Hello community,

here is the log from the commit of package cri-o for openSUSE:Factory checked 
in at 2018-03-06 10:47:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cri-o (Old)
 and      /work/SRC/openSUSE:Factory/.cri-o.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cri-o"

Tue Mar  6 10:47:36 2018 rev:3 rq:582930 version:1.9.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/cri-o/cri-o.changes      2018-02-22 
15:02:27.553975389 +0100
+++ /work/SRC/openSUSE:Factory/.cri-o.new/cri-o.changes 2018-03-06 
10:47:37.327559846 +0100
@@ -1,0 +2,53 @@
+Mon Mar  5 12:50:03 UTC 2018 - vrothb...@suse.com
+
+- crio.conf: update default socket to /var/run/crio/crio.sock as suggested
+  by upstream.
+
+-------------------------------------------------------------------
+Mon Mar  5 10:10:16 UTC 2018 - vrothb...@suse.com
+
+- Update cri-o to v1.9.8:
+  * system_containers: Update mounts
+  * execsync: Set terminal to true when we pass -t to conmon
+  * Make network namespace pinning optional
+  * Add context to net ns symlink removal errors
+  * Make the /opt/cni mount rw
+  * sandbox_stop: close/remove the netns _after_ stopping the containers
+  * sandbox net: set netns closed after actaully closing it
+
+-------------------------------------------------------------------
+Mon Mar  5 10:07:54 UTC 2018 - vrothb...@suse.com
+
+- Configuration files should generally be tagged as %config(noreplace) in order
+  to keep the modified config files and to avoid losing data when the package
+  is being updated.
+
+-------------------------------------------------------------------
+Sat Mar  3 13:38:57 UTC 2018 - vrothb...@suse.com
+
+- Remove empty filter rule from cri-o-rpmlintrc, which was mistakenly
+  masking a few warnings, some of which have been fixed, others need
+  to be filtered.  conmon and pause are not compiled with -fpie anymore
+  to align with what upstream does; linking fails when done properly.
+
+-------------------------------------------------------------------
+Fri Mar  2 18:12:59 UTC 2018 - fcaste...@suse.com
+
+- Update minimum version of the Go compiler required
+
+-------------------------------------------------------------------
+Fri Mar  2 18:07:54 UTC 2018 - fcaste...@suse.com
+
+- Add missing runtime dependencies: socat, iptables, iproute
+
+-------------------------------------------------------------------
+Wed Feb 28 11:35:27 UTC 2018 - vrothb...@suse.com
+
+- Change the installation path of conmon and pause from
+  /usr/lib/crio to /usr/lib/crio/bin in order to align with upstream
+  requirements.
+
+- Update crio.conf to the reflect the new path of conmon and set the correct
+  path of CNI plugins (i.e., /usr/lib/cni).
+
+-------------------------------------------------------------------

Old:
----
  cri-o-1.9.6.tar.xz
  crio.sysconfig

New:
----
  cri-o-1.9.8.tar.xz
  sysconfig.crio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cri-o.spec ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old  2018-03-06 10:47:39.851468672 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new  2018-03-06 10:47:39.851468672 +0100
@@ -16,6 +16,11 @@
 #
 
 
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define project github.com/kubernetes-incubator/cri-o
 # Build with libostree-devel in Tumbleweed, Leap 15+ and SLES 15+
 %if 0%{?suse_version} >= 1500
@@ -24,10 +29,10 @@
 # Define macros for further referenced sources
 %define        name_source1 crio.service
 %define        name_source2 crio-shutdown.service
-%define        name_source3 crio
+%define        name_source3 sysconfig.crio
 %define        name_source4 crio.conf
 Name:           cri-o
-Version:        1.9.6
+Version:        1.9.8
 Release:        0
 Summary:        OCI-based implementation of Kubernetes Container Runtime 
Interface
 License:        Apache-2.0
@@ -36,7 +41,7 @@
 Source0:        %{name}-%{version}.tar.xz
 Source1:        %{name_source1}
 Source2:        %{name_source2}
-Source3:        %{name_source3}.sysconfig
+Source3:        %{name_source3}
 Source4:        %{name_source4}
 Source5:        cri-o-rpmlintrc
 BuildRequires:  device-mapper-devel
@@ -51,11 +56,14 @@
 BuildRequires:  libbtrfs-devel
 BuildRequires:  libgpgme-devel
 BuildRequires:  libseccomp-devel
-BuildRequires:  golang(API) >= 1.7
+BuildRequires:  golang(API) >= 1.8
+Requires:       iproute2
+Requires:       iptables
 Requires:       libcontainers-common
 Requires:       libcontainers-image
 Requires:       libcontainers-storage
 Requires:       runc >= 1.0.0~rc4
+Requires:       socat
 # disable stripping of binaries
 %{go_nostrip}
 %if 0%{?with_libostree}
@@ -93,10 +101,10 @@
          %{project}/cmd/crio
 
 # Build conmon
-CFLAGS="-fpie" make -C conmon
+make conmon
 
 # Build pause
-CFLAGS="-fpie" make -C pause
+make pause
 
 # Build manpages
 make %{?_smp_mflags} docs
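Review bot: The two build lines `make conmon` and `make pause` now produce non-PIE executables, and nothing in the spec records why, so the hardening gap is easy to lose track of. conmon stays resident for the lifetime of every container, and without PIE its code is loaded at a fixed address that ASLR does not randomise. I would add a comment above both targets such as `# built without PIE: linking with -pie currently fails (see cri-o.changes); re-enable once the upstream Makefile supports it`. The resulting rpmlint warning is better filtered by its specific name in cri-o-rpmlintrc than by a broad rule.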
@@ -115,24 +123,25 @@
 go test -buildmode=pie -tags "$BUILDTAGS" $PKG_LIST
 
 %pre
-%service_add_pre %{name_source1}
+%service_add_pre %{name_source1} %{name_source2}
 
 %post
-%service_add_post %{name_source1}
+%service_add_post %{name_source1} %{name_source2}
 
 %preun
-%service_del_preun %{name_source1}
+%service_del_preun %{name_source1} %{name_source2}
 
 %postun
-%service_del_postun %{name_source1}
+%service_del_postun %{name_source1} %{name_source2}
 
 %install
 cd $HOME/go/src/%{project}
 
 # Binaries
 install -D -m 0755 bin/crio    %{buildroot}/%{_bindir}/crio
-install -D -m 0755 bin/conmon  %{buildroot}/%{_libexecdir}/crio/conmon
-install -D -m 0755 bin/pause   %{buildroot}/%{_libexecdir}/crio/pause
+install -d %{buildroot}/%{_libexecdir}/crio/bin
+install -D -m 0755 bin/conmon  %{buildroot}/%{_libexecdir}/crio/bin/conmon
+install -D -m 0755 bin/pause   %{buildroot}/%{_libexecdir}/crio/bin/pause
 # Manpages
 install -d %{buildroot}/%{_mandir}/man5
 install -d %{buildroot}/%{_mandir}/man8
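Review bot: `%post` in this hunk only calls `%service_add_post`, while the same commit moves the sysconfig template to `%{_fillupdir}/sysconfig.crio`; nothing visible merges that template into /etc/sysconfig. On a fresh install the file previously shipped as `%{_sysconfdir}/sysconfig/crio` would therefore not exist. On openSUSE this is normally done by adding `%{fillup_only -n crio}` after `%service_add_post %{name_source1} %{name_source2}`. If the unit files read that path as an environment file (they are not shown here), the daemon would start without the administrator's options.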
@@ -143,10 +152,14 @@
 install -D -m 0644 seccomp.json     
%{buildroot}/%{_sysconfdir}/crio/seccomp.json
 install -D -m 0644 crio-umount.conf 
%{buildroot}/%{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
 install -D -m 0644 crictl.yaml      %{buildroot}/%{_sysconfdir}/crictl.yaml
-install -D -m 0644 %{SOURCE3}       
%{buildroot}/%{_sysconfdir}/sysconfig/%{name_source3}
+install -D -m 0644 %{SOURCE3}       %{buildroot}%{_fillupdir}/%{name_source3}
 # Systemd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name_source1}
 install -D -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name_source2}
+# Symlinks to rc files
+install -d -m 0755 %{buildroot}%{_sbindir}
+ln -sf service %{buildroot}%{_sbindir}/rccrio
+ln -sf service %{buildroot}%{_sbindir}/rccrio-shutdown
 
 %fdupes %{buildroot}/%{_prefix}
 
@@ -154,22 +167,25 @@
 # Binaries
 %{_bindir}/crio
 %dir %{_libexecdir}/crio
-%{_libexecdir}/crio/conmon
-%{_libexecdir}/crio/pause
+%dir %{_libexecdir}/crio/bin
+%{_libexecdir}/crio/bin/conmon
+%{_libexecdir}/crio/bin/pause
 # Manpages
 %{_mandir}/man5/crio.conf.5*
 %{_mandir}/man8/crio.8*
 # Configs
 %dir %{_sysconfdir}/crio
-%config %{_sysconfdir}/crio/%{name_source4}
+%config(noreplace) %{_sysconfdir}/crio/%{name_source4}
 %config %{_sysconfdir}/crio/seccomp.json
 %dir %{_datadir}/oci-umount
 %dir %{_datadir}/oci-umount/oci-umount.d
-%config %{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
-%config %{_sysconfdir}/crictl.yaml
-%{_sysconfdir}/sysconfig/%{name_source3}
+%{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
+%config(noreplace) %{_sysconfdir}/crictl.yaml
+%{_fillupdir}/%{name_source3}
 # Systemd
 %{_unitdir}/%{name_source1}
 %{_unitdir}/%{name_source2}
+%{_sbindir}/rccrio
+%{_sbindir}/rccrio-shutdown
 
 %changelog
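Review bot: `%config %{_sysconfdir}/crio/seccomp.json` stays plain `%config` while crio.conf and crictl.yaml in the same list become `%config(noreplace)`. A seccomp profile that an administrator has tightened is therefore swapped for the packaged one on update, and the edited copy survives only as .rpmsave. Either change the line to `%config(noreplace) %{_sysconfdir}/crio/seccomp.json`, or keep it and add a comment such as `# seccomp.json is replaced on update on purpose so profile fixes reach all hosts`, so the departure from the changelog's stated policy is visibly intentional.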

++++++ _service ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old  2018-03-06 10:47:39.883467516 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new  2018-03-06 10:47:39.883467516 +0100
@@ -2,8 +2,8 @@
 <service name="tar_scm" mode="disabled">
 <param name="url">https://github.com/kubernetes-incubator/cri-o</param>
 <param name="scm">git</param>
-<param name="versionformat">1.9.6</param>
-<param name="revision">v1.9.6</param>
+<param name="versionformat">1.9.8</param>
+<param name="revision">v1.9.8</param>
 </service>
 <service name="recompress" mode="disabled">
 <param name="file">cri-o-*.tar</param>

++++++ cri-o-1.9.6.tar.xz -> cri-o-1.9.8.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/centos/config.json.template 
new/cri-o-1.9.8/contrib/system_containers/centos/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/centos/config.json.template       
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/centos/config.json.template       
2018-03-01 18:42:03.000000000 +0100
@@ -268,7 +268,7 @@
             "destination": "/etc",
             "options": [
                 "rbind",
-                "rprivate",
+                "rslave",
                 "rw",
                 "mode=755"
             ],
@@ -313,7 +313,7 @@
             "options": [
                 "rbind",
                 "rw",
-                "rprivate",
+                "rslave",
                 "mode=755"
             ],
             "source": "/mnt",
@@ -352,10 +352,20 @@
             "type": "bind"
         },
         {
+            "destination": "/var",
+            "options": [
+                "rbind",
+                "rslave",
+                "rw"
+            ],
+            "source": "/var",
+            "type": "bind"
+        },
+        {
             "destination": "/var/lib",
             "options": [
                 "rbind",
-                "rprivate",
+                "rslave",
                 "rw"
             ],
             "source": "${STATE_DIRECTORY}",
@@ -392,14 +402,14 @@
             "type": "bind"
         },
         {
-            "destination": "/opt/cni",
+            "destination": "/opt",
             "options": [
                 "rbind",
-                "rprivate",
-                "ro",
+                "rslave",
+                "rw",
                 "mode=755"
             ],
-            "source": "${OPT_CNI}",
+            "source": "/opt",
             "type": "bind"
         },
         {
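Review bot: The last mount in this hunk widens from the CNI directory (`${OPT_CNI}`, read-only) to the whole host `/opt`, read-write with `rslave`, which is more than the changelog entry "Make the /opt/cni mount rw" describes. If only the CNI plugins need to be writable, keeping `"destination": "/opt/cni"` and `"source": "${OPT_CNI}"` and changing just `"ro"` to `"rw"` limits write access to that one directory instead of everything installed under /opt. The same widening is made in the fedora and rhel templates (hunks `@@ -397,14 +407,14 @@` and `@@ -387,14 +397,14 @@`). The matching manifest.json hunks drop the `OPT_CNI` default, which would have to stay for the narrower mount.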
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/centos/manifest.json 
new/cri-o-1.9.8/contrib/system_containers/centos/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/centos/manifest.json      
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/centos/manifest.json      
2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
     "version": "1.0",
     "defaultValues": {
         "LOG_LEVEL" : "info",
-        "OPT_CNI" : "/opt/cni",
         "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
         "VAR_LIB_ORIGIN" : "/var/lib/origin",
         "VAR_LIB_KUBE" : "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/fedora/config.json.template 
new/cri-o-1.9.8/contrib/system_containers/fedora/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/fedora/config.json.template       
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/fedora/config.json.template       
2018-03-01 18:42:03.000000000 +0100
@@ -273,7 +273,7 @@
             "destination": "/etc",
             "options": [
                 "rbind",
-                "rprivate",
+                "rslave",
                 "rw",
                 "mode=755"
             ],
@@ -318,7 +318,7 @@
             "options": [
                 "rbind",
                 "rw",
-                "rprivate",
+                "rslave",
                 "mode=755"
             ],
             "source": "/mnt",
@@ -357,10 +357,20 @@
             "type": "bind"
         },
         {
+            "destination": "/var",
+            "options": [
+                "rbind",
+                "rslave",
+                "rw"
+            ],
+            "source": "/var",
+            "type": "bind"
+        },
+        {
             "destination": "/var/lib",
             "options": [
                 "rbind",
-                "rprivate",
+                "rslave",
                 "rw"
             ],
             "source": "${STATE_DIRECTORY}",
@@ -397,14 +407,14 @@
             "type": "bind"
         },
         {
-            "destination": "/opt/cni",
+            "destination": "/opt",
             "options": [
                 "rbind",
                 "rprivate",
-                "ro",
+                "rw",
                 "mode=755"
             ],
-            "source": "${OPT_CNI}",
+            "source": "/opt",
             "type": "bind"
         },
         {
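Review bot: In the fedora template the `/opt` mount keeps `"rprivate"` as a context line, while the centos and rhel templates switch the same mount to `"rslave"`, as do the other mounts touched in this file. If propagation from the host is wanted here as well, the line should read `"rslave",`. If the difference is deliberate, it needs to be stated in the upstream commit message, since the JSON template cannot carry a comment.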
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/fedora/manifest.json 
new/cri-o-1.9.8/contrib/system_containers/fedora/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/fedora/manifest.json      
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/fedora/manifest.json      
2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
     "version": "1.0",
     "defaultValues": {
         "LOG_LEVEL" : "info",
-        "OPT_CNI" : "/opt/cni",
         "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
         "VAR_LIB_ORIGIN" : "/var/lib/origin",
         "VAR_LIB_KUBE" : "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/rhel/config.json.template 
new/cri-o-1.9.8/contrib/system_containers/rhel/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/rhel/config.json.template 
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/rhel/config.json.template 
2018-03-01 18:42:03.000000000 +0100
@@ -263,7 +263,7 @@
       "destination": "/etc",
       "options": [
         "rbind",
-        "rprivate",
+        "rslave",
         "rw",
         "mode=755"
       ],
@@ -308,7 +308,7 @@
       "options": [
         "rbind",
         "rw",
-        "rprivate",
+        "rslave",
         "mode=755"
       ],
       "source": "/mnt",
@@ -347,10 +347,20 @@
       "type": "bind"
     },
     {
+      "destination": "/var",
+      "options": [
+        "rbind",
+        "rslave",
+        "rw"
+      ],
+      "source": "/var",
+      "type": "bind"
+    },
+    {
       "destination": "/var/lib",
       "options": [
         "rbind",
-        "rprivate",
+        "rslave",
         "rw"
       ],
       "source": "${STATE_DIRECTORY}",
@@ -387,14 +397,14 @@
       "type": "bind"
     },
     {
-      "destination": "/opt/cni",
+      "destination": "/opt",
       "options": [
         "rbind",
-        "rprivate",
-        "ro",
+        "rslave",
+        "rw",
         "mode=755"
       ],
-      "source": "${OPT_CNI}",
+      "source": "/opt",
       "type": "bind"
     },
     {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cri-o-1.9.6/contrib/system_containers/rhel/manifest.json 
new/cri-o-1.9.8/contrib/system_containers/rhel/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/rhel/manifest.json        
2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/rhel/manifest.json        
2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
   "version": "1.0",
   "defaultValues": {
     "LOG_LEVEL": "info",
-    "OPT_CNI": "/opt/cni",
     "VAR_LIB_CONTAINERS_STORAGE": "/var/lib/containers/storage",
     "VAR_LIB_ORIGIN": "/var/lib/origin",
     "VAR_LIB_KUBE": "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/lib/config.go 
new/cri-o-1.9.8/lib/config.go
--- old/cri-o-1.9.6/lib/config.go       2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/lib/config.go       2018-03-01 18:42:03.000000000 +0100
@@ -168,6 +168,10 @@
        // ContainerExitsDir is the directory in which container exit files are
        // written to by conmon.
        ContainerExitsDir string `toml:"container_exits_dir"`
+
+       // ManageNetworkNSLifecycle determines whether we pin and remove 
network namespace
+       // and manage its lifecycle
+       ManageNetworkNSLifecycle bool `toml:"manage_network_ns_lifecycle"`
 }
 
 // ImageConfig represents the "crio.image" TOML config table.
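Review bot: The doc comment on `ManageNetworkNSLifecycle` does not say what happens when the option is off, nor what value an existing crio.conf without the key ends up with. Going by the rest of this diff, a false value skips `NetNsCreate`, `NetNsJoin` and `NetNsRemove`, and `NetNsPath` falls back to the infra container's `/proc/<pid>/ns/net`. I would state that in the comment, for example `// When false, cri-o does not create, pin or remove the pod network namespace; it is addressed through the infra container's /proc/<pid>/ns/net.` The default is set outside this hunk and is worth naming in the comment too, because crio.conf is now `%config(noreplace)` and older files will not contain `manage_network_ns_lifecycle`.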
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/lib/container_server.go 
new/cri-o-1.9.8/lib/container_server.go
--- old/cri-o-1.9.6/lib/container_server.go     2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/lib/container_server.go     2018-03-01 18:42:03.000000000 
+0100
@@ -318,8 +318,6 @@
                return err
        }
 
-       ip := m.Annotations[annotations.IP]
-
        processLabel, mountLabel, err := 
label.InitLabels(label.DupSecOpt(m.Process.SelinuxLabel))
        if err != nil {
                return err
@@ -334,25 +332,27 @@
 
        privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime])
        trusted := isTrue(m.Annotations[annotations.TrustedSandbox])
+       hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])
 
-       sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, 
m.Annotations[annotations.KubeName], 
filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, 
processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], 
m.Annotations[annotations.CgroupParent], privileged, trusted, 
m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], nil)
+       sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, 
m.Annotations[annotations.KubeName], 
filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, 
processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], 
m.Annotations[annotations.CgroupParent], privileged, trusted, 
m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], 
nil, hostNetwork)
        if err != nil {
                return err
        }
        sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
-       sb.AddIP(ip)
        sb.SetSeccompProfilePath(spp)
 
        // We add a netNS only if we can load a permanent one.
        // Otherwise, the sandbox will live in the host namespace.
-       netNsPath, err := configNetNsPath(m)
-       if err == nil {
-               nsErr := sb.NetNsJoin(netNsPath, sb.Name())
-               // If we can't load the networking namespace
-               // because it's closed, we just set the sb netns
-               // pointer to nil. Otherwise we return an error.
-               if nsErr != nil && nsErr != sandbox.ErrClosedNetNS {
-                       return nsErr
+       if c.config.ManageNetworkNSLifecycle {
+               netNsPath, err := configNetNsPath(m)
+               if err == nil {
+                       nsErr := sb.NetNsJoin(netNsPath, sb.Name())
+                       // If we can't load the networking namespace
+                       // because it's closed, we just set the sb netns
+                       // pointer to nil. Otherwise we return an error.
+                       if nsErr != nil && nsErr != sandbox.ErrClosedNetNS {
+                               return nsErr
+                       }
                }
        }
 
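Review bot: `hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])` reads an annotation that this release introduces, so a sandbox created by 1.9.6 and restored after the update has no such key. Assuming `isTrue` returns false for an empty string, that sandbox is restored as a non-host-network pod. `networkStop` and `GetSandboxIP` would then go through the hostport manager and the network plugin for a pod that actually runs in the host network namespace. A presence check such as `hnAnn, hasHN := m.Annotations[annotations.HostNetwork]`, with an explicit fallback when `!hasHN`, would keep restored pods classified as before. The enclosing function starts and ends outside the hunk.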
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/lib/sandbox/sandbox.go 
new/cri-o-1.9.8/lib/sandbox/sandbox.go
--- old/cri-o-1.9.6/lib/sandbox/sandbox.go      2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/lib/sandbox/sandbox.go      2018-03-01 18:42:03.000000000 
+0100
@@ -59,10 +59,14 @@
 
 func (ns *NetNs) symlinkRemove() error {
        if err := ns.symlink.Close(); err != nil {
-               return err
+               return fmt.Errorf("failed to close net ns symlink: %v", err)
+       }
+
+       if err := os.RemoveAll(ns.symlink.Name()); err != nil {
+               return fmt.Errorf("failed to remove net ns symlink: %v", err)
        }
 
-       return os.RemoveAll(ns.symlink.Name())
+       return nil
 }
 
 func isSymbolicLink(path string) (bool, error) {
@@ -151,6 +155,7 @@
        cgroupParent   string
        privileged     bool
        trusted        bool
+       hostNetwork    bool
        resolvPath     string
        hostnamePath   string
        hostname       string
@@ -184,7 +189,7 @@
 // New creates and populates a new pod sandbox
 // New sandboxes have no containers, no infra container, and no network 
namespaces associated with them
 // An infra container must be attached before the sandbox is added to the state
-func New(id, namespace, name, kubeName, logDir string, labels, annotations 
map[string]string, processLabel, mountLabel string, metadata 
*pb.PodSandboxMetadata, shmPath, cgroupParent string, privileged, trusted bool, 
resolvPath, hostname string, portMappings []*hostport.PortMapping) (*Sandbox, 
error) {
+func New(id, namespace, name, kubeName, logDir string, labels, annotations 
map[string]string, processLabel, mountLabel string, metadata 
*pb.PodSandboxMetadata, shmPath, cgroupParent string, privileged, trusted bool, 
resolvPath, hostname string, portMappings []*hostport.PortMapping, hostNetwork 
bool) (*Sandbox, error) {
        sb := new(Sandbox)
        sb.id = id
        sb.namespace = namespace
@@ -205,6 +210,7 @@
        sb.hostname = hostname
        sb.portMappings = portMappings
        sb.created = time.Now()
+       sb.hostNetwork = hostNetwork
 
        return sb, nil
 }
@@ -311,6 +317,11 @@
        return s.trusted
 }
 
+// HostNetwork returns whether the sandbox runs in the host network namespace
+func (s *Sandbox) HostNetwork() bool {
+       return s.hostNetwork
+}
+
 // ResolvPath returns the resolv path for the sandbox
 func (s *Sandbox) ResolvPath() string {
        return s.resolvPath
@@ -384,6 +395,9 @@
 // If the sandbox uses the host namespace, nil is returned
 func (s *Sandbox) NetNsPath() string {
        if s.netns == nil {
+               if s.infraContainer != nil {
+                       return fmt.Sprintf("/proc/%v/ns/net", 
s.infraContainer.State().Pid)
+               }
                return ""
        }
 
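Review bot: The comment above `NetNsPath` still says nil is returned for a host-namespace sandbox, but with the added branch any sandbox that has an infra container now gets `/proc/<pid>/ns/net`. The path is built from `s.infraContainer.State().Pid` without checking that the infra container is running. A stopped container may yield `/proc/0/ns/net` or, after PID reuse, the namespace of an unrelated process, and container_create.go now passes the value to `AddOrReplaceLinuxNamespace` without its former empty-string check. I would guard the branch with `if pid := s.infraContainer.State().Pid; pid > 0 {` and update the doc comment to `// If no namespace is pinned, the infra container's /proc/<pid>/ns/net is returned, or "" if there is none`. The rest of the function body is outside the hunk.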
@@ -473,6 +487,8 @@
                return err
        }
 
+       s.netns.closed = true
+
        if s.netns.restored {
                // we got namespaces in the form of
                // /var/run/netns/cni-0d08effa-06eb-a963-f51a-e2b0eceffc5d
@@ -493,6 +509,5 @@
                }
        }
 
-       s.netns.closed = true
        return nil
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/oci/oci.go new/cri-o-1.9.8/oci/oci.go
--- old/cri-o-1.9.6/oci/oci.go  2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/oci/oci.go  2018-03-01 18:42:03.000000000 +0100
@@ -438,7 +438,7 @@
        args = append(args, "-l", logPath)
        args = append(args, "--socket-dir-path", ContainerAttachSocketDir)
 
-       processFile, err := PrepareProcessExec(c, command, false)
+       processFile, err := PrepareProcessExec(c, command, c.terminal)
        if err != nil {
                return nil, ExecSyncError{
                        ExitCode: -1,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/pkg/annotations/annotations.go 
new/cri-o-1.9.8/pkg/annotations/annotations.go
--- old/cri-o-1.9.6/pkg/annotations/annotations.go      2018-02-20 
10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/pkg/annotations/annotations.go      2018-03-01 
18:42:03.000000000 +0100
@@ -64,6 +64,9 @@
        // HostnamePath is the path to /etc/hostname to bind mount annotation
        HostnamePath = "io.kubernetes.cri-o.HostnamePath"
 
+       // HostNetwork indicates whether the host network namespace is used or 
not
+       HostNetwork = "io.kubernetes.cri-o.HostNetwork"
+
        // SandboxID is the sandbox ID annotation
        SandboxID = "io.kubernetes.cri-o.SandboxID"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/server/container_create.go 
new/cri-o-1.9.8/server/container_create.go
--- old/cri-o-1.9.6/server/container_create.go  2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/server/container_create.go  2018-03-01 18:42:03.000000000 
+0100
@@ -102,6 +102,7 @@
                if mount.Readonly {
                        options = []string{"ro"}
                }
+
                options = append(options, "rbind")
 
                // mount propagation
@@ -939,12 +940,6 @@
        }
 
        netNsPath := sb.NetNsPath()
-       if netNsPath == "" {
-               // The sandbox does not have a permanent namespace,
-               // it's on the host one.
-               netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
-       }
-
        if err := 
specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); 
err != nil {
                return nil, err
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_network.go 
new/cri-o-1.9.8/server/sandbox_network.go
--- old/cri-o-1.9.6/server/sandbox_network.go   2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/server/sandbox_network.go   2018-03-01 18:42:03.000000000 
+0100
@@ -11,8 +11,8 @@
 
 // networkStart sets up the sandbox's network and returns the pod IP on success
 // or an error
-func (s *Server) networkStart(hostNetwork bool, sb *sandbox.Sandbox) (string, 
error) {
-       if hostNetwork {
+func (s *Server) networkStart(sb *sandbox.Sandbox) (string, error) {
+       if sb.HostNetwork() {
                return s.BindAddress(), nil
        }
 
@@ -46,10 +46,25 @@
        return ip, nil
 }
 
+// GetSandboxIP retrieves the IP address for the sandbox
+func (s *Server) GetSandboxIP(sb *sandbox.Sandbox) (string, error) {
+       if sb.HostNetwork() {
+               return s.BindAddress(), nil
+       }
+
+       podNetwork := newPodNetwork(sb)
+       ip, err := s.netPlugin.GetPodNetworkStatus(podNetwork)
+       if err != nil {
+               return "", fmt.Errorf("failed to get network status for pod 
sandbox %s(%s): %v", sb.Name(), sb.ID(), err)
+       }
+
+       return ip, nil
+}
+
 // networkStop cleans up and removes a pod's network.  It is best-effort and
 // must call the network plugin even if the network namespace is already gone
-func (s *Server) networkStop(hostNetwork bool, sb *sandbox.Sandbox) error {
-       if !hostNetwork {
+func (s *Server) networkStop(sb *sandbox.Sandbox) error {
+       if !sb.HostNetwork() {
                if err := s.hostportManager.Remove(sb.ID(), 
&hostport.PodPortMapping{
                        Name:         sb.Name(),
                        PortMappings: sb.PortMappings(),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_run.go 
new/cri-o-1.9.8/server/sandbox_run.go
--- old/cri-o-1.9.6/server/sandbox_run.go       2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/server/sandbox_run.go       2018-03-01 18:42:03.000000000 
+0100
@@ -342,6 +342,7 @@
        g.AddAnnotation(annotations.ShmPath, shmPath)
        g.AddAnnotation(annotations.PrivilegedRuntime, fmt.Sprintf("%v", 
privileged))
        g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted))
+       g.AddAnnotation(annotations.HostNetwork, fmt.Sprintf("%v", hostNetwork))
        g.AddAnnotation(annotations.ResolvPath, resolvPath)
        g.AddAnnotation(annotations.HostName, hostname)
        g.AddAnnotation(annotations.KubeName, kubeName)
@@ -378,7 +379,7 @@
        }
        g.AddAnnotation(annotations.CgroupParent, cgroupParent)
 
-       sb, err := sandbox.New(id, namespace, name, kubeName, logDir, labels, 
kubeAnnotations, processLabel, mountLabel, metadata, shmPath, cgroupParent, 
privileged, trusted, resolvPath, hostname, portMappings)
+       sb, err := sandbox.New(id, namespace, name, kubeName, logDir, labels, 
kubeAnnotations, processLabel, mountLabel, metadata, shmPath, cgroupParent, 
privileged, trusted, resolvPath, hostname, portMappings, hostNetwork)
        if err != nil {
                return nil, err
        }
@@ -427,25 +428,27 @@
                        return nil, err
                }
        } else {
-               // Create the sandbox network namespace
-               if err = sb.NetNsCreate(); err != nil {
-                       return nil, err
-               }
-
-               defer func() {
-                       if err == nil {
-                               return
+               if s.config.Config.ManageNetworkNSLifecycle {
+                       // Create the sandbox network namespace
+                       if err = sb.NetNsCreate(); err != nil {
+                               return nil, err
                        }
 
-                       if netnsErr := sb.NetNsRemove(); netnsErr != nil {
-                               logrus.Warnf("Failed to remove networking 
namespace: %v", netnsErr)
-                       }
-               }()
+                       defer func() {
+                               if err == nil {
+                                       return
+                               }
+
+                               if netnsErr := sb.NetNsRemove(); netnsErr != 
nil {
+                                       logrus.Warnf("Failed to remove 
networking namespace: %v", netnsErr)
+                               }
+                       }()
 
-               // Pass the created namespace path to the runtime
-               err = 
g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), 
sb.NetNsPath())
-               if err != nil {
-                       return nil, err
+                       // Pass the created namespace path to the runtime
+                       err = 
g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), 
sb.NetNsPath())
+                       if err != nil {
+                               return nil, err
+                       }
                }
        }
 
@@ -496,18 +499,17 @@
        sb.SetInfraContainer(container)
 
        var ip string
-       ip, err = s.networkStart(hostNetwork, sb)
-       if err != nil {
-               return nil, err
-       }
-       defer func() {
+       if s.config.Config.ManageNetworkNSLifecycle {
+               ip, err = s.networkStart(sb)
                if err != nil {
-                       s.networkStop(hostNetwork, sb)
+                       return nil, err
                }
-       }()
-
-       g.AddAnnotation(annotations.IP, ip)
-       sb.AddIP(ip)
+               defer func() {
+                       if err != nil {
+                               s.networkStop(sb)
+                       }
+               }()
+       }
 
        spp := 
req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath()
        g.AddAnnotation(annotations.SeccompProfilePath, spp)
@@ -534,6 +536,19 @@
 
        s.ContainerStateToDisk(container)
 
+       if !s.config.Config.ManageNetworkNSLifecycle {
+               ip, err = s.networkStart(sb)
+               if err != nil {
+                       return nil, err
+               }
+               defer func() {
+                       if err != nil {
+                               s.networkStop(sb)
+                       }
+               }()
+       }
+       sb.AddIP(ip)
+
        resp = &pb.RunPodSandboxResponse{PodSandboxId: id}
        logrus.Debugf("RunPodSandboxResponse: %+v", resp)
        return resp, nil
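Review bot: The `defer` registered inside `if !s.config.Config.ManageNetworkNSLifecycle` has no effect in the lines shown: only `sb.AddIP(ip)`, the response construction and `return resp, nil` follow it, so `err` is never non-nil when it runs. I would drop the deferred `s.networkStop(sb)` from this branch. If `networkStart` itself fails here, the infra container has already been started and its state written, so cleanup depends on deferred handlers registered earlier, outside the hunk. A comment such as `// a networkStart failure here is cleaned up by the deferred handlers registered above` would make that dependency explicit, if it holds.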
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_stop.go 
new/cri-o-1.9.8/server/sandbox_stop.go
--- old/cri-o-1.9.6/server/sandbox_stop.go      2018-02-20 10:50:14.000000000 
+0100
+++ new/cri-o-1.9.8/server/sandbox_stop.go      2018-03-01 18:42:03.000000000 
+0100
@@ -49,13 +49,6 @@
                return resp, nil
        }
 
-       // Clean up sandbox networking and close its network namespace.
-       hostNetwork := sb.NetNsPath() == ""
-       s.networkStop(hostNetwork, sb)
-       if err := sb.NetNsRemove(); err != nil {
-               return nil, err
-       }
-
        podInfraContainer := sb.InfraContainer()
        containers := sb.Containers().List()
        containers = append(containers, podInfraContainer)
@@ -77,6 +70,14 @@
                s.ContainerStateToDisk(c)
        }
 
+       // Clean up sandbox networking and close its network namespace.
+       s.networkStop(sb)
+       if s.config.Config.ManageNetworkNSLifecycle {
+               if err := sb.NetNsRemove(); err != nil {
+                       return nil, err
+               }
+       }
+
        if err := label.ReleaseLabel(sb.ProcessLabel()); err != nil {
                return nil, err
        }
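Review bot: `s.networkStop(sb)` is called as a bare statement, so if it can report failure (its signature is not visible here) a failed network teardown is neither logged nor returned, while the `sb.NetNsRemove()` error directly below it is. If it does return an error, logging it at warning level, as the storage stop call further down does, would keep teardown failures visible. The comment above it is also only accurate when the flag is set; `// Clean up sandbox networking; the netns is removed only when cri-o manages its lifecycle.` would match the new code. The enclosing function starts and ends outside the hunk.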
@@ -97,6 +98,7 @@
                        }
                }
        }
+
        if err := s.StorageRuntimeServer().StopContainer(sb.ID()); err != nil 
&& errors.Cause(err) != storage.ErrContainerUnknown {
                logrus.Warnf("failed to stop sandbox container in pod sandbox 
%s: %v", sb.ID(), err)
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/server/server.go 
new/cri-o-1.9.8/server/server.go
--- old/cri-o-1.9.6/server/server.go    2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/server.go    2018-03-01 18:42:03.000000000 +0100
@@ -125,6 +125,14 @@
                        logrus.Warnf("could not restore container %s: %v", 
containerID, err)
                }
        }
+       // Restore sandbox IPs
+       for _, sb := range s.ListSandboxes() {
+               ip, err := s.GetSandboxIP(sb)
+               if err != nil {
+                       logrus.Warnf("could not restore sandbox IP for %v: %v", 
sb.ID(), err)
+               }
+               sb.AddIP(ip)
+       }
 }
 
 // Update makes changes to the server's state (lists of pods and containers) to
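Review bot: When `s.GetSandboxIP(sb)` fails, the loop logs the warning and then still calls `sb.AddIP(ip)` with whatever `ip` holds after the failed lookup, presumably the empty string. Adding `continue` after the `logrus.Warnf` call would keep a failed lookup from recording a blank address on the sandbox. The enclosing function starts outside the hunk.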
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cri-o-1.9.6/version/version.go 
new/cri-o-1.9.8/version/version.go
--- old/cri-o-1.9.6/version/version.go  2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/version/version.go  2018-03-01 18:42:03.000000000 +0100
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "1.9.6"
+const Version = "1.9.8"

++++++ cri-o-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old  2018-03-06 10:47:41.511408708 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new  2018-03-06 10:47:41.511408708 +0100
@@ -1,2 +1,6 @@
-addFilter ("")
-addFilter ("cri-o.x86_64: W: statically-linked-binary /usr/lib/crio/pause")
+addFilter (".* W: explicit-lib-dependency libcontainers-common")
+addFilter (".* W: explicit-lib-dependency libcontainers-image")
+addFilter (".* W: explicit-lib-dependency libcontainers-storage")
+addFilter (".* W: statically-linked-binary /usr/lib/crio/bin/pause")
+addFilter (".* W: position-independent-executable-suggested 
/usr/lib/crio/bin/conmon")
+addFilter (".* W: position-independent-executable-suggested 
/usr/lib/crio/bin/pause")
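Review bot: The two `position-independent-executable-suggested` filters silence a hardening warning for `conmon` and `pause` without saying why in the file itself; the reason is recorded only in the package changelog. A comment above them would keep the suppression from outliving its cause, e.g. `# conmon and pause are built without -fpie to match upstream; drop these filters once they link as PIE`. The leading `.*` also makes every filter match any package or architecture prefix, which is broader than the `cri-o.x86_64:` prefix it replaces.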

++++++ crio.conf ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old  2018-03-06 10:47:41.563406829 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new  2018-03-06 10:47:41.563406829 +0100
@@ -18,12 +18,11 @@
 storage_option = [
 ]
 
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
+# The "crio.api" table contains settings for the kubelet/gRPC interface.
 [crio.api]
 
 # listen is the path to the AF_LOCAL socket on which crio will listen.
-listen = "/var/run/crio.sock"
+listen = "/var/run/crio/crio.sock"
 
 # stream_address is the IP address on which the stream server will listen
 stream_address = ""
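Review bot: The new default `listen = "/var/run/crio/crio.sock"` puts the API socket in its own directory, but the comment above it does not say who creates `/var/run/crio` or what access that directory should have. Since this socket is the interface the kubelet uses to drive the runtime, a sentence on that would help, e.g. `# The socket lives in /var/run/crio/; keep that directory and the socket accessible to root only.` Whether crio creates the directory at start-up is not visible in this hunk. Clients still configured for the old `/var/run/crio.sock` path need updating too.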
@@ -71,7 +70,7 @@
 no_pivot = false
 
 # conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/lib/crio/conmon"
+conmon = "/usr/lib/crio/bin/conmon"
 
 # conmon_env is the environment variable list for conmon process,
 # used for passing necessary environment variable to conmon or runtime.
@@ -157,4 +156,4 @@
 network_dir = "/etc/cni/net.d/"
 
 # plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin/"
+plugin_dir = "/usr/lib/cni"

++++++ sysconfig.crio ++++++
## Path           : System/Management
## Description    : Extra cli switches for crio daemon
## Type           : string
## Default        : ""
## ServiceRestart : crio
#
# Additional command-line switches for the crio daemon, given as a single
# string. Empty by default, so the daemon runs with its built-in defaults
# and whatever its configuration file sets.
# The ServiceRestart tag above names crio as the service to restart after
# this value is changed.
# NOTE(review): presumably read by the crio service unit - confirm which
# unit or wrapper consumes this file and how the string is split into
# arguments.
#
CRIO_OPTIONS=""
