CRI-O v1.18.0-rc1

The release notes have been generated for the commit range v1.17.0-rc1…f0aef34 on Tue, 14 Apr 2020 19:27:06 UTC.

Downloads

Download the static release bundle via our Google Cloud Bucket: crio-f0aef34b8.tar.gz

Changes by Kind

Deprecation

• Drop support for golang < v1.13 (#3312, @saschagrunert)

API Change

• Removed version from default AppArmor profile name in config (#3287, @saschagrunert)
• CRI-O now runs containers without NET_RAW and SYS_CHROOT capabilities by default. This can result in permission denied errors when the container tries to do something that would require either of these capabilities. For instance, using ping requires NET_RAW, unless the container is given the sysctl net.ipv4.ip_forward. Further, if you have a container that runs buildah or configures RPMs, they may fail without SYS_CHROOT. Ultimately, the dropped capabilities are worth it, as the majority of containers don’t need them. The fewer capabilities CRI-O gives out by default, the more secure it is by default. (#3119, @haircommander)
• When pinning namespaces, CRI-O now pins to /var/run/$NS_NAMEns/$RAND_ID instead of /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility with third party networking plugins (#3509, @haircommander)

Feature

• Add crio config -m/--migrate option which supports migrating a v1.17.0 configuration file to the latest version. (#3487, @saschagrunert)
• Add available image labels to image status info (#3510, @saschagrunert)
• Add cgroup namespace unsharing to pinns (#3297, @saschagrunert)
• Add live configuration reload to AppArmor profile option (#3313, @saschagrunert)
• Add live configuration reload to seccomp profile option (#3300, @saschagrunert)
• Add log context to container stats to improve logging (#3204, @saschagrunert)
• Added --cni-default-network/cni_default_network option to specify the CNI network to select. The default value is crio, but this option can be explicitly set to "" to pickup the first network found in --cni-config-dir/network_dir. (#3452, @saschagrunert)
• Added conmon, runc and cni-plugins to the static release bundle (#3345, @saschagrunert)
• Added linkmode (dynamic or static) output to crio version subcommand (#3450, @saschagrunert)
• Added gRPC method names to log entries to increase trace-ablity (#3383, @saschagrunert)
• Added live reload to decryption_keys_path (#3246, @saschagrunert)
• Added pinns binary to static bundle (#3237, @saschagrunert)
• Improve crio --version / version output to show more details (#3320, @saschagrunert)
• Provide the possibility to set the default config path via make DEFAULTS_PATH=<PATH> (#3321, @saschagrunert)
• Take local images into account when pulling images prefixed with localhost/ (#3309, @saschagrunert)
• Added support for drop-in registries.conf configuration files. Please refer to the registries.conf.d documentation (https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md) for further details. (#3428, @vrothberg)
• If a specified or the default hooks directory is not available, then we warn the user but do not fail any more. (#3203, @saschagrunert)

Documentation

• Update documentation that the lowest possible value for the ctr_stop_timeout is 30seconds. We also move the validation of this fact into the config validation part of the library. (#3282, @saschagrunert)
• Added man page for crio.conf.d(5) (#3341, @rhafer)

Other (Bug, Cleanup or Flake)

• Empty sandbox labels are now serialized into proper JSON (null) (#3523, @rhafer)
• Fixed CRI-O to fail to start when runc is no configured runtime and the runc binary is not in $PATH (#3367, @saschagrunert)
• Fixed SIGHUP reload for drop-in configuration files (#3241, @saschagrunert)
• Provide the latest release bundle via a Google Cloud Storage Bucket at: https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts (#3331, @saschagrunert)
• Removed annoying logs coming directly from lower level runtimes like runc (#3416, @saschagrunert)
• Removed the musl libc build target from the static binary bundle in favor of the existing glibc variant (#3463, @saschagrunert)
• Removed warning about non-absolute container log paths when creating a container (#3415, @saschagrunert)
• CRI-O’s version can be overriden at buildtime with VERSION=my.version.number make bin/crio (#3542, @haircommander)
• ContainerStatus no longer waits for a container operation (such as start or stop) to finish. (#3457, @kolyshkin)
• Fix bug resulting in false reports of OOM (#3423, @haircommander)
• Fixed SIGHUP reload behavior for unqualified search registries (#3209, @saschagrunert)
• Return grpc code NotFound when we can’t find a container or pod (#3412, @mrunalp)
• Systemd unit file: drop crio-wipe.service as a requirement (#3545, @haircommander)