CRI-O v1.22.0
The release notes have been generated for the commit range
v1.21.0…d745cab on Thu, 14 Oct 2021 07:37:09 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
Changelog since v1.21.0
Changes by Kind
Deprecation
- The internal_wipe option is now true by default. Further, it is being deprecated, and will be unconditionally true in the future. (#5218, @haircommander)
API Change
- Update how the resources for a workload are specified. Now, to override a workload, the pod must have the annotation `$prefix/$ctr_name = {"$resource_type": "$resource_value"}`. The workloads feature has also been marked as experimental, which should have happened from the beginning. (#4787, @haircommander)
Feature
- Add support for the `io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel` annotation, which tells CRI-O to skip relabeling volumes if the top level is already correctly labeled. Skip SELinux volume relabeling for super privileged containers (`securityContext.seLinuxOptions.type = "spc_t"`). (#5403, @haircommander)
- Added the `--metrics-collectors` / `metrics_collectors` configuration to enable or disable certain metrics. All metrics collectors are enabled by default. (#5061, @saschagrunert)
- Added the `crio_image_pulls_layer_size` histogram metric to get insights about all pulled layer sizes. (#5059, @saschagrunert)
- Added build tags as well as AppArmor and seccomp status to the `crio version` output. (#5135, @saschagrunert)
- Added generation of self-signed certificates for the secure metrics endpoint if the provided cert and key paths are not available on disk. (#5012, @saschagrunert)
- Added secure metrics endpoint configuration options (#4805, @saschagrunert)
- Added structural logging of container ID, sandbox ID and process ID on container start. (#5134, @saschagrunert)
- Automatically reload metrics TLS certificate and key if any of those specified files change. (#4927, @saschagrunert)
- CNI plugins are now passed a K8S_POD_UID environment variable containing the pod UID this sandbox was started for. (#5026, @dcbw)
- Changed the logging behavior so that klog messages are included in the CRI-O logs. The klog info verbosity is converted to CRI-O debug to lower the log verbosity. (#4973, @saschagrunert)
- CRI-O no longer limits the DNS search paths. (#5199, @gjkim42)
- Enable the “volatile” option for the overlay drivers when it is supported by the underlying kernel. (#4885, @giuseppe)
- Rootless: enable resource limit when cgroup v2 controllers are delegated. (#4528, @AkihiroSuda)
- Support the `io.kubernetes.cri.blockio-class` container annotation for specifying the blockio class. Support the `blockio.resources.beta.kubernetes.io/pod` pod annotation for specifying the default blockio class for all containers in the pod. Support the `blockio.resources.beta.kubernetes.io/container.NAME` pod annotation for specifying the blockio class of the container NAME in the pod. Add the `blockio_config_file` config file option (and the corresponding `--blockio-config-file` command line flag) for configuring blockio classes and their cgroup blockio controller parameters. (#4873, @askervin)
- Support the `io.kubernetes.cri.rdt-class` container annotation for specifying the RDT class. Add the `rdt_config_file` config file option (and the corresponding `--rdt-config-file` command line flag) for configuring the resctrl pseudo-filesystem. (#4830, @marquiz)
- The config field `drop_infra_ctr` is now true by default (#5113, @haircommander)
- The `runtime_config_path` option, which allows specifying the path of the runtime configuration file, is now supported by CRI-O. This is specific to the VM runtime type. (#5035, @fidencio)
- Validate certificate dates for TLS metrics endpoint (#4990, @saschagrunert)
Bug or Regression
- Add support for `absent_mount_sources_to_reject`, which allows admins to configure paths that, when mounted into a container despite not existing on the host, cause the container creation request to fail. This is useful for paths like /etc/hostname, which causes trouble as a directory but possibly shouldn't be created as a file either (in the case of a dynamic hostname). (#4844, @haircommander)
- Add an /etc/mtab symlink pointing to /proc/mounts in containers (#5051, @QiWang19)
- Add the config field `internal_wipe`, which moves the responsibility of wiping containers after a reboot and images after an upgrade from the external binary `crio wipe` to the main crio server. This has a handful of advantages, the main one being that crio is now better able to clean up CNI resources after a reboot. (#4767, @haircommander)
- Allow users to customize conmon’s resources if a pod is in a workload. (#4907, @haircommander)
- CRI-O now logs when it is using cgroupv2 (#5183, @haircommander)
- Fix a bug in `internal_wipe` that would mean CNI resources would be leaked across reboots. (#4900, @haircommander)
- Fix a bug where CRI-O can’t work with runc 1.0.0-rc93 because of an incorrectly specified list of capabilities (#4828, @haircommander)
- Fix a bug where CRI-O would leak opened files for namespaces on a server restore (#4758, @haircommander)
- Fix a bug where `crio config` would print a string for `privileged_without_host_devices`, not a boolean (#4827, @haircommander)
- Fix a bug where a container exec process received a little less time than the timeout provided (#5067, @haircommander)
- Fix a bug where an exec sync timeout would fail to cleanup the runtime exec process (#4999, @haircommander)
- Fix a bug where cAdvisor couldn’t read the disk usage of a pod with a dropped infra container (#5145, @haircommander)
- Fix a bug where duplicate requests would stall even if the pod or container was already created (#5052, @haircommander)
- Fix a bug where server startup was significantly slowed down by attempting to clean up CNI resources after a reboot. (#4929, @haircommander)
- Fix a performance regression with exec probes (#5136, @haircommander)
- Fix a segfault when CRI-O takes more than 8 minutes to create a pod or container (#4834, @haircommander)
- Fix an RSS regression with exec sync requests (#5245, @haircommander)
- Fix an issue where a container started with a terminal fails on exec sync calls (#5107, @haircommander)
- Fix the "drop ALL and add back a few caps" behavior to not include the default configured capabilities (#4923, @mrunalp)
- Fix potential panic when reopening a container’s log (#5212, @haircommander)
- Fixed a bug where it was not possible to run containers using the default or no seccomp profile on seccomp-disabled builds/machines (#4789, @saschagrunert)
- Fixed a bug where containers created by a VM runtime never reach their `completed` state. (#4803, @saschagrunert)
- Fixed linkmode detection for `crio version` on `en_US` systems (#5168, @saschagrunert)
- Fixed a runtime panic for the layers lockfile if its parent directory does not exist. Added support for repositories in auth.json (#5076, @saschagrunert)
- Re-attempt setting up conmon’s cgroup if it fails on EAGAIN from dbus (#4921, @haircommander)
- Reduce the permission on the listen socket to 0660 (#4886, @haircommander)
- Reuse connection when connecting to dbus, as well as reattempt the connection if it fails temporarily (#4974, @haircommander)
- The `privileged_without_host_devices` flag can now be given an additional parameter to configure a runtime (#5054, @littlejawa)
- Wait for CNI plugins to be ready before starting non-host-network pods, to allow pods that may run CNI plugins to start faster (#5046, @haircommander)
Uncategorized
- Add Particule as an adopter (#4994, @ArchiFleKs)
- Add `--device-ownership-from-security-context`, which allows an admin to specify that devices be configured to be owned by the container user and group, rather than unconditionally by root. (#4620, @mythi)
- Added `internal/process/defunct_processes.go` and the `crio_processes_defunct` metric to collect the total number of defunct/zombie processes in a node. (#5082, @raisaat)
- Do not log on startup if Intel RDT is not supported. (#5298, @openshift-cherrypick-robot)
- Fix a PID leak in situations where conmon fails to be moved into the pod cgroup (#5295, @openshift-cherrypick-robot)
- Fix a bug where CRI-O waits forever on a conmon process that will not stop (#5309, @openshift-cherrypick-robot)
- Fix a bug where `inspectp` verbose output was incomplete for pods with a dropped infra container (#5315, @openshift-cherrypick-robot)
- Fix a bug where host network containers couldn’t read their cgroup hierarchy (#5365, @openshift-cherrypick-robot)
- Fixed missing quantile values in the `container_runtime_crio_operations_latency_microseconds_total` metrics (#5259, @openshift-cherrypick-robot)
- Raise a warning when creating a bind mount on the container root (#4853, @giuseppe)
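The security-relevant options introduced in this release (mount-source rejection, device ownership from the security context, the dropped infra container, internal wipe, and the TLS metrics endpoint) gathered into one crio.conf fragment. This is an added example, not text from the release or the project's own sample config; the section placement follows the upstream crio.conf layout as I understand it and is an assumption, and the paths and values are constructed.

```toml
# Added example, not part of the release notes. Section placement is an
# assumption based on the upstream crio.conf layout; values are constructed.

[crio]
# Wipe containers after a reboot and images after an upgrade from the main
# crio process instead of the external "crio wipe" binary. True by default
# in v1.22.0 and deprecated as an option, so leaving it explicit only
# documents intent.
internal_wipe = true

[crio.runtime]
# Do not create an infra (pause) container when it is not needed
# (true by default in v1.22.0).
drop_infra_ctr = true

# Fail the container creation request instead of letting a missing host
# path be created as a file or directory under the mount source.
absent_mount_sources_to_reject = [
  "/etc/hostname",
]

# Own injected devices by the container's runAsUser/runAsGroup instead of
# unconditionally by root.
device_ownership_from_security_context = true

[crio.metrics]
enable_metrics = true
metrics_port = 9090
# Serve metrics over TLS. CRI-O generates self-signed files at these paths
# if they do not exist, reloads them when they change, and validates the
# certificate dates at startup.
metrics_cert = "/etc/crio/metrics/server.crt"
metrics_key = "/etc/crio/metrics/server.key"
```

After editing, `crio config` prints the effective configuration, which is the quickest way to confirm the new fields were picked up.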
Dependencies
Added
- github.com/andybalholm/brotli: v1.0.0
- github.com/antihax/optional: v1.0.0
- github.com/benbjohnson/clock: v1.0.3
- github.com/bits-and-blooms/bitset: v1.2.0
- github.com/carolynvs/magex: v0.6.0
- github.com/certifi/gocertifi: 2c3bb06
- github.com/checkpoint-restore/go-criu/v5: v5.1.0
- github.com/cheggaaa/pb/v3: v3.0.5
- github.com/cncf/udpa/go: 5459f2c
- github.com/cncf/xds/go: fbca930
- github.com/cockroachdb/errors: v1.2.4
- github.com/cockroachdb/logtags: eb05cc2
- github.com/container-orchestrated-devices/container-device-interface: f99e8b6
- github.com/containerd/cri-containerd: v1.19.0
- github.com/coredns/caddy: v1.1.0
- github.com/coreos/stream-metadata-go: 70edb9e
- github.com/danieljoos/wincred: v1.1.0
- github.com/digitalocean/go-libvirt: e2a69bc
- github.com/digitalocean/go-qemu: 152a153
- github.com/disiqueira/gotree/v3: v3.0.2
- github.com/dsnet/compress: v0.0.1
- github.com/dsnet/golib: 1ea1667
- github.com/felixge/httpsnoop: v1.0.1
- github.com/frankban/quicktest: v1.11.3
- github.com/getsentry/raven-go: v0.2.0
- github.com/go-kit/log: v0.1.0
- github.com/go-task/slim-sprig: 348f09d
- github.com/gofrs/uuid: v4.0.0+incompatible
- github.com/google/go-intervals: v0.0.2
- github.com/google/licenseclassifier/v2: v2.0.0-alpha.1
- github.com/hashicorp/go-hclog: v0.9.2
- github.com/hashicorp/go-retryablehttp: v0.6.4
- github.com/intel/goresctrl: v0.1.0
- github.com/jinzhu/copier: v0.3.2
- github.com/josharian/intern: v1.0.0
- github.com/kr/fs: v0.1.0
- github.com/mholt/archiver/v3: v3.5.0
- github.com/moby/locker: v1.0.1
- github.com/nwaples/rardecode: v1.1.0
- github.com/pierrec/lz4/v4: v4.0.3
- github.com/pkg/sftp: v1.10.1
- github.com/robfig/cron/v3: v3.0.1
- github.com/songgao/water: 2b4b6d7
- github.com/spiegel-im-spiegel/errs: v1.0.2
- github.com/spiegel-im-spiegel/go-cvss: v0.4.0
- github.com/stoewer/go-strcase: v1.2.0
- github.com/vbauerster/mpb/v7: v7.0.3
- github.com/xanzy/go-gitlab: v0.43.0
- github.com/xi2/xz: 48954b6
- go.etcd.io/etcd/api/v3: v3.5.0
- go.etcd.io/etcd/client/pkg/v3: v3.5.0
- go.etcd.io/etcd/client/v2: v2.305.0
- go.etcd.io/etcd/client/v3: v3.5.0
- go.etcd.io/etcd/pkg/v3: v3.5.0
- go.etcd.io/etcd/raft/v3: v3.5.0
- go.etcd.io/etcd/server/v3: v3.5.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.20.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.20.0
- go.opentelemetry.io/contrib: v0.20.0
- go.opentelemetry.io/otel/exporters/otlp: v0.20.0
- go.opentelemetry.io/otel/metric: v0.20.0
- go.opentelemetry.io/otel/oteltest: v0.20.0
- go.opentelemetry.io/otel/sdk/export/metric: v0.20.0
- go.opentelemetry.io/otel/sdk/metric: v0.20.0
- go.opentelemetry.io/otel/sdk: v0.20.0
- go.opentelemetry.io/otel/trace: v0.20.0
- go.opentelemetry.io/otel: v0.20.0
- go.opentelemetry.io/proto/otlp: v0.7.0
- go.uber.org/goleak: v1.1.10
- k8s.io/kubernetes/staging/src/k8s.io/pod-security-admission: c2b5237
- sigs.k8s.io/release-utils: v0.3.0
- sigs.k8s.io/zeitgeist: v0.3.0
Removed
- github.com/Knetic/govaluate: 9aa4983
- github.com/Shopify/sarama: v1.19.0
- github.com/Shopify/toxiproxy: v2.1.4+incompatible
- github.com/VividCortex/gohistogram: v1.0.0
- github.com/afex/hystrix-go: fa1af6a
- github.com/agnivade/levenshtein: v1.0.1
- github.com/andreyvit/diff: c7f18ee
- github.com/apache/thrift: v0.13.0
- github.com/aryann/difflib: e206f87
- github.com/aws/aws-lambda-go: v1.13.3
- github.com/aws/aws-sdk-go-v2: v0.18.0
- github.com/bazelbuild/rules_go: v0.22.1
- github.com/bifurcation/mint: 93c51c6
- github.com/bombsimon/wsl/v2: v2.0.0
- github.com/caddyserver/caddy: v1.0.3
- github.com/casbin/casbin/v2: v2.1.2
- github.com/cenkalti/backoff: v2.2.1+incompatible
- github.com/checkpoint-restore/go-criu: bdb7599
- github.com/cheekybits/genny: 9127e81
- github.com/clbanning/x2j: 8252494
- github.com/codahale/hdrhistogram: 3a0bb77
- github.com/eapache/go-resiliency: v1.1.0
- github.com/eapache/go-xerial-snappy: 776d571
- github.com/eapache/queue: v1.1.0
- github.com/edsrzf/mmap-go: v1.0.0
- github.com/franela/goblin: c9ffbef
- github.com/franela/goreq: bcd34c9
- github.com/globalsign/mgo: eeefdec
- github.com/go-acme/lego: v2.5.0+incompatible
- github.com/go-bindata/go-bindata: v3.1.1+incompatible
- github.com/go-openapi/analysis: v0.19.5
- github.com/go-openapi/errors: v0.19.2
- github.com/go-openapi/loads: v0.19.4
- github.com/go-openapi/runtime: v0.19.4
- github.com/go-openapi/spec: v0.19.5
- github.com/go-openapi/strfmt: v0.19.5
- github.com/go-openapi/validate: v0.19.8
- github.com/gobuffalo/here: v0.6.0
- github.com/google/go-github/v29: v29.0.3
- github.com/gorilla/context: v1.1.1
- github.com/hashicorp/go-version: v1.2.0
- github.com/hudl/fargo: v1.3.0
- github.com/influxdata/influxdb1-client: 8bf82d3
- github.com/jamescun/tuntap: cb1fb27
- github.com/jimstudt/http-authentication: 3eca13d
- github.com/kylelemons/godebug: d65d576
- github.com/lightstep/lightstep-tracer-common/golang/gogo: bc2310a
- github.com/lightstep/lightstep-tracer-go: v0.18.1
- github.com/lucas-clemente/aes12: cd47fb3
- github.com/lucas-clemente/quic-clients: v0.1.0
- github.com/lucas-clemente/quic-go-certificates: d2f8652
- github.com/lucas-clemente/quic-go: v0.10.2
- github.com/markbates/pkger: v0.17.1
- github.com/marten-seemann/qtls: v0.2.3
- github.com/mholt/certmagic: 6a42ef9
- github.com/naoina/go-stringutil: v0.1.0
- github.com/naoina/toml: v0.1.1
- github.com/nats-io/jwt: v0.3.2
- github.com/nats-io/nats-server/v2: v2.1.2
- github.com/nats-io/nats.go: v1.9.1
- github.com/nats-io/nkeys: v0.1.3
- github.com/nats-io/nuid: v1.0.1
- github.com/oklog/oklog: v0.3.2
- github.com/oklog/run: v1.0.0
- github.com/op/go-logging: 970db52
- github.com/opentracing-contrib/go-observer: a52f234
- github.com/opentracing/basictracer-go: v1.0.0
- github.com/openzipkin-contrib/zipkin-go-opentracing: v0.4.5
- github.com/openzipkin/zipkin-go: v0.2.2
- github.com/pact-foundation/pact-go: v1.0.4
- github.com/performancecopilot/speed: v3.0.0+incompatible
- github.com/pierrec/lz4: v2.0.5+incompatible
- github.com/pkg/profile: v1.2.1
- github.com/rcrowley/go-metrics: 3113b84
- github.com/robfig/cron: v1.1.0
- github.com/samuel/go-zookeeper: 2cc03de
- github.com/sony/gobreaker: v0.4.1
- github.com/streadway/amqp: edfb901
- github.com/streadway/handy: d5acb31
- github.com/thecodeteam/goscaleio: v0.1.0
- github.com/tidwall/pretty: v1.0.0
- github.com/vektah/gqlparser: v1.1.2
- github.com/xlab/handysort: fb3537e
- go.etcd.io/etcd: dd1b699
- go.mongodb.org/mongo-driver: v1.1.2
- go.uber.org/tools: 2cfd321
- gopkg.in/cheggaaa/pb.v1: v1.0.25
- gopkg.in/mcuadros/go-syslog.v2: v2.2.1
- k8s.io/heapster: v1.2.0-beta.1
- sourcegraph.com/sourcegraph/appdash: ebfcffb
- vbom.ml/util: efcd4e0