CRI-O v1.20.0-dev
The release notes have been generated for the commit range v1.19.0…fd2a16d on Tue, 09 Feb 2021 01:52:51 UTC.
Downloads
Download the static release bundle via our Google Cloud Bucket:
crio-fd2a16d43.tar.gz
Changelog since v1.19.0
Changes by Kind
Deprecation
- The config option manage_ns_lifecycle is now deprecated and unconditionally true. (#4428, @haircommander)
API Change
- Add allowed_annotations option to runtime handler structure, which allows admins to gate which runtime classes interpret the annotation io.kubernetes.cri-o.userns-mode. In doing so, also drop the experimental allow_userns_annotation option. (#4281, @haircommander)
Feature
- Add io.kubernetes.cri-o.Devices annotation to the list of interpretable allowed annotations. Now, users can pass in devices they want added to their containers, but only if the runtime class is allowed to use the annotation. (#4349, @haircommander)
- Add option seccomp_override_empty to override an unspecified seccomp profile from being unconfined to being the runtime default. Note: setting this option makes CRI-O not fully CRI compliant, but does increase security. (#4212, @haircommander)
- Add support for CRI v1 protocol side by side to the existing v1alpha2 (#4408, @saschagrunert)
- Added crio-status.8 man page to static release bundle (#4510, @saschagrunert)
- Allow using userns together with ManageNSLifecycle (#4333, @kolyshkin)
- Bump containers image to v5.10.1 (#4519, @QiWang19)
- Changed VersionResponse.RuntimeApiVersion to return either the v1alpha2 or v1 CRI API version (#4473, @saschagrunert)
- Fix a bug where pods with hostNetwork: true couldn’t have ports forwarded from them when drop_infra_ctr=true (#4495, @haircommander)
- It is possible to override cgroup v2 unified configuration through the io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME annotation (#4479, @giuseppe)
- Moves shm size to a handler-allowed annotation (#4402, @wgahnagl)
- Provide a new configuration flag to specify CPUs that will be used to run infra containers (#4459, @cynepco3hahue)
- Support enabling pprof profile over CRI-O’s unix socket (#4514, @mrunalp)
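A crio.conf sketch of the annotation gating described in the allowed_annotations and io.kubernetes.cri-o.Devices entries above. This is an added example, not taken from the CRI-O repository; the handler name runc-userns and the runtime paths are assumptions. The default handler interprets none of the gated annotations, and only the opt-in handler does.

```toml
# Default handler: empty allow-list, so io.kubernetes.cri-o.userns-mode and
# io.kubernetes.cri-o.Devices set on a pod are not interpreted.
[crio.runtime.runtimes.runc]
runtime_path = "/usr/bin/runc"   # assumed install path
runtime_type = "oci"
runtime_root = "/run/runc"
allowed_annotations = []

# Hypothetical opt-in handler: only pods scheduled onto this handler can
# request a user namespace mode or extra devices through annotations.
[crio.runtime.runtimes.runc-userns]
runtime_path = "/usr/bin/runc"   # assumed install path
runtime_type = "oci"
runtime_root = "/run/runc"
allowed_annotations = [
    "io.kubernetes.cri-o.userns-mode",
    "io.kubernetes.cri-o.Devices",
]
```

Pods reach the second handler only through a Kubernetes RuntimeClass whose handler field names it, so limiting who may use that RuntimeClass limits who can have these annotations honored.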
Design
- When running under systemd, image pulls happen in a new cgroup (#4057, @giuseppe)
Documentation
- The manage_ns_lifecycle option is now deprecated, and will be set to true unconditionally in the future. (#4209, @haircommander)
Bug or Regression
- CRI-O allows running pods with the default runtime profile in the Pod.Spec if seccomp is disabled (#4370, @aojea)
- CRI-O portMapping dual-stack support (#4361, @aojea)
- Fix a bug where a timeout in RunPodSandbox or CreateContainer requests caused CRI-O to delete the newly created resource. Now, it saves that resource, until the kubelet re-requests it, thus allowing kubelet and CRI-O to reconcile quicker when nodes are under load. (#4394, @haircommander)
- Fix a bug where containers didn’t have a finished time set when using the “vm” style runtimes. (#4468, @haircommander)
- Fix bug where runAsUser would only work with runAsGroup if userns annotations were specified (#4300, @haircommander)
- Fix bug where we attempted to chown with the mappings configured on server level, when they could have been from annotations (#4294, @haircommander)
- Fix making /etc/resolv.conf bind-mount to be readonly for a readonly container. (#4268, @kolyshkin)
- Fix occasional “chown: interrupted system call” error on container creation. (#4334, @kolyshkin)
- Fixed bug that all custom sandbox annotations will be passed to OCI hooks and therefore are also available on the containers (#4138, @saschagrunert)
- Ingress/Egress burst limit is now set slightly below 4GB, which properly sets 4GB as the upper limit of burst (#4348, @zizon)
- Provide an option to run performance hooks via specifying allowed_annotations under the runtime handler configuration.
  [DEPRECATION] The run of performance hooks for the high-performance runtime handler without specifying allowed_annotations will be deprecated under release 1.21.
  [DEPRECATION] Usage of the performance annotation with the true value will be deprecated under release 1.21; instead, the disable value should be used. (#4389, @cynepco3hahue)
Other (Cleanup or Flake)
- Changed the output of the printed seccomp profile to JSON instead of the struct. The profile will be only printed on CRI-O startup and if the --log-level/log_level is set to trace. (#4158, @saschagrunert)
- Fixed a bug where a container creation failure caused that container to leak in the runtime (#4198, @haircommander)
Uncategorized
- CRI-O now supports short-name aliases which can be configured in the containers-registries.conf(5) configuration files. Please refer to the following article for further details on short-name aliases: www.redhat.com/sysadmin/container-image-short-names
  The registries option in the crio.conf has been deprecated and takes no effect any more. CRI-O will warn when loading the config and note that containers-registries.conf(5) should be used instead for configuring unqualified-search registries. (#4455, @vrothberg)
- Fix a goroutine leak when checking image pulling progress (#4412, @haircommander)
- Fix broken symlink of systemd unit file (#3890, @haircommander)
- Fixed a bug where image authentication failed from not finding the auth file. (#4461, @QiWang19)
- Update broken link for podman tutorial (#4179, @lovebaby979)
- Update broken link for tutorials (#4180, @lovebaby979)
- Update nix pin with make nixpkgs (#4395, @hswong3i)
- When using high performance hooks, CRI-O now restarts the irqbalance service after updating the irqbalance config file, rather than calling irqbalance --oneshot. A new config value irqbalance_config_file has been introduced to configure the file to update with IRQBALANCE_BANNED_CPUS settings. The default of this config value is /etc/sysconfig/irqbalance, but must be set to /etc/default/irqbalance for Ubuntu-like distributions. (#4441, @pperiyasamy)
Dependencies
Added
- bazil.org/fuse: 371fbbd
- cloud.google.com/go/firestore: v1.1.0
- cloud.google.com/go/logging: v1.1.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/armon/go-metrics: f0300d1
- github.com/armon/go-radix: 7fddfc3
- github.com/bketelsen/crypt: 5cbc8cc
- github.com/cenkalti/backoff/v4: v4.1.0
- github.com/containers/libpod/v2: v2.0.6
- github.com/docker/cli: a8ff7f8
- github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
- github.com/fvbommel/sortorder: v1.0.1
- github.com/go-gl/glfw: e6da0ac
- github.com/gomarkdown/markdown: 8c8b381
- github.com/google/go-containerregistry: v0.1.3
- github.com/google/martian/v3: v3.1.0
- github.com/hashicorp/consul/api: v1.1.0
- github.com/hashicorp/consul/sdk: v0.1.1
- github.com/hashicorp/go-cleanhttp: v0.5.1
- github.com/hashicorp/go-immutable-radix: v1.0.0
- github.com/hashicorp/go-msgpack: v0.5.3
- github.com/hashicorp/go-rootcerts: v1.0.0
- github.com/hashicorp/go-sockaddr: v1.0.0
- github.com/hashicorp/go-uuid: v1.0.1
- github.com/hashicorp/go.net: v0.0.1
- github.com/hashicorp/logutils: v1.0.0
- github.com/hashicorp/mdns: v1.0.0
- github.com/hashicorp/memberlist: v0.1.3
- github.com/hashicorp/serf: v0.8.2
- github.com/jmespath/go-jmespath/internal/testify: v1.5.1
- github.com/juju/ansiterm: 720a095
- github.com/lunixbochs/vtclean: 2d01aac
- github.com/manifoldco/promptui: v0.8.0
- github.com/mitchellh/cli: v1.0.0
- github.com/mitchellh/go-testing-interface: v1.0.0
- github.com/mitchellh/gox: v0.4.0
- github.com/mitchellh/iochan: v1.0.0
- github.com/mmarkdown/mmark: v2.0.40+incompatible
- github.com/pascaldekloe/goe: 57f6aae
- github.com/pelletier/go-buffruneio: v0.2.0
- github.com/posener/complete: v1.1.1
- github.com/ryanuber/columnize: 9b3edd6
- github.com/sclevine/agouti: v3.0.0+incompatible
- github.com/sean-/seed: e2103e2
- github.com/src-d/gcfg: v1.4.0
- github.com/vdemeester/k8s-pkg-credentialprovider: v1.17.4
- github.com/willf/bitset: v1.1.11
- golang.org/dl: 82a15e2
- gopkg.in/src-d/go-billy.v4: v4.3.2
- gopkg.in/src-d/go-git-fixtures.v3: v3.5.0
- gopkg.in/src-d/go-git.v4: v4.13.1
- k8s.io/kubernetes/staging/src/k8s.io/component-helpers: 3321f00
- k8s.io/kubernetes/staging/src/k8s.io/controller-manager: 3321f00
- k8s.io/kubernetes/staging/src/k8s.io/mount-utils: 3321f00
- sigs.k8s.io/mdtoc: v1.0.1
- sigs.k8s.io/structured-merge-diff/v4: v4.0.2
Changed
Removed
- github.com/containers/libpod: v1.9.2
- github.com/etcd-io/bbolt: v1.3.3
- github.com/go-ini/ini: v1.9.0
- github.com/openshift/api: 7ab22a2
- github.com/theckman/go-flock: v0.7.1
- sigs.k8s.io/structured-merge-diff/v3: 43c19bb