CRI-O - v1.24.3

Security

CRI-O v1.24.3

The release notes have been generated for the commit range
v1.24.2...v1.24.3 on Fri, 07 Oct 2022 18:10:27 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

Changelog since v1.24.2

Changes by Kind

Feature

  • Add an option "add_inheritable_capabilities" which also adds the granted capabilities to the inheritable set. As of CRI-O 1.24.0, CRI-O drops the inheritable capabilities to fix CVE-2022-27652. However, this can cause regressions in workloads that rely on inheritable capabilities to pass capabilities to non-root users. (#6236, @haircommander)
  • Allow crio.runtime.runtimes configuration to be updated on reload. (#6248, @elezar)
  • Allow a reload to add additional runtimes and change the default runtime. (#6056, @elezar)
  • CRI-O now logs the stage of container or pod creation under system load. This allows users to find why their creation requests are stalling. (#5683, @haircommander)
  • If $KUBENSMNT is defined in the environment, assume the file it points at is
    a bindmount to a mount namespace that CRI-O should join:
      • If the environment variable is not set, take no action.
      • If the environment variable is set and points at a valid mount
        namespace, CRI-O will join that mount namespace.
      • If the environment variable is set but points at a missing file, or the file
        is not a valid mount namespace, CRI-O will print a warning but continue to
        run in the original mount namespace. (#5974, @lack)
  • Add minimal checkpoint/restore support to CRI-O. The minimal support allows a container to be checkpointed and restored again, optionally into another pod. (#4199, @adrianreber)

Bug or Regression

  • Added ImageName and SandboxName annotations to the sandbox (#6164, @littlejawa)
  • Fix a bug where conmon_cgroup and monitor_path became out of sync (#6255, @haircommander)
  • Fix a bug where a container is stuck in INIT because CRI-O believes it to be paused, and never updates the state (#6122, @haircommander)
  • Fix a bug where exit files were never cleaned up from /run/crio/exits (#5508, @haircommander)
  • Fix a bug where static pods cannot be created because CRI-O considers them already created. (#6123, @haircommander)
  • Fix a bug where the GID of the container is not included in the AdditionalGids, leading to a low-risk security vulnerability. For more information please see CVE-2022-2995. (#6159, @haircommander)
  • Fix a bug where updating default_runtime would cause the runc entry in the runtimes table to be deleted (#6257, @haircommander)
  • Fix an issue with leaked systemd scopes by always sending runc the --systemd-cgroup flag when using systemd cgroups (#6153, @haircommander)
  • Fixed possible panic on attach when using runtime_type = "pod" if no stdin is being provided. (#6110, @saschagrunert)

Other (Cleanup or Flake)

Uncategorized

  • Fix a bug where CRI-O would fail if the Kubelet specified -1 for swap (which is a valid way of specifying unlimited swap). (#6139, @haircommander)

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.


Details

Date: Oct. 7, 2022, 6:42 p.m.
Name: v1.24.3
Type: Patch