CRI-O v1.18.0-rc1
The release notes have been generated for the commit range v1.17.0-rc1…f0aef34 on Tue, 14 Apr 2020 19:27:06 UTC.
Downloads
Download the static release bundle via our Google Cloud Bucket:
crio-f0aef34b8.tar.gz
Changes by Kind
Deprecation
API Change
- Removed version from default AppArmor profile name in config (#3287, @saschagrunert)
- CRI-O now runs containers without NET_RAW and SYS_CHROOT capabilities by default. This can result in permission denied errors when the container tries to do something that would require either of these capabilities. For instance, using `ping` requires NET_RAW, unless the container is given the sysctl `net.ipv4.ip_forward`. Further, if you have a container that runs buildah or configures RPMs, they may fail without SYS_CHROOT. Ultimately, the dropped capabilities are worth it, as the majority of containers don’t need them. The fewer capabilities CRI-O gives out by default, the more secure it is by default. (#3119, @haircommander)
- When pinning namespaces, CRI-O now pins to /var/run/$NS_NAMEns/$RAND_ID instead of /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility with third party networking plugins (#3509, @haircommander)
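A check for the capability change listed above, added here as an example and not taken from the CRI-O release notes or code base: it parses the capability sets in `/proc/<pid>/status` text and reports whether NET_RAW or SYS_CHROOT are still held. The function names and both sample status blocks are constructed for illustration.

```python
import re
import sys

# Bit numbers from linux/capability.h for the capabilities discussed here.
CAP_BITS = {"CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
            "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
            "NET_RAW": 13, "SYS_CHROOT": 18}
DROPPED_BY_DEFAULT = ("NET_RAW", "SYS_CHROOT")  # per the release note above
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

# Constructed samples: the same process status with and without the two bits set.
SAMPLE_WITH = ("Name:\tsleep\nCapInh:\t0000000000000000\nCapPrm:\t00000000000425fb\n"
               "CapEff:\t00000000000425fb\nCapBnd:\t00000000000425fb\n"
               "CapAmb:\t0000000000000000\n")
SAMPLE_WITHOUT = SAMPLE_WITH.replace("425fb", "005fb")


def parse_cap_sets(status_text):
    """Map each capability set name in /proc/<pid>/status text to its bitmask."""
    return {name: int(mask, 16) for name, mask in CAP_LINE.findall(status_text)}


def decode(mask):
    """Name the set bits; bits outside CAP_BITS are reported as 'bitN'."""
    by_bit = {bit: name for name, bit in CAP_BITS.items()}
    return [by_bit.get(bit, f"bit{bit}") for bit in range(64) if mask >> bit & 1]


def audit(status_text):
    """Return {set name: [held capabilities that 1.18 drops by default]}."""
    findings = {}
    for set_name, mask in parse_cap_sets(status_text).items():
        held = [cap for cap in DROPPED_BY_DEFAULT if mask >> CAP_BITS[cap] & 1]
        if held:
            findings[set_name] = held
    return findings


if __name__ == "__main__":
    # Run inside a container (or pass another status file) to check a live process.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        result = audit(fh.read())
    print(result or "NET_RAW and SYS_CHROOT are not held")
    sys.exit(1 if result else 0)
```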
Feature
- Add `crio config -m/--migrate` option which supports migrating a v1.17.0 configuration file to the latest version. (#3487, @saschagrunert)
- Add available image labels to image status info (#3510, @saschagrunert)
- Add cgroup namespace unsharing to pinns (#3297, @saschagrunert)
- Add live configuration reload to AppArmor profile option (#3313, @saschagrunert)
- Add live configuration reload to seccomp profile option (#3300, @saschagrunert)
- Add log context to container stats to improve logging (#3204, @saschagrunert)
- Added `--cni-default-network`/`cni_default_network` option to specify the CNI network to select. The default value is `crio`, but this option can be explicitly set to `""` to pick up the first network found in `--cni-config-dir`/`network_dir`. (#3452, @saschagrunert)
- Added `conmon`, `runc` and `cni-plugins` to the static release bundle (#3345, @saschagrunert)
- Added `linkmode` (dynamic or static) output to `crio version` subcommand (#3450, @saschagrunert)
- Added gRPC method names to log entries to increase traceability (#3383, @saschagrunert)
- Added live reload to `decryption_keys_path` (#3246, @saschagrunert)
- Added pinns binary to static bundle (#3237, @saschagrunert)
- Improve `crio --version` / `version` output to show more details (#3320, @saschagrunert)
- Provide the possibility to set the default config path via `make DEFAULTS_PATH=<PATH>` (#3321, @saschagrunert)
- Take local images into account when pulling images prefixed with `localhost/` (#3309, @saschagrunert)
- Added support for drop-in registries.conf configuration files. Please refer to the registries.conf.d documentation (https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md) for further details. (#3428, @vrothberg)
- If a specified or the default hooks directory is not available, then we warn the user but do not fail any more. (#3203, @saschagrunert)
Documentation
- Update documentation that the lowest possible value for the ctr_stop_timeout is 30 seconds. We also move the validation of this fact into the config validation part of the library. (#3282, @saschagrunert)
- Added man page for crio.conf.d(5) (#3341, @rhafer)
Other (Bug, Cleanup or Flake)
- Empty sandbox labels are now serialized into proper JSON (`null`) (#3523, @rhafer)
- Fixed CRI-O to fail to start when `runc` is not a configured runtime and the `runc` binary is not in `$PATH` (#3367, @saschagrunert)
- Fixed SIGHUP reload for drop-in configuration files (#3241, @saschagrunert)
- Provide the latest release bundle via a Google Cloud Storage Bucket at: https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts (#3331, @saschagrunert)
- Removed annoying logs coming directly from lower level runtimes like runc (#3416, @saschagrunert)
- Removed the musl libc build target from the static binary bundle in favor of the existing glibc variant (#3463, @saschagrunert)
- Removed warning about non-absolute container log paths when creating a container (#3415, @saschagrunert)
- CRI-O’s version can be overridden at build time with `VERSION=my.version.number make bin/crio` (#3542, @haircommander)
- ContainerStatus no longer waits for a container operation (such as start or stop) to finish. (#3457, @kolyshkin)
- Fix bug resulting in false reports of OOM (#3423, @haircommander)
- Fixed SIGHUP reload behavior for unqualified search registries (#3209, @saschagrunert)
- Return grpc code NotFound when we can’t find a container or pod (#3412, @mrunalp)
- Systemd unit file: drop crio-wipe.service as a requirement (#3545, @haircommander)