CRI-O v1.18.0

The release notes have been generated for the commit range v1.17.0…d2cf7b8 on Wed, 13 May 2020 14:23:44 UTC.

Downloads

Download the static release bundle via our Google Cloud Bucket: crio-d2cf7b890.tar.gz

Changes by Kind

Dependency-Change

• Update cri-tools to v1.18.0 in static release bundle (#3520, @saschagrunert)
• Default pause image is k8s.gcr.io/pause:3.2 (#3582, @haircommander)

Deprecation

• Drop support for golang < v1.13 (#3312, @saschagrunert)

API Change

• Removed version from default AppArmor profile name in config (#3287, @saschagrunert)
• CRI-O now runs containers without NET_RAW and SYS_CHROOT capabilities by default. This can result in permission denied errors when the container tries to do something that would require either of these capabilities. For instance, using ping requires NET_RAW, unless the container is given the sysctl net.ipv4.ip_forward. Further, if you have a container that runs buildah or configures RPMs, they may fail without SYS_CHROOT. Ultimately, the dropped capabilities are worth it, as the majority of containers don’t need them. The fewer capabilities CRI-O gives out by default, the more secure it is by default. (#3119, @haircommander)
• When pinning namespaces, CRI-O now pins to /var/run/$NS_NAMEns/$RAND_ID instead of /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility with third party networking plugins (#3509, @haircommander)

Feature

• Add crio config -m/--migrate option which supports migrating a v1.17.0 configuration file to the latest version. (#3487, @saschagrunert)
• Add available image labels to image status info (#3510, @saschagrunert)
• Add cgroup namespace unsharing to pinns (#3297, @saschagrunert)
• Add live configuration reload to AppArmor profile option (#3313, @saschagrunert)
• Add live configuration reload to seccomp profile option (#3300, @saschagrunert)
• Add log context to container stats to improve logging (#3204, @saschagrunert)
• Added --cni-default-network/cni_default_network option to specify the CNI network to select. The default value is crio, but this option can be explicitly set to "" to pickup the first network found in --cni-config-dir/network_dir. (#3452, @saschagrunert)
• Added --metrics-socket/metrics_socket configuration option to allow exposing the metrics endpoint on a local socket path (#3724, @saschagrunert)
• Added conmon, runc and cni-plugins to the static release bundle (#3345, @saschagrunert)
• Added linkmode (dynamic or static) output to crio version subcommand (#3450, @saschagrunert)
• Added gRPC method names to log entries to increase trace-ablity (#3383, @saschagrunert)
• Added live reload to decryption_keys_path (#3246, @saschagrunert)
• Added pinns binary to static bundle (#3237, @saschagrunert)
• Added the full OCI image spec to the verbose ImageStatusResponse, for example when running crictl inspecti $IMAGE. (#3570, @saschagrunert)
• Added the full OCI runtime spec to the verbose ContainerStatusResponse, for example when running crictl inspect $CONTAINER_ID (#3569, @saschagrunert)
• Added verification of provided --default-capabilities/default_capabilities on configuration validation (CRI-O startup) (#3478, @saschagrunert)
• Improve crio --version / version output to show more details (#3320, @saschagrunert)
• Provide the possibility to set the default config path via make DEFAULTS_PATH=<PATH> (#3321, @saschagrunert)
• Re-add the behavior that string slices can be passed to the CLI comma separated, for example --default-capabilities CHOWN,KILL (#3636, @saschagrunert)
• Take local images into account when pulling images prefixed with localhost/ (#3309, @saschagrunert)
• Add –version-file-persist, a place to put the version file in persistent storage. Now, crio wipe wipes containers if –version-file is not present (presumably it is on temporary storage), and wipes images if both –version-file and –version-file-persist are out of date (presumably there has been an upgrade of cri-o’s minor version (#3648, @haircommander)
• Add build support for setting SOURCE_DATE_EPOCH (#3708, @afbjorklund)
• Add configuration for setting default environment in all containers. (#3611, @mrunalp)
• Added support for drop-in registries.conf configuration files. Please refer to the registries.conf.d documentation (https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md) for further details. (#3428, @vrothberg)
• Containers running init or systemd are now given a new selinux label container_init_t, giving it selinux privileges more appropriate for the workload (#3754, @haircommander)

Documentation

• The changelog is now rendered by a custom go template and contains the table of contents (#3739, @saschagrunert)
• Update documentation that the lowest possible value for the ctr_stop_timeout is 30seconds. We also move the validation of this fact into the config validation part of the library. (#3282, @saschagrunert)
• Added man page for crio.conf.d(5) (#3341, @rhafer)

Other (Bug, Cleanup or Flake)

• Empty sandbox labels are now serialized into proper JSON (null) (#3523, @rhafer)
• Fix bug in crio version output where the linkmode cannot be retrieved because of non absolute paths of the executable (#3627, @saschagrunert)
• Fixed CRI-O to fail to start when runc is no configured runtime and the runc binary is not in $PATH (#3367, @saschagrunert)
• Fixed SIGHUP reload for drop-in configuration files (#3241, @saschagrunert)
• Fixed glibc static binary bug to not resolve DNS correctly (#3615, @saschagrunert)
• Fixed wrong linkmode output (on crio version) for static binaries (#3638, @saschagrunert)
• Provide the latest release bundle via a Google Cloud Storage Bucket at: https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts (#3331, @saschagrunert)
• Removed crio-wipe.service and crio-shutdown.service systemd units from the static bundle since they are not required (#3689, @saschagrunert)
• Removed annoying logs coming directly from lower level runtimes like runc (#3416, @saschagrunert)
• Removed the musl libc build target from the static binary bundle in favor of the existing glibc variant (#3463, @saschagrunert)
• Removed warning about non-absolute container log paths when creating a container (#3415, @saschagrunert)
• CRI-O’s version can be overriden at buildtime with VERSION=my.version.number make bin/crio (#3542, @haircommander)
• Cleanup go module and vendor files. (#3722, @mrunalp)
• ContainerStatus no longer waits for a container operation (such as start or stop) to finish. (#3457, @kolyshkin)
• Fix bug resulting in false reports of OOM (#3423, @haircommander)
• Return grpc code NotFound when we can’t find a container or pod (#3412, @mrunalp)
• Systemd unit file: drop crio-wipe.service as a requirement (#3545, @haircommander)
• The CNI loopback plugin is no longer required as a dependency of cri-o. (#3616, @dcbw)
• When setting the limit of memory resource usage in a container’s runtime spec, we now disable use of swap by the container. (#3564, @haircommander)