerServer.StopContainer
  * sandbox: fix race with cleanup
  * server: don't unconditionally fail on sandbox cleanup
  * server: group namespace cleanup with network stop
  * resourcestore: run cleanup in parallel
  * test: add test for delayed cleanup of network on restart
  * InternalWipe: retry on failures
  * server: get hooks after we've checked if a sandbox is already stopped
  * server: move newPodNetwork to a more logical place
  * Add resource cleaner retry functionality
  * test: add test for internal_wipe
  * server: add support for internal_wipe
  * crio wipe: add support for internal_wipe
  * config: add InternalWipe
  * server: breakup stop/remove all functions with internal helpers
  * storage: remove RemovePodSandbox function
  * server: reuse container removal code for infra
  * Cleanup pod network on sandbox removal
  * test: add test for absent_mount_sources_to_reject
  * server: add support for absent_mount_sources_to_reject
  * config: add absent_mount_sources_to_reject option
  * server: use background context for network stop
  * resource store: prevent segfault on cleanup step
  * Pin gocapability to v0.0.0-20180916011248-d98352740cb2
  * config: fix type of privileged_without_host_devices
  * Fix podman name in README
  * Fix RuntimeDefault seccomp behavior if disabled
  * Add After=crio.service dependency to containers and conmon
  * Use extra context for runtime VM
  * workloads: move to more concrete type
  * workloads: update how overrides are specified
  * main: still rely on logrus (rather than using the internal log)
  * container server: fix silly typo
  * nsmgr: remove duplicate IsNSOrErr call
  * nsmgr: fix some leaks with GetNamespace
  * bump to containers/image 5.11.1
  * Bug 1942608: do not list the image with error locating manifest
  * runtimeVM: Calculate the WorkingSetBytes stats
  * runtimeVM: Use containerd/cgroups for metrics
  * runtimeVM: Move metricsToCtrStats() around
  * runtimeVM: Vendor typeurl instead of maintaining our own copy

* Thu Apr 15 2021 alexandre.vicenzi@suse.com
- Update to version 1.21.0:
  * bump to v1.21.0
  * config: drop registries field as it is no longer supported
  * Revert "test: drop unneeded sed statement"
  * WIP: add debug print
  * test: drop unneeded sed statement
  * config: fix template insecure_registries field
  * config: drop commented config lines
  * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0
  * Bump OpenShift CI cri-tools version and fix build path
  * build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
  * Bump cri-tools to v1.21.0
  * Update Kubernetes to v1.21.0
  * Add container out of memory metrics
  * [CLI] "crio config" only prints the fields that are different than the default.
  * Set short name mode to permissive
  * docs-validation: update to handle workloads
  * Fix unnecessary conversion lint report
  * add tests for workloads
  * integrate with server
  * config: update workloads structure
  * Clarify release cadence and version skew
  * Add correct start time to initial log output
  * Add support for workload settings
  * refactor handling of allowed_annotations
  * Do not push main binary into cachix cache
  * resourcestore: introduce ResourceCleaner
  * Use internal logging when context available
  * build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
  * server: remove dead code
  * sandbox: use defined CRI type for NamespaceOption
  * config: remove dead code
  * oci: remove dead code
  * lib: remove dead code
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5
  * update pause image to 3.5 for non-root
  * build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5
  * build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1
  * build(deps): bump github.com/containers/buildah from 1.19.8 to 1.20.0
  * build(deps): bump github.com/prometheus/client_golang
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4
  * build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5
  * crio-wipe: only clear storage if CleanShutdownFile is supported
  * Add static bundle node e2e tests to GitHub actions
  * Reload the main config file when reloading configs
  * crio wipe: only completely wipe storage after a reboot
  * Bump static binary dependency versions
  * Add dependabot config file
  * runtimeVM: Fix shimv2 binary name construction
  * config,runtimeVM: Improve runtime_path validation
  * oci_test: Add basic coverage to "RuntimeType()"
  * oci_test: Add basic coverage to "privileged_without_host_devices"
  * oci_test: Leave invalidRuntime on its own line
  * tweak scope dependencies
  * Do not return `` placeholders for images any more
  * Fix invalid libcontainer GetExecUser call
  * Update dependencies
  * config: Don't fail if the non default runtime doesn't pass validation
  * Remove check for CI env variable for release-notes and dependencies
  * cgmgr: add CreateSandboxCgroup method
  * inspect: send container PID for dropped infra sandbox
  * oci: specify sbox id when creating spoofed container
  * Run GitHub actions on release branches
  * Update bats to v1.3.0 (#4661)
  * use happy-eyeballs for port-forwarding
  * fix mock issues
  * fix lint issues
  * install: drop support matrix and update instructions
  * do not store context in runtime vm
  * Fix lint GitHub action
  * pkg/container: take process args
  * Use and publish version marker for CRI-O
  * Add GitHub API pages support to `get` script
  * add libbtrfs-dev to unit tests
  * Revert "server: use IsAlive() more"
  * Fix GitHub actions cache key
  * Bug 1881694: Add pull source as info level log
  * test: use latest conmon
  * runtime_vm: Create the global fifo inside the runtime root path
  * stats:
fix log spam * Support CRI seccomp security profiles * oci: add unit tests for stop timeouts * oci: don\'t update stop timeout if it\'s earlier than old one * oci: update timeout even if we\'re ignoring kill * oci: don\'t wait too long on a long stop * oci: check process is still around with kill * Add integration test for started/finished container time * fix: Don\'t set `image-endpoint` in crictl config * feat: Add CLI option to set registries.conf.d path * Add allowed io.containers.trace-syscall annotation to static bundle * Make `get` script independent from `make` * test: correct the env variable for dropping the infra container * Add metric to grab latency of individual cri calls * Fix `get` script commit SHA retrieval * Add arm64 static build to GitHub actions * Fix GitHub actions workflow syntax * Updates yq commnands for yq v4 * gh-actions: also run on release branches * pkg/sandbox: add InitInfraContainer endpoint * test: reconfigure how runtimes are passed in * test: add runtime() function * sandbox/container: drop context * test: drop workaround for crun * pkg/sandbox: cleanup unused funcs/files * fix doc log_level adding trace option * Fix oci container update config * Update e2e-aws logic for 4.8 * nsmgr: take Initalize method * Switch to go 1.16 for GitHub actions and remove scripts/build-test-image * config: remove and create the correct dir * Update nix pin with `make nixpkgs` * server: mount cgroup with rslave * crio wipe: ensure a clean shutdown * Move integration tests to GitHub actions * Run release-notes GitHub action after dependencies * Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0. 
* config/node: refactor checking for CollectMode * Fix GitHub actions checkout permissions * change binary version to 1.21.0-dev * Set conmon scope KillSignal to SIGPIPE * Move repo modification jobs to GitHub actions * bump protobuf to 1.3.2 * Log container stop timeout * ResourceStore: add close method * Allow seccomp hook tracing for separate containers * ResourceStore: extend tests to test WatcherForResource * ResourceStore: update tests to all run * ResourceStore: update docs for WatcherForResource * ResourceStore: don\'t segfault * server: support setting raw unified cgroupv2 settings * vendor: update runtime-specs * cgroup: implement fix for swap memcg on cgroup v2 * server: leave swap mem limit unset if not supported * test: skip ServiceAccountIssuerDiscovery test * hostport manager clean up host ports * allows stream timeout to be set from config * config: pre-create pinns directories * Bump containers image to v5.10.1 * Move unit tests to GitHub actions * Move go1.14 and 386 builds to GitHub actions * set kubelet node IP * Fix validate-completions GitHub action * Add integration test for pprof over unix socket * Add a flag for enabling profile over unix socket * Lookup echo command for unit tests * Move static build to GitHub actions * pinns: Fixup \'pwarn\' output to match \'pwarnf\' output * pinns: Don\'t put errno in the exit message for argument checks * nsmgr: use host option * nsmgr: Use config struct for NewPodNamespaces * pinns: support pinning host ns * Remove implicit GitHub action `name` fields * Move docs and completions validation to GitHub actions * Bump golangci-lint to v1.35.2 * Make config tests work rootless * Make rootless namespace unit test execution work * config: fix template to show infra_ctr_cpus option * Do not log file path on ioutil.ReadFile * fixes version_test.go * Close the stdin/tty on server start to avoid shortname prompts * docs: fix http link * docs: update kubeadm tutorial * Fix `make lint` * Return runtime API version 
based on protocol * Update compatibility matrix to mention v1.20 * add method comment * restore irqbalance config only on system restart * add blurb in doc and more informative name for unit tests * add is-enabled check for irqbalance service * fix unit tests * add unit tests * fix bash/zsh completions * fix the docs validation * handle irqbalance service * runtime_vm: set finished time when containers stop * nsmgr: fix/add calls to GetNamespace * managed namespaces: move to dedicated package * Provide integration test for infra-ctr-cpuset feature * Set CPUs for the infra containers during the creation * Add shell completion for infra-containers-cpu flag * Add new infra-containers-cpus to the CLI and config file * refine `registries` deprecation message * Circle CI: install test/registries.conf * crio.8.md: runroot defaults to /run/containers/storage * support short-name aliases * pull: do check for blocked registries * config: deprecate registries * Rollback gocapability vendor bump * vendor: bump containers/storage to v1.24.4 * Update nix pin with `make nixpkgs` * contrib/test/int: add Kata Containers runtime support * contrib/test/int: enforce linking in parallel build process * contrib/test/int: build parallel from sources in CentOS * contrib/test/int: allow to skip user namespace testing * contrib/test/int: allow to configure test timeout * Capitalize Kubernetes * modify the error url of podctl * Add Digital Science to adopters * crio.service: Request to be run before kubelet.service * pinns: make binary not always static * server: use IsAlive() more * Support CRI v1 and v1alpha2 at the same time * drop support for ManageNSLifecycle * test/timeout.bats: increase timeout to fix flakes * release-notes: fix flags * test/timeout.bats: fix comments * int/resourcestore: fix comment about Put * test/image.bats: simplify some loops * test/helpers.bats: simplify cleanup_ * * contrib/test/int: rm node-e2e test * contrib/test/int: fix iptables rule * critest: add unix:// 
prefix * critest.yml: don\'t skip test on RHEL * test: add timeout.bats * bump network creation timeout to 5 minutes * resourcecache: add watcher idiom * server: use ResourceCache instead of dropping progress * Add unit tests for ResourceCache * Introduce ResourceCache * moves shmsize to a handler allowed annotation * image pull: close progress chan * test/ctr.bats: fix a \"ctr execsync\" flake * Fix the functions\' name in completions * make: drop link to crio.service * test: rm \"run ctr with image with Config.Volumes\" * test: add no-pull-on-run=true * test/devices.bats: fix \"additional device permissions\" case * test/devices.bats: rm unneeded run * test/devices.bats: skip earlier * Bandwidht CNI plugin reserved an upper limit on burst,in which banned include boundary. See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113- Drop config-fix-tz.patch as upstream dependency was patched * Fri Apr 09 2021 alexandre.vicenziAATTsuse.com- Update to version 1.20.2: * bump to latest c/storage 1.24 branch * Remove check for CI env variable for release-notes and dependencies * fix lint * test: pin cri-tools to 1.20 * bump to v1.20.2 * Run GitHub actions on release branches * Pin gocapability to v0.0.0-20180916011248-d98352740cb2 * [PATCH 9/9] add method comment * [PATCH 8/9] restore irqbalance config only on system restart- Add vendor.tar.gz to avoid dependency downloads- Add config-fix-tz.patch to fix crio validation error while building * Fri Jan 08 2021 rbrownAATTsuse.com- Update to version 1.19.1: * bump to v1.19.1 * don\'t do unnecesary iptables restore * switch CRI-O to use its own hostport manager * dual-stack host port manager * fix upstream hostport manager * Add README to hostport folder * fork hosport kubernetes code * [1.19] vendor: bump containers/storage to v1.20.5 * runtime_vm: Ensure closeIOChan is not nil inside CloseStdin\'s function * runtime: parse oom file for VM type runtimes * runtime_vm: Ignore 
ttrpc.ErrClosed when removing a container * runtime_vm: StopContainers() should not fail when the VM is shutdown * runtime_vm: Don\'t let wait() return ttrpc.ErrClosed * runtime_vm: Fix updateContainerStatus() logic * runtime_vm: set Pid and InitPid for VM runtimes * internal/config/node: add checkFsMayDetachMounts * Fix bogus CI test failures * test/config: fix shellcheck warning * test/config: fix \"config dir should fail with invalid option\" * server: cleanup container in runtime after failed creation