Merge pull request #5970 from afbjorklund/crio-v1.16.0

cri-o v1.16.0

deploy/iso/minikube-iso/package/conmon-master/conmon-master.hash

@@ -1,3 +1,4 @@
 # Locally computed
 sha256 4f978a59c6ee516f7e3febfb3b0360a17d1be2c283313e1aeb27adcb8c8f9166 dde3ccf93f01ce5a3e0f7a2c97053697cc3ed152.tar.gz
 sha256 75fad6e66b43c5039719edbd82ba072723aea6a9d4d8be4e7ac1c245a291ab1b 8455ce1ef385120deb827d0f0588c04357bad4c4.tar.gz
+sha256 6c9bf278ae6e125a39f1ae419e5bd314162a743f6587d70b1b6be095ac32b9af eb5fa88c26fde5ce1e3f8a1d2a8a9498b2d7dbe6.tar.gz

deploy/iso/minikube-iso/package/conmon-master/conmon-master.mk

@@ -4,27 +4,21 @@
 #
 ################################################################################
 
-# HEAD as of 2019-06-13
-CONMON_MASTER_VERSION = 8455ce1ef385120deb827d0f0588c04357bad4c4
+# HEAD as of 2019-11-11
+CONMON_MASTER_VERSION = eb5fa88c26fde5ce1e3f8a1d2a8a9498b2d7dbe6
 CONMON_MASTER_SITE = https://github.com/containers/conmon/archive
 CONMON_MASTER_SOURCE = $(CONMON_MASTER_VERSION).tar.gz
 CONMON_MASTER_LICENSE = Apache-2.0
 CONMON_MASTER_LICENSE_FILES = LICENSE
 
 CONMON_MASTER_DEPENDENCIES = host-pkgconf
 
-define CONMON_MASTER_PATCH_PKGCONFIG
-	sed -e 's/pkg-config/$$(PKG_CONFIG)/g' -i $(@D)/Makefile
-endef
-
-CONMON_MASTER_POST_PATCH_HOOKS += CONMON_MASTER_PATCH_PKGCONFIG
-
 define CONMON_MASTER_BUILD_CMDS
 	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) GIT_COMMIT=$(CONMON_MASTER_VERSION) PREFIX=/usr
 endef
 
 define CONMON_MASTER_INSTALL_TARGET_CMDS
-	# crio conmon is installed by the crio package, so don't install it here
+	$(INSTALL) -Dm755 $(@D)/bin/conmon $(TARGET_DIR)/usr/libexec/crio/conmon
 	$(INSTALL) -Dm755 $(@D)/bin/conmon $(TARGET_DIR)/usr/libexec/podman/conmon
 endef
 

deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash

@@ -8,3 +8,4 @@ sha256 1f6f72b1f89d4286b2d5b54a48f4d5ed4c0c01065d484635dcb343a706feb743 v1.14.1.
 sha256 f7041a92e2d3a4c341be8df58f1076ba57ecb5daa02b6c65e652530c5f242739 v1.15.0.tar.gz
 sha256 6218a99877da9b9895e0088944731f5384803c15628d4b3c6b40ba1ddd39e052 v1.15.1.tar.gz
 sha256 70d4c746fe207422c78420dc4239768f485eea639a38c993c02872ec6305dd1d v1.15.2.tar.gz
+sha256 05f9614c4d5970b4662499b84c270b0ab953596ee863dcd09c9dc7a2d2f09789 v1.16.0.tar.gz

deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk

@@ -4,14 +4,15 @@
 #
 ################################################################################
 
-CRIO_BIN_VERSION = v1.15.2
-CRIO_BIN_COMMIT = b7316701c17ebc7901d10a716f15e66008c52525
+CRIO_BIN_VERSION = v1.16.0
+CRIO_BIN_COMMIT = fa99ff4ae2aa45115bf3c6bb33db07191db2518e
 CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
 CRIO_BIN_GOPATH = $(@D)/_output
 CRIO_BIN_ENV = \
 	CGO_ENABLED=1 \
+	GO111MODULE=off \
 	GOPATH="$(CRIO_BIN_GOPATH)" \
 	GOBIN="$(CRIO_BIN_GOPATH)/bin" \
 	PATH=$(CRIO_BIN_GOPATH)/bin:$(BR_PATH)
@@ -25,8 +26,8 @@ endef
 define CRIO_BIN_CONFIGURE_CMDS
 	mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/cri-o
 	ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/cri-o/cri-o
-	# Copy pre-generated conmon/config.h - see <https://github.com/cri-o/cri-o/issues/2575>
-	cp $(CRIO_BIN_PKGDIR)/conmon-config.h $(@D)/conmon/config.h
+	# disable the "automatic" go module detection
+	sed -e 's/go help mod/false/' -i $(@D)/Makefile
 endef
 
 define CRIO_BIN_BUILD_CMDS
@@ -41,9 +42,6 @@ define CRIO_BIN_INSTALL_TARGET_CMDS
 	$(INSTALL) -Dm755 \
 		$(@D)/bin/crio \
 		$(TARGET_DIR)/usr/bin/crio
-	$(INSTALL) -Dm755 \
-		$(@D)/bin/conmon \
-		$(TARGET_DIR)/usr/libexec/crio/conmon
 	$(INSTALL) -Dm755 \
 		$(@D)/bin/pause \
 		$(TARGET_DIR)/usr/libexec/crio/pause
@@ -66,6 +64,9 @@ define CRIO_BIN_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -Dm644 \
 		$(CRIO_BIN_PKGDIR)/crio.service \
 		$(TARGET_DIR)/usr/lib/systemd/system/crio.service
+	$(INSTALL) -Dm644 \
+		$(CRIO_BIN_PKGDIR)/crio-wipe.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/crio-wipe.service
 	$(call link-service,crio.service)
 	$(call link-service,crio-shutdown.service)
 endef

deploy/iso/minikube-iso/package/crio-bin/crio-wipe.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=CRI-O Auto Update Script
+Before=crio.service
+RequiresMountsFor=/var/lib/containers
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/crio
+EnvironmentFile=-/etc/sysconfig/crio.minikube
+EnvironmentFile=/var/run/minikube/env
+ExecStart=/usr/bin/crio \
+          $CRIO_OPTIONS \
+          $CRIO_MINIKUBE_OPTIONS \
+		  wipe
+
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target

deploy/iso/minikube-iso/package/crio-bin/crio.conf

@@ -32,21 +32,22 @@ storage_driver = "overlay"
 #storage_option = [
 #]
 
-# If set to false, in-memory locking will be used instead of file-based locking.
-# **Deprecated** this option will be removed in the future.
-file_locking = false
-
-# Path to the lock file.
-# **Deprecated** this option will be removed in the future.
-file_locking_path = "/run/crio.lock"
+# The default log directory where all logs will go unless directly specified by
+# the kubelet. The log directory specified must be an absolute directory.
+log_dir = "/var/log/crio/pods"
 
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"
 
 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
 
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"
 
+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"
 
@@ -62,11 +63,11 @@ stream_enable_tls = false
 stream_tls_cert = ""
 
 # Path to the key file used to serve the encrypted stream. This file can
-# change, and CRI-O will automatically pick up the changes within 5 minutes.
+# change and CRI-O will automatically pick up the changes within 5 minutes.
 stream_tls_key = ""
 
 # Path to the x509 CA(s) file used to verify and authenticate client
-# communication with the encrypted stream. This file can change, and CRI-O will
+# communication with the encrypted stream. This file can change and CRI-O will
 # automatically pick up the changes within 5 minutes.
 stream_tls_ca = ""
 
@@ -95,6 +96,7 @@ default_runtime = "runc"
 no_pivot = false
 
 # Path to the conmon binary, used for monitoring the OCI runtime.
+# Will be searched for using $PATH if empty.
 conmon = "/usr/libexec/crio/conmon"
 
 # Cgroup setting for conmon
@@ -116,7 +118,7 @@ seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
-apparmor_profile = "crio-default-1.15.1"
+apparmor_profile = "crio-default-1.16.0"
 
 # Cgroup management implementation used for the runtime.
 cgroup_manager = "cgroupfs"
@@ -192,6 +194,9 @@ container_exits_dir = "/var/run/crio/exits"
 # Path to directory for container attach sockets.
 container_attach_socket_dir = "/var/run/crio"
 
+# The prefix to use for the source of the bind mounts.
+bind_mount_prefix = ""
+
 # If set to true, all containers will run in read-only mode.
 read_only = false
 
@@ -200,9 +205,6 @@ read_only = false
 # configuration reload.
 log_level = "error"
 
-# The default log directory where all logs will go unless directly specified by the kubelet
-log_dir = "/var/log/crio/pods"
-
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -224,14 +226,44 @@ manage_network_ns_lifecycle = false
 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
 # If no runtime_handler is provided, the runtime will be picked based on the level
-# of trust of the workload.
+# of trust of the workload. Each entry in the table should follow the format:
+#
+#[crio.runtime.runtimes.runtime-handler]
+#  runtime_path = "/path/to/the/executable"
+#  runtime_type = "oci"
+#  runtime_root = "/path/to/the/root"
+#
+# Where:
+# - runtime-handler: name used to identify the runtime
+# - runtime_path (optional, string): absolute path to the runtime executable in
+#   the host filesystem. If omitted, the runtime-handler identifier should match
+#   the runtime executable name, and the runtime executable should be placed
+#   in $PATH.
+# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
+#   omitted, an "oci" runtime is assumed.
+# - runtime_root (optional, string): root directory for storage of containers
+#   state.
+
 
 [crio.runtime.runtimes.runc]
 runtime_path = "/usr/bin/runc"
 runtime_type = "oci"
 runtime_root = "/run/runc"
 
 
+# Kata Containers is an OCI runtime, where containers are run inside lightweight
+# VMs. Kata provides additional isolation towards the host, minimizing the host attack
+# surface and mitigating the consequences of containers breakout.
+
+# Kata Containers with the default configured VMM
+#[crio.runtime.runtimes.kata-runtime]
+
+# Kata Containers with the QEMU VMM
+#[crio.runtime.runtimes.kata-qemu]
+
+# Kata Containers with the Firecracker VMM
+#[crio.runtime.runtimes.kata-fc]
+
 # The crio.image table contains settings pertaining to the management of OCI images.
 #
 # CRI-O reads its configured registries defaults from the system wide
@@ -258,7 +290,9 @@ pause_image = "k8s.gcr.io/pause:3.1"
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
-# This option supports live configuration reload.
+# When explicitly set to "", it will fallback to the entrypoint and command
+# specified in the pause image. When commented out, it will fallback to the
+# default: "/pause". This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -268,6 +302,11 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = ""
 
+# List of registries to skip TLS verification for pulling images. Please
+# consider configuring the registries via /etc/containers/registries.conf before
+# changing them here.
+#insecure_registries = "[]"
+
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
@@ -293,3 +332,12 @@ network_dir = "/etc/cni/net.d/"
 plugin_dirs = [
 	"/opt/cni/bin/",
 ]
+
+# A necessary configuration for Prometheus based metrics retrieval
+[crio.metrics]
+
+# Globally enable or disable metrics support.
+enable_metrics = true
+
+# The port on which the metrics server will listen.
+metrics_port = 9090