CRI-O v1.20.0
The release notes have been generated for the commit range v1.19.0…fdbdf43 on Tue, 09 Feb 2021 23:36:44 UTC.
Downloads
Download the static release bundle via our Google Cloud Bucket:
crio-fdbdf433c.tar.gz
Changelog since v1.19.0
Changes by Kind
Other
API Change
- Add allowed_annotations option to runtime handler structure, which allows admins to gate which runtime classes interpret the annotation io.kubernetes.cri-o.userns-mode. In doing so, also drop the experimental allow_userns_annotation option. (#4281, @haircommander)
Feature
- Add io.kubernetes.cri-o.Devices annotation to the list of interpretable allowed annotations. Now, users can pass in devices they want added to their containers, but only if the runtime class is allowed to use the annotation. (#4349, @haircommander)
- Add option seccomp_override_empty to override an unspecified seccomp profile from being unconfined to being the runtime default. Note: setting this option makes CRI-O not fully CRI compliant, but does increase security. (#4212, @haircommander)
- Allow using userns together with ManageNSLifecycle (#4333, @kolyshkin)
- Bump containers image to v5.10.1 (#4531, @QiWang19)
- Provide a new configuration flag to specify CPUs that will be used to run infra containers (#4469, @haircommander)
- Support enabling pprof profile over CRI-O’s unix socket (#4520, @mrunalp)
Design
- When running under systemd, image pulls happen in a new cgroup (#4057, @giuseppe)
Documentation
- The manage_ns_lifecycle option is now deprecated, and will be set to true unconditionally in the future. (#4209, @haircommander)
Bug or Regression
- CRI-O now allows running pods with the default runtime profile in the Pod.Spec if seccomp is disabled (#4370, @aojea)
- CRI-O portMapping dual-stack support (#4361, @aojea)
- Fix a bug where a timeout in RunPodSandbox or CreateContainer requests caused CRI-O to delete the newly created resource. Now, it saves that resource, until the kubelet re-requests it, thus allowing kubelet and CRI-O to reconcile quicker when nodes are under load. (#4430, @haircommander)
- Fix bug where runAsUser would only work with runAsGroup if userns annotations were specified (#4300, @haircommander)
- Fix bug where we attempted to chown with the mappings configured on server level, when they could have been from annotations (#4294, @haircommander)
- Fix making /etc/resolv.conf bind-mount to be readonly for a readonly container. (#4268, @kolyshkin)
- Fix occasional “chown: interrupted system call” error on container creation. (#4334, @kolyshkin)
- Fixed a bug that could cause CRI-O to segfault when a node is under heavy load (#4535, @haircommander)
- Fixed bug that all custom sandbox annotations will be passed to OCI hooks and therefore are also available on the containers (#4138, @saschagrunert)
- Provide an option to run performance hooks via specifying allowed_annotations under the runtime handler configuration
  [DEPRECATION] Running performance hooks for the high-performance runtime handler without specifying allowed_annotations will be deprecated in release 1.21
  [DEPRECATION] Usage of the performance annotation with the true value will be deprecated in release 1.21; the disable value should be used instead (#4389, @cynepco3hahue)
Other (Cleanup or Flake)
- Changed the output of the printed seccomp profile to JSON instead of the struct. The profile will be only printed on CRI-O startup and if the --log-level/log_level is set to trace. (#4158, @saschagrunert)
- Fixed a bug where a container creation failure caused that container to leak in the runtime (#4198, @haircommander)
- Log the container stop timeout at default log level (#4554, @mrunalp)
Uncategorized
- Fix a bug where containers didn’t have a finished time set when using the “vm” style runtimes. (#4496, @openshift-cherrypick-robot)
- Fix a goroutine leak when checking image pulling progress (#4413, @openshift-cherrypick-robot)
- Fixed a bug where image authentication failed from not finding the auth file. (#4462, @QiWang19)
- Moves shm size to a handler-allowed annotation (#4417, @openshift-cherrypick-robot)
- Revert systemd KillMode to control-group (default) (#4547, @mrunalp)
- Set conmon scope KillSignal to SIGPIPE (#4546, @mrunalp)
- Set systemd KillMode to mixed for container scopes modifying behavior on node shutdown (#4539, @mrunalp)
- The registries option from crio.conf(5) has been deprecated in favour of using containers-registries.conf(5) for configuring unqualified-search registries. The registries option will be removed from CRI-O 1.21. (#4477, @vrothberg)
- Update broken link for podman tutorial (#4179, @lovebaby979)
- Update broken link for tutorials (#4180, @lovebaby979)
- Update nix pin with make nixpkgs (#4347, @hswong3i)
Dependencies
Added
- bazil.org/fuse: 371fbbd
- cloud.google.com/go/firestore: v1.1.0
- cloud.google.com/go/logging: v1.1.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/armon/go-metrics: f0300d1
- github.com/armon/go-radix: 7fddfc3
- github.com/bketelsen/crypt: 5cbc8cc
- github.com/cenkalti/backoff/v4: v4.1.0
- github.com/containers/libpod/v2: v2.0.6
- github.com/docker/cli: a8ff7f8
- github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
- github.com/fvbommel/sortorder: v1.0.1
- github.com/go-gl/glfw: e6da0ac
- github.com/gomarkdown/markdown: 8c8b381
- github.com/google/go-containerregistry: v0.1.3
- github.com/google/martian/v3: v3.1.0
- github.com/hashicorp/consul/api: v1.1.0
- github.com/hashicorp/consul/sdk: v0.1.1
- github.com/hashicorp/go-cleanhttp: v0.5.1
- github.com/hashicorp/go-immutable-radix: v1.0.0
- github.com/hashicorp/go-msgpack: v0.5.3
- github.com/hashicorp/go-rootcerts: v1.0.0
- github.com/hashicorp/go-sockaddr: v1.0.0
- github.com/hashicorp/go-uuid: v1.0.1
- github.com/hashicorp/go.net: v0.0.1
- github.com/hashicorp/logutils: v1.0.0
- github.com/hashicorp/mdns: v1.0.0
- github.com/hashicorp/memberlist: v0.1.3
- github.com/hashicorp/serf: v0.8.2
- github.com/jmespath/go-jmespath/internal/testify: v1.5.1
- github.com/juju/ansiterm: 720a095
- github.com/lunixbochs/vtclean: 2d01aac
- github.com/manifoldco/promptui: v0.8.0
- github.com/mitchellh/cli: v1.0.0
- github.com/mitchellh/go-testing-interface: v1.0.0
- github.com/mitchellh/gox: v0.4.0
- github.com/mitchellh/iochan: v1.0.0
- github.com/mmarkdown/mmark: v2.0.40+incompatible
- github.com/pascaldekloe/goe: 57f6aae
- github.com/pelletier/go-buffruneio: v0.2.0
- github.com/posener/complete: v1.1.1
- github.com/ryanuber/columnize: 9b3edd6
- github.com/sclevine/agouti: v3.0.0+incompatible
- github.com/sean-/seed: e2103e2
- github.com/src-d/gcfg: v1.4.0
- github.com/vdemeester/k8s-pkg-credentialprovider: v1.17.4
- github.com/willf/bitset: v1.1.11
- golang.org/dl: 82a15e2
- gopkg.in/src-d/go-billy.v4: v4.3.2
- gopkg.in/src-d/go-git-fixtures.v3: v3.5.0
- gopkg.in/src-d/go-git.v4: v4.13.1
- k8s.io/kubernetes/staging/src/k8s.io/component-helpers: 3321f00
- k8s.io/kubernetes/staging/src/k8s.io/controller-manager: 3321f00
- k8s.io/kubernetes/staging/src/k8s.io/mount-utils: 3321f00
- sigs.k8s.io/mdtoc: v1.0.1
- sigs.k8s.io/structured-merge-diff/v4: v4.0.2
Changed
Removed
- github.com/containers/libpod: v1.9.2
- github.com/etcd-io/bbolt: v1.3.3
- github.com/go-ini/ini: v1.9.0
- github.com/openshift/api: 7ab22a2
- github.com/theckman/go-flock: v0.7.1
- sigs.k8s.io/structured-merge-diff/v3: 43c19bb