• CRI-O v1.22.5
  • Downloads
  • Changelog since v1.22.4
    • Changes by Kind
      • Feature
      • Bug or Regression
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.22.5

The release notes have been generated for the commit range v1.22.4…df6ec18 on Fri, 26 May 2023 03:14:01 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.df6ec184d7791cd26180702bea53683ca7a41ec0.tar.gz
• cri-o.arm64.df6ec184d7791cd26180702bea53683ca7a41ec0.tar.gz

Changelog since v1.22.4

Changes by Kind

Feature

• CRI-O now logs the stage of container or pod creation under system load. This allows users to find why their creation requests are stalling. (#6319, @haircommander)

Bug or Regression

• Fix a bug where ExecSync requests (exec probes) could use an arbitrary amount of memory and disk. Output from ExecSync requests is now limited to 16MB (the amount that exec output was limited to in the dockershim). Disk limiting requires conmon 2.1.2 to work. See https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j and CVE-2022-1708 for more information. (#5936, @haircommander)
• Fix a bug where child processes of containers in the host’s PID namespace appear to leak after the child exits (#5986, @haircommander)
• Fixed bug to restore /var/lib/containers/storage/overlay/backingFsBlockDev on XFS file systems. (#6423, @saschagrunert)

Uncategorized

• Adds debug log to identify when a relabel was not requested (#6967, @openshift-cherrypick-robot)
• Do not wipe images when the filename is empty. (#6612, @openshift-cherrypick-robot)
• Fix CVE-2022-27652 by dropping and refusing to add any inheritable capabilities (#5996, @openshift-cherrypick-robot)
• Fix a bug where CRI-O would leak a log file if a container failed to be created and the pod hadn’t yet been cleaned up. (#5825, @openshift-cherrypick-robot)
• Fix a bug where exit files were never cleaned up from /run/crio/exits (#6235, @openshift-cherrypick-robot)
• Fix a rare deadlock while communicating to systemd (RHBZ 2082344) (#6061, @openshift-cherrypick-robot)
• Internal pod and container creation timeouts now account for changes in runtime-request-timeout in the Kubelet (#5854, @openshift-cherrypick-robot)
• Revert fix for CVE-2022-27652 by re-adding inheritable capabilities. While there is a workaround, we believe this causes regression mid cycle with is contrary to CRI-O’s backporting policy. The risk of the CVE is low, and so there is little risk in reverting here. (#6172, @openshift-cherrypick-robot)
• Use default umask 0o022 if CRI-O runs under a different umask value. (#6052, @openshift-cherrypick-robot)

Dependencies

Added

Nothing has changed.

Changed

• github.com/containers/storage: v1.34.1 → v1.34.2

Removed

Nothing has changed.