Hello community, here is the log from the commit of package cri-o for openSUSE:Factory checked in at 2018-09-05 13:45:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cri-o (Old) and /work/SRC/openSUSE:Factory/.cri-o.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cri-o" Wed Sep 5 13:45:09 2018 rev:17 rq:630742 version:1.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/cri-o/cri-o.changes 2018-08-15 10:38:24.912293926 +0200 +++ /work/SRC/openSUSE:Factory/.cri-o.new/cri-o.changes 2018-09-05 13:45:10.673926359 +0200 
@@ -1,0 +2,47 @@
+Tue Aug 21 10:15:15 UTC 2018 - rbr...@suse.com
+
+- cri-o-kubeadm-criconfig: correct conflicts with docker-kubic
+
+-------------------------------------------------------------------
+Tue Aug 21 09:34:24 UTC 2018 - rbr...@suse.com
+
+- cri-o-kubeadm-criconfig: Remove /etc/kubernetes/runtime.conf,
+ replace with /etc/sysconfig/kublet
+
+-------------------------------------------------------------------
+Mon Aug 20 08:19:09 UTC 2018 - vrothb...@suse.com
+
+- Update crio.conf to be as close to the default one as possible:
+ * Extend crio.conf with all previously missing options; crio.conf(5) isn't
+ mentioning all of them which soon will be fixed.
+ * Uncomment options to use /etc/containers/{registries,storage}.conf where
+ appropriate.
+
+- Remove Fix-AppArmor-build.patch as the build issue is fixed with v1.11.2.
+
+- Update cri-o to v1.11.2:
+ * Fix AppArmor build
+ * Image Volumes should be bind mounted as private
+ * container_create: Set a minimum memory limit
+ * Add log-level option to conmon and crio.conf
+ * server/container_create: error out if capability is unknown
+
+-------------------------------------------------------------------
+Fri Aug 17 12:25:48 UTC 2018 - vrothb...@suse.com
+
+- Add "docker.io" to the registries list in the crio.conf to enable
+ pulling of unqualified images by default.
+
+-------------------------------------------------------------------
+Thu Aug 16 11:52:43 UTC 2018 - rbr...@suse.com
+
+- ExcludeArch i586 (does not build, nor makes sense for that arch)
+
+-------------------------------------------------------------------
+Tue Aug 14 16:38:53 UTC 2018 - rbr...@suse.com
+
+- Make crio default, docker as alternative runtime (boo#1104821)
+- Configure kubernetes CRI runtime with $runtime-kubeadm-criconfig
+ packages
+
+-------------------------------------------------------------------
Old: ---- Fix-AppArmor-build.patch cri-o-1.11.1.tar.xz New: ---- cri-o-1.11.2.tar.xz kubelet.env ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cri-o.spec ++++++ --- /var/tmp/diff_new_pack.PKtmbJ/_old 2018-09-05 13:45:11.689927871 +0200 +++ /var/tmp/diff_new_pack.PKtmbJ/_new 2018-09-05 13:45:11.693927878 +0200 @@ -31,19 +31,19 @@ %define name_source2 sysconfig.crio %define name_source3 crio.conf Name: cri-o -Version: 1.11.1 +Version: 1.11.2 Release: 0 Summary: OCI-based implementation of Kubernetes Container Runtime Interface License: Apache-2.0 Group: System/Management Url: https://github.com/kubernetes-incubator/cri-o +ExcludeArch: i586 Source0: %{name}-%{version}.tar.xz Source1: %{name_source1} Source2: %{name_source2} Source3: %{name_source3} Source4: cri-o-rpmlintrc -# Upstream PR: https://github.com/kubernetes-incubator/cri-o/pull/1718 -Patch0: Fix-AppArmor-build.patch +Source5: kubelet.env BuildRequires: device-mapper-devel BuildRequires: fdupes BuildRequires: git-core @@ -66,6 +66,8 @@ Requires: libcontainers-storage Requires: runc >= 1.0.0~rc4 Requires: socat +# Provide generic cri-runtime dependency (needed by kubernetes) +Provides: cri-runtime # disable stripping of binaries %{go_nostrip} %if 0%{?with_libostree} 
@@ -78,9 +80,20 @@ Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is tied to the scope of the CRI. +%package kubeadm-criconfig +Summary: CRI-O container runtime configuration for kubeadm +Group: System/Management +Requires: kubernetes-kubeadm +Requires(post): %fillup_prereq +Supplements: cri-o +Provides: kubernetes-kubeadm-criconfig +Conflicts: docker-kubic-kubeadm-criconfig + +%description kubeadm-criconfig +CRI-O container runtime configuration for kubeadm + %prep %setup -q -%patch0 -p1 %build # We can't use symlinks here because go-list gets confused by symlinks, so we @@ -131,6 +144,9 @@ %post %service_add_post %{name_source1} +%post kubeadm-criconfig +%fillup_only -n kubelet + %preun %service_del_preun %{name_source1} @@ -157,6 +173,8 @@ install -D -m 0644 %{SOURCE2} %{buildroot}%{_fillupdir}/%{name_source2} # Systemd install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name_source1} +# place kubelet.env in fillupdir +install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet # Symlinks to rc files install -d -m 0755 %{buildroot}%{_sbindir} ln -sf service %{buildroot}%{_sbindir}/rccrio @@ -187,4 +205,8 @@ %{_unitdir}/%{name_source1} %{_sbindir}/rccrio +%files kubeadm-criconfig +%defattr(-,root,root) +%{_fillupdir}/sysconfig.kubelet + %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.PKtmbJ/_old 2018-09-05 13:45:11.725927925 +0200 +++ /var/tmp/diff_new_pack.PKtmbJ/_new 2018-09-05 13:45:11.725927925 +0200 
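Review bot: `%post kubeadm-criconfig` runs `%fillup_only -n kubelet`, and fillup, as far as I know, only adds variables that are missing from an existing /etc/sysconfig/kubelet, so a host that already carries a `KUBELET_EXTRA_ARGS` from the conflicting docker-kubic-kubeadm-criconfig package would probably keep the kubelet pointed at the previous runtime after the switch. The `Conflicts:` line settles ownership of `%{_fillupdir}/sysconfig.kubelet` but not the value that was already merged. A comment above the scriptlet such as `# fillup keeps an existing KUBELET_EXTRA_ARGS; check /etc/sysconfig/kubelet after switching runtimes` would make that visible, or the scriptlet could handle the switch explicitly. The hunks show only part of the spec, so a migration step elsewhere cannot be ruled out.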
@@ -2,8 +2,8 @@ <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/kubernetes-incubator/cri-o</param> <param name="scm">git</param> -<param name="versionformat">1.11.1</param> -<param name="revision">v1.11.1</param> +<param name="versionformat">1.11.2</param> +<param name="revision">v1.11.2</param> </service> <service name="recompress" mode="disabled"> <param name="file">cri-o-*.tar</param> ++++++ cri-o-1.11.1.tar.xz -> cri-o-1.11.2.tar.xz ++++++ ++++ 21319 lines of diff (skipped) ++++++ crio.conf ++++++ --- /var/tmp/diff_new_pack.PKtmbJ/_old 2018-09-05 13:45:13.553930648 +0200 +++ /var/tmp/diff_new_pack.PKtmbJ/_new 2018-09-05 13:45:13.553930648 +0200 @@ -1,22 +1,34 @@ - # The "crio" table contains all of the server options. [crio] +# CRI-O reads its storage defaults from the containers/storage configuration +# file, /etc/containers/storage.conf. Modify storage.conf if you want to +# change default storage for all tools that use containers/storage. If you +# want to modify just crio, you can change the storage configuration in this +# file. + # root is a path to the "root directory". CRIO stores all of its data, # including container images, in this directory. -root = "/var/lib/containers/storage" +#root = "/var/lib/containers/storage" # run is a path to the "run directory". CRIO stores all of its state # in this directory. -runroot = "/var/run/containers/storage" +#runroot = "/var/run/containers/storage" # storage_driver select which storage driver is used to manage storage # of images and containers. storage_driver = "btrfs" # storage_option is used to pass an option to the storage driver. -storage_option = [ -] +#storage_option = [ +#] + +# file_locking is whether file-based locking will be used instead of +# in-memory locking +file_locking = true + +# file_locking_path is the file used for file-based locking +file_locking_path = "/run/crio.lock" # The "crio.api" table contains settings for the kubelet/gRPC interface. [crio.api] 
@@ -30,9 +42,21 @@ # stream_port is the port on which the stream server will listen stream_port = "10010" -# file_locking is whether file-based locking will be used instead of -# in-memory locking -file_locking = true +# stream_enable_tls enables encrypted tls transport of the stream server +stream_enable_tls = false + +# stream_tls_cert is the x509 certificate file path used to serve the encrypted stream. +# This file can change, and CRIO will automatically pick up the changes within 5 minutes. +stream_tls_cert = "" + +# stream_tls_key is the key file path used to serve the encrypted stream. +# This file can change, and CRIO will automatically pick up the changes within 5 minutes. +stream_tls_key = "" + +# stream_tls_ca is the x509 CA(s) file used to verify and authenticate client +# communication with the tls encrypted stream. +# This file can change, and CRIO will automatically pick up the changes within 5 minutes. +stream_tls_ca = "" # The "crio.runtime" table contains settings pertaining to the OCI # runtime used and options for how to set up and manage the OCI runtime. 
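Review bot: The added stream options ship `stream_enable_tls = false` with empty `stream_tls_cert`, `stream_tls_key` and `stream_tls_ca`, so by default the stream server on `stream_port = "10010"` carries exec, attach and port-forward traffic unencrypted and without client-certificate checks. How much that matters depends on `stream_address`, which lies outside this hunk; once it is bound to anything other than a loopback address the three TLS paths need to be set together. I would add a comment above the flag, e.g. `# Enable together with stream_tls_cert, stream_tls_key and stream_tls_ca whenever stream_address is not a loopback address.`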
@@ -89,31 +113,87 @@ # apparmor_profile is the apparmor profile name which is used as the # default for the runtime. -apparmor_profile = "crio-default" +# apparmor_profile = "crio-default" # cgroup_manager is the cgroup management implementation to be used # for the runtime. cgroup_manager = "cgroupfs" +# default_capabilities is the list of capabilities to add and can be modified here. +# If capabilities below is commented out, the default list of capabilities defined in the +# spec will be added. +# If capabilities is empty below, only the capabilities defined in the container json +# file by the user/kube will be added. +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FSETID", + "FOWNER", + "NET_RAW", + "SETGID", + "SETUID", + "SETPCAP", + "NET_BIND_SERVICE", + "SYS_CHROOT", + "KILL", +] + # hooks_dir_path is the oci hooks directory for automatically executed hooks hooks_dir_path = "/usr/share/containers/oci/hooks.d" # default_mounts is the mounts list to be mounted for the container when created +# deprecated, will be taken out in future versions, add default mounts to either +# /usr/share/containers/mounts.conf or /etc/containers/mounts.conf default_mounts = [ ] +# CRI-O reads its default mounts from the following two files: +# 1) /etc/containers/mounts.conf - this is the override file, where users can +# either add in their own default mounts, or override the default mounts shipped +# with the package. +# 2) /usr/share/containers/mounts.conf - this is the default file read for mounts. +# If you want CRI-O to read from a different, specific mounts file, you can change +# the default_mounts_file path right below. Note, if this is done, CRI-O will only add +# mounts it finds in this file. + +# default_mounts_file is the file path holding the default mounts to be mounted for the +# container when created. 
+# default_mounts_file = "" + # pids_limit is the number of processes allowed in a container pids_limit = 1024 -# enable using a shared PID namespace for containers in a pod -enable_shared_pid_namespace = false - # log_size_max is the max limit for the container log size in bytes. # Negative values indicate that no limit is imposed. log_size_max = -1 +# container_exits_dir is the directory in which container exit files are +# written to by conmon. +container_exits_dir = "/var/run/crio/exits" + +# container_attach_socket_dir is the location for container attach sockets. +container_attach_socket_dir = "/var/run/crio" + +# read-only indicates whether all containers will run in read-only mode +read_only = false + +# log_level changes the verbosity of the logs printed. +# Options are: error (default), fatal, panic, warn, info, and debug +log_level = "error" + # The "crio.image" table contains settings pertaining to the # management of OCI images. + +# uid_mappings specifies the UID mappings to have in the user namespace. +# A range is specified in the form containerUID:HostUID:Size. Multiple +# ranges are separed by comma. +uid_mappings = "" + +# gid_mappings specifies the GID mappings to have in the user namespace. +# A range is specified in the form containerGID:HostGID:Size. Multiple +# ranges are separed by comma. +gid_mappings = "" + [crio.image] # default_transport is the prefix we try prepending to an image name if the 
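Review bot: `default_capabilities` now hands `NET_RAW`, `DAC_OVERRIDE` and `SYS_CHROOT`, among others, to every container whose spec does not narrow them, and the comment above it speaks of "capabilities" rather than the key it documents. For a distribution default I would trim the list to what workloads are known to need, or at least say so in the comment: `# Remove entries such as NET_RAW here if no workload needs raw sockets.` In the same hunk `apparmor_profile` becomes a comment, so the effective profile depends on CRI-O's compiled-in default, which this page does not show; naming that value in the comment would help. `uid_mappings` and `gid_mappings` are also placed between the "crio.image" comment and the `[crio.image]` header, so they parse into the preceding table while reading as image settings.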
@@ -138,14 +218,21 @@ # The valid values are mkdir and ignore. image_volumes = "mkdir" +# CRI-O reads its configured registries defaults from the containers/image configuration +# file, /etc/containers/registries.conf. Modify registries.conf if you want to +# change default registries for all tools that use containers/image. If you +# want to modify just crio, you can change the registies configuration in this +# file. + # insecure_registries is used to skip TLS verification when pulling images. -insecure_registries = [ -] +# insecure_registries = [ +# ] # registries is used to specify a comma separated list of registries to be used # when pulling an unqualified image (e.g. fedora:rawhide). -registries = [ -] +#registries = [ +# "docker.io", +#] # The "crio.network" table contains settings pertaining to the # management of CNI plugins. ++++++ kubelet.env ++++++ KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --runtime-request-timeout=15m"
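Review bot: With `registries` turned into a comment, resolution of unqualified image names (the comment's own example is `fedora:rawhide`) is delegated to /etc/containers/registries.conf, so the docker.io default that the Aug 17 changelog entry added only holds if that file provides it. Since the search list decides which registry answers for a short name, the comment should say where the effective list lives, e.g. `# Effective list comes from /etc/containers/registries.conf; prefer fully qualified image names.` The new comment block also has the typo "registies", and "comma separated list" describes what is a TOML array. Leaving `insecure_registries` commented out is fine as long as registries.conf does not list any, which is not visible here.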