CRI-O - v1.24.4

Security

CRI-O v1.24.4

The release notes have been generated for the commit range
v1.24.3...v1.24.4 on Tue, 10 Jan 2023 16:24:52 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

Changelog since v1.24.3

Changes by Kind

Dependency-Change

  • Fixed bug to restore /var/lib/containers/storage/overlay/backingFsBlockDev on XFS file systems. (#6358, @saschagrunert)

Deprecation

  • Fix CVE-2022-4318 by failing to create container if it's passed a HOME environment variable with a newline (#6450, @haircommander)

API Change

  • Removed support for CRI v1alpha2, which means that CRI-O now only supports v1. (#6347, @saschagrunert)

Feature

  • Added OTLP tracing support via conmon-rs. (#6293, @saschagrunert)
  • Added a new boolean configuration flag "--evented-pleg" (defaulted to "false") to enable the evented pleg mechanism in cri-o. The environment variable "EVENTED_PLEG", when set to "true", also enables the evented pleg in cri-o. (#6404, @sairameshv)
  • Added logs and GRPC error codes to OpenTelemetry traces. (#6294, @saschagrunert)
  • Added seccomp notifier feature, which can be enabled by setting the annotation io.kubernetes.cri-o.seccompNotifierAction either to stop (for terminating the workload) or anything else to just create metrics or logs. This also includes the new metric crio_containers_seccomp_notifier_count_total. For more information on its usage, please refer to the crio.conf.5 man page. (#6120, @saschagrunert)
  • Added support to checkpoint and restore containers in pods without infrastructure containers. (#6379, @adrianreber)
  • More information available in tracing spans (#6343, @vrutkovs)

Documentation

  • Updated CLI and config documentation to show how to enable Open Telemetry trace sampling for every span. (#6324, @saschagrunert)

Bug or Regression

  • Fix a bug where internal/resourcestore.(*ResourceStore).SetStageForResource leaks memory (#6403, @haircommander)
  • Fix a segfault in crio config when runtime.workloads.resources is nil (#6192, @haircommander)
  • Fix conmonrs cgroup when infra container is dropped (#6416, @mrunalp)
  • Fixed wrong tracing key for hostname field (service.instance.id → host.name). Added process.id to the traces. (#6326, @saschagrunert)
  • Update systemd unit restart policy to be on-failure (#6408, @haircommander)

Uncategorized

  • Add initial support for Node Resource Interface (NRI) v0.2.0. NRI allows vendors to customize container behavior and configuration using plugins. NRI plugins can register to various events in containers' lifecycle and make controlled changes to containers' configuration when these events occur. This feature is experimental and disabled by default. It can be enabled using the --enable-nri command line option or by setting enable_nri = true in the CRI-O configuration [crio.nri] table. The same table can be used to set other NRI-related configuration options. In addition to enabling NRI support in cri-o, an NRI configuration file also needs to be in place. The default location for this file is /etc/nri/nri.conf and it can be empty. (#5318, @klihub)
  • This introduces the ability to store checkpoint archives as OCI images and push the checkpoint images to a remote registry. It is important to remember that the checkpoint image contains all memory pages of the checkpoint and therefore might contain sensitive information (passwords, encryption keys, ...). (#6181, @adrianreber)

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.


Details

date
Jan. 10, 2023, 4:43 p.m.
name
v1.24.4
type
Patch