Releases: cri-o/cri-o
v1.35.0
CRI-O v1.35.0
The release notes have been generated for the commit range
v1.34.0...v1.35.0 on Tue, 23 Dec 2025 14:19:02 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.35.0.tar.gz
- cri-o.arm64.v1.35.0.tar.gz
- cri-o.ppc64le.v1.35.0.tar.gz
- cri-o.s390x.v1.35.0.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.0.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.amd64.v1.35.0.tar.gz.bundleTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.35.0.tar.gz
> bom validate -e cri-o.amd64.v1.35.0.tar.gz.spdx -d cri-oChangelog since v1.34.0
Urgent Upgrade Notes
- Add container_spec* and container_last_seen metrics
Action required: container_spec_memory_limit_bytes has moved from the memory
metrics category to the new spec category. Update your CRI-O configuration to include
spec in included_pod_metrics if you rely on this metric. (#9531, @haircommander)
Changes by Kind
Dependency-Change
Ci
- Require go 1.25 for building CRI-O. (#9489, @saschagrunert)
Other
Deprecation
Feature
- Add DiskIO metrics to collected container metrics (#9571, @haircommander)
- Add
container_start_time_secondsmetric, nested under thespecmetrics family (#9567, @haircommander) - Added PSI metrics for containers (#9608, @bitoku)
- Added
container_create_timeoutoption to control timeout duration of container creation (#9499, @snir911) - Added disk metrics (
container_fs_inodes_free,container_fs_inodes_total,container_fs_limit_bytes,container_fs_usage_bytes) (#9344, @R3hankhan123) - Added new metric container_file_descriptors to expose the number of open file descriptors for each container from CRI-O metrics (#9329, @sreeram-venkitesh)
- Added support for the namespaced pull secret credential provider. (#9463, @saschagrunert)
- Allow containers to use both host network and user namespace. (#9634, @HirazawaUi)
- CRI-O annotations migrated to Kubernetes-recommended naming:
io.kubernetes.cri-o.*→*.crio.io
(e.g.,io.kubernetes.cri-o.userns-mode→userns-mode.crio.io).
Full backward compatibility maintained - V2 format takes precedence when both present.
All annotations consolidated in pkg/annotations/v2 package.
See ANNOTATION_MIGRATION.md for migration guide. (#9537, @saschagrunert) - This commit introduces a new
housekeepingvalue for theirq-load-balancing.crio.ioannotation.
When housekeeping is set:
- The housekeeping CPU set is injected into the container's environment variables as
OPENSHIFT_HOUSEKEEPING_CPUS - IRQ SMP affinity bits are not disabled on the housekeeping CPUs when adding a new container
- The housekeeping CPUs are chosen as the first CPU within each container plus its thread siblings (#9223, @andreaskaris)
Documentation
- Fixed release description to use cosigns new bundle format. (#9655, @saschagrunert)
Failing Test
- Fixed pod sandbox stop timeout allocation to properly distribute deadline between container and infra container stops, preventing timeout failures on slower systems. (#9643, @saschagrunert)
Bug or Regression
- Fix Exec CPU affinity doesn't work when CPU load balancing is disabled. (#9647, @bitoku)
- Fix a bug in high performance hook irq smp affinity disabling where a late container deletion could cause other containers to have their irq smp affinity messed up. (#9613, @haircommander)
- Fix a bug where CRI metrics had the incorrect metadata. Now, instead of the metrics being populated with the sandbox metadata, they are populated with the container metadata. (#9535, @haircommander)
- Fix the bug where the
ContainersStatuses.Imagereturned by theGetContainerEventsis nil. (#9663, @HirazawaUi) - Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files. (#9589, @saschagrunert)
- Fixed a bug where includedPodMetrics are not respected in ListMetricDescriptors (#9565, @bitoku)
- Fixed memory leak with CRI connection when using the systemd watchdog feature. (#9448, @saschagrunert)
- Fixed static build gpgme issue resulting in an "Invalid crypto engine" error on various platforms. (#9479, @saschagrunert)
- LoadSandbox now validates critical metadata fields (name, namespace, uid) to prevent restoring sandboxes with corrupt configurations. (#9633, @saschagrunert)
- Respect user specified selinux label for systemd or init container. (#9666, @bitoku)
- Server: Fix network cleanup failures when NetNS path is empty (#9410, @sohankunkerkar)
Other (Cleanup or Flake)
- Artifacts now require fully-qualified names or configured short-name aliases. Unqualified-search-registries are no longer supported for artifacts. (#9639, @R3hankhan123)
- Changed GRPC debug log format to be more informative (#9501, @bitoku)
- Use system dbus when running as UID 0 regardless of rootless detection (#9626, @sohankunkerkar)
Uncategorized
- Cleaned up duplicate signature policy path logic in server image pull (#9509, @gouthamhusky)
- Fixed kubectl exec and crictl exec commands hanging when accessing containers in the Terminating state. These commands now work correctly throughout the container shutdown period. (#9614, @willianpaixao)
Dependencies
Added
- github.com/Masterminds/goutils: v1.1.1
- github.com/Masterminds/sprig/v3: v3.3.0
- github.com/cri-o/crio-credential-provider: v0.1.2
- github.com/gkampitakis/ciinfo: v0.3.2
- github.com/gkampitakis/go-diff: v1.3.2
- github.com/gkampitakis/go-snaps: v0.5.15
- github.com/go-openapi/swag/cmdutils: v0.24.0
- github.com/go-openapi/swag/conv: [v0.24.0](https://github.com/go-o...
Contributors
Assets 2
v1.34.3
CRI-O v1.34.3
The release notes have been generated for the commit range
v1.34.2...v1.34.3 on Tue, 02 Dec 2025 00:25:30 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.34.3.tar.gz
- cri-o.arm64.v1.34.3.tar.gz
- cri-o.ppc64le.v1.34.3.tar.gz
- cri-o.s390x.v1.34.3.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.3.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--signature cri-o.amd64.v1.34.3.tar.gz.sig \
--certificate cri-o.amd64.v1.34.3.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.34.3.tar.gz
> bom validate -e cri-o.amd64.v1.34.3.tar.gz.spdx -d cri-oChangelog since v1.34.2
Changes by Kind
Feature
- Add support for the credential provider: https://github.com/cri-o/crio-credential-provider (#9512, @saschagrunert)
Bug or Regression
- Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files. (#9590, @saschagrunert)
Uncategorized
- This commit introduces a new
housekeepingvalue for theirq-load-balancing.crio.ioannotation.
When housekeeping is set:
- The housekeeping CPU set is injected into the container's environment variables as
OPENSHIFT_HOUSEKEEPING_CPUS - IRQ SMP affinity bits are not disabled on the housekeeping CPUs when adding a new container
- The housekeeping CPUs are chosen as the first CPU within each container plus its thread siblings (#9564, @openshift-cherrypick-robot)
Dependencies
Added
- github.com/cri-o/crio-credential-provider: v0.1.1
- github.com/joho/godotenv: v1.5.1
- go.podman.io/image/v5: v5.37.0
- go.podman.io/storage: v1.60.0
Changed
- github.com/containers/storage: v1.59.1 → 606f1e4
- github.com/golang-jwt/jwt/v5: v5.2.2 → v5.3.0
- github.com/vbatts/tar-split: v0.12.1 → v0.12.2
- k8s.io/api: v0.34.0 → v0.34.1
- k8s.io/apimachinery: v0.34.0 → v0.34.1
- k8s.io/apiserver: v0.34.0 → v0.34.1
- k8s.io/client-go: v0.34.0 → v0.34.1
- k8s.io/component-base: v0.34.0 → v0.34.1
- k8s.io/cri-api: v0.34.0 → v0.34.1
- k8s.io/kms: v0.34.0 → v0.34.1
- k8s.io/kubelet: v0.34.0 → v0.34.1
Removed
Nothing has changed.
Contributors
Assets 2
v1.33.7
CRI-O v1.33.7
The release notes have been generated for the commit range
v1.33.6...v1.33.7 on Tue, 02 Dec 2025 00:25:28 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.7.tar.gz
- cri-o.arm64.v1.33.7.tar.gz
- cri-o.ppc64le.v1.33.7.tar.gz
- cri-o.s390x.v1.33.7.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.7.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.7 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.7 \
--signature cri-o.amd64.v1.33.7.tar.gz.sig \
--certificate cri-o.amd64.v1.33.7.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.7.tar.gz
> bom validate -e cri-o.amd64.v1.33.7.tar.gz.spdx -d cri-oChangelog since v1.33.6
Changes by Kind
Bug or Regression
- Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files. (#9591, @saschagrunert)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
Assets 2
v1.32.11
CRI-O v1.32.11
The release notes have been generated for the commit range
v1.32.10...v1.32.11 on Tue, 02 Dec 2025 00:25:32 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.11.tar.gz
- cri-o.arm64.v1.32.11.tar.gz
- cri-o.ppc64le.v1.32.11.tar.gz
- cri-o.s390x.v1.32.11.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.11.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.11 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.11 \
--signature cri-o.amd64.v1.32.11.tar.gz.sig \
--certificate cri-o.amd64.v1.32.11.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.11.tar.gz
> bom validate -e cri-o.amd64.v1.32.11.tar.gz.spdx -d cri-oChangelog since v1.32.10
Changes by Kind
Bug or Regression
- Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files. (#9592, @saschagrunert)
Uncategorized
- Server: Fix network cleanup failures when NetNS path is empty (#9617, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
Assets 2
v1.34.2
CRI-O v1.34.2
The release notes have been generated for the commit range
v1.34.1...v1.34.2 on Tue, 11 Nov 2025 11:56:19 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.34.2.tar.gz
- cri-o.arm64.v1.34.2.tar.gz
- cri-o.ppc64le.v1.34.2.tar.gz
- cri-o.s390x.v1.34.2.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.2.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--signature cri-o.amd64.v1.34.2.tar.gz.sig \
--certificate cri-o.amd64.v1.34.2.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.34.2.tar.gz
> bom validate -e cri-o.amd64.v1.34.2.tar.gz.spdx -d cri-oChangelog since v1.34.1
Changes by Kind
Uncategorized
- Changed GRPC debug log format to be more informative (#9503, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
Assets 2
v1.33.6
CRI-O v1.33.6
The release notes have been generated for the commit range
v1.33.5...v1.33.6 on Tue, 11 Nov 2025 00:25:26 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.6.tar.gz
- cri-o.arm64.v1.33.6.tar.gz
- cri-o.ppc64le.v1.33.6.tar.gz
- cri-o.s390x.v1.33.6.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.6.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.6 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.6 \
--signature cri-o.amd64.v1.33.6.tar.gz.sig \
--certificate cri-o.amd64.v1.33.6.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.6.tar.gz
> bom validate -e cri-o.amd64.v1.33.6.tar.gz.spdx -d cri-oChangelog since v1.33.5
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.32.10
CRI-O v1.32.10
The release notes have been generated for the commit range
v1.32.9...v1.32.10 on Tue, 11 Nov 2025 00:25:23 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.10.tar.gz
- cri-o.arm64.v1.32.10.tar.gz
- cri-o.ppc64le.v1.32.10.tar.gz
- cri-o.s390x.v1.32.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.10 \
--signature cri-o.amd64.v1.32.10.tar.gz.sig \
--certificate cri-o.amd64.v1.32.10.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.10.tar.gz
> bom validate -e cri-o.amd64.v1.32.10.tar.gz.spdx -d cri-oChangelog since v1.32.9
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.34.1
CRI-O v1.34.1
The release notes have been generated for the commit range
v1.34.0...v1.34.1 on Thu, 02 Oct 2025 00:23:21 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.34.1.tar.gz
- cri-o.arm64.v1.34.1.tar.gz
- cri-o.ppc64le.v1.34.1.tar.gz
- cri-o.s390x.v1.34.1.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.1.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--signature cri-o.amd64.v1.34.1.tar.gz.sig \
--certificate cri-o.amd64.v1.34.1.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.34.1.tar.gz
> bom validate -e cri-o.amd64.v1.34.1.tar.gz.spdx -d cri-oChangelog since v1.34.0
Changes by Kind
Uncategorized
- Fixed static build gpgme issue resulting in an "Invalid crypto engine" error on various platforms. (#9487, @openshift-cherrypick-robot)
- Server: Fix network cleanup failures when NetNS path is empty (#9471, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
Assets 2
v1.33.5
CRI-O v1.33.5
The release notes have been generated for the commit range
v1.33.4...v1.33.5 on Thu, 02 Oct 2025 00:22:24 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.5.tar.gz
- cri-o.arm64.v1.33.5.tar.gz
- cri-o.ppc64le.v1.33.5.tar.gz
- cri-o.s390x.v1.33.5.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.5.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.5 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.5 \
--signature cri-o.amd64.v1.33.5.tar.gz.sig \
--certificate cri-o.amd64.v1.33.5.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.5.tar.gz
> bom validate -e cri-o.amd64.v1.33.5.tar.gz.spdx -d cri-oChangelog since v1.33.4
Changes by Kind
Bug or Regression
- Fix log rotation not working for containers running with the kata-containers runtime (#9452, @littlejawa)
Uncategorized
- Server: Fix network cleanup failures when NetNS path is empty (#9472, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
Assets 2
v1.32.9
CRI-O v1.32.9
The release notes have been generated for the commit range
v1.32.8...v1.32.9 on Thu, 02 Oct 2025 00:22:23 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.9.tar.gz
- cri-o.arm64.v1.32.9.tar.gz
- cri-o.ppc64le.v1.32.9.tar.gz
- cri-o.s390x.v1.32.9.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.9.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.9 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.9 \
--signature cri-o.amd64.v1.32.9.tar.gz.sig \
--certificate cri-o.amd64.v1.32.9.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.9.tar.gz
> bom validate -e cri-o.amd64.v1.32.9.tar.gz.spdx -d cri-oChangelog since v1.32.8
Changes by Kind
Bug or Regression
- Fix log rotation not working for containers running with the kata-containers runtime (#9451, @littlejawa)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.