CRI-O - v1.24.3
Security
CRI-O v1.24.3
The release notes have been generated for the commit range
v1.24.2...v1.24.3 on Fri, 07 Oct 2022 18:10:27 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.24.3.tar.gz
- cri-o.amd64.v1.24.3.tar.gz.sha256sum
- cri-o.arm64.v1.24.3.tar.gz
- cri-o.arm64.v1.24.3.tar.gz.sha256sum
Changelog since v1.24.2
Changes by Kind
Feature
- Add an option "add_inheritable_capabilities" which adds added capabilities to the inheritable list as well. As of CRI-O 1.24.0, CRI-O drops the inheritable capabilities to fix CVE-2022-27652 . However, this can cause regressions in workloads that attempt to pass capabilities to non-root users through inheritable capabilities. (#6236, @haircommander)
- Allow
crio.runtime.runtimes
configuration to be updated on reload. (#6248, @elezar) - Allow for a reload to add additional runtimes and change the default runtime (#6056, @elezar)
- CRI-O now logs the stage of container or pod creation under system load. This allows users to find why their creation requests are stalling. (#5683, @haircommander)
- If
$KUBENSMNT
is defined in the environment, assume the file it points at is
a bindmount to a mount namespace that CRI-O should join: - If the environment variable is not set, take no action.
- If the environment variable is set and points at a valid mount
namespace, CRI-O will join that mount namespace. - If the environment variable is set but points at a missing file, or the file
is not a valid mount namespace, CRI-O will print a warning but continue to
run in the original mount namespace. (#5974, @lack) - This adds minimal checkpoint/restore support to cri-o. The minimal support allows to checkpoint a container and restore it again. Optionally it can be restored in another pod. (#4199, @adrianreber)
Bug or Regression
- Added ImageName and SandboxName annotations to the sandbox (#6164, @littlejawa)
- Fix a bug where
conmon_cgroup
andmonitor_path
became out of sync (#6255, @haircommander) - Fix a bug where a container is stuck in INIT because CRI-O believes it to be paused, and never updates the state (#6122, @haircommander)
- Fix a bug where exit files were never cleaned up from
/run/crio/exits
(#5508, @haircommander) - Fix a bug where static pods cannot be created because they've already been created. (#6123, @haircommander)
- Fix a bug where the GID of the container is not specified in the AdditionalGids, leading to a low risk security vulnerability. For more information please see CVE-2022-2995. (#6159, @haircommander)
- Fix a bug where updating
default_runtime
would cause therunc
entry in the runtimes table to be deleted (#6257, @haircommander) - Fix an issue with leaked systemd scopes by always sending runc the
--systemd-cgroup
flag when using systemd cgroups (#6153, @haircommander) - Fixed possible panic on attach when using
runtime_type = "pod"
if no stdin is being provided. (#6110, @saschagrunert)
Other (Cleanup or Flake)
- Fix some inconsistencies in the help text (#6217, @haircommander)
- Update runc to v1.1.4 in static binary bundle. (#6180, @saschagrunert)
Uncategorized
- Fix a bug where CRI-O would fail if Kubelet specified
-1
for swap (which is a valid way of specifying unlimited) (#6139, @haircommander)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/storage: v1.37.0 → v1.37.2
Removed
Nothing has changed.
Security
Details
date
Oct. 7, 2022, 6:42 p.m.
name
v1.24.3
type
Patch
official page
👇
Register or login to:
- 🔍View and search all CRI-O releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!