Releases: cri-o/cri-o
v1.31.1
CRI-O v1.31.1
The release notes have been generated for the commit range
v1.31.0...v1.31.1 on Wed, 02 Oct 2024 00:21:05 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.1.tar.gz
- cri-o.arm64.v1.31.1.tar.gz
- cri-o.ppc64le.v1.31.1.tar.gz
- cri-o.s390x.v1.31.1.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.1.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.1 \
--signature cri-o.amd64.v1.31.1.tar.gz.sig \
--certificate cri-o.amd64.v1.31.1.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.1.tar.gz
> bom validate -e cri-o.amd64.v1.31.1.tar.gz.spdx -d cri-o
Changelog since v1.31.0
Changes by Kind
Uncategorized
- Fix a bug where signature checking failed if an image specified both a tag and a digest (#8618, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8588, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.30.6
CRI-O v1.30.6
The release notes have been generated for the commit range
v1.30.5...v1.30.6 on Wed, 02 Oct 2024 00:20:57 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.6.tar.gz
- cri-o.arm64.v1.30.6.tar.gz
- cri-o.ppc64le.v1.30.6.tar.gz
- cri-o.s390x.v1.30.6.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.6.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.6 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.6 \
--signature cri-o.amd64.v1.30.6.tar.gz.sig \
--certificate cri-o.amd64.v1.30.6.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.6.tar.gz
> bom validate -e cri-o.amd64.v1.30.6.tar.gz.spdx -d cri-o
Changelog since v1.30.5
Changes by Kind
Uncategorized
- Config: add /dev/net/tun to default allowed devices (#8595, @openshift-cherrypick-robot)
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8558, @openshift-cherrypick-robot)
- Fixed container stats label filtering. (#8574, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8586, @openshift-cherrypick-robot)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8568, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.29.9
CRI-O v1.29.9
The release notes have been generated for the commit range
v1.29.8...v1.29.9 on Wed, 02 Oct 2024 00:20:56 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.9.tar.gz
- cri-o.arm64.v1.29.9.tar.gz
- cri-o.ppc64le.v1.29.9.tar.gz
- cri-o.s390x.v1.29.9.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.9.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.9 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.9 \
--signature cri-o.amd64.v1.29.9.tar.gz.sig \
--certificate cri-o.amd64.v1.29.9.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.9.tar.gz
> bom validate -e cri-o.amd64.v1.29.9.tar.gz.spdx -d cri-o
Changelog since v1.29.8
Changes by Kind
Uncategorized
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8563, @kwilczynski)
- Fixed container stats label filtering. (#8575, @openshift-cherrypick-robot)
- Fixed evented pleg pod sandbox status timestamp to use a time in nanosecond resolution. (#8587, @openshift-cherrypick-robot)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8569, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.0
CRI-O v1.31.0
The release notes have been generated for the commit range
v1.30.0...v1.31.0 on Tue, 10 Sep 2024 02:46:14 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.0.tar.gz
- cri-o.arm64.v1.31.0.tar.gz
- cri-o.ppc64le.v1.31.0.tar.gz
- cri-o.s390x.v1.31.0.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.0.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.0 \
--signature cri-o.amd64.v1.31.0.tar.gz.sig \
--certificate cri-o.amd64.v1.31.0.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.0.tar.gz
> bom validate -e cri-o.amd64.v1.31.0.tar.gz.spdx -d cri-o
Changelog since v1.30.0
Changes by Kind
Dependency-Change
- Update pause image to 3.10. (#8382, @PannagaRao)
- Updated vendored conmon-rs libraries to v0.6.5. (#8451, @saschagrunert)
Other
- Move the tracing endpoint listener to use 127.0.0.1 as the new default. (#8495, @bitoku)
- Move the tracing profile listener to use 127.0.0.1 as the new default. (#8506, @bitoku)
Deprecation
- Remove
registries
config incrio.image
and--registry
option which have been already deprecated. (#8194, @bitoku) - Remove device mapper storage driver. (#8019, @kolyshkin)
API Change
- Removed
crio config --migrate-defaults
command which has been deprecated in v1.28. (#8367, @saschagrunert)
Feature
- Add RuntimeStatus.features.supplemental_groups_policy field (KEP-3619) (#8386, @everpeace)
- Add
no_sync_log
option to disable fsync on container log rotation and container exit. This can improve performance at the cost of potential data loss on machine crashes. (#8363, @rtreffer) - Add fine-grained SupplementalGroups control for enhanced security (KEP-3619) (#8268, @sohankunkerkar)
- Added support for the Kubernetes OCI / image Volume Source (KEP-4639). (#8317, @saschagrunert)
- Config: add /dev/net/tun to default allowed devices (#8525, @haircommander)
- Respect image pull timeout set by RPC context to potentially abort an ongoing image pull. (#8266, @saschagrunert)
- Show runtime configuration in the CRI-O logs. (#7783, @LenkaSeg)
- Update the type of checks the internal repair feature performs on CRI-O's start-up following an unclean shutdown, enable the internal repair option by default, and add a new
crio check
sub-command. (#8417, @kwilczynski) - Add support for validating signatures on container creation. Now, if there is a namespaced policy in the
signature_policy_dir
, CRI-O will validate the signature defined insignature_policy_dir
/NS
.json for pods in namespaceNS
(#8212, @harche) - Update
crun
to be the default OCI runtime (#8549, @haircommander)
Design
- Remove a container after it fails to start, to prevent copies of it from piling up until it succeeds. (#8288, @haircommander)
Documentation
- Fixed version output formatting in
crio -h
. (#8337, @saschagrunert) - Sorted
crio
subcommands by name. (#8336, @saschagrunert) - Updated documentation to not mention legacy installation instructions any more. (#8359, @saschagrunert)
- Updated installation docs and move all binary related information to https://github.com/cri-o/packaging (#8383, @saschagrunert)
Bug or Regression
- Check for nil values when importing container definition for a given container checkpoint to be restored. (#8150, @kwilczynski)
- Enabled restoring container logs from a checkpoint. (#8290, @rst0git)
- Fix CVE-2024-5154 where a malicious container image could make a symlink of
/proc/mounts
on the host, out of the container's rootfs (#8225, @haircommander) - Fix a bug where a pod with a userns would fail to be created when
ping_group_range
sysctl was specified for it (and the max of that range was outside of the pods user namespace) (#8174, @haircommander) - Fix a bug where pinns wasn't setting the sysctls at the correct time when it was also pinning a user namespace (#8149, @haircommander)
- Fix a bug where the GID is not added to /etc/group when run_as_group is set (#8251, @PannagaRao)
- Fix memory leakage when sending a failing port-forward request (#8203, @bitoku)
- Fix the bug that cri-o stops watching container exits after it gets an fsnotify error (#8195, @bitoku)
- Fixed a bug where stopping a container would block all further stop attempts for the same container. (#8300, @sohankunkerkar)
- Fixed container stats label filtering. (#8240, @saschagrunert)
- Fixed container volume restore on CRI-O restart. (#8301, @saschagrunert)
- Fixed pod lifecycle regression where the exec PID's got killed before the actual container. (#8162, @saschagrunert)
- Reload config should remove pinned images when an empty list is provided (#8213, @roman-kiselenko)
- The default seccomp policy now blocks clone and clone3 system calls that can create a Linux namespace. This matches the default seccomp policy containerd uses. (#8514, @bitoku)
Other (Cleanup or Flake)
- Log exactly how configuration gets loaded into memory on
SIGHUP
and CRI-O start. (#8452, @saschagrunert) - Log version only for main CRI-O command, not on others like
crio config
orcrio status
. (#8406, @saschagrunert) - Made
StopContainer
,RemoveContainer
andRemoveImage
idempotent per CRI API definition:
https://github.com/kubernetes/cri...
v1.30.5
CRI-O v1.30.5
The release notes have been generated for the commit range
v1.30.4...v1.30.5 on Tue, 03 Sep 2024 00:19:38 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.5.tar.gz
- cri-o.arm64.v1.30.5.tar.gz
- cri-o.ppc64le.v1.30.5.tar.gz
- cri-o.s390x.v1.30.5.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.5.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.5 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.5 \
--signature cri-o.amd64.v1.30.5.tar.gz.sig \
--certificate cri-o.amd64.v1.30.5.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.5.tar.gz
> bom validate -e cri-o.amd64.v1.30.5.tar.gz.spdx -d cri-o
Changelog since v1.30.4
Changes by Kind
Feature
- Update the type of checks the internal repair feature performs on CRI-O's start-up following an unclean shutdown, and add a new
crio check
sub-command. (#8468, @kwilczynski)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.29.8
CRI-O v1.29.8
The release notes have been generated for the commit range
v1.29.7...v1.29.8 on Tue, 03 Sep 2024 00:19:39 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.8.tar.gz
- cri-o.arm64.v1.29.8.tar.gz
- cri-o.ppc64le.v1.29.8.tar.gz
- cri-o.s390x.v1.29.8.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.8.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.8 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.8 \
--signature cri-o.amd64.v1.29.8.tar.gz.sig \
--certificate cri-o.amd64.v1.29.8.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.8.tar.gz
> bom validate -e cri-o.amd64.v1.29.8.tar.gz.spdx -d cri-o
Changelog since v1.29.7
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.28.10
CRI-O v1.28.10
The release notes have been generated for the commit range
v1.28.9...v1.28.10 on Tue, 03 Sep 2024 00:19:54 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.28.10.tar.gz
- cri-o.arm64.v1.28.10.tar.gz
- cri-o.ppc64le.v1.28.10.tar.gz
- cri-o.s390x.v1.28.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.28.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.28.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.28.10 \
--signature cri-o.amd64.v1.28.10.tar.gz.sig \
--certificate cri-o.amd64.v1.28.10.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.28.10.tar.gz
> bom validate -e cri-o.amd64.v1.28.10.tar.gz.spdx -d cri-o
Changelog since v1.28.9
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.30.4
CRI-O v1.30.4
The release notes have been generated for the commit range
v1.30.3...v1.30.4 on Fri, 02 Aug 2024 00:18:37 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.4.tar.gz
- cri-o.arm64.v1.30.4.tar.gz
- cri-o.ppc64le.v1.30.4.tar.gz
- cri-o.s390x.v1.30.4.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.4.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.4 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.4 \
--signature cri-o.amd64.v1.30.4.tar.gz.sig \
--certificate cri-o.amd64.v1.30.4.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.4.tar.gz
> bom validate -e cri-o.amd64.v1.30.4.tar.gz.spdx -d cri-o
Changelog since v1.30.3
Changes by Kind
Uncategorized
- Fixed a bug where stopping a container would block all further stop attempts for the same container. (#8392, @sohankunkerkar)
- Reduced "Failed to get pid for pod infra container" NRI message for spoofed containers and lowering the verbosity to
DEBUG
. (#8435, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.29.7
CRI-O v1.29.7
The release notes have been generated for the commit range
v1.29.6...v1.29.7 on Fri, 02 Aug 2024 07:22:51 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.29.7.tar.gz
- cri-o.arm64.v1.29.7.tar.gz
- cri-o.ppc64le.v1.29.7.tar.gz
- cri-o.s390x.v1.29.7.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.7.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.7 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.29.7 \
--signature cri-o.amd64.v1.29.7.tar.gz.sig \
--certificate cri-o.amd64.v1.29.7.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.29.7.tar.gz
> bom validate -e cri-o.amd64.v1.29.7.tar.gz.spdx -d cri-o
Changelog since v1.29.6
Changes by Kind
Uncategorized
- Fixed a bug where stopping a container would block all further stop attempts for the same container. (#8393, @sohankunkerkar)
- Reload config should remove pinned images when an empty list is provided (#8325, @sohankunkerkar)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.28.9
CRI-O v1.28.9
The release notes have been generated for the commit range
v1.28.8...v1.28.9 on Fri, 02 Aug 2024 07:22:55 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.28.9.tar.gz
- cri-o.arm64.v1.28.9.tar.gz
- cri-o.ppc64le.v1.28.9.tar.gz
- cri-o.s390x.v1.28.9.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.28.9.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.28.9 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.28.9 \
--signature cri-o.amd64.v1.28.9.tar.gz.sig \
--certificate cri-o.amd64.v1.28.9.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.28.9.tar.gz
> bom validate -e cri-o.amd64.v1.28.9.tar.gz.spdx -d cri-o
Changelog since v1.28.8
Changes by Kind
Uncategorized
- Fixed a bug where stopping a container would block all further stop attempts for the same container. (#8394, @sohankunkerkar)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.