Releases: cri-o/cri-o
v1.30.7
CRI-O v1.30.7
The release notes have been generated for the commit range
v1.30.6...v1.30.7 on Sat, 02 Nov 2024 00:20:57 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.7.tar.gz
- cri-o.arm64.v1.30.7.tar.gz
- cri-o.ppc64le.v1.30.7.tar.gz
- cri-o.s390x.v1.30.7.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.7.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.7 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.7 \
--signature cri-o.amd64.v1.30.7.tar.gz.sig \
--certificate cri-o.amd64.v1.30.7.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.7.tar.gz
> bom validate -e cri-o.amd64.v1.30.7.tar.gz.spdx -d cri-o
Changelog since v1.30.6
Changes by Kind
Uncategorized
- Fix a bug where an allowed_annotation specified twice (in either a workload or runtime) couldn't be used (#8712, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/storage: v1.51.0 → dfcc633
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.1
- golang.org/x/sys: v0.18.0 → v0.21.0
Removed
Nothing has changed.
v1.29.10
CRI-O v1.29.10
The release notes have been generated for the commit range
v1.29.9...v1.29.10 on Sat, 02 Nov 2024 00:21:08 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.10.tar.gz
- cri-o.arm64.v1.29.10.tar.gz
- cri-o.ppc64le.v1.29.10.tar.gz
- cri-o.s390x.v1.29.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.10 \
--signature cri-o.amd64.v1.29.10.tar.gz.sig \
--certificate cri-o.amd64.v1.29.10.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.10.tar.gz
> bom validate -e cri-o.amd64.v1.29.10.tar.gz.spdx -d cri-o
Changelog since v1.29.9
Changes by Kind
Uncategorized
- Fix a bug where an allowed_annotation specified twice (in either a workload or runtime) couldn't be used (#8725, @openshift-cherrypick-robot)
Dependencies
Added
- github.com/moby/sys/user: v0.1.0
Changed
- github.com/containers/storage: v1.51.0 → 9811eb0
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.1
- github.com/stretchr/objx: v0.5.1 → v0.5.2
- github.com/stretchr/testify: v1.8.4 → v1.9.0
- golang.org/x/sys: v0.17.0 → v0.21.0
Removed
Nothing has changed.
v1.28.11
CRI-O v1.28.11
The release notes have been generated for the commit range
v1.28.10...v1.28.11 on Mon, 07 Oct 2024 08:35:15 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.28.11.tar.gz
- cri-o.arm64.v1.28.11.tar.gz
- cri-o.ppc64le.v1.28.11.tar.gz
- cri-o.s390x.v1.28.11.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.28.11.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.28.11 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.28.11 \
--signature cri-o.amd64.v1.28.11.tar.gz.sig \
--certificate cri-o.amd64.v1.28.11.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.28.11.tar.gz
> bom validate -e cri-o.amd64.v1.28.11.tar.gz.spdx -d cri-o
Changelog since v1.28.10
Changes by Kind
Uncategorized
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8564, @kwilczynski)
- Fixed container stats label filtering. (#8576, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.1
CRI-O v1.31.1
The release notes have been generated for the commit range
v1.31.0...v1.31.1 on Wed, 02 Oct 2024 00:21:05 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.1.tar.gz
- cri-o.arm64.v1.31.1.tar.gz
- cri-o.ppc64le.v1.31.1.tar.gz
- cri-o.s390x.v1.31.1.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.1.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.1 \
--signature cri-o.amd64.v1.31.1.tar.gz.sig \
--certificate cri-o.amd64.v1.31.1.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.1.tar.gz
> bom validate -e cri-o.amd64.v1.31.1.tar.gz.spdx -d cri-o
Changelog since v1.31.0
Changes by Kind
Uncategorized
- Fix a bug where signature checking failed if an image specified both a tag and a digest (#8618, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8588, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.30.6
CRI-O v1.30.6
The release notes have been generated for the commit range
v1.30.5...v1.30.6 on Wed, 02 Oct 2024 00:20:57 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.6.tar.gz
- cri-o.arm64.v1.30.6.tar.gz
- cri-o.ppc64le.v1.30.6.tar.gz
- cri-o.s390x.v1.30.6.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.6.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.6 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.6 \
--signature cri-o.amd64.v1.30.6.tar.gz.sig \
--certificate cri-o.amd64.v1.30.6.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.6.tar.gz
> bom validate -e cri-o.amd64.v1.30.6.tar.gz.spdx -d cri-o
Changelog since v1.30.5
Changes by Kind
Uncategorized
- Config: add /dev/net/tun to default allowed devices (#8595, @openshift-cherrypick-robot)
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8558, @openshift-cherrypick-robot)
- Fixed container stats label filtering. (#8574, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8586, @openshift-cherrypick-robot)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8568, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.29.9
CRI-O v1.29.9
The release notes have been generated for the commit range
v1.29.8...v1.29.9 on Wed, 02 Oct 2024 00:20:56 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.9.tar.gz
- cri-o.arm64.v1.29.9.tar.gz
- cri-o.ppc64le.v1.29.9.tar.gz
- cri-o.s390x.v1.29.9.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.9.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.9 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.9 \
--signature cri-o.amd64.v1.29.9.tar.gz.sig \
--certificate cri-o.amd64.v1.29.9.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.9.tar.gz
> bom validate -e cri-o.amd64.v1.29.9.tar.gz.spdx -d cri-o
Changelog since v1.29.8
Changes by Kind
Uncategorized
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8563, @kwilczynski)
- Fixed container stats label filtering. (#8575, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8587, @openshift-cherrypick-robot)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8569, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.0
CRI-O v1.31.0
The release notes have been generated for the commit range
v1.30.0...v1.31.0 on Tue, 10 Sep 2024 02:46:14 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.0.tar.gz
- cri-o.arm64.v1.31.0.tar.gz
- cri-o.ppc64le.v1.31.0.tar.gz
- cri-o.s390x.v1.31.0.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.0.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.0 \
--signature cri-o.amd64.v1.31.0.tar.gz.sig \
--certificate cri-o.amd64.v1.31.0.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.0.tar.gz
> bom validate -e cri-o.amd64.v1.31.0.tar.gz.spdx -d cri-o
Changelog since v1.30.0
Changes by Kind
Dependency-Change
- Update pause image to 3.10. (#8382, @PannagaRao)
- Updated vendored conmon-rs libraries to v0.6.5. (#8451, @saschagrunert)
Other
- Move the tracing endpoint listener to use 127.0.0.1 as the new default. (#8495, @bitoku)
- Move the tracing profile listener to use 127.0.0.1 as the new default. (#8506, @bitoku)
Deprecation
- Remove registries config in crio.image and --registry option which have been already deprecated. (#8194, @bitoku)
- Remove device mapper storage driver. (#8019, @kolyshkin)
API Change
- Removed crio config --migrate-defaults command which has been deprecated in v1.28. (#8367, @saschagrunert)
Feature
- Add RuntimeStatus.features.supplemental_groups_policy field (KEP-3619) (#8386, @everpeace)
- Add no_sync_log option to disable fsync on container log rotation and container exit. This can improve performance at the cost of potential data loss on machine crashes. (#8363, @rtreffer)
- Add fine-grained SupplementalGroups control for enhanced security (KEP-3619) (#8268, @sohankunkerkar)
- Added support for the Kubernetes OCI / image Volume Source (KEP-4639). (#8317, @saschagrunert)
- Config: add /dev/net/tun to default allowed devices (#8525, @haircommander)
- Respect image pull timeout set by RPC context to potentially abort an ongoing image pull. (#8266, @saschagrunert)
- Show runtime configuration in the CRI-O logs. (#7783, @LenkaSeg)
- Update the type of checks the internal repair feature performs on CRI-O's start-up following an unclean shutdown, enable the internal repair option by default, and add a new crio check sub-command. (#8417, @kwilczynski)
- Add support for validating signatures on container creation. Now, if there is a namespaced policy in the signature_policy_dir, CRI-O will validate the signature defined in signature_policy_dir/NS.json for pods in namespace NS (#8212, @harche)
- Update crun to be the default OCI runtime (#8549, @haircommander)
Design
- Remove a container after it fails to start, to prevent copies of it from piling up until it succeeds. (#8288, @haircommander)
Documentation
- Fixed version output formatting in crio -h. (#8337, @saschagrunert)
- Sorted crio subcommands by name. (#8336, @saschagrunert)
- Updated documentation to not mention legacy installation instructions any more. (#8359, @saschagrunert)
- Updated installation docs and move all binary related information to https://github.com/cri-o/packaging (#8383, @saschagrunert)
Bug or Regression
- Check for nil values when importing container definition for a given container checkpoint to be restored. (#8150, @kwilczynski)
- Enabled restoring container logs from a checkpoint. (#8290, @rst0git)
- Fix CVE-2024-5154 where a malicious container image could make a symlink of /proc/mounts on the host, out of the container's rootfs (#8225, @haircommander)
- Fix a bug where a pod with a userns would fail to be created when ping_group_range sysctl was specified for it (and the max of that range was outside of the pod's user namespace) (#8174, @haircommander)
- Fix a bug where pinns wasn't setting the sysctls at the correct time when it was also pinning a user namespace (#8149, @haircommander)
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8251, @PannagaRao)
- Fix memory leakage when sending a failing port-forward request (#8203, @bitoku)
- Fix the bug that cri-o stops watching container exits after it gets an fsnotify error (#8195, @bitoku)
- Fixed a bug where stopping a container would block all further stop attempts for the same container. (#8300, @sohankunkerkar)
- Fixed container stats label filtering. (#8240, @saschagrunert)
- Fixed container volume restore on CRI-O restart. (#8301, @saschagrunert)
- Fixed pod lifecycle regression where the exec PID's got killed before the actual container. (#8162, @saschagrunert)
- Reload config should remove pinned images when an empty list is provided (#8213, @roman-kiselenko)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8514, @bitoku)
Other (Cleanup or Flake)
- Log exactly how configuration gets loaded into memory on SIGHUP and CRI-O start. (#8452, @saschagrunert)
- Log version only for main CRI-O command, not on others like crio config or crio status. (#8406, @saschagrunert)
- Made StopContainer, RemoveContainer and RemoveImage idempotent per CRI API definition:
https://github.com/kubernetes/cri...
v1.30.5
CRI-O v1.30.5
The release notes have been generated for the commit range
v1.30.4...v1.30.5 on Tue, 03 Sep 2024 00:19:38 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.5.tar.gz
- cri-o.arm64.v1.30.5.tar.gz
- cri-o.ppc64le.v1.30.5.tar.gz
- cri-o.s390x.v1.30.5.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.5.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.5 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.5 \
--signature cri-o.amd64.v1.30.5.tar.gz.sig \
--certificate cri-o.amd64.v1.30.5.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.5.tar.gz
> bom validate -e cri-o.amd64.v1.30.5.tar.gz.spdx -d cri-o
Changelog since v1.30.4
Changes by Kind
Feature
- Update the type of checks the internal repair feature performs on CRI-O's start-up following an unclean shutdown, and add a new crio check sub-command. (#8468, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.29.8
CRI-O v1.29.8
The release notes have been generated for the commit range
v1.29.7...v1.29.8 on Tue, 03 Sep 2024 00:19:39 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.8.tar.gz
- cri-o.arm64.v1.29.8.tar.gz
- cri-o.ppc64le.v1.29.8.tar.gz
- cri-o.s390x.v1.29.8.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.8.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.8 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.8 \
--signature cri-o.amd64.v1.29.8.tar.gz.sig \
--certificate cri-o.amd64.v1.29.8.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.8.tar.gz
> bom validate -e cri-o.amd64.v1.29.8.tar.gz.spdx -d cri-o
Changelog since v1.29.7
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.28.10
CRI-O v1.28.10
The release notes have been generated for the commit range
v1.28.9...v1.28.10 on Tue, 03 Sep 2024 00:19:54 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.28.10.tar.gz
- cri-o.arm64.v1.28.10.tar.gz
- cri-o.ppc64le.v1.28.10.tar.gz
- cri-o.s390x.v1.28.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.28.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.28.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.28.10 \
--signature cri-o.amd64.v1.28.10.tar.gz.sig \
--certificate cri-o.amd64.v1.28.10.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.28.10.tar.gz
> bom validate -e cri-o.amd64.v1.28.10.tar.gz.spdx -d cri-o
Changelog since v1.28.9
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.