CRI-O v1.24.0

The release notes have been generated for the commit range v1.23.0...v1.24.0 on Tue, 10 May 2022 01:50:50 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

Changelog since v1.23.0

Changes by Kind

Deprecation

  • Deprecate the conmon, conmon-cgroup, and conmon-env config options in favor of the runtime handler specific fields monitor-path, monitor-cgroup, and monitor-env (#5823, @haircommander)
  • Mark the --pids-limit and --log-size-max options as deprecated and change the default pids-limit to unlimited. Users should migrate to the Kubelet's --pod-pids-limit and --container-log-max-size flags respectively. (#5831, @haircommander)

API Change

  • Block the unshare syscall for containers without CAP_SYS_ADMIN in the default seccomp profile, to better contain unprivileged container processes. (#5788, @haircommander)
  • Enable --seccomp-use-default-when-empty/seccomp_use_default_when_empty by default.
    This is a preparatory step ahead of the graduation of the seccompDefault feature planned for
    Kubernetes v1.25. The runtime/default profile is now applied to every workload that specifies
    no (empty) seccomp profile in the pod manifest. (#5587, @saschagrunert)
  • Introduced the following metrics:
    crio_operations_total, crio_operations_latency_seconds_total, crio_operations_latency_seconds,
    crio_operations_errors_total, crio_image_pulls_bytes_total,
    crio_image_pulls_skipped_bytes_total,
    crio_image_pulls_success_total, crio_image_pulls_failure_total,
    crio_image_layer_reuse_total, crio_containers_oom_count_total
    while marking metric names that do not follow Prometheus best practices as Deprecated in the Prometheus metric help text. (#5487, @swghosh)
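The two seccomp changes above together decide whether an unprivileged container can reach unshare(2) at all: the profile gates the syscall on CAP_SYS_ADMIN, and the new default makes that profile apply even when the pod manifest says nothing. The following is an added example, not CRI-O's code: it evaluates a reduced, constructed profile written in the containers/common JSON layout that CRI-O loads for runtime/default, and models how an empty seccompProfile resolves under seccomp_use_default_when_empty. The profile contents, the capability matching semantics (a rule applies when any cap in includes is held and none in excludes is), the omission of args/arch filters, and the "unconfined" fallback string are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the containers/common seccomp JSON that CRI-O loads for
// runtime/default. Assumption for this example: only names, action and the
// includes/excludes capability filters are evaluated; args and arch filters
// are ignored.
type CapFilter struct {
	Caps []string `json:"caps,omitempty"`
}

type Rule struct {
	Names    []string  `json:"names"`
	Action   string    `json:"action"`
	Includes CapFilter `json:"includes"`
	Excludes CapFilter `json:"excludes"`
}

type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []Rule `json:"syscalls"`
}

// Constructed, reduced profile in the shape runtime/default has after #5788:
// unshare is allowed only when the container holds CAP_SYS_ADMIN.
const SampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group", "clone"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["unshare", "mount", "setns"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}`

func LoadProfile(raw string) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// hasAny reports whether any element of want is present in have.
func hasAny(have, want []string) bool {
	for _, w := range want {
		for _, h := range have {
			if h == w {
				return true
			}
		}
	}
	return false
}

// Decide returns the action the profile yields for syscall in a container
// holding caps: a rule applies when it names the syscall, its includes.caps
// (if any) intersects caps and its excludes.caps (if any) does not. The first
// applicable rule wins; otherwise defaultAction applies.
func Decide(p *Profile, syscall string, caps []string) string {
	for _, r := range p.Syscalls {
		if !hasAny(r.Names, []string{syscall}) {
			continue
		}
		if len(r.Includes.Caps) > 0 && !hasAny(caps, r.Includes.Caps) {
			continue
		}
		if len(r.Excludes.Caps) > 0 && hasAny(caps, r.Excludes.Caps) {
			continue
		}
		return r.Action
	}
	return p.DefaultAction
}

// EffectiveProfile models seccomp_use_default_when_empty: an empty
// seccompProfile in the pod manifest resolves to runtime/default when the
// option is on and to unconfined when it is off (the pre-1.24 behaviour).
func EffectiveProfile(requested string, useDefaultWhenEmpty bool) string {
	if requested != "" {
		return requested
	}
	if useDefaultWhenEmpty {
		return "runtime/default"
	}
	return "unconfined"
}

func main() {
	p, err := LoadProfile(SampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Println("unshare, no caps:      ", Decide(p, "unshare", nil))
	fmt.Println("unshare, CAP_SYS_ADMIN:", Decide(p, "unshare", []string{"CAP_SYS_ADMIN"}))
	fmt.Println("empty profile, option on:", EffectiveProfile("", true))
}
```

To confirm the behaviour on a live v1.24 node, start a pod with no seccompProfile set and run a command that calls unshare(2) inside it (for example unshare -U true): it should fail with "Operation not permitted", and grep Seccomp /proc/self/status should report mode 2 (filter mode) even though the manifest never asked for a profile.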

Feature

  • Add an allowed_devices field to the config, allowing admins to specify which devices may be requested through the "io.kubernetes.cri-o.Devices" allowed_annotation. The default for this config field is [/dev/fuse] (#5551, @haircommander)
  • Add experimental support for conmonrs, a redesign of conmon in rust. It should not be used in production. (#5839, @haircommander)
  • Add functionality to use taskset when spawning the commands CRI-O runs. If InfraCtrCPUSet (the infra_ctr_cpuset config option) is set, all newly spawned commands are now pinned to that CPU set, as it is expected to be the reserved CPU set that system commands should run on. (#5514, @haircommander)
  • Add pause and unpause to the CRI-O HTTP API, allowing any program with access to crio.sock to pause containers (#5797, @jwcesign)
  • Automatically run chcon and restorecon in the get script on SELinux-enabled distributions. (#5711, @saschagrunert)
  • Implement CDI device injection: extract the names of requested CDI devices and update
    the OCI Spec according to the corresponding CDI device specifications. Please refer to
    https://github.com/container-orchestrated-devices/container-device-interface for more
    info about CDI. (#5571, @klihub)
  • Updated CNI plugins to v1.1.1. (#5766, @saschagrunert)

Bug or Regression

  • Add monitor_exec_cgroup to the configuration's runtime handler struct. This allows an admin to specify which cgroup the monitor for exec sync requests runs in (defaults to that of CRI-O). (#5837, @donpenney)
  • Conmon now always writes its logs to syslog, instead of only when the cgroup manager is cgroupfs (#3773, @haircommander)
  • CRI-O no longer requires the conntrack binary (#5811, @aojea)
  • Fix CVE-2022-27652 by dropping and refusing to add any inheritable capabilities (#5769, @haircommander)
  • Fix a bug where CRI-O would leak a log file if a container failed to be created and the pod hadn't yet been cleaned up. (#5800, @haircommander)
  • Fix a bug where a pod given a host IPC or network namespace could configure sysctls on the host (#5610, @haircommander)
  • Fix a bug where invalid default_sysctls could be specified, leading to an error like "Failed to configure sysctls after unshare: No such file or directory" (#5673, @haircommander)
  • Fix a bug where memory swap values were specified even if the memory swap cgroup is not enabled (#5539, @haircommander)
  • Fix a bug where situations of excessive load on nodes causes containers to never actually start (#5590, @haircommander)
  • Fix a potential crash caused by a log message NULL-pointer dereference. (#5579, @klihub)
  • Fix a segfault when multiple container stops come in for the same container (#5756, @haircommander)
  • Fix an issue where protobuf panics when serializing ListContainer and ListPodSandbox calls (#5606, @haircommander)
  • Fix a bug where "ip a" reports "Error: Peer netns reference is invalid" (#5529, @haircommander)
  • Fix crypto-profile bind within RHEL based containers. (#5555, @rphillips)
  • Fix filesystem stats on zfs driver. (#5821, @cnfatal)
  • Fix VM-based containers failing to restore after a CRI-O restart (#5574, @gozssky)
  • Fix zsh completion generation. (#5586, @klihub)
  • Fixed get script pointing to main instead of master for retrieving the latest revision. (#5707, @saschagrunert)
  • Fixed io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel annotation usage with the OpenShift MCS. (#5775, @manuelluis)
  • Fixed possible runtime panic on pod sandbox stats retrieval. (#5588, @saschagrunert)
  • Forbid AppArmor profiles with the name localhost/. (#5655, @saschagrunert)
  • Internal pod and container creation timeouts now account for changes in runtime-request-timeout in the Kubelet (#5783, @haircommander)
  • Libcni: handle empty version when parsing version (https://github.com/containernetworking/cni/pull/893). Without this, Delete failed for empty-version configs, which was a regression from v0.8.0. (#5830, @aojea)
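CVE-2022-27652 (the inheritable-capabilities fix above) comes down to one process attribute: when a binary carrying file capabilities is exec'd, bits in the inheritable set can be promoted into the permitted set, so for a non-privileged container CapInh should be empty. The example below is added here and is not CRI-O's code: it parses the Cap* lines of a /proc/<pid>/status text and lists what is present in CapInh. Both status excerpts are constructed; the mask 0xa80425fb is the familiar 14-capability default bounding set and stands in for what a container process showed before the fix. The equivalent live check inside a running container is grep CapInh /proc/self/status, which should read all zeros on a fixed CRI-O.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status excerpts. VulnerableStatus shows a process
// whose CapInh mirrors the default bounding set (the pre-fix shape);
// FixedStatus shows the expected state after the fix, with CapInh empty.
const VulnerableStatus = `Name:	sleep
Pid:	4242
CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

const FixedStatus = `Name:	sleep
Pid:	4243
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

// Capability names by bit number, from linux/capability.h (bits 0-31).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
}

// ParseCapSets extracts the hex Cap* masks from a /proc/<pid>/status text.
func ParseCapSets(status string) (map[string]uint64, error) {
	sets := map[string]uint64{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", parts[0], err)
		}
		sets[parts[0]] = v
	}
	if _, ok := sets["CapInh"]; !ok {
		return nil, fmt.Errorf("no CapInh line in status")
	}
	return sets, nil
}

// CapList expands a capability mask into names, in ascending bit order;
// bits beyond the table are reported as CAP_<bit>.
func CapList(mask uint64) []string {
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return names
}

// LeakedInheritable returns the capabilities present in CapInh. For a
// non-privileged container started by a fixed CRI-O this should be empty.
func LeakedInheritable(status string) ([]string, error) {
	sets, err := ParseCapSets(status)
	if err != nil {
		return nil, err
	}
	return CapList(sets["CapInh"]), nil
}

func main() {
	for name, st := range map[string]string{"vulnerable": VulnerableStatus, "fixed": FixedStatus} {
		caps, err := LeakedInheritable(st)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s CapInh=%v\n", name, caps)
	}
}
```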
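The host-sysctl fix (#5610) reduces to a scoping rule: a sysctl is only safe to set from a pod when it lives in a namespace the pod itself owns, so net.* must not be written for a pod in the host network namespace and the IPC sysctls must not be written for a pod in the host IPC namespace. The example below is added here and is not CRI-O's code: it applies that rule to a constructed set of pod sysctls. The prefix lists are the namespaced sysctl families Kubernetes documents (net.*, kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*); treating every other name as node-level, and therefore never settable from a pod, is this example's assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Sysctl prefixes the kernel scopes per network namespace and per IPC
// namespace (the namespaced sysctls Kubernetes documents). Assumption for
// this example: any name outside these prefixes is node-level.
var (
	netNamespaced = []string{"net."}
	ipcNamespaced = []string{"kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue."}
)

func hasPrefix(name string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// RejectedSysctls returns, sorted, the sysctls that must not be written for
// the pod: net.* when it shares the host network namespace, IPC sysctls when
// it shares the host IPC namespace, and non-namespaced sysctls always. In
// each case the write would land on the host instead of in the pod.
func RejectedSysctls(sysctls map[string]string, hostNetwork, hostIPC bool) []string {
	var rejected []string
	for name := range sysctls {
		switch {
		case hasPrefix(name, netNamespaced):
			if hostNetwork {
				rejected = append(rejected, name)
			}
		case hasPrefix(name, ipcNamespaced):
			if hostIPC {
				rejected = append(rejected, name)
			}
		default:
			rejected = append(rejected, name)
		}
	}
	sort.Strings(rejected)
	return rejected
}

// SampleSysctls is a constructed pod-level sysctl set: one network-scoped,
// one IPC-scoped, one node-level.
var SampleSysctls = map[string]string{
	"net.ipv4.ip_forward":    "1",
	"kernel.shm_rmid_forced": "1",
	"vm.swappiness":          "10",
}

func main() {
	for _, c := range []struct{ net, ipc bool }{{false, false}, {true, false}, {true, true}} {
		fmt.Printf("hostNetwork=%v hostIPC=%v rejected=%v\n",
			c.net, c.ipc, RejectedSysctls(SampleSysctls, c.net, c.ipc))
	}
}
```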

Other

  • Changes default config output to comment default values instead of omitting them (#5007, @wgahnagl)
  • Disable systemd-mode cgroup detection if /sys/fs/cgroup is bind mounted from the host (#5778, @harche)
  • Fix 386 builds within CI (#5813, @rphillips)
  • Inherit storage configs from storage.conf when the CRI-O config does not set them. (#5520, @QiWang19)
  • Update go to 1.17 in go.mod (#5577, @QiWang19)
  • Updated default pause image to point to new location registry.k8s.io/pause:3.6 (#5777, @ameukam)

Dependencies

Added

  • capnproto.org/go/capnp/v3: 7329fad
  • github.com/beevik/ntp: v0.3.0
  • github.com/c-bata/go-prompt: v0.2.6
  • github.com/containers/conmon-rs: 7d0ae00
  • github.com/go-logr/stdr: v1.2.0
  • github.com/gojuno/minimock/v3: v3.0.8
  • github.com/google/go-tpm-tools: 1614c14
  • github.com/google/go-tpm: 5d8a91d
  • github.com/google/goexpect: 5b69886
  • github.com/google/goterm: 555d40f
  • github.com/hexdigest/gowrap: v1.1.8
  • github.com/intel-go/cpuid: 2aa7292
  • github.com/kaey/framebuffer: 7b38548
  • github.com/kylelemons/godebug: v1.1.0
  • github.com/mattn/go-tty: v0.0.3
  • github.com/networkplumbing/go-nft: v0.2.0
  • github.com/onsi/ginkgo/v2: v2.1.4
  • github.com/orangecms/go-framebuffer: a0700d9
  • github.com/pborman/getopt/v2: v2.1.0
  • github.com/philhofer/fwd: v1.1.1
  • github.com/pkg/term: v1.2.0-beta.2
  • github.com/rck/unit: v0.0.3
  • github.com/rekby/gpt: a930afb
  • github.com/tinylib/msgp: v1.1.5
  • github.com/twitchtv/twirp: v5.8.0+incompatible
  • github.com/u-root/gobusybox/src: 4e2fbb8
  • github.com/u-root/iscsinl: 84c3264
  • github.com/u-root/uio: e40b768
  • github.com/vtolstov/go-ioctl: 6be9cce
  • pack.ag/tftp: 07909df
  • src.elv.sh: fda6250

Changed

Removed

Nothing has changed.


Details

date: May 10, 2022, 6:43 a.m.
name: v1.24.0
type: Minor