CRI-O v1.24.0
The release notes have been generated for the commit range v1.23.0...v1.24.0 on Tue, 10 May 2022 01:50:50 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.24.0.tar.gz
- cri-o.amd64.v1.24.0.tar.gz.sha256sum
- cri-o.arm64.v1.24.0.tar.gz
- cri-o.arm64.v1.24.0.tar.gz.sha256sum
Changelog since v1.23.0
Changes by Kind
Deprecation
- Deprecate the conmon, conmon-cgroup, and conmon-env config options in favor of the runtime handler specific fields monitor-path, monitor-cgroup, and monitor-env (#5823, @haircommander)
- Mark --pids-limit and --log-size-max options as deprecated, as well as set the default pids-limit to unlimited. Users should migrate to using the Kubelet's flags --pod-pids-limit and --container-log-max-size respectively. (#5831, @haircommander)
API Change
- Block containers without CAP_SYS_ADMIN on the unshare syscall in the default seccomp profile, to better contain unprivileged container processes. (#5788, @haircommander)
- Enable --seccomp-use-default-when-empty / seccomp_use_default_when_empty by default. This is a premature step before the graduation of the seccompDefault feature planned for Kubernetes v1.25. We now use the runtime/default profile for every workload specifying none (empty) in the pod manifest. (#5587, @saschagrunert)
- Introduced the following metrics: crio_operations_total, crio_operations_latency_seconds_total, crio_operations_latency_seconds, crio_operations_errors_total, crio_image_pulls_bytes_total, crio_image_pulls_skipped_bytes_total, crio_image_pulls_success_total, crio_image_pulls_failure_total, crio_image_layer_reuse_total, crio_containers_oom_count_total, while marking metric names that do not follow Prometheus best practices as Deprecated in the Prometheus metric help text. (#5487, @swghosh)
Feature
- Add allowed_devices field to config, allowing admins to specify which devices are allowed to be specified in the "io.kubernetes.cri-o.Devices" allowed_annotation. The default for this config field is [/dev/fuse] (#5551, @haircommander)
- Add experimental support for conmonrs, a redesign of conmon in Rust. It should not be used in production. (#5839, @haircommander)
- Add functionality to use taskset when spawning the commands CRI-O runs. Now, if InfraCtrCPUSet is set, all newly spawned commands are placed in the InfraCtrCPUSet (as it is expected to be set to the reserved CPU set that system commands should run on). (#5514, @haircommander)
- Add pause and unpause to the CRI-O HTTP API, allowing programs with access to the crio.sock to pause containers (#5797, @jwcesign)
- Automatically run chcon and restorecon on the get script for SELinux enabled distributions. (#5711, @saschagrunert)
- Implement CDI device injection: extract the names of requested CDI devices and update the OCI Spec according to the corresponding CDI device specifications. Please refer to https://github.com/container-orchestrated-devices/container-device-interface for more info about CDI. (#5571, @klihub)
- Updated CNI plugins to v1.1.1. (#5766, @saschagrunert)
Bug or Regression
- Add monitor_exec_cgroup to the configuration's runtime handler struct. This allows an admin to specify which cgroup the monitor for exec sync requests runs in (defaults to that of CRI-O). (#5837, @donpenney)
- Conmon now always writes its logs to syslog, instead of only when the cgroup manager is cgroupfs (#3773, @haircommander)
- Crio no longer requires the conntrack binary (#5811, @aojea)
- Fix CVE-2022-27652 by dropping and refusing to add any inheritable capabilities (#5769, @haircommander)
- Fix a bug where CRI-O would leak a log file if a container failed to be created and the pod hadn't yet been cleaned up. (#5800, @haircommander)
- Fix a bug where a pod given a host IPC or network namespace could configure sysctls on the host (#5610, @haircommander)
- Fix a bug where invalid default_sysctls could be specified, leading to an error like "Failed to configure sysctls after unshare: No such file or directory" (#5673, @haircommander)
- Fix a bug where memory swap values were specified even if the memory swap cgroup is not enabled (#5539, @haircommander)
- Fix a bug where excessive load on nodes caused containers to never actually start (#5590, @haircommander)
- Fix a potential crash caused by a log message NULL-pointer dereference. (#5579, @klihub)
- Fix a segfault when multiple container stops come in for the same container (#5756, @haircommander)
- Fix an issue where protobuf panics when serializing ListContainer and ListPodSandbox calls (#5606, @haircommander)
- Fix bug where "ip a" reports "Error: Peer netns reference is invalid" (#5529, @haircommander)
- Fix crypto-profile bind within RHEL based containers. (#5555, @rphillips)
- Fix filesystem stats on zfs driver. (#5821, @cnfatal)
- Fix VM containers not being restored after a CRI-O restart (#5574, @gozssky)
- Fix zsh completion generation. (#5586, @klihub)
- Fixed the get script pointing to main instead of master for retrieving the latest revision. (#5707, @saschagrunert)
- Fixed io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel annotation usage with the OpenShift MCS. (#5775, @manuelluis)
- Fixed possible runtime panic on pod sandbox stats retrieval. (#5588, @saschagrunert)
- Forbid AppArmor profiles with the name "localhost/". (#5655, @saschagrunert)
- Internal pod and container creation timeouts now account for changes in runtime-request-timeout in the Kubelet (#5783, @haircommander)
- Libcni: handle empty version when parsing version (https://github.com/containernetworking/cni/pull/893). Without this, Delete failed for empty-version configs, which was a regression from v0.8.0. (#5830, @aojea)
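Two items above concern the capability sets a container process ends up with: the CVE-2022-27652 fix drops inheritable capabilities, and the default seccomp profile now ties unshare to CAP_SYS_ADMIN. The following added check (written for this page, not CRI-O project code) decodes the Cap* masks from a /proc/<pid>/status dump so an operator can confirm on a running node that the inheritable set is empty and whether CAP_SYS_ADMIN is effective; the status excerpts are constructed samples.

```python
import re

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from /proc/<pid>/status text."""
    sets = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$",
                         status_text, re.MULTILINE):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_caps(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def inheritable_caps(status_text):
    """Names in the inheritable set; a container run by the fixed CRI-O should yield []."""
    return decode_caps(parse_cap_sets(status_text).get("CapInh", 0))

def has_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is effective, i.e. the default profile would permit unshare."""
    return "CAP_SYS_ADMIN" in decode_caps(parse_cap_sets(status_text).get("CapEff", 0))

# Constructed /proc/<pid>/status excerpts (not captured from a real node);
# 0xa80425fb is the usual 14-capability default container set, without CAP_SYS_ADMIN.
FIXED_STATUS = ("Name:\tsleep\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")
# Pre-fix shape: the inheritable set mirrors the permitted set.
PRE_FIX_STATUS = FIXED_STATUS.replace("CapInh:\t0000000000000000", "CapInh:\t00000000a80425fb")

if __name__ == "__main__":
    for label, text in (("fixed", FIXED_STATUS), ("pre-fix", PRE_FIX_STATUS)):
        print(label, "inheritable:", inheritable_caps(text) or "none",
              "| CAP_SYS_ADMIN effective:", has_sys_admin(text))
```

On a live node, feed it the contents of /proc/<container pid>/status; a non-empty inheritable list on a CRI-O older than this release is the condition CVE-2022-27652 describes.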
Other
- Change the default config output to include default values as comments instead of omitting them (#5007, @wgahnagl)
- Disable systemd-mode cgroup detection if /sys/fs/cgroup is bind mounted from the host (#5778, @harche)
- Fix 386 builds within CI (#5813, @rphillips)
- Inherit storage configuration from storage.conf when the CRI-O config does not set it. (#5520, @QiWang19)
- Update go to 1.17 in go.mod (#5577, @QiWang19)
- Updated default pause image to point to its new location registry.k8s.io/pause:3.6 (#5777, @ameukam)
Dependencies
Added
- capnproto.org/go/capnp/v3: 7329fad
- github.com/beevik/ntp: v0.3.0
- github.com/c-bata/go-prompt: v0.2.6
- github.com/containers/conmon-rs: 7d0ae00
- github.com/go-logr/stdr: v1.2.0
- github.com/gojuno/minimock/v3: v3.0.8
- github.com/google/go-tpm-tools: 1614c14
- github.com/google/go-tpm: 5d8a91d
- github.com/google/goexpect: 5b69886
- github.com/google/goterm: 555d40f
- github.com/hexdigest/gowrap: v1.1.8
- github.com/intel-go/cpuid: 2aa7292
- github.com/kaey/framebuffer: 7b38548
- github.com/kylelemons/godebug: v1.1.0
- github.com/mattn/go-tty: v0.0.3
- github.com/networkplumbing/go-nft: v0.2.0
- github.com/onsi/ginkgo/v2: v2.1.4
- github.com/orangecms/go-framebuffer: a0700d9
- github.com/pborman/getopt/v2: v2.1.0
- github.com/philhofer/fwd: v1.1.1
- github.com/pkg/term: v1.2.0-beta.2
- github.com/rck/unit: v0.0.3
- github.com/rekby/gpt: a930afb
- github.com/tinylib/msgp: v1.1.5
- github.com/twitchtv/twirp: v5.8.0+incompatible
- github.com/u-root/gobusybox/src: 4e2fbb8
- github.com/u-root/iscsinl: 84c3264
- github.com/u-root/uio: e40b768
- github.com/vtolstov/go-ioctl: 6be9cce
- pack.ag/tftp: 07909df
- src.elv.sh: fda6250
Changed
- github.com/BurntSushi/toml: v0.4.1 → v1.1.0
- github.com/anmitsu/go-shlex: 648efa6 → 38f4b40
- github.com/container-orchestrated-devices/container-device-interface: f99e8b6 → v0.3.2
- github.com/containernetworking/cni: v1.0.1 → v1.1.0
- github.com/containernetworking/plugins: v1.0.1 → v1.1.1
- github.com/containers/image/v5: v5.16.1 → v5.17.0
- github.com/cri-o/ocicni: b388448 → v0.3.1
- github.com/docker/docker: v20.10.9+incompatible → v20.10.11+incompatible
- github.com/frankban/quicktest: v1.11.3 → v1.13.1
- github.com/fsnotify/fsnotify: v1.5.1 → v1.5.4
- github.com/go-logr/logr: v1.2.0 → v1.2.1
- github.com/google/pprof: cbba55b → 94a9f03
- github.com/insomniacslk/dhcp: cc9239a → 7d93572
- github.com/kr/pretty: v0.2.1 → v0.3.0
- github.com/manifoldco/promptui: v0.8.0 → v0.9.0
- github.com/onsi/gomega: v1.17.0 → v1.19.0
- github.com/opencontainers/runc: v1.0.2 → v1.0.3
- github.com/pierrec/lz4/v4: v4.0.3 → v4.1.11
- github.com/rogpeppe/go-internal: v1.8.0 → 86f73c5
- github.com/u-root/u-root: v7.0.0+incompatible → d511ded
- github.com/vishvananda/netlink: e1a867c → 650dca9
- github.com/yuin/goldmark: v1.4.0 → v1.4.1
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.26.1 → v0.28.0
- go.opentelemetry.io/otel/trace: v1.2.0 → v1.3.0
- go.opentelemetry.io/otel: v1.2.0 → v1.3.0
- golang.org/x/crypto: 32db794 → 089bfa5
- golang.org/x/mod: v0.4.2 → 9b9b3d8
- golang.org/x/net: e898025 → 27dd868
- golang.org/x/sys: 751e447 → 33da011
- golang.org/x/term: 6886f2d → 03fcf44
- golang.org/x/tools: d4cc65f → v0.1.10
- google.golang.org/grpc: v1.42.0 → v1.43.0
- mvdan.cc/sh/v3: v3.3.1 → v3.4.3
Removed
Nothing has changed.
Details: date May 10, 2022, 6:43 a.m.; name v1.24.0; type Minor