• CRI-O v1.21.1
  • Downloads
  • Changelog since v1.21.0
    • Changes by Kind
      • Dependency-Change
      • Feature
      • Failing Test
      • Bug or Regression
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.21.1

The release notes have been generated for the commit range v1.21.0…f97bf4d on Fri, 16 Jul 2021 20:57:51 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.f97bf4d9b364e67ca3e97cae360ff1baa3e7b22c.tar.gz
• cri-o.arm64.f97bf4d9b364e67ca3e97cae360ff1baa3e7b22c.tar.gz

Changelog since v1.21.0

Changes by Kind

Dependency-Change

• Fix possible segfault when image is deleted by podman while CRI-O is listing images (#4932, @haircommander)

Feature

• CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for. (#5028, @dcbw)

Failing Test

• Updated static binary bundle crun version to v0.20 (#4961, @saschagrunert)

Bug or Regression

• Allow users to customize conmon’s resources if a pod is in a workload. (#4980, @haircommander)
• Fixed “layer not known” issue during image pull for corrupted layers.json files. (#5015, @saschagrunert)
• Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily (#4986, @haircommander)

Uncategorized

• Add support for absent_mount_sources_to_reject, which allows admins to configure paths that, when mounted into a container despite not existing on the host, causes a container creation request to fail. This is useful for paths like /etc/hostname, which causes trouble as a directory, but possibly shouldn’t be created as a file either (in the case of a dynamic hostname). (#4857, @openshift-cherrypick-robot)
• Add systemd After=crio.service to containers and conmon (#4816, @openshift-cherrypick-robot)
• Add the config field internal_wipe which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary crio wipe to the main crio server. This has a handful of advantages, the main one being crio is now better able to cleanup CNI resources after a reboot. (#4884, @openshift-cherrypick-robot)
• ExecSync requests now don’t use conmon, instead calling the runtime directly, which reduces overhead. (#4962, @openshift-cherrypick-robot)
• Fix a bug in internal_wipe that would mean CNI resources would be leaked across reboots. (#4928, @openshift-cherrypick-robot)
• Fix a bug where CRI-O can’t work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities (#4831, @openshift-cherrypick-robot)
• Fix a bug where CRI-O would leak opened files for namespaces on a server restore (#4795, @openshift-cherrypick-robot)
• Fix a bug where crio config would print a string for privileged_without_host_devices, not a boolean (#4829, @openshift-cherrypick-robot)
• Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process (#5002, @openshift-cherrypick-robot)
• Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot. (#4934, @openshift-cherrypick-robot)
• Fix a segfault when CRI-O has takes more than 8 minutes to create a pod or container (#4846, @openshift-cherrypick-robot)
• Fix drop ALL and add back few caps behavior to not include the default configured capabilities (#4935, @openshift-cherrypick-robot)
• Fixed bug where it was not possible to run containers using the default or no seccomp profile on seccomp disabled builds/machines (#4819, @openshift-cherrypick-robot)
• Fixed bug where runtime VM created containers never reach their completed state. (#4812, @openshift-cherrypick-robot)
• Reduce the permission on the listen socket to 0660 (#4930, @openshift-cherrypick-robot)
• Update how the resources for a workload is specified. Now, to override a workload, the pod must have the annotation $prefix/$ctr_name = {"$resource_type": "$resource_value"}. The workloads feature has also been marked as experimental, which should have happened from the beginning. (#4811, @openshift-cherrypick-robot)
• Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster (#5084, @openshift-cherrypick-robot)

Dependencies

Added

• github.com/bits-and-blooms/bitset: v1.2.0
• github.com/checkpoint-restore/go-criu/v5: v5.0.0
• github.com/frankban/quicktest: v1.11.3
• github.com/google/go-intervals: v0.0.2
• github.com/moby/locker: v1.0.1

Changed

• github.com/Microsoft/go-winio: 6eac466 → v0.5.0
• github.com/Microsoft/hcsshim: v0.8.15 → v0.8.17
• github.com/cilium/ebpf: v0.2.0 → v0.5.0
• github.com/containerd/aufs: 20793ff → v1.0.0
• github.com/containerd/btrfs: 918d888 → v1.0.0
• github.com/containerd/cgroups: 8a68de5 → v1.0.1
• github.com/containerd/console: v1.0.1 → v1.0.2
• github.com/containerd/containerd: v1.5.0-beta.4 → v1.5.1
• github.com/containerd/continuity: 50096c9 → v0.1.0
• github.com/containerd/fifo: 115abcc → v1.0.0
• github.com/containerd/go-cni: v1.0.1 → v1.0.2
• github.com/containerd/go-runc: 16b287b → v1.0.0
• github.com/containerd/imgcrypt: 7ed62a5 → v1.1.1
• github.com/containerd/nri: dbaa18c → v0.1.0
• github.com/containerd/typeurl: v1.0.1 → v1.0.2
• github.com/containerd/zfs: dde8f0f → v1.0.0
• github.com/containers/image/v5: v5.11.0 → v5.11.1
• github.com/containers/ocicrypt: v1.1.0 → v1.1.1
• github.com/containers/storage: v1.28.1 → v1.32.3
• github.com/cri-o/ocicni: 541cf7c → 4ea5fb8
• github.com/golang/snappy: 2e65f85 → v0.0.3
• github.com/json-iterator/go: v1.1.10 → v1.1.11
• github.com/klauspost/compress: v1.11.13 → v1.13.1
• github.com/mattn/go-shellwords: v1.0.11 → v1.0.12
• github.com/opencontainers/runc: v1.0.0-rc93 → a95237f
• github.com/opencontainers/selinux: v1.8.0 → v1.8.2
• github.com/pelletier/go-toml: v1.2.0 → v1.8.1
• github.com/syndtr/gocapability: 42c35b4 → d983527
• golang.org/x/crypto: 5ea612d → 0c34fe9
• golang.org/x/sys: 47abb65 → d19ff85

Removed

Nothing has changed.