From c8266c03182a10ec61c9478f508f78497690d736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Sun, 14 Feb 2021 13:19:34 +0100
Subject: [PATCH] Upgrade crio to 1.20.0

---
 .../package/crio-bin/crio-bin.hash | 2 +
 .../minikube-iso/package/crio-bin/crio-bin.mk | 4 +-
 .../minikube-iso/package/crio-bin/crio.conf | 41 +++++++++++++------
 .../package/crio-bin/crio.conf.default | 41 +++++++++++++------
 4 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
index 93ddf49dab57..4fb4c559b86f 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
@@ -19,3 +19,5 @@ sha256 25dc558fbabc987bd58c7eab5230121b258a7b0eb34a49dc6595f1c6f3969116 v1.18.2.
 sha256 d5c6442e3990938badc966cdd1eb9ebe2fc11345452c233aa0d87ca38fbeed81 v1.18.3.tar.gz
 sha256 74a4e916acddc6cf47ab5752bdebb6732ce2c028505ef57b7edc21d2da9039b6 v1.18.4.tar.gz
 sha256 fc8a8e61375e3ce30563eeb0fd6534c4f48fc20300a72e6ff51cc99cb2703516 v1.19.0.tar.gz
+sha256 6165c5b8212ea03be2a465403177318bfe25a54c3e8d66d720344643913a0223 v1.19.1.tar.gz
+sha256 76fd7543bc92d4364a11060f43a5131893a76c6e6e9d6de3a6bb6292c110b631 v1.20.0.tar.gz
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
index 0be531768752..41ec5044d203 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-CRIO_BIN_VERSION = v1.19.0
-CRIO_BIN_COMMIT = 99c925bebdd9e392f2d575e25f2e6a1082e6c232
+CRIO_BIN_VERSION = v1.20.0
+CRIO_BIN_COMMIT = d388528dbed26b93c5bc1c89623607a1e597aa57
 CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf b/deploy/iso/minikube-iso/package/crio-bin/crio.conf index a7e010c9ea51..fafaed67bc64 100644 --- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf +++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf @@ -29,6 +29,7 @@ storage_driver = "overlay" # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. #storage_option = [ +# "overlay.mountopt=nodev,metacopy=on", #] # The default log directory where all logs will go unless directly specified by @@ -92,11 +93,6 @@ grpc_max_recv_msg_size = 16777216 #default_ulimits = [ #] -# default_runtime is the _name_ of the OCI runtime to be used as the default. -# The name is matched against the runtimes map below. If this value is changed, -# the corresponding existing entry from the runtimes map below will be ignored. -default_runtime = "runc" - # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false @@ -131,6 +127,12 @@ selinux = false # will be used. This option supports live configuration reload. seccomp_profile = "" +# Changes the meaning of an empty seccomp profile. By default +# (and according to CRI spec), an empty profile means unconfined. +# This option tells CRI-O to treat an empty profile as the default profile, +# which might increase security. +seccomp_use_default_when_empty = false + # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default". This profile only takes effect if the user # does not specify a profile via the Kubernetes Pod's metadata annotation. If 
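Review bot: The new `seccomp_use_default_when_empty = false` in the `@@ -131,6 +127,12 @@` hunk keeps the behaviour its own comment describes: a pod that sets no seccomp profile runs with no syscall filter at all. That is the upstream 1.20 default rather than a regression, but this file is shipped as a fixed config inside the ISO, so it deserves a deliberate choice; `true` would apply the runtime's default profile to such pods and only affects workloads that relied on being unconfined (as far as I recall, later CRI-O releases flip this default to `true`). If the decision is to keep `false`, a line above the key such as `# Kept false to match the CRI default; pods without a seccompProfile run unconfined.` would record it so the next upgrade does not re-litigate it. The same hunk appears in crio.conf.default.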
@@ -141,6 +143,9 @@ apparmor_profile = "crio-default" # Cgroup management implementation used for the runtime. cgroup_manager = "systemd" +# Specify whether the image pull must be performed in a separate cgroup. +separate_pull_cgroup = "" + # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. @@ -174,11 +179,6 @@ hooks_dir = [ "/usr/share/containers/oci/hooks.d", ] -# List of default mounts for each container. **Deprecated:** this option will -# be removed in future versions in favor of default_mounts_file. -default_mounts = [ -] - # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: @@ -243,7 +243,8 @@ gid_mappings = "" ctr_stop_timeout = 30 # manage_ns_lifecycle determines whether we pin and remove namespaces -# and manage their lifecycle +# and manage their lifecycle. +# This option is being deprecated, and will be unconditionally true in the future. manage_ns_lifecycle = true # drop_infra_ctr determines whether CRI-O drops the infra container @@ -259,6 +260,11 @@ namespaces_dir = "/var/run" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle pinns_path = "/usr/bin/pinns" +# default_runtime is the _name_ of the OCI runtime to be used as the default. +# The name is matched against the runtimes map below. If this value is changed, +# the corresponding existing entry from the runtimes map below will be ignored. +default_runtime = "runc" + # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level 
@@ -268,7 +274,8 @@ pinns_path = "/usr/bin/pinns" # runtime_path = "/path/to/the/executable" # runtime_type = "oci" # runtime_root = "/path/to/the/root" -# +# privileged_without_host_devices = false +# allowed_annotations = [] # Where: # - runtime-handler: name used to identify the runtime # - runtime_path (optional, string): absolute path to the runtime executable in @@ -279,6 +286,14 @@ pinns_path = "/usr/bin/pinns" # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): root directory for storage of containers # state. +# - privileged_without_host_devices (optional, bool): an option for restricting +# host devices from being passed to privileged containers. +# - allowed_annotations (optional, array of strings): an option for specifying +# a list of experimental annotations that this runtime handler is allowed to process. +# The currently recognized values are: +# "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod. +# "io.kubernetes.cri-o.Devices" for configuring devices for the pod. +# "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm. [crio.runtime.runtimes.runc] @@ -287,6 +302,8 @@ runtime_type = "oci" runtime_root = "/run/runc" + + # crun is a fast and lightweight fully featured OCI runtime and C library for # running containers #[crio.runtime.runtimes.crun] diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default index 9c22500d0b6c..25debfab9f33 100644 --- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default +++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default @@ -29,6 +29,7 @@ # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. #storage_option = [ +# "overlay.mountopt=nodev,metacopy=on", #] # The default log directory where all logs will go unless directly specified by 
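Review bot: The example lines `# privileged_without_host_devices = false` and `# allowed_annotations = []` added in the `@@ -268,7 +274,8 @@` and `@@ -279,6 +286,14 @@` hunks document two per-runtime knobs, yet the `[crio.runtime.runtimes.runc]` table that follows sets neither, so the runc handler is left at CRI-O's defaults (presumably the example values, i.e. privileged containers still receive host devices and no experimental annotations are honoured). If that is intended, stating it in the runc table, e.g. `privileged_without_host_devices = false`, makes the choice survive the next config sync; if `allowed_annotations` is ever populated, note that the documented `io.kubernetes.cri-o.Devices` value lets a pod annotation configure device access through this handler. Only part of the runc table is visible across these hunks. crio.conf.default carries the same change.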
@@ -92,11 +93,6 @@ grpc_max_recv_msg_size = 16777216 #default_ulimits = [ #] -# default_runtime is the _name_ of the OCI runtime to be used as the default. -# The name is matched against the runtimes map below. If this value is changed, -# the corresponding existing entry from the runtimes map below will be ignored. -default_runtime = "runc" - # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false @@ -131,6 +127,12 @@ selinux = false # will be used. This option supports live configuration reload. seccomp_profile = "" +# Changes the meaning of an empty seccomp profile. By default +# (and according to CRI spec), an empty profile means unconfined. +# This option tells CRI-O to treat an empty profile as the default profile, +# which might increase security. +seccomp_use_default_when_empty = false + # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default". This profile only takes effect if the user # does not specify a profile via the Kubernetes Pod's metadata annotation. If @@ -141,6 +143,9 @@ apparmor_profile = "crio-default" # Cgroup management implementation used for the runtime. cgroup_manager = "systemd" +# Specify whether the image pull must be performed in a separate cgroup. +separate_pull_cgroup = "" + # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. @@ -174,11 +179,6 @@ hooks_dir = [ "/usr/share/containers/oci/hooks.d", ] -# List of default mounts for each container. **Deprecated:** this option will -# be removed in future versions in favor of default_mounts_file. -default_mounts = [ -] - # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: 
@@ -243,7 +243,8 @@ gid_mappings = "" ctr_stop_timeout = 30 # manage_ns_lifecycle determines whether we pin and remove namespaces -# and manage their lifecycle +# and manage their lifecycle. +# This option is being deprecated, and will be unconditionally true in the future. manage_ns_lifecycle = true # drop_infra_ctr determines whether CRI-O drops the infra container @@ -259,6 +260,11 @@ namespaces_dir = "/var/run" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle pinns_path = "" +# default_runtime is the _name_ of the OCI runtime to be used as the default. +# The name is matched against the runtimes map below. If this value is changed, +# the corresponding existing entry from the runtimes map below will be ignored. +default_runtime = "runc" + # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level @@ -268,7 +274,8 @@ pinns_path = "" # runtime_path = "/path/to/the/executable" # runtime_type = "oci" # runtime_root = "/path/to/the/root" -# +# privileged_without_host_devices = false +# allowed_annotations = [] # Where: # - runtime-handler: name used to identify the runtime # - runtime_path (optional, string): absolute path to the runtime executable in 
@@ -279,6 +286,14 @@ pinns_path = "" # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): root directory for storage of containers # state. +# - privileged_without_host_devices (optional, bool): an option for restricting +# host devices from being passed to privileged containers. +# - allowed_annotations (optional, array of strings): an option for specifying +# a list of experimental annotations that this runtime handler is allowed to process. +# The currently recognized values are: +# "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod. +# "io.kubernetes.cri-o.Devices" for configuring devices for the pod. +# "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm. [crio.runtime.runtimes.runc] @@ -287,6 +302,8 @@ runtime_type = "oci" runtime_root = "/run/runc" + + # crun is a fast and lightweight fully featured OCI runtime and C library for # running containers #[crio.runtime.runtimes.crun]