CRI-O v1.23.0

CRI-O v1.23.0

The release notes have been generated for the commit range v1.22.0…3be57f5 on Thu, 24 Feb 2022 19:06:51 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

Changelog since v1.22.0

Changes by Kind

Dependency-Change

Bumps pause image to 3.6 (#5310, @wgahnagl)

Other

Added annotation ‘io.kubernetes.cri-o.cgroup2-rw(=”true”)’ that mounts /sys/fs/cgroup as writable fs when using cgroups v2 (#5277, @ajwock)
Introduce the following metrics: crio_operations_total, crio_operations_latency_seconds_total, crio_operations_latency_seconds, crio_operations_errors_total, crio_image_pulls_bytes_total, crio_image_pulls_skipped_bytes_total, crio_image_pulls_success_total, crio_image_pulls_failure_total, crio_image_layer_reuse_total, crio_containers_oom_count_total while marking metric names that do not follow prometheus best practices as Deprecated in Prometheus metric help text. (#5487, @swghosh)

API Change

Drop support for v1alpha2 Container Runtime Interface (CRI) and require v1. (#5471, @saschagrunert)

Feature

Add allowed_devices field to config, allowing admins to specify which devices are allowed to be specified in the “io.kubernetes.cri-o.Devices” allowed_annotation. The default for this config field is [/dev/fuse] (#5551, @haircommander)
Add a [crio.stats] table to the config for configuring all things stats-related. Add ability (with config field StatsCollectionPeriod) to calculate and save stats for pods and containers, rather than return them on demand. Add support for {,List}PodSandboxStats, which allows the kubelet to take advantage of the PodAndContainerStatsFromCRI feature gate–one that is set to be alpha in 1.23. (#5427, @haircommander)
Add functionality to use taskset to spawn new commands cri-o runs. Now, if InfraCtrCPUSet is called, all newly spawned commands will be placed in the InfraCtrCPUSet (as it’s expected to be set to the reserved CPU set that system commands should run on). (#5514, @haircommander)
Add support for “io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel” annotation, which tells CRI-O to skip relabeling volumes if the top level is already correctly labeled (#5373, @haircommander)
Add support for CNI plugins v1.0.1 (#5380, @saschagrunert)
Add support for TARGET namespace mode, which enables support for ephemeral containers. (#5440, @haircommander)
Add support for minimum_mappable_{u,g}id which relaxes the requirement on sc.RunAs{User,Group}. If set, the RunAs{User,Group} value and any explicitly-mapped host IDs are only required to be at or above the configured values. (#5462, @nalind)
Add support for swap CRI field, allowing a container’s memory swap limit to be configured by the Kubelet. Add support for unified CRI field, allowing a container’s cgroupv2 specific files to be configured by the Kubelet (#5207, @haircommander)
Added --profile-cpu and --profile-mem CLI flags to write pprof profiles to a file when CRI-O exists. (#5268, @saschagrunert)
Adds support for allowed_annotations for workloads. The field functions the same as allowed_annotations in runtime handlers, and is meant to replace the runtime handler variant. Deprecate allowed_annotations in runtime handlers. (#5358, @haircommander)
Containers now have a /run/.containerenv file to help applications identify that they are running inside a container. (#5463, @pjbgf)
Now, if infra_ctr_cpuset is configured, conmon is put in the same cpuset (#5414, @haircommander)
Skip SELinux volume relabeling for super privileged containers (securityContext.seLinuxOptions.type = "spc_t"). (#5386, @saschagrunert)
The option to export OpenTelemetry trace data has been added. This is experimental and not enabled by default. To enable tracing, configure the tracing section of the crio configuration file. (#4883, @sallyom)

Documentation

Fixed crio_image_pulls_layer_size_ metric name in tutorials/metrics.md (#5278, @saschagrunert)
Improve runtime handler documentation to mention “runtime handler” in favor of the internal “runtime_handler” variable. (#5395, @saschagrunert)
Improved some error messages related to user namespaces. (#5494, @frasertweedale)

Bug or Regression

Allow for both runtime class and workload level allowed annotations. Now, if a container or pod has both specified, the list will be merged. (#5465, @haircommander)
Chown the stdin pipe to the user running in the container, so accessing /dev/stdin from an exec session works with crun (#5391, @giuseppe)
Conmon now always writes its logs to syslog, instead of only when the cgroup manager is cgroupfs (#3773, @haircommander)
Fix a PID leak in situations where conmon fails to be moved into the pod cgroup (#5283, @haircommander)
Fix a bug where CRI-O waits forever on a conmon process that will not stop (#5306, @haircommander)
Fix a bug where CRI-O would never shutdown if the networking plugin wasn’t configured correctly (#5284, @haircommander)
Fix a bug where inspectp verbose output was incomplete for pods with a dropped infra container (#5313, @haircommander)
Fix a bug where a pod given a host IPC or network namespace could configure sysctls on the host (#5610, @haircommander)
Fix a bug where host network containers couldn’t read their cgroup hierarchy (#5244, @haircommander)
Fix a bug where invalid default_sysctls could be specified, leading to an error like “Failed to configure sysctls after unshare: No such file or directory” (#5673, @haircommander)
Fix a bug where memory swap values were specified even if the memory swap cgroup is not enabled (#5539, @haircommander)
Fix a bug where situations of excessive load on nodes causes containers to never actually start (#5590, @haircommander)
Fix a potential crash caused by a log message NULL-pointer dereference. (#5579, @klihub)
Fix an RSS regression with exec sync requests (#5245, @haircommander)
Fix an issue where protobuf panics when serializing ListContainer and ListPodSandbox calls (#5606, @haircommander)
Fix bug where ip a reports Error: Peer netns reference is invalid (#5529, @haircommander)
Fix crypto-profile bind within RHEL based containers. (#5555, @rphillips)
Fix vm containers couldn’t restore after cri-o restart (#5574, @gozssky)
Fix zsh completion generation. (#5586, @klihub)
Fixed contrib/metrics-exporter/cluster.yaml for kubectl create. (#5286, @saschagrunert)
Fixed missing quantile values in container_runtime_crio_operations_latency_microseconds_total metrics (#5258, @saschagrunert)
Fixed possible runtime panic on pod sandbox stats retrieval. (#5588, @saschagrunert)
Fixed superfluous response.WriteHeader error in HTTP endpoint (#5405, @saschagrunert)
Forbid AppArmor profiles with the name localhost/. (#5655, @saschagrunert)
Merge storage_option from drop-in files to sttorage_option from storage.conf (#5423, @QiWang19)
Move namespace cleanup from sandbox stop to sandbox remove. This allows veth entries in the network namespaces of pods to be cleaned up earlier (#5336, @haircommander)

Other (Cleanup or Flake)

Do not log on startup if Intel RDT is not supported. (#5293, @saschagrunert)

Uncategorized

Allow CRI-O to parse > SIGRTMIN signals (#5366, @haircommander)
Changes default config output to comment default values instead of omitting them (#5007, @wgahnagl)
Fix a case where conmon children are sometimes leaked (#5500, @haircommander)
Inherits storage configs from storage.conf if crio config does not set. (#5520, @QiWang19)
Specify runtime table format in the error message (#5452, @QiWang19)
Update go to 1.17 in go.mod (#5577, @QiWang19)

Dependencies

Added

github.com/antlr/antlr4/runtime/Go/antlr: b48c857
github.com/dtylman/scp: f3000a3
github.com/getkin/kin-openapi: v0.76.0
github.com/go-logr/stdr: v1.2.0
github.com/go-logr/zapr: v1.2.0
github.com/google/cel-go: v0.9.0
github.com/google/cel-spec: v0.6.0
github.com/sclevine/agouti: v3.0.0+incompatible
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.2.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.2.0
sigs.k8s.io/json: c049b76

Changed

github.com/GoogleCloudPlatform/k8s-cloud-provider: 7901bc8 → ea6160c
github.com/Microsoft/go-winio: v0.5.0 → v0.5.1
github.com/Microsoft/hcsshim: v0.8.20 → v0.8.23
github.com/alexflint/go-filemutex: 72bdc8e → v1.1.0
github.com/benbjohnson/clock: v1.0.3 → v1.1.0
github.com/buger/jsonparser: f4dd9f5 → v1.1.1
github.com/cenkalti/backoff/v4: v4.1.0 → v4.1.1
github.com/cespare/xxhash/v2: v2.1.1 → v2.1.2
github.com/checkpoint-restore/checkpointctl: a2024f5 → c31748b
github.com/cncf/udpa/go: 5459f2c → 04548b0
github.com/cncf/xds/go: fbca930 → cb28da3
github.com/containerd/cgroups: v1.0.1 → v1.0.2
github.com/containerd/containerd: v1.5.5 → v1.5.8
github.com/containerd/stargz-snapshotter/estargz: 2b97b58 → v0.9.0
github.com/containerd/ttrpc: v1.0.2 → v1.1.0
github.com/containernetworking/cni: v0.8.1 → v1.0.1
github.com/containernetworking/plugins: v0.9.1 → v1.0.1
github.com/containers/buildah: v1.22.3 → v1.23.1
github.com/containers/common: v0.43.2 → 161e078
github.com/containers/image/v5: v5.15.2 → v5.17.0
github.com/containers/podman/v3: v3.3.0 → 8bcc086
github.com/containers/psgo: v1.5.2 → v1.7.1
github.com/containers/storage: v1.34.1 → v1.37.0
github.com/coredns/corefile-migration: v1.0.12 → v1.0.14
github.com/coreos/go-iptables: v0.5.0 → v0.6.0
github.com/creack/pty: v1.1.15 → v1.1.17
github.com/cri-o/ocicni: 4ea5fb8 → b388448
github.com/docker/docker: v20.10.8+incompatible → v20.10.11+incompatible
github.com/envoyproxy/go-control-plane: 63b5d3c → cf90f65
github.com/evanphx/json-patch: v4.11.0+incompatible → v4.12.0+incompatible
github.com/fsnotify/fsnotify: v1.4.9 → v1.5.1
github.com/fsouza/go-dockerclient: v1.7.3 → v1.7.4
github.com/go-logr/logr: v0.4.0 → v1.2.1
github.com/godbus/dbus/v5: v5.0.4 → v5.0.6
github.com/golang/glog: 23def4e → v1.0.0
github.com/google/cadvisor: v0.39.2 → v0.43.0
github.com/intel/goresctrl: v0.1.0 → v0.2.0
github.com/j-keck/arping: 2cf9dc6 → v1.0.2
github.com/json-iterator/go: v1.1.11 → v1.1.12
github.com/klauspost/compress: v1.13.4 → v1.13.6
github.com/manifoldco/promptui: v0.8.0 → v0.9.0
github.com/mattn/go-isatty: v0.0.12 → v0.0.14
github.com/mitchellh/mapstructure: v1.4.1 → v1.4.2
github.com/moby/term: 9d4ed18 → 3f7ff69
github.com/modern-go/reflect2: v1.0.1 → v1.0.2
github.com/onsi/ginkgo: v1.16.4 → v1.16.5
github.com/onsi/gomega: v1.16.0 → v1.17.0
github.com/opencontainers/image-spec: 083f635 → 5ad6f50
github.com/opencontainers/runc: v1.0.2 → v1.0.3
github.com/opencontainers/selinux: v1.8.4 → v1.9.1
github.com/prometheus/common: v0.29.0 → v0.30.0
github.com/prometheus/procfs: v0.6.0 → v0.7.3
github.com/rootless-containers/rootlesskit: v0.14.4 → v0.14.5
github.com/safchain/ethtool: 42ed695 → 9aa261d
github.com/urfave/cli: v1.22.2 → v1.22.4
github.com/vbatts/tar-split: v0.11.1 → v0.11.2
github.com/vbauerster/mpb/v7: v7.0.3 → v7.1.5
github.com/vishvananda/netlink: d40f988 → e1a867c
github.com/vishvananda/netns: db3c7e5 → 2eb08e3
github.com/yuin/goldmark: v1.3.5 → v1.4.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.20.0 → v0.28.0
go.opentelemetry.io/otel/sdk: v0.20.0 → v1.2.0
go.opentelemetry.io/otel/trace: v0.20.0 → v1.3.0
go.opentelemetry.io/otel: v0.20.0 → v1.3.0
go.opentelemetry.io/proto/otlp: v0.7.0 → v0.10.0
go.uber.org/zap: v1.17.0 → v1.19.0
golang.org/x/crypto: 0c34fe9 → 32db794
golang.org/x/net: abc4532 → d4b1ae0
golang.org/x/oauth2: f6687ab → 2bc19b1
golang.org/x/sys: 0f9fa26 → 2c5d950
golang.org/x/text: v0.3.6 → v0.3.7
golang.org/x/tools: v0.1.2 → d4cc65f
google.golang.org/api: v0.44.0 → v0.46.0
google.golang.org/grpc: v1.40.0 → v1.43.0
google.golang.org/protobuf: v1.26.0 → v1.27.1
k8s.io/gengo: b6c5ce2 → 485abfe
k8s.io/klog/v2: v2.10.0 → v2.30.0
k8s.io/kube-openapi: 9528897 → e816edb
k8s.io/kubernetes/staging/src/k8s.io/api: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/apiextensions-apiserver: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/apimachinery: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/apiserver: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/cli-runtime: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/client-go: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/cloud-provider: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/cluster-bootstrap: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/code-generator: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/component-base: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/component-helpers: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/controller-manager: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/cri-api: c2b5237 → 9005160
k8s.io/kubernetes/staging/src/k8s.io/csi-translation-lib: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kube-aggregator: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kube-controller-manager: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kube-proxy: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kube-scheduler: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kubectl: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/kubelet: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/legacy-cloud-providers: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/metrics: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/mount-utils: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/pod-security-admission: c2b5237 → ab69524
k8s.io/kubernetes/staging/src/k8s.io/sample-apiserver: c2b5237 → ab69524
k8s.io/kubernetes: v1.22.0 → v1.23.0
k8s.io/system-validators: v1.5.0 → v1.6.0
k8s.io/utils: 4b05e18 → cb0fa31
sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.22 → v0.0.25
sigs.k8s.io/kustomize/api: v0.8.11 → v0.10.1
sigs.k8s.io/kustomize/cmd/config: v0.9.13 → v0.10.2
sigs.k8s.io/kustomize/kustomize/v4: v4.2.0 → v4.4.1
sigs.k8s.io/kustomize/kyaml: v0.11.0 → v0.13.0
sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

Nothing has changed.