linux/meta-virtualization.git/recipes-containers/cri-o, branch master

cri-o: update to v1.35.0

2026-03-18T03:32:54+00:00

Bumping cri-o to version v1.33.0-522-g8273bca37, which comprises the following commits: 5dd7bb4e3 Add libpathrs version to dependencies 2b23b4810 Add libpathrs-devel to github-actions 8d8d342a1 Add libpathrs-devel to Fedora packages for runc build d51616f2f fix: prevent panic on closed stopTimeoutChan in StopContainer 71e9babcd fix: handle ErrNotAnImage in RemoveImage for concurrent deletion idempotency 1d19f431c [docs] fix dead nixos link in install.md 73957f24e build(deps): bump the gomod group across 1 directory with 7 updates e43e31772 Fix metric label cardinality mismatches in CRI stats 1e19a7261 Skip OCI artifact fallback on transient network errors 7eb2cc18e Add EnsureNotContainerImage to prevent container images in artifact store aed9671d7 Return image ID from PullImage instead of repo digest a42bdf9de tutorials/CRI-O in kind: fix bash syntax error 1e2e17804 Bump golangci-lint to v2.10.1 c355bea81 Add OpenVEX report generation via govulncheck 9ca8e2c1a Bump go dependencies 020b30892 Fix the bug where cri-o doesn't emit any metrics when all is set. f1c0c7b6a Feature Request: Make TLS minimum version and cipher suites configurable for CRI-O server ddb1d632a Update setup-go 1294b3151 Temporarily pin conmon to pass CI. See https://github.com/containers/conmon/pull/629#issuecomment-3872984444 for details. 65b9fcc49 Bump development version to v1.36.0 ecacc4558 Mark v1.32 EOL 75877851a Some minor refactorings of `ociartifact` d1d77faec Refactor `ociartifact`: extract `datastore` package for artifact data handling 39ff6f590 Refactor `ociartifact` to simplify artifact creation using `NewArtifact` and remove redundant `buildArtifact` logic. ec12a7d5f bump c/common, c/storage 33f0e88da Disable swap setup on GitHub actions b414a1f93 Update nixpkgs 0f877a3e1 Update .coderabbit.yaml d56906b6d Create .coderabbit.yaml eccac32bd Revert "storage: Preserve knownRepoDigests order in ImageStatus" 4eabb00d3 server: update container state prior to NRI StopContainer event. 0f68aa8d0 test: Add regression test for user namespace cgroup delegation e826ac15c server: Always include UID/GID mappings for user namespace containers 19d319695 server,nri: pass extended container status to NRI. 03e4dffce build(deps): bump github.com/sigstore/fulcio from 1.8.3 to 1.8.5 8df271a03 server,nri: pass any POSIX rlimits to plugins. 23b10b8da server,nri: pass container user (uid, gids) to plugins. 7822ff1f1 checkpoint: clean up checkpoint dir on error 74af549f5 Remove `filepath-securejoin` replace and bump to 0.5.2 922d3edc8 Refactor container mount setup functions and improve SELinux label handling 396cce5f0 Replace cgmgr.CgroupStats to use cgroups.CgroupStats d9d10ea4c Rename DiskMetrics and FilesystemMetrics to DiskStats, FilesystemStats for consistency with other structs and cadvisor 9da43ec9c Move disk_metrics to the new stats package. d2d7d1f2c Rename stats to statsserver 5062a6a94 oci: fix lint 73848ccec runtimehandlerhooks: save whether irq balance enable was done a96dfe16a server: run post stop hooks before updating container status fa5afc5b3 refactor(memorystore): remove unused Size() method 4009c44e1 refactor: remove AddExecPID, use StartExecCmd eeab7a961 fix: make exec start atomic with PID registration a97e4b982 test: skip tests from kata containers e8d273b08 test: add integration tests for exec during graceful termination 8df026b11 test: add tests for exec during container lifecycle 35f7a3ca6 feat: allow exec to containers during graceful termination ec1c67a8c artifacts: fix unqualified search tests 610a868fa artifacts: mock libartifact store 6ca8533aa Drop unqualified-search-registries support for artifacts c33e3e81b test/nri: update linter deprecation annotation. 174d13446 server,nri: pass any linux RDT constraints to plugins. 25f32e0e6 server,nri: pass any linux net devices to plugins. db7314ca6 server,nri: pass any linux scheduler attributes to plugins. 9536cf92c server,nri: pass any linux I/O priority to plugins. b23a7d055 go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor. 04f4754fa Update Golang download URL to use go.dev instead of storage.googleapis.com 4e2f7dbed Ensure `InitLabel` only sets process label when unset 29b33f11e Fix the bug where the ContainersStatuses.Image returned by the GetContainerEvents interface is nil 01b2c74d9 Follow up on PR 9634 to clean up redundant code. 68795ff36 Refactor cgroup manager integration: centralize pod and container cgroup manager retrieval logic with `GetPodAndContainerCgroupManagers` and standardize function naming for consistency. 0b1d77bdd Add exec cgroup for exec CPU affinity a2a04ad55 Refactor cgroup manager logic: centralize `LibctrManager` and `CrunContainerCgroupManager` in `cgmgr` while replacing duplicates. c979d5fdd Delegate setting shared CPUs in cgroup to container runtime. cf4aab91f Update release notes to use cosign bundle format 3cead51f9 Replace json-iterator/go with goccy/go-json 9270ed35b Refactor ociartifact handling to use libartifact types and store db0840561 go.{mod,sum} bump CDI deps to v1.1.0. 8212e1acd build(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.3 23b69a24b build(deps): bump the gomod group with 10 updates a7b222899 server: use totalTimeout for infra container stop 9d7aa99d0 OCPBUGS-62150: server: ignore /etc/passwd mount 11e4c1806 build(deps): bump the gomod group across 1 directory with 3 updates 1c09e085d Replace v1 annotation references with v2 5a0973db5 Pin Kubernetes to v0.35.0-rc.0 1a7db25c0 Add container pressure metrics to stats collection c42cf78c6 Remove SignalContainer functionality and related syscalls 97658ce1a build(deps): bump the gomod group with 7 updates 6bb8a380c Allow containers to use both host network and user namespace e46ab57b1 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 c2ebfbac1 Migrate annotations to Kubernetes-recommended naming conventions ddfa9d3eb server: skip processing early if we get a nil adjustment from NRI. eb21f3b71 build(deps): bump the gomod group with compatibility fixes e03e84aae Fix incomplete config validation on sandbox restoration 35ce440e8 Make AGENTS.md generic and add git workflow nuance bbe6d7a4e Rename CLAUDE.md to AGENTS.md e71f96aed dbusmgr: use system dbus when running as UID 0 regardless of rootless detection 9e0b08c1d Add support for "all" in includedPodMetrics and validate its usage 3b932318f Fix the bug where includedPodMetrics are not respected in ListMetricDescriptors f830100c3 Add CLAUDE.md project context file 3233b94ea refactor: Reduce cyclomatic complexity in sandbox_run 07b0da920 refactor: Reduce cyclomatic complexity in sandbox_run 3dd90b8ab test: add integration tests for container_create_timeout configuration 52efdb362 test: add tests for ContainerCreateTimeout configurability 2d2024a0f Add documentation for container_create_timeout configuration option 7a2427285 Add context timeout to task.Create in runtime_vm.go 18d52e3e0 Make ContainerCreateTimeout configurable at runtime handler level 09625082c Improve returned error text at CreateContainer failure f76e3f9ea Migrate to container-libs f6bc16be2 storage: Preserve knownRepoDigests order in ImageStatus e200c2625 test: Switch more integration tests to use crun 20e6d1b47 Update golangci-lint to v2.6.2 and modernize configuration f22167af4 Update sigstore/cosign-installer to v4.0.0 99a55c8f5 Fix CVE-2025-58183: Update tar-split to v0.12.2 f49e8eb7b Disable runc integration tests due to AppArmor issue 9ece818fb metrics: add disk IO stats 822ce9db8 spec metrics: always report container_spec_memory_reservation_limit_bytes e7af6bd9b metrics: add container_start_time_seconds f470ad448 spec metrics: always report container_spec_memory_reservation_limit_bytes cf3eb39b7 metrics: add container_start_time_seconds 2d66de376 feat: extend oci runtime to collect and manage disk metrics 069114806 refactor: Reduce cyclomatic complexity in criocli 6ad526c7a metrics: update process metrics tests and refactor stats_linux.go a bit 7fda065ba Extend Disk Metrics for other filesystems d9694a420 Extended ContainerStats to include disk metrics 8b8028baa feat: Added Disk Metrics 7a179c8a6 refactor: Reduce cyclomatic complexity in container_create 6cbdc99cc Fix `patch-release` job by adding dependencies.yaml 58a1fc0f3 Tests for threads and sockets cbea27536 Refactor thread metrics aebf1d561 metrics: correct container metric metadata 76319d61c build(deps): bump the gomod group across 1 directory with 2 updates 927461f48 fix minor typos in README.md 897f1cdf2 Added container process metrics a3c41c499 container: take state lock when setting spec fe0a3281d metrics: add container spec metrics a748f3453 metrics: add container_last_seen 1fb90ef70 build(deps): bump k8s.io/kubelet from 0.35.0-alpha.1 to 0.35.0-alpha.2 5ecd5931b build(deps): bump k8s.io/cri-client 36475303d build(deps): bump the gomod group with 2 updates ed3fe40bf Add and apply gopls `modernize` linter fe4306b72 Pin github.com/cyphar/filepath-securejoin to v0.4.1 9a2f002d0 build(deps): bump github.com/cri-o/crio-credential-provider c2db50755 Close runtime connection on watchdog call 1e357f4d6 build(deps): bump sigs.k8s.io/release-sdk in the gomod group 93f920160 Remove support for `InsecureRegistries` in favor of `registries.conf` f10344e7c Mark v1.31 as EOL 2ec914d08 Packit: remove unmaintained branches c76a5286b lint b10d151c8 remove typo a760511c1 move log statement after fn call 6e4965b1d Fix lint CI by re-adding `nolints` 68c73a911 Clean up duplicate SignaturePolicyPath logic in image_pull.go 55c749ff4 build(deps): bump golang.org/x/net in the gomod group ce5edf28b build(deps): bump the gomod group with 2 updates 93121f41b Re-use public credential provider API a0c3b7723 build(deps): bump the gomod group across 1 directory with 4 updates d25f3a5d2 Update log formatting in interceptors to use %+v for better readability of structs ab0176bde HighPerformanceHooks: Nil pointer check for isContainerRequestWholeCPU 172635f02 HighPerformanceHooks: Add housekeeping CPU support for IRQ loadbalancing 7a780e492 Fix Generator initialization to properly initialize envMap 53b7f6bfb Remove github.com/grpc-ecosystem/go-grpc-middleware dependency 43ed9f965 Remove unused code from Makefile ff5900e74 Switch to go 1.25 d73c82b4d Actions: cancel parallel runs 0b1d84cbc Update nixpkgs 1080c5ea9 Fix lint cadcf4753 build(deps): bump the gomod group across 1 directory with 3 updates 85da8e038 Re-add the `--enable-fixed-path` removal for gpgme 719a3e65d Remove temporary auth files if used bc7f61ad4 Update third party dependencies 7a99e1d67 Consume additional pull auth if available 63212c48b temporarily downgrade crun version until container-selinux fix is released 02cd6750a server: Fix network cleanup failures when NetNS path is empty 16246ad1a Fix `ERROR! Invalid callback for stdout specified: debug` by removing stdout_callback ad1728396 Use ftpmirror.gnu.org instead of ftp.gnu.org because ftp.gnu.org is sometimes too slow. 78c966c13 HighPerformanceHooks: Defer irqSMPAffinityFile rollback 44af57fe0 Revert "Skip [FeatureGate:InPlacePodVerticalScaling]" 79cd6e3f1 Update development version 14abbfc21 build(deps): bump the gomod group across 1 directory with 9 updates 1f1746236 Update dependencies.yaml if required on release cut 03ec73d26 HighPerformanceHooks: Move IRQ balancing to PostStop hook 06c843730 HighPerformanceHooks: Add mock infra for command and system unit tests 1283afcfe HighPerformanceHooks: Make locks atomic for irq SMP affinity 8aeda9682 Update install.md - Add Dep for Ubuntu 24 Signed-off-by: Bruce Ashfield

cri-o: update to v1.34.1

2025-10-16T15:49:14+00:00

Bumping cri-o to version v1.34.1-9-g5780ac7b4, which comprises the following commits: 6d3fac06f Update log formatting in interceptors to use %+v for better readability of structs 83172bb4c Fix dependencies check 1c84c7c4b Re-add the `--enable-fixed-path` removal for gpgme 43f6eeeda version: bump to 1.34.1 7561efe0b HighPerformanceHooks: Defer irqSMPAffinityFile rollback c2eab18ba HighPerformanceHooks: Move IRQ balancing to PostStop hook 0790633e6 HighPerformanceHooks: Add mock infra for command and system unit tests e294f5435 HighPerformanceHooks: Make locks atomic for irq SMP affinity bbd9d0360 server: Fix network cleanup failures when NetNS path is empty a8b550ad0 config: configure shortname through configuration and enforce shortnames 7a4365cf5 Add crio.runtime.runtimes seccomp_profile to crio.conf.5 doc 9b922306b build(deps): bump the gomod group with 4 updates 5813011e0 build(deps): bump the gomod group with 2 updates 1c4060d8f Warn when CONTAINER_INCLUDED_POD_METRCIS (typo) is used. a0a44b5dd Add runtime handler seccomp profile fdda720ff build(deps): bump github.com/prometheus/client_golang in the gomod group 84ea2f8b6 build(deps): bump the gomod group with 2 updates 165d40bfa build(deps): bump the gomod group with 7 updates 15233a7de tests: add a unit test for log rotation d07b9575e Update nixpkgs c411cfa7b build(deps): bump github.com/onsi/ginkgo/v2 in the gomod group 47b7f11ff Update nixpkgs c5942f667 Update other deps fb2861507 build(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 fb183a27c runtime_vm: Implement the ReopenContainerLog function d1839c936 build(deps): bump the gomod group with 4 updates eb3004491 Use k8s 0.34.0 cc074af34 build(deps): bump the kubernetes group with 7 updates cf1c33f6e Remove thermal_throttle masked paths. d10c4e501 Use k8s rc instead of the next minor 558c5483c build(deps): bump the gomod group across 1 directory with 16 updates 9d999d519 Cleanup container user log message and trivial code 655c5f8fe docs: regenerate/update man pages. 2a71e8181 completions: regenerate completions. 64863ccbe nri: add configuration for the default validator. 7c5f1fe54 server: add type conversion functions removed from NRI. 831b8dd9b go.{mod,sum}: update NRI to v0.10.0. 21b03fda2 inspect: add hostnetwork information cc10ee3cd Add support for conmon-rs log driver and heaptrack config Signed-off-by: Bruce Ashfield

cri-o: correct SRC_URI and HOMEPAGE

2025-09-04T01:38:36+00:00

cri-o now resides under https://github.com/cri-o/cri-o. The old URL, https://github.com/kubernetes-sigs/cri-o, now redirects to https://github.com/cri-o/cri-o. Correct SRC_URI and HOMEPAGE to use https://github.com/cri-o/cri-o. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield

crio: update to v1.33.0 -tip

2025-08-21T17:04:22+00:00

Bumping cri-o to version v1.33.0-167-g259e23fd4, which comprises the following commits: 21b03fda2 inspect: add hostnetwork information Signed-off-by: Bruce Ashfield

cri-o: update to v1.33.0

2025-07-07T15:42:27+00:00

Bumping cri-o to version v1.33.0-63-g87ce1c120, which comprises the following commits: b9bc2a2cd Upgrade netlink 8d0965635 Downgrade otelgrpc bc9516250 build(deps): bump the gomod group across 1 directory with 20 updates e90924e83 Revert "temporarily enable debug symbols" 6870ad334 test/ctr.bats: fix wrt new CPU units to weight conversion 2491f8124 Mark v1.30 as EOL ba6a88448 fix prettier 7cf556a6f update nixpkgs 4450e698d Bump go version to 1.24.3 f8084ff63 build(deps): bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 ab7d879dc temporarily enable debug symbols 1e751b490 fix deadlock when the container is in uninterruptible sleep cb2965f42 [revert] internal/oci: fix terminal resize race condition 0d449e00e internal/oci: fix terminal resize race condition 662474e9b fix verify command ebabdc929 unit tests fixup 85665a6fe code fixup 5944f40fc HighPerformanceHooks: Remove dead code ShouldCPUQuotaBeDisabled a22b5dad9 FreeBSD fixup ebee282d3 HighPerformanceHooks: Unit tests for Fix IRQ SMP affinity race c50e4e0de HighPerformanceHooks: Fix IRQ SMP affinity race conditions 239f9ee61 install: drop outdated flatcar installation instructions bfe3b83cf increase timeout of critests 5912f0483 change conmon install 25b3dfb58 UpdateContainerStatus: fix error logging 6062ff148 internal/hostport: fix linter warning b3f139431 Redo metaHostportManager construction, fix bug 801383af3 Improve iptables error handling when there's no iptables binary 0a0b33208 deps: bump to runc 1.3 3f4b82fa6 Finish switching to opencontainers/cgroups dc3d6b6ec pass down apparmor errors 608b8a0e9 Retry failed tests 290edee86 sandbox: use created/stopped instead of infra container for readiness 4996d1050 Extend checkpoint/restore test for container logs f52c04277 Add coverage report from integration tests 6b20443c5 Fix `OS_RPM_NAME="$(rpmspec -q --qf '%{name}\n' "${OS_RPM_SPECFILE}" | head -1)"` exited with status 141. error eea79c782 Switch to v1.34.0 as development version of `main` a51c99a2c Decrease actual version aa52c9329 Add option to allow seccomp profiles for privileged containers 4fc529bf8 Support multi architecture artifacts d94a8f37c Add signature verification for image volumes 15bbcca97 build(deps): bump github.com/opencontainers/cgroups in the gomod group d063f8293 Add v1.33 to supported versions 9b0142eb0 Update CNI plugins to v1.7.1 aecad95c3 Improve timeout integration tests f499c0a96 Make metaHostportManager handle iptables vs nftables 982c191d9 Add an nftables HostPortManager dda8739ea Move iptables HostPortManager code into its own file. beb362521 Move hostport conntrack cleanup to metaHostportManager dec4bda08 Move hostport IP family filtering to metaHostportManager b7731057a Remove hostport.PodPortMapping 5db94b36b Revert "Squash MetaHostPortManager into HostPortManager" 6fd9131eb New UpdatePodSandboxResources CRI API handler 1a9acebff Fix build 30d575118 build(deps): bump the gomod group across 1 directory with 25 updates 479a8070c Fix GitHub actions CI test setup 766a81efb Fix container_create_freebsd.go 9660da25e remove runDir b5f51739e remove storageRoot e042f84b2 Remove mountLabel 52b81926b Remove absentMountSourcesToReject 5c9803b19 Remove bindMountPrefix 569e8d3db Update nixpkgs 2ac913d18 Support artifact mount sub paths 6df6cfc6f Update linter and fix reports 87ee7a4af Support `artifactType` OCI artifacts 4ae753afe Fix lint CI dd38a1805 emit crio runtime config as part of CRI API's StatusResponse fd5db98e6 Add the option to disable/enable OCI Artifact mount 68fe1936b Remove unused imports bb9223fc0 Add container_spec_memory_limit_bytes metric 087e2ce46 build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 44d9073dd Disable pull-progress-timeout per default ab9acb6f9 Add support for CNAI models 9cc9b0763 Add README for CI playbooks and remove cri-tools task fe4378b38 .golangci.yml: remove gofmt 560bf28a1 .golangci.yml: remove some unused linters 7ddf15274 .golangci.yml: remove legacy preset from exclusions 8250128de internal/ociartifact: rename MarshalJSON -> ToJSON a904a4e0e test/mocks: regenerate 8c3ce800f Run make mockgen 310a66356 .golangci.yml: rm some unused exclusions c02c3a54d Run mockgen b5b96dfdf Refactor metrics descriptors 012b6cde5 Increase pull-progress-timeout to `30s` d3f7cb491 Update nixpkgs 6a4a3ee9b test 7c4fbadc4 Add container stop signal feature (KEP-4960) a1f07bc4b Fix build 3feb9ad31 build(deps): bump the gomod group across 1 directory with 6 updates a9a660579 Fix image status so that it can get artifact with canonical name and short name 6b244a90a Switch to golangci-lint v2 2fa08cfa2 Use `strings.SplitSeq` instead of `strings.Split` 704932bc3 fix schema v1 images not resolve to image ID error f554c58ea Address linter complaint 62aeb65ce Remove Krzysztof Wilczyński as maintainer 19adbe020 Set default masked paths f5d0ff28e crio wipe should remove storage only once per reboot e429f75ee OCPNODE-3016: support mount OCI artifact 64567e976 Fix comment location about error message f4cff283d build(deps): bump the gomod group with 2 updates fca4ea622 Add image volume subpath support db553b0be Use go version requirements from go.mod 2dc6d0831 Add lint-fix target 7f7d77ace build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27 109872da3 Cleanup: ensure image volume path 24452a56c build(deps): bump github.com/containers/common in the gomod group 29c662a5b build(deps): bump the kubernetes group with 6 updates ab6bc86b8 Fix release notes download location c2f55509f Update debug flag a0ffef29a build(deps): bump github.com/containers/image/v5 in the gomod group 25775fdb3 build(deps): bump the gomod group across 1 directory with 2 updates 662f8cab6 Require go 1.24 for build 512d33bc5 build(deps): bump the gomod group with 7 updates 00a7117dc Improve artifact error logs 9824edb9d build(deps): bump the gomod group with 5 updates 3f1398477 build(deps): bump the gomod group with 3 updates 3507a2a5b Update the release-notes tool to v0.18.0 9e69a709f Update conmon to v2.1.13 663066d99 build(deps): bump the gomod group across 1 directory with 2 updates 754a1ed24 Add OCI artifact support e69571c34 Drop image status log message b638954fe Switch to go 1.24 f46b83d3f build(deps): bump github.com/containerd/containerd in the gomod group 826ef8052 build(deps): bump the gomod group across 1 directory with 5 updates c3363e0c3 add --extra-experimental-features nix-command flag to build-static target dfc2778ee build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 92fd877a0 Update golangci-lint config and fix reports 8c9fa54ba Add validate method for sandbox 32854c9d1 server: fix races in GetContainerEvents 6fdd6b3bc Updating install docs 0a81f1ef7 build(deps): bump the kubernetes group with 6 updates 8287e4159 server: don't dereference Config.Linux if it is nil 3c7337fb9 server: move createSandboxContainer and related functions to container_create.go 7cdfc7938 server: factor out adding /dev/shm mount e533ab281 server: factor out adding sysfs mounts 20b17df06 server: add no-op stub for makeOCIConfigurationRootless 5035c19a0 server: factor out creating the security context 286e7e24f internal/factory/container: add no-op stub for SpecAddDevices on FreeBSD 7f104e5da internal/factory/container: make SpecAddNamespaces platform-specific 68091febb internal/factory/container: make (*container).SelinuxLabel platform-specific 29a85ace4 internal/linklogs: add stub for freebsd 2f4bc00c2 internal/config/device: add stub for DevicesFromAnnotation 2efa5b35f Fix context cancellation when image pull progress timeout is `0` 10070a556 Fix build d9d5def74 build(deps): bump sigs.k8s.io/release-sdk in the kubernetes group 29e76f138 Remove `exclude_graphdriver_devicemapper` build tag a4c67cc6c Fix: If cgroup manager is cgroupfs then allow conmon_cgroup to be empty dcfb01965 build(deps): bump google.golang.org/protobuf in the gomod group 2193e6280 Update mocks 864e43306 build(deps): bump the gomod group across 1 directory with 8 updates a961ed207 Mark v1.29 as EOL 60c3697ac Fix typo in version_update_mask regex 77f2041ea Change nixpkgs update to monthly 4ceeaddaa Switch to golang native error joining and errgroup 0b6a04bea test: add test coverage for LinkLogs malicious paths 910f6e5d6 internal/linklogs: sanitize the directory path before using it d5ab7c46c build(deps): bump sigs.k8s.io/release-utils in the kubernetes group 6dbfcec98 Downgrade github.com/cyphar/filepath-securejoin b27a733c8 Remove `LimitNOFILE` from systemd service file ecd3b6dce build(deps): bump the gomod group across 1 directory with 8 updates 6b4fd0741 Add warning log for a process having an uninterruptible child. d19a9d641 Enable `wsl` and `nlreturn` linters 0979d3497 Integrate native GitHub arm64 runners a371ae1c3 Log error when failing to update container status from exit file 03472dd92 Enable linters and auto-fix 630b608f0 Add documentation hint how to handle the versions 6691836a5 Revert 'Add 1.33 to supported minor version' f67859446 watchdog: decouple CNI plugin initialization from CRI-O health checks e87f86c1b Switch to our log module for logging in iptables module 1b06fc09d Add `release-1.33` to active prerelease version 1f60a95cc internal/config/ociartifact/ociartifact: Do not hard-code 'sha256' in error message 6dc287d45 vendor: downgrade github.com/cyphar/filepath-securejoin to v0.3.6 db4ca1752 * : fix lint/vendor issues to update dependabot updates 16289cad3 Update nixpkgs 271146940 Fix klog-shim to close the bracket properly 1005e0e32 build(deps): bump the gomod group across 1 directory with 17 updates 05296551a Avoid using UpdateContainerStatus for ReopenContainerLog and add logs tests 1a6765b73 Makefile: introduce GO_TEST for more flexible configuration a9e7d29b3 Improve `sync.Map` iterators with an implicit call 807943105 Remove Fedora 39 content ddaed68a3 Makefile: fixes wrt crio.conf f5e6d6f7f Update nixpkgs to the latest HEAD commit 78c45f865 Update nix release to v2.24.11 458137a7a Update release-notes release to v0.17.11 3b94f59b1 Update gosec release to v2.21.4 a9aa6072f Update shfmt release to v3.10.0 fbc3ce557 Update golangci-lint release to v1.63.4 0fe4097af Update buildah release to v1.38.0 72f95429a Update bats release to v1.11.1 6da7ef28b Update containernetworking/plugins Go package release to v1.6.2 3f0f86965 Update multiple dependencies to newer releases 997e4fbd3 server: fix panic when default annotations are specified b473c6c04 Fetch latest containernetworking/plugins tag instead of v1.1.1 6e0df0924 Update CRI-O version and add checks Signed-off-by: Bruce Ashfield

cri-o: Add CONTAINER_DEFAULT_RUNTIME to run-ptest

2025-03-24T18:45:11+00:00

CRI-O version 1.31 and later defaults to crun instead of runc. This change cause ptests to fail if crun is not installed on the target system, as the test runner verifies the runtime's availability using 'command -v "$CONTAINER_DEFAULT_RUNTIME"'. Additionally, CRI-O specifies the runtime via the VIRTUAL-RUNTIME_container_runtime variable as a dependency. This commit explicitly sets the CONTAINER_DEFAULT_RUNTIME environment variable within the run-ptest script, based on the value of VIRTUAL-RUNTIME_container_runtime. This ensures ptests execute with the expected container runtime. Signed-off-by: Zhang Peng Signed-off-by: Bruce Ashfield

cri-o: update to v1.32.2

2025-03-11T06:06:26+00:00

Bumping cri-o to version v1.32.2, which comprises the following commits: e37e198e8 version: bump to 1.32.2 e681a34c8 go.{mod,sum}: bump CDI deps to v0.8.1. 85214c31b vendor: bump go-jose to 4.0.5 47566d01d Fix context cancellation when image pull progress timeout is `0` 1b98ce087 test: add test coverage for LinkLogs malicious paths d4a9f6bae internal/linklogs: sanitize the directory path before using it f168b6b39 version: bump to 1.32.1 5c8f66f8f Bump containers/storage 99ca98117 Avoid using UpdateContainerStatus for ReopenContainerLog and add logs tests 612f43a6d watchdog: decouple CNI plugin initialization from CRI-O health checks fffe6270d Cherry-pick changes from containers/image project 890c75c93 Cherry-pick changes from containers/storage project b57566b9c Update containernetworking/plugins Go package release to v1.6.2 6e44ed6d7 server: fix panic when default annotations are specified 0daeb208f Refactor man page variables in Makefile. a103688e7 config: add default_annotations 533b7d5e2 build(deps): bump actions/upload-artifact in the actions group d80af0f80 build(deps): bump crate-ci/typos in the actions group 986b386fc maintainers: promote Sohan and Krzysztof to approvers 10621f089 Update NRI to v0.9.0 34003b146 build(deps): bump the actions group across 1 directory with 2 updates 4409a15f6 Refactoring factory/container to remove references of snadbox 3576d0822 Update mocks b7d4c78d0 build(deps): bump the gomod group across 1 directory with 37 updates ea7cdad90 Require go 1.23 for build c5bdce024 Update golangci-lint to v1.62.2 and config 31b86eb6b Remove old golang build tags a5320071d Update nixpkgs c1a7989d9 build(deps): bump the actions group with 2 updates 08b9acb9a Don't pass seccomp section when it's disabled a89b991bd Don't start seccomp notifier watcher when seccomp is disabled d4a0b860e Update cni-plugins to v1.6.1 33dbcc12b Add systemd watchdog support 698025097 Update sandbox_run_linux.go 2329bd698 Update container_create.go 197f98bb8 Always clear env even when `monitor_env` is unset 634c733df Update sandbox_run_linux.go f448fea40 Update container_create.go a64119adf build(deps): bump crate-ci/typos in the actions group 80aa12b19 Use `monitor_env` for calling the OCI runtime 7de043007 Update sandbox_run_linux.go cad07030e Update container_create.go 7e48c71d6 build(deps): bump crate-ci/typos in the actions group 7c3290dea Allow to remove pod sandbox on netns removal 608c89e9c Fix container restore lint report 84ac370c9 build(deps): bump crate-ci/typos in the actions group 29a0b9429 Fix NRI CLI flags e5bddc646 Call network plugin GC on startup 7a29433e7 build(deps): bump codecov/codecov-action in the actions group 44429579c build(deps): bump codecov/codecov-action in the actions group 6ca411a93 RuntimeHandler inheritance bug-fix 72fa20e93 build(deps): bump codecov/codecov-action in the actions group 02e5817d2 Add `--pull-progress-timeout` / `pull_progress_timeout` option 8b8be22a7 Use `slices.Equal` instead of custom implementation 19ac18b4e Update golangci-lint to v1.62.0 4d79d6b75 build(deps): bump the actions group with 2 updates 76049febe RuntimeHandler inheritance e4bd1caee refactor cert 19efac249 vendor cni 0.4.3 426244c73 Make dual-stack hostport test reuse same test data as single-stack tests f812c5aae Update and fix nix packages 8462bc745 remove validation for TLSCA. 50fbdcc01 Further hostport unit test cleanup 7ea8faf1a Fix ids/IPs in hostport manager test cases 74598c4cd Improve HostPortManager unit tests checking 0ff4e7cc3 Split hostport test case data out of the actual test functions f62645f93 build(deps): bump crate-ci/typos in the actions group ee6d71d09 Use google.golang.org/protobuf instead of gogo 680efef80 build(deps): bump crate-ci/typos in the actions group 0470ab6ed Validate stream server TLS config on startup 429ef7c36 Only restore container if all bind mounts are defined f552e82b0 Convert `interface{}` to `any` 87d6b6076 Fix `typos` in CI 2c015a3ac Remove dead code in HostportManager 9c008e890 expose Pod assigned IPs to NRI plugins bf1c47b50 bump nri version to get PodIPs 595557cb8 build(deps): bump crate-ci/typos in the actions group f7116fbe5 build(deps): bump the actions group with 2 updates 30f48c5ba Disable actuated runners 30a262354 Move interceptors and metrics collector packages f50d181a1 Use context for logging in server d4c613d39 Switch to golang native context 20bc86cde Remove unused server metrics interceptor 09ac8a590 Centralize handling of CreateContainerRequest.PodSandboxId cdd37ebe4 Remove the option to load a sandbox ID from the snapshot image 431f66a9a Fail in CRImportCheckpoint earlier if we should be enforcing signatures 8031b6270 Consistently use someNameOf{The,This}Image for that kind of value 4302e0a63 go.{mod,sum}: update NRI deps and re-vendor. 28069c8f2 build(deps): bump crate-ci/typos in the actions group 48d45ccf5 build(deps): bump the actions group with 3 updates b6e9d6d68 Add `crio status heap` and `/debug/heap` endpoint a2e62f24d nix: don't build gpgme with `--enable-fixed-path` b13e45f4b pass cliContext instead of creating a new one 0d68102f8 Remove the first return value of PullImage 06993f4ba After pulling the pause image, use the canonical reference to look it up 4c164f5e3 Add a warning about assuming per-namespace policies are stricter b56ddca32 Add a comment warning against repeated lookups 3f9b09e44 Consistently use the UserRequestedImage for the lookup input fffc734c8 Simplify BROKEN pullImageOutputItem 0b184e47e Return a RegistryImageReference instead of reference.Canonical from PullImage a2e29ba09 Better document, and sometimes rename, parameters and return values c91de5884 Add a comment about possible future handling of complex situations. 899266bb2 Inline prepareReference into its only caller ca1b55010 Remove no longer used code 14f4c6482 Fix build on macOS d0a64e27b build(deps): bump crate-ci/typos in the actions group b280cb565 vendor: bump runc to v.1.2.0 722f70ca3 utils: use moby/sys/user 1b7a8dfd2 internal/dbusmgr: use moby/sys/userns 2665ada11 crio status: add `goroutines` subcommand dcc2a7587 build(deps): bump actions/cache from 4.1.1 to 4.1.2 in the actions group fbbc7bfd5 Refactor memory stores to use generics 3ef549868 Simplify container stop in sandbox 9e01a99ed Remove `skip_pod_runtime` build tag 83ba7fe9b Update zeitgeist to v0.5.4 509de1aba ci: bump cri-o spec version to be higher than any cri-o version running 82fe372c1 Update gomock to v0.5.0 a271b4a79 seccomp_unsupported.go: Fix lint issues 7849e3efc Re-allow building without seccomp installed 2a42045ad Use context timeout/deadline for container stop d1e817f14 Refactor sandbox label usage 937d24316 Refactoring factory/container to remove references of snadbox ba13b2bac upgrade runc to v.1.1.15 9254b36d5 Re-enable exit code matching in restore test d93ce4cc7 build(deps): bump actions/upload-artifact in the actions group a5ee1950a build(deps): bump the actions group with 2 updates 589720f14 contrib/test: avoid running setup tasks twice a7c46dd67 build(deps): bump the actions group across 1 directory with 8 updates 098ae5d66 Use `SignatureValidationFailed` CRI error for invalid signatures 69b4635b0 Mark `release-1.28` as EOL 5a1d62f8f Update nixpkgs d688986db build(deps): bump github.com/containers/common from 0.60.2 to 0.60.4 6a6f57011 config: fix validation of allowed annotations 236d336fb config: pass down PullOptions from the storage configuration eda8023ff test: fix empty pinned_images test c02f9bb21 tests: improve wait_for_log to allow multiple calls for the same message ddb79873d build(deps): bump peter-evans/create-pull-request in the actions group adf2ca5f4 Don't rely on vendored tools 44def2c87 build(deps): bump the actions group across 1 directory with 2 updates dea93eeb8 Bump release-notes to v0.17.8 4a2d29e65 image: serialize RegistryImageReferences when checking signatures c7a819d3e Update golangci-lint to v1.61.0 dc087b219 Update nixpkgs f030d3596 Update release and branching versions a73311497 build(deps): bump the actions group across 1 directory with 3 updates 333530298 Use go 1.23 for nix (static) builds 915393f96 Switch to `RFC3339Nano` log format d85ae5293 Make unit tests independent from third party binaries 8b2872139 Use nanosecond timestamp for evented pleg pod status 9910c39e1 Pin govulncheck to specific version to match Go version requirements 44e0241f8 Enable more crun integration tests 66c010968 refactoring: get some spec generation code out of createSandboxContainer() 0418b5d5c cleanup: refactoring createSandboxContainers() b0b584ac8 refactoring: create a container.SpecSetLinuxContainerResources() function 8ec1805e6 refactoring: create a container.SpecSetPrivileges() function Signed-off-by: Bruce Ashfield

cri-o: fix textrel QA issue

2025-01-17T19:17:10+00:00

Basically we pass "-buildmode=pie" to fix textrel QA issue. A new patch is added and submitted to upstream: 0001-Makefile-introduce-GO_TEST-for-more-flexible-configu.patch. With this new patch, the old patch, 0001-Add-trimpath-to-build-nri.test.patch, could be dropped. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield

cri-o: fix already-stripped QA issue and clean up

2025-01-17T19:17:09+00:00

Set DEBUG=1 to avoid stripping. See https://github.com/cri-o/cri-o/blob/main/Makefile#L93 Set STRIP=true to avoid stripping bin/pinns. See https://github.com/cri-o/cri-o/blob/main/pinns/Makefile#L4 ALLOW_EMPTY:${PN} = "1" is not needed. Remove it. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield

cri-o: update to v1.31.4-tip

2025-01-17T19:17:09+00:00

Bumping cri-o to version v1.31.4, which comprises the following commits: 8aa8c7e42 server: fix panic when default annotations are specified 88939baf2 version: bump to 1.31.4 284eb9327 config: add default_annotations 26bb3c96a Allow to remove pod sandbox on netns removal cf112c696 Disable actuated runners 0b449cebc version: bump to 1.31.3 ee2d73252 Fix container restore lint report 6aa6cbcb4 Only restore container if all bind mounts are defined 165504928 Add `--pull-progress-timeout` / `pull_progress_timeout` option d3f39eaa9 RuntimeHandler inheritance bug-fix c65eb63b1 RuntimeHandler inheritance c918a52d1 nix: don't build gpgme with `--enable-fixed-path` 677d91db3 version: bump to 1.31.2 f334f80c3 config: fix validation of allowed annotations e0fe09609 Cherry-pick changes from containers/storage/pull#2134 cae8a3ab5 Cherry-pick changes from containers/common/pull#2185 e9deb6cde version: bump to 1.31.1 b6226b8a3 config: pass down PullOptions from the storage configuration a673a7ca4 test: fix empty pinned_images test 7d4f035b5 tests: improve wait_for_log to allow multiple calls for the same message 2d27da0f3 image: serialize RegistryImageReferences when checking signatures 4b55a1107 Pin govulncheck to specific version to match Go version requirements abb6a439d Use nanosecond timestamp for evented pleg pod status fbd73b339 test: fix CR test by unsetting SIGNATURE_POLICY a379923f5 server/restore: mark signature validation incompatible with restore 1a9d36494 server: document difference between userRequestedImage/userSpecifiedImage 50075247a server: use imageID instead of a random digest 0dd7eaffe server: only check signatures if namespaced policy is defined ec8545d2d server: use cached restore value instead of recomputing 7a67eb72b store canonical ref differently 1444e69d9 test: fix crun-wasm test to handle requirement of user_specified_image 6edecf30e Image verificaiton for namespaced policies 9d3da707d Revert "contrib: temporarily move to crun 1.15 to fix CI" e54ea3407 Fix invalid syntax in test workflow fc262592f ci: run setup commands for e2e because they weren't done for some reason d24529f7d build(deps): bump the actions group with 2 updates efa1690c0 test: setup runtimes correctly so drop-ins work bfc509cd7 test: comment out ARM image digest as it's unused 45ee51d01 test: update memory limit tests to not be in image.bats 29803ef24 test: fix config test fe5bdeb3b gh actions: set crun instead of runc f174d5a3d oci: allow double delete 624b15b9c gh actions: spoof crun for unit tests on arm64 afe78eb68 config: refactor min memory handling a bit d2cb4e4ae config: update min memory to account for crun 5e21d495c config: default to crun c32f7b02a build(deps): bump crate-ci/typos in the actions group 2b8dfdf48 build(deps): bump github.com/opencontainers/runc in the gomod group 3fe3b4e81 build(deps): bump peter-evans/create-pull-request in the actions group d23951276 refactor seccomp f81fea25f Modify test case to verify blocking of clone 7d0d6ad49 Filter namespace creation args to clone in default seccomp policy cc8b071b1 build(deps): bump the gomod group across 1 directory with 3 updates f7fee64a7 build(deps): bump the actions group with 2 updates dd0cb08d8 Update golangci-lint to v1.60.3 for better go 1.23 compatibility 1f212dc7b Add Makefile help 9ad5c5aed Add additional bind mount to image volumes ff73a7a0b Fix Makefile `$PWD` when running using `sudo` 2c37d262f Make `prettier` target run in a privileged container 33fb00528 Fix lint b1bf40749 build(deps): bump google-github-actions/upload-cloud-storage 1beb59cb8 build(deps): bump the gomod group across 1 directory with 8 updates ba846966f config: add /dev/net/tun to default allowed devices 3ef7f9de4 build(deps): bump crate-ci/typos in the actions group f7e8682ef Add `{verify-}prettier` makefile targets 53d958fa3 Change default tracing endpoint to 127.0.0.1 9d1a5f437 build(deps): bump crate-ci/typos in the actions group 13e701563 build(deps): bump github.com/onsi/ginkgo/v2 in the gomod group e83973d7d Run prettier on supported files 8269859fd Make static build a GitHub action matrix 09bb40438 Change profile endpoint to 127.0.0.1 5f95cb5ce build(deps): bump the gomod group across 1 directory with 3 updates aa1ca0d47 build(deps): bump google-github-actions/auth in the actions group f83861120 build(deps): bump google-github-actions/upload-cloud-storage a8950ce30 Pass around more contexts in hooks and metrics 7472e56e9 Trigger `test` workflow after release branch fast forward 6fb6e8d16 Run the runtime RuntimeType validation first dff5305bb Avoid potential reallocs by pre-sizing some slices Signed-off-by: Bruce Ashfield