Releases: cri-o/cri-o
Releases · cri-o/cri-o
v1.32.0
CRI-O v1.32.0
The release notes have been generated for the commit range
v1.31.0...v1.32.0 on Thu, 19 Dec 2024 16:22:36 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.0.tar.gz
- cri-o.arm64.v1.32.0.tar.gz
- cri-o.ppc64le.v1.32.0.tar.gz
- cri-o.s390x.v1.32.0.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.0.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.0 \
--signature cri-o.amd64.v1.32.0.tar.gz.sig \
--certificate cri-o.amd64.v1.32.0.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.0.tar.gz
> bom validate -e cri-o.amd64.v1.32.0.tar.gz.spdx -d cri-oChangelog since v1.31.0
Changes by Kind
Other
- Fixed building CRI-O without libseccomp. (#8686, @michalsieron)
Ci
- Use go 1.23 for nix (static) builds. (#8598, @saschagrunert)
Dependency-Change
Feature
- A runtime handler definition in the configuration file can use a new option
use_default_runtime. Setting it to true causes the values for runtime path, runtime type and runtime root to be inherited from the currently configured default runtime. (#8754, @MarSik) - Add
default_annotationsto the runtime handler configuration field, allowing admins to specify default annotations to pass to pods (#8829, @haircommander) - Added
--pull-progress-timeout/pull_progress_timeoutoption to fine-tune the timeout for making progress on image pull. (#8765, @saschagrunert) - Added crio status
goroutinessubcommand and/debug/goroutinesHTTP endpoint for printing the go routine stack. (#8697, @saschagrunert) - Added crio status
heapsubcommand and/debug/heapHTTP endpoint for creating memory heap dumps. (#8702, @saschagrunert) - Adding support for the systemd watchdog. For now it verifies that the CRI socket is reachable and the runtime reports ready status. (#8791, @saschagrunert)
- Call network plugin GC on startup to attempt cleaning up stale network
resources of pods that could not be restored (#8245, @jcaamano) - Nri plugins can obtain access to the assigned Pod IPs on the PodSandbox hooks (#8731, @aojea)
- Updated NRI to v0.9.0. (#8855, @saschagrunert)
- Use
SignatureValidationFailedCRI error for invalid signatures. (#8656, @saschagrunert) - Use the context timeout / deadline for stopping containers if provided. (#8678, @saschagrunert)
Bug or Regression
- Fix a bug where an
allowed_annotationspecified twice (in either a workload or runtime) couldn't be used (#8628, @haircommander) - Fix a bug where signature checking failed if an image specified both a tag and a digest (#8605, @haircommander)
- Fixed bug to always inherit
monitor_envwhen calling the OCI runtime. (#8808, @saschagrunert) - Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8582, @saschagrunert)
- Fixed gpgme/gnupg search path in static build binaries. (#8708, @saschagrunert)
- Fixed issue when sandbox removal is not possible due to stale or missing network namespace path. (#8785, @saschagrunert)
Other (Cleanup or Flake)
- Move factory/sandbox to lib/sandbox (#8610, @xw19)
- Require go 1.23 to build CRI-O. (#8597, @saschagrunert)
- Switched to use
RFC3339Nanotimestamp log format (2006-01-02T15:04:05.999999999Z07:00) (#8592, @saschagrunert) - Validate stream server TLS config on startup if TLS should be used. (#8744, @saschagrunert)
Uncategorized
Dependencies
Added
- chainguard.dev/sdk: v0.1.23
- cloud.google.com/go/auth/oauth2adapt: v0.2.4
- cloud.google.com/go/auth: v0.9.1
- cloud.google.com/go/bigtable: v1.29.0
- github.com/chainguard-dev/slogctx: v1.2.2
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/containerd/errdefs/pkg: v0.3.0
- github.com/go-logr/zapr: v1.3.0
- github.com/insomniacslk/dhcp: a3a4c1f
- github.com/josharian/native: v1.1.0
- github.com/knqyf263/go-plugin: d8d4205
- github.com/mdlayher/packet: v1.1.2
- github.com/moby/sys/capability: v0.3.0
- github.com/tetratelabs/wazero: v1.8.2
- github.com/u-root/uio: d2acac8
- k8s.io/cri-client: v0.31.4
- sigs.k8s.io/knftables: v0.0.18
Changed
- cel.dev/expr: v0.15.0 → v0.16.1
- chainguard.dev/go-grpc-kit: v0.17.2 → v0.17.5
- cloud.google.com/go/accessapproval: v1.7.5 → v1.7.12
- cloud.google.com/go/accesscontextmanager: v1.8.5 → v1.8.12
- cloud.google.com/go/aiplatform: v1.62.2 → v1.68.0
- cloud.google.com/go/analytics: v0.23.0 → v0.24.0
- cloud.google.com/go/apigateway: v1.6.5 → v1.6.12
- cloud.google.com/go/apigeeconnect: v1.6.5 → v1.6.12
- cloud.google.com/go/apigeeregistry: v0.8.3 → v0.8.10
- cloud.google.com/go/appengine: v1.8.5 → v1.8.12
- cloud.google.com/go/area120: v0.8.5 → v0.8.12
- cloud.google.com/go/artifactregistry: v1.14.7 → v1.14.14
- cloud.google.com/go/asset: v1.18.0 → v1.19.6
- cloud.google.com/go/assuredworkloads: v1.11.5 → v1.11.12
- cloud.google.com/go/auto...
Contributors
MarSik, saschagrunert, and 7 other contributors
Assets 2
v1.31.3
CRI-O v1.31.3
The release notes have been generated for the commit range
v1.31.2...v1.31.3 on Tue, 03 Dec 2024 00:23:41 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.3.tar.gz
- cri-o.arm64.v1.31.3.tar.gz
- cri-o.ppc64le.v1.31.3.tar.gz
- cri-o.s390x.v1.31.3.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.3.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.3 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.3 \
--signature cri-o.amd64.v1.31.3.tar.gz.sig \
--certificate cri-o.amd64.v1.31.3.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.3.tar.gz
> bom validate -e cri-o.amd64.v1.31.3.tar.gz.spdx -d cri-oChangelog since v1.31.2
Changes by Kind
Uncategorized
- A runtime handler definition in the configuration file can use a new option
use_default_runtime. Setting it to true causes the values for runtime path, runtime type and runtime root to be inherited from the currently configured default runtime. (#8762, @openshift-cherrypick-robot) - Added
--pull-progress-timeout/pull_progress_timeoutoption to fine-tune the timeout for making progress on image pull. (#8776, @openshift-cherrypick-robot) - Fixed gpgme/gnupg search path in static build binaries. (#8745, @openshift-cherrypick-robot)
- Only restore container if all bind mounts are defined. (#8792, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
kwilczynski and openshift-cherrypick-robot
Assets 2
v1.30.8
CRI-O v1.30.8
The release notes have been generated for the commit range
v1.30.7...v1.30.8 on Tue, 03 Dec 2024 00:23:43 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.8.tar.gz
- cri-o.arm64.v1.30.8.tar.gz
- cri-o.ppc64le.v1.30.8.tar.gz
- cri-o.s390x.v1.30.8.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.8.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.8 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.8 \
--signature cri-o.amd64.v1.30.8.tar.gz.sig \
--certificate cri-o.amd64.v1.30.8.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.8.tar.gz
> bom validate -e cri-o.amd64.v1.30.8.tar.gz.spdx -d cri-oChangelog since v1.30.7
Changes by Kind
Uncategorized
- Only restore container if all bind mounts are defined. (#8793, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
kwilczynski
Assets 2
v1.29.11
CRI-O v1.29.11
The release notes have been generated for the commit range
v1.29.10...v1.29.11 on Tue, 03 Dec 2024 00:23:49 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.11.tar.gz
- cri-o.arm64.v1.29.11.tar.gz
- cri-o.ppc64le.v1.29.11.tar.gz
- cri-o.s390x.v1.29.11.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.11.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.11 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.11 \
--signature cri-o.amd64.v1.29.11.tar.gz.sig \
--certificate cri-o.amd64.v1.29.11.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.11.tar.gz
> bom validate -e cri-o.amd64.v1.29.11.tar.gz.spdx -d cri-oChangelog since v1.29.10
Changes by Kind
Uncategorized
- Only restore container if all bind mounts are defined. (#8795, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
kwilczynski
Assets 2
v1.31.2
CRI-O v1.31.2
The release notes have been generated for the commit range
v1.31.1...v1.31.2 on Sat, 02 Nov 2024 00:21:02 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.2.tar.gz
- cri-o.arm64.v1.31.2.tar.gz
- cri-o.ppc64le.v1.31.2.tar.gz
- cri-o.s390x.v1.31.2.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.2.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.2 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.2 \
--signature cri-o.amd64.v1.31.2.tar.gz.sig \
--certificate cri-o.amd64.v1.31.2.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.2.tar.gz
> bom validate -e cri-o.amd64.v1.31.2.tar.gz.spdx -d cri-oChangelog since v1.31.1
Changes by Kind
Uncategorized
- Fix a bug where an
allowed_annotationspecified twice (in either a workload or runtime) couldn't be used (#8710, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/storage: v1.55.0 → 02f1845
Removed
Nothing has changed.
Contributors
openshift-cherrypick-robot
Assets 2
v1.30.7
CRI-O v1.30.7
The release notes have been generated for the commit range
v1.30.6...v1.30.7 on Sat, 02 Nov 2024 00:20:57 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.7.tar.gz
- cri-o.arm64.v1.30.7.tar.gz
- cri-o.ppc64le.v1.30.7.tar.gz
- cri-o.s390x.v1.30.7.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.7.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.7 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.7 \
--signature cri-o.amd64.v1.30.7.tar.gz.sig \
--certificate cri-o.amd64.v1.30.7.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.7.tar.gz
> bom validate -e cri-o.amd64.v1.30.7.tar.gz.spdx -d cri-oChangelog since v1.30.6
Changes by Kind
Uncategorized
- Fix a bug where an
allowed_annotationspecified twice (in either a workload or runtime) couldn't be used (#8712, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/storage: v1.51.0 → dfcc633
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.1
- golang.org/x/sys: v0.18.0 → v0.21.0
Removed
Nothing has changed.
Contributors
openshift-cherrypick-robot
Assets 2
v1.29.10
CRI-O v1.29.10
The release notes have been generated for the commit range
v1.29.9...v1.29.10 on Sat, 02 Nov 2024 00:21:08 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.10.tar.gz
- cri-o.arm64.v1.29.10.tar.gz
- cri-o.ppc64le.v1.29.10.tar.gz
- cri-o.s390x.v1.29.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.10 \
--signature cri-o.amd64.v1.29.10.tar.gz.sig \
--certificate cri-o.amd64.v1.29.10.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.10.tar.gz
> bom validate -e cri-o.amd64.v1.29.10.tar.gz.spdx -d cri-oChangelog since v1.29.9
Changes by Kind
Uncategorized
- Fix a bug where an
allowed_annotationspecified twice (in either a workload or runtime) couldn't be used (#8725, @openshift-cherrypick-robot)
Dependencies
Added
- github.com/moby/sys/user: v0.1.0
Changed
- github.com/containers/storage: v1.51.0 → 9811eb0
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.1
- github.com/stretchr/objx: v0.5.1 → v0.5.2
- github.com/stretchr/testify: v1.8.4 → v1.9.0
- golang.org/x/sys: v0.17.0 → v0.21.0
Removed
Nothing has changed.
Contributors
openshift-cherrypick-robot
Assets 2
v1.28.11
CRI-O v1.28.11
The release notes have been generated for the commit range
v1.28.10...v1.28.11 on Mon, 07 Oct 2024 08:35:15 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.28.11.tar.gz
- cri-o.arm64.v1.28.11.tar.gz
- cri-o.ppc64le.v1.28.11.tar.gz
- cri-o.s390x.v1.28.11.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.28.11.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.28.11 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.28.11 \
--signature cri-o.amd64.v1.28.11.tar.gz.sig \
--certificate cri-o.amd64.v1.28.11.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.28.11.tar.gz
> bom validate -e cri-o.amd64.v1.28.11.tar.gz.spdx -d cri-oChangelog since v1.28.10
Changes by Kind
Uncategorized
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8564, @kwilczynski)
- Fixed container stats label filtering. (#8576, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
kwilczynski and openshift-cherrypick-robot
Assets 2
v1.31.1
CRI-O v1.31.1
The release notes have been generated for the commit range
v1.31.0...v1.31.1 on Wed, 02 Oct 2024 00:21:05 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.1.tar.gz
- cri-o.arm64.v1.31.1.tar.gz
- cri-o.ppc64le.v1.31.1.tar.gz
- cri-o.s390x.v1.31.1.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.1.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.1 \
--signature cri-o.amd64.v1.31.1.tar.gz.sig \
--certificate cri-o.amd64.v1.31.1.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.1.tar.gz
> bom validate -e cri-o.amd64.v1.31.1.tar.gz.spdx -d cri-oChangelog since v1.31.0
Changes by Kind
Uncategorized
- Fix a bug where signature checking failed if an image specified both a tag and a digest (#8618, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8588, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
openshift-cherrypick-robot
Assets 2
v1.30.6
CRI-O v1.30.6
The release notes have been generated for the commit range
v1.30.5...v1.30.6 on Wed, 02 Oct 2024 00:20:57 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.6.tar.gz
- cri-o.arm64.v1.30.6.tar.gz
- cri-o.ppc64le.v1.30.6.tar.gz
- cri-o.s390x.v1.30.6.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.6.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.6 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.6 \
--signature cri-o.amd64.v1.30.6.tar.gz.sig \
--certificate cri-o.amd64.v1.30.6.tar.gz.certTo verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.6.tar.gz
> bom validate -e cri-o.amd64.v1.30.6.tar.gz.spdx -d cri-oChangelog since v1.30.5
Changes by Kind
Uncategorized
- Config: add /dev/net/tun to default allowed devices (#8595, @openshift-cherrypick-robot)
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8558, @openshift-cherrypick-robot)
- Fixed container stats label filtering. (#8574, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8586, @openshift-cherrypick-robot)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8568, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors
kwilczynski and openshift-cherrypick-robot