Hello community,

here is the log from the commit of package cri-o for openSUSE:Factory checked 
in at 2020-04-28 22:29:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cri-o (Old)
 and      /work/SRC/openSUSE:Factory/.cri-o.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cri-o"

Tue Apr 28 22:29:38 2020 rev:49 rq:798305 version:1.18.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/cri-o/cri-o.changes      2020-04-18 
00:30:45.934093952 +0200
+++ /work/SRC/openSUSE:Factory/.cri-o.new.2738/cri-o.changes    2020-04-28 
22:29:41.325453555 +0200
@@ -1,0 +2,93 @@
+Mon Apr 27 14:41:13 UTC 2020 - Ralf Haferkamp <rha...@suse.com>
+
+- Restore calls to %service_* macros that were accidently removed
+  with the last change
+
+-------------------------------------------------------------------
+Tue Apr 23 13:59:08 UTC 2020 - Sascha Grunert <sgrun...@suse.com>
+
+- Remove crio-wipe.service and crio-shutdown.service
+- Update to version 1.18.0:
+  - Deprecation
+    - Drop support for golang < v1.13
+  - API Change
+    - Removed version from default AppArmor profile name in config
+    - CRI-O now runs containers without NET_RAW and SYS_CHROOT
+      capabilities by default. This can result in permission denied
+      errors when the container tries to do something that would
+      require either of these capabilities. For instance, using
+      `ping` requires NET_RAW, unless the container is given the
+      sysctl `net.ipv4.ip_forward`. Further, if you have a
+      container that runs buildah or configures RPMs, they may fail
+      without SYS_CHROOT. Ultimately, the dropped capabilities are
+      worth it, as the majority of containers don't need them. The
+      fewer capabilities CRI-O gives out by default, the more
+      secure it is by default.
+    - When pinning namespaces, CRI-O now pins to
+      /var/run/$NS_NAMEns/$RAND_ID instead of
+      /var/run/crio/ns/$RAND_ID/$NS_NAME for better compatibility
+      with third party networking plugins
+  - Feature
+    - Add `crio config -m/--migrate` option which supports
+      migrating a v1.17.0 configuration file to the latest version.
+    - Add available image labels to image status info
+    - Add cgroup namespace unsharing to pinns
+    - Add live configuration reload to AppArmor profile option
+    - Add live configuration reload to seccomp profile option
+    - Add log context to container stats to improve logging
+    - Added `--cni-default-network`/`cni_default_network` option to
+      specify the CNI network to select. The default value is
+      `crio`, but this option can be explicitly set to `""` to
+      pickup the first network found in
+      `--cni-config-dir`/`network_dir`.
+    - Added `conmon`, `runc` and `cni-plugins` to the static
+      release bundle
+    - Added `linkmode` (dynamic or static) output to `crio version`
+      subcommand
+    - Added gRPC method names to log entries to increase
+      trace-ablity
+    - Added live reload to `decryption_keys_path`
+    - Added pinns binary to static bundle
+    - Improve `crio --version` / `version` output to show more
+      details
+    - Provide the possibility to set the default config path via
+      `make DEFAULTS_PATH=<PATH>`
+    - Take local images into account when pulling images prefixed
+      with `localhost/`
+    - Added support for drop-in registries.conf configuration
+      files. Please refer to the registries.conf.d documentation
+      
(https://github.com/containers/image/blob/master/docs/containers-registries.conf.d.5.md)
+      for further details.
+    - If a specified or the default hooks directory is not
+      available, then we warn the user but do not fail any more.
+  -  Documentation
+    - Update documentation that the lowest possible value for the
+      ctr_stop_timeout is 30seconds. We also move the validation of
+      this fact into the config validation part of the library.
+    - Added man page for crio.conf.d(5)
+  -  Other (Bug, Cleanup or Flake)
+    - Empty sandbox labels are now serialized into proper JSON (`null`)
+    - Fixed CRI-O to fail to start when `runc` is no configured
+      runtime and the `runc` binary is not in `$PATH`
+    - Fixed SIGHUP reload for drop-in configuration files
+    - Provide the latest release bundle via a Google Cloud Storage
+      Bucket at:
+      
https://console.cloud.google.com/storage/browser/k8s-conform-cri-o/artifacts
+    - Removed annoying logs coming directly from lower level
+      runtimes like runc
+    - Removed the musl libc build target from the static binary
+      bundle in favor of the existing glibc variant
+    - Removed warning about non-absolute container log paths when
+      creating a container
+    - CRI-O's version can be overriden at buildtime with
+      `VERSION=my.version.number make bin/crio`
+    - ContainerStatus no longer waits for a container operation
+      (such as start or stop) to finish.
+    - Fix bug resulting in false reports of OOM
+    - Fixed SIGHUP reload behavior for unqualified search
+      registries
+    - Return grpc code NotFound when we can't find a container or
+      pod
+    - Systemd unit file: drop crio-wipe.service as a requirement
+
+-------------------------------------------------------------------

Old:
----
  cri-o-1.17.3.tar.xz
  crio-shutdown.service
  crio-wipe.service

New:
----
  cri-o-1.18.0.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cri-o.spec ++++++
--- /var/tmp/diff_new_pack.pAvyyj/_old  2020-04-28 22:29:42.289455354 +0200
+++ /var/tmp/diff_new_pack.pAvyyj/_new  2020-04-28 22:29:42.293455361 +0200
@@ -24,7 +24,7 @@
 %define project github.com/cri-o/cri-o
 # Define macros for further referenced sources
 Name:           cri-o
-Version:        1.17.3
+Version:        1.18.0
 Release:        0
 Summary:        OCI-based implementation of Kubernetes Container Runtime 
Interface
 License:        Apache-2.0
@@ -36,8 +36,6 @@
 Source3:        crio.conf
 Source4:        cri-o-rpmlintrc
 Source5:        kubelet.env
-Source6:        crio-wipe.service
-Source7:        crio-shutdown.service
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
 BuildRequires:  glib2-devel-static
@@ -48,7 +46,8 @@
 BuildRequires:  libbtrfs-devel
 BuildRequires:  libgpgme-devel
 BuildRequires:  libseccomp-devel
-BuildRequires:  golang(API) >= 1.12
+BuildRequires:  golang(API) = 1.13
+BuildRequires:  go >= 1.13
 BuildRequires:  sed
 Requires:       patterns-base-apparmor
 Requires:       conntrack-tools
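Review bot: The two added build requirements disagree with each other: `golang(API) = 1.13` pins the build to exactly the 1.13 API, while `go >= 1.13` on the next line accepts any newer compiler. The changelog entry only says support for golang < v1.13 was dropped, which reads as a lower bound. If the exact pin is intentional, a comment above it such as `# pinned to Go 1.13; raise together with upstream's minimum` would record that, since the pin also decides which toolchain the shipped binary is built with. Otherwise `BuildRequires:  golang(API) >= 1.13` expresses the stated requirement.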
@@ -106,10 +105,10 @@
 make
 
 %pre
-%service_add_pre crio.service crio-wipe.service crio-shutdown.service
+%service_add_pre crio.service
 
 %post
-%service_add_post crio.service crio-wipe.service crio-shutdown.service
+%service_add_post crio.service
 # This is the additional directory where cri-o is going to look up for CNI
 # plugins installed by DaemonSets running on Kubernetes (i.e. Cilium).
 mkdir -p /opt/cni/bin
@@ -118,10 +117,10 @@
 %fillup_only -n kubelet
 
 %preun
-%service_del_preun crio.service crio-wipe.service crio-shutdown.service
+%service_del_preun crio.service
 
 %postun
-%service_del_postun crio.service crio-wipe.service crio-shutdown.service
+%service_del_postun crio.service
 
 %install
 cd $HOME/go/src/%{project}
@@ -149,8 +148,6 @@
 install -D -m 0644 %{SOURCE2}       %{buildroot}%{_fillupdir}/sysconfig.crio
 # Systemd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/crio.service
-install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/crio-wipe.service
-install -D -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/crio-shutdown.service
 # place kubelet.env in fillupdir
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet
 # Symlinks to rc files
@@ -191,8 +188,6 @@
 %{_fillupdir}/sysconfig.crio
 # Systemd
 %{_unitdir}/crio.service
-%{_unitdir}/crio-wipe.service
-%{_unitdir}/crio-shutdown.service
 %{_sbindir}/rccrio
 
 %files kubeadm-criconfig

++++++ _service ++++++
--- /var/tmp/diff_new_pack.pAvyyj/_old  2020-04-28 22:29:42.341455450 +0200
+++ /var/tmp/diff_new_pack.pAvyyj/_new  2020-04-28 22:29:42.341455450 +0200
@@ -2,8 +2,8 @@
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/cri-o/cri-o</param>
     <param name="scm">git</param>
-    <param name="versionformat">1.17.3</param>
-    <param name="revision">v1.17.3</param>
+    <param name="versionformat">1.18.0</param>
+    <param name="revision">v1.18.0</param>
     <param name="changesgenerate">enable</param>
   </service>
   <service name="recompress" mode="disabled">

++++++ cri-o-1.17.3.tar.xz -> cri-o-1.18.0.tar.xz ++++++
/work/SRC/openSUSE:Factory/cri-o/cri-o-1.17.3.tar.xz 
/work/SRC/openSUSE:Factory/.cri-o.new.2738/cri-o-1.18.0.tar.xz differ: char 25, 
line 1

++++++ crio.conf ++++++
--- /var/tmp/diff_new_pack.pAvyyj/_old  2020-04-28 22:29:42.405455570 +0200
+++ /var/tmp/diff_new_pack.pAvyyj/_new  2020-04-28 22:29:42.405455570 +0200
@@ -47,7 +47,8 @@
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"
 
-# The port on which the stream server will listen.
+# The port on which the stream server will listen. If the port is set to "0", 
then
+# CRI-O will allocate a random free port number.
 stream_port = "0"
 
 # Enable encrypted TLS transport of the stream server.
@@ -92,7 +93,7 @@
 no_pivot = false
 
 # decryption_keys_path is the path where the keys required for
-# image decryption are stored.
+# image decryption are stored. This option supports live configuration reload.
 decryption_keys_path = "/etc/crio/keys/"
 
 # Path to the conmon binary, used for monitoring the OCI runtime.
@@ -108,17 +109,26 @@
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 ]
 
+# Additional environment variables to set for all the
+# containers. These are overridden if set in the
+# container image spec or in the container runtime configuration.
+default_env = [
+]
+
 # If true, SELinux will be used for pod separation on the host.
 selinux = false
 
 # Path to the seccomp.json profile which is used as the default seccomp profile
 # for the runtime. If not specified, then the internal default seccomp profile
-# will be used.
+# will be used. This option supports live configuration reload.
 seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
-# profile name is "crio-default-" followed by the version string of CRI-O.
-# apparmor_profile = "crio-default-1.17.0"
+# profile name is "crio-default". This profile only takes effect if the user
+# does not specify a profile via the Kubernetes Pod's metadata annotation. If
+# the profile is set to "unconfined", then this equals to disabling AppArmor.
+# This option supports live configuration reload.
+# apparmor_profile = "crio-default"
 
 # Cgroup management implementation used for the runtime.
 cgroup_manager = "systemd"
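Review bot: The rewritten `apparmor_profile` comment does not cover hosts whose configuration already names the old versioned profile, which the previous example (`crio-default-1.17.0`) invited. Whether such a name still resolves to a loaded profile after the rename is not visible in this hunk, so containers could presumably fail to start or run under a different profile than intended. I would add a line such as `# Configurations that still name "crio-default-<version>" should be updated, e.g. with "crio config --migrate".`, which is the option the changelog introduces for 1.17.0 configuration files. For the new `default_env`, a short `# Do not place secrets here; the values are set for every container.` would also help.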
@@ -131,12 +141,10 @@
        "DAC_OVERRIDE",
        "FSETID",
        "FOWNER",
-       "NET_RAW",
        "SETGID",
        "SETUID",
        "SETPCAP",
        "NET_BIND_SERVICE",
-       "SYS_CHROOT",
        "KILL",
 ]
 
@@ -152,7 +160,8 @@
 additional_devices = [
 ]
 
-# Path to OCI hooks directories for automatically executed hooks.
+# Path to OCI hooks directories for automatically executed hooks. If one of the
+# directories does not exist, then CRI-O will automatically skip them.
 hooks_dir = [
     "/usr/share/containers/oci/hooks.d"
 ]
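Review bot: The new sentence on `hooks_dir` says missing directories are skipped but not that this is reported, and "skip them" should read "skip it". The changelog states that CRI-O warns in this case, so the comment could say `# If one of the directories does not exist, CRI-O logs a warning and skips it.` Because hooks in these directories are executed automatically, it is also worth stating the expected ownership, for example `# Directories listed here should be writable by root only.`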
@@ -204,7 +213,7 @@
 # Changes the verbosity of the logs based on the level it is set to. Options
 # are fatal, panic, error, warn, info, debug and trace. This option supports
 # live configuration reload.
-log_level = "error"
+log_level = "info"
 
 # Filter the log messages by the provided regular expression.
 # This option supports live configuration reload.
@@ -221,8 +230,9 @@
 gid_mappings = ""
 
 # The minimal amount of time in seconds to wait before issuing a timeout
-# regarding the proper termination of the container.
-ctr_stop_timeout = 0
+# regarding the proper termination of the container. The lowest possible
+# value is 30s, whereas lower values are not considered by CRI-O.
+ctr_stop_timeout = 30
 
 # **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which 
is described below.
 # manage_network_ns_lifecycle = false
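Review bot: The new comment on `ctr_stop_timeout` leaves open what "not considered" means for a configured value below 30: rejected at validation, or raised to 30. The previous packaged default was `0`, so hosts that keep their existing crio.conf carry exactly such a value, and the changelog says the check moved into config validation. I would spell out the outcome, e.g. `# Values below 30 are <rejected at startup | raised to 30>.`, using whichever behaviour the 1.18.0 validation implements.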
@@ -233,7 +243,7 @@
 
 # The directory where the state of the managed namespaces gets tracked.
 # Only used when manage_ns_lifecycle is true.
-namespaces_dir = "/var/run/crio/ns"
+namespaces_dir = "/var/run"
 
 # pinns_path is the path to find the pinns binary, which is needed to manage 
namespace lifecycle
 pinns_path = ""
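Review bot: With `namespaces_dir = "/var/run"` the comment above it no longer describes where the pins end up. Per the changelog, namespaces are now pinned at /var/run/$NS_NAMEns/$RAND_ID, so CRI-O creates and manages entries directly below a directory shared with other services instead of its own /var/run/crio/ns. A comment such as `# CRI-O creates one "<namespace>ns" subdirectory per namespace type below this path.` would make that visible to an operator who changes the value or audits what writes under /var/run.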
@@ -335,6 +345,10 @@
 # CNI plugins.
 [crio.network]
 
+# The default CNI network name to be selected. If not set or "", then
+# CRI-O will pick-up the first one found in network_dir.
+# cni_default_network = ""
+
 # Path to the directory where CNI configuration files are located.
 network_dir = "/etc/cni/net.d/"
 
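Review bot: The comment for `cni_default_network` contradicts the changelog in this same commit. The comment says an unset option makes CRI-O pick the first network found in `network_dir`, while the changelog gives the default value as `crio` and reserves first-found selection for an explicit `""`. With the key left commented out, an operator cannot tell which network pods will be attached to. If the changelog is right, the comment should read `# The default is "crio"; set to "" to pick the first network found in network_dir.` and the example line should be `# cni_default_network = "crio"`.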

++++++ crio.service ++++++
--- /var/tmp/diff_new_pack.pAvyyj/_old  2020-04-28 22:29:42.429455615 +0200
+++ /var/tmp/diff_new_pack.pAvyyj/_new  2020-04-28 22:29:42.429455615 +0200
@@ -4,8 +4,6 @@
 After=network.target
 After=lwm2-monitor.service
 After=SuSEfirewall2.service
-After=crio-wipe.service
-Requires=crio-wipe.service
 
 [Service]
 Type=notify

