-------------------------------------------------------------------
Thu Sep 5 08:10:30 UTC 2019 - Sascha Grunert

- Add patch for CVE-2019-10214. bsc#1144065
  + CVE-2019-10214.patch

-------------------------------------------------------------------
Tue May 21 09:04:25 UTC 2019 - Maximilian Meister

- Update cri-o to v1.11.14

-------------------------------------------------------------------
Tue Dec 18 12:11:06 UTC 2018 - jmassaguerpla@suse.com

- Update go requirements to >= go1.10.6 to fix
  * bsc#1118897 CVE-2018-16873
    go#29230 cmd/go: remote command execution during "go get -u"
  * bsc#1118898 CVE-2018-16874
    go#29231 cmd/go: directory traversal in "go get" via curly braces
    in import paths
  * bsc#1118899 CVE-2018-16875
    go#29233 crypto/x509: CPU denial of service

-------------------------------------------------------------------
Wed Nov 7 13:33:14 UTC 2018 - Valentin Rothberg

- Set NOFILE and NPROC limit to 1048576 to align with Docker/containerd
  and the upstream unit file. Fix bsc#1112980

-------------------------------------------------------------------
Tue Jul 10 05:52:56 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.10.6:
  * mask /proc/{acpi,keys} bsc#1100838
  * fix race between container create and cadvisor asking for info

-------------------------------------------------------------------
Mon Jul 2 06:03:24 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.10.5:
  * Reduce amount of logs being printed by default
  * Update to latest ocicni

-------------------------------------------------------------------
Wed Jun 27 05:42:58 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.10.4:
  * network: Fix manage NetworkNS lifecycle
  * sandbox_run: fix selinux relabel sharing
  * container_create: more selinux relabel fixes
  * container_create: correctly relabel mounts when asked

-------------------------------------------------------------------
Mon Jun 18 05:53:32 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.10.3:
  * container_portforward: add support for short pod IDs
  * container_create: no privileged container if not privileged sandbox
  * container_create: always mount sysfs as rw for privileged containers
  * container_create: set rw for privileged containers
  * conmon: on a flush error discard the iov buffer

-------------------------------------------------------------------
Fri Jun 15 08:35:42 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.10.2:
  * various improvements to conmon
  * oci: avoid race on container stop
  * image: Let size be calculated dynamically
  * Add support for short IDs for exec and attach
  * Make network namespace lifecycle management optional
  * container_exec: Fix terminal setting for exec
  * oci: Force kill the container process only if nothing else worked
  * Add extra info to verbose requests to PodSandboxStatus
  * Make conmon and crio share the same constants
  * conmon: catch SIGTERM, SIGINT and SIGQUIT
  * Invalidate cache by building fresh one and replacing previous all at once
  * Enable per pod PID namespace setting
  * Make the /opt/cni mount rw
  * conmon: add new option --version
  * oci: Copy-edits for waitContainerStop chControl comment
  * system container: add /var/tmp as RW
  * container_status: expose LogPath as requested by the CRI
  * container_create: only bind mount /etc/hosts if not provided by k8s
  * kubernetes: Simplify and freshen the required-files table
  * Report a warning when no stages are defined for a hook

-------------------------------------------------------------------
Mon Jun 11 12:36:08 UTC 2018 - vrothberg@suse.com

- Use actual tag for v1.9.13. Upstream missed to set a tag and the last
  revision mistakenly set it to v1.9.14-dev instead of v1.9.13.

-------------------------------------------------------------------
Thu Jun 7 06:22:41 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.13:
  * runtime_status: report correct network status
  * container_status: expose LogPath as requested by the CRI bsc#1095154

-------------------------------------------------------------------
Tue Jun 5 08:26:28 UTC 2018 - dcassany@suse.com

- Refactor %license usage to a simpler form

-------------------------------------------------------------------
Mon Jun 4 14:33:03 UTC 2018 - dcassany@suse.com

- Make use of %license macro

-------------------------------------------------------------------
Fri May 4 14:17:57 CEST 2018 - ndas@suse.de

- use correct path for runc

-------------------------------------------------------------------
Thu Apr 12 12:47:07 UTC 2018 - fcastelli@suse.com

- Put cri-o daemon under the podruntime slice. This is the recommended
  deployment to allow fine resource control on Kubernetes.
  bsc#1086185

-------------------------------------------------------------------
Wed Apr 11 06:44:34 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.11:
  * oci: avoid race on container stop
  * server/sandbox_stop: Pass context through StopAllPodSandboxes
  * conmon: Add container ID to syslog
  * Add logging support for base condition in debug
  * Simplify filter block
  * Specifying a filter with no filtering expressions is now idempotent
  * Add methods for listing and fetching container stats
  * Implement the stats for the image_fs_info command
  * Return error for container exec

-------------------------------------------------------------------
Thu Mar 15 15:21:50 UTC 2018 - vrothberg@suse.com

- Require cni and cni-plugins to enable container networking.
  feature#crio

-------------------------------------------------------------------
Thu Mar 15 06:43:33 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.10:
  * conmon: Avoid strlen in logging path
  * conmon: Remove info logs
  * container_exec: Fix terminal setting for exec

-------------------------------------------------------------------
Mon Mar 12 07:07:39 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.9:
  * sandbox_stop: Call CNI stop before stopping pod infra container

-------------------------------------------------------------------
Thu Mar 8 09:25:41 UTC 2018 - vrothberg@suse.com

- Remove the crio-shutdown.service. It does not have any effect when
  shutting down crio and also isn't shipped on Fedora.
  - crio-shutdown.service

-------------------------------------------------------------------
Mon Mar 5 12:50:03 UTC 2018 - vrothberg@suse.com

- crio.conf: update default socket to /var/run/crio/crio.sock as
  suggested by upstream.

-------------------------------------------------------------------
Mon Mar 5 10:10:16 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.8:
  * system_containers: Update mounts
  * execsync: Set terminal to true when we pass -t to conmon
  * Make network namespace pinning optional
  * Add context to net ns symlink removal errors
  * Make the /opt/cni mount rw
  * sandbox_stop: close/remove the netns _after_ stopping the containers
  * sandbox net: set netns closed after actually closing it

-------------------------------------------------------------------
Mon Mar 5 10:07:54 UTC 2018 - vrothberg@suse.com

- Configuration files should generally be tagged as %config(noreplace)
  in order to keep the modified config files and to avoid losing data
  when the package is being updated.

-------------------------------------------------------------------
Sat Mar 3 13:38:57 UTC 2018 - vrothberg@suse.com

- Remove empty filter rule from cri-o-rpmlintrc, which was mistakenly
  masking a few warnings, some of which have been fixed, others need to
  be filtered.
  conmon and pause are not compiled with -fpie anymore to align with
  what upstream does; linking fails when done properly.

-------------------------------------------------------------------
Fri Mar 2 18:12:59 UTC 2018 - fcastelli@suse.com

- Update minimum version of the Go compiler required

-------------------------------------------------------------------
Fri Mar 2 18:07:54 UTC 2018 - fcastelli@suse.com

- Add missing runtime dependencies: socat, iptables, iproute

-------------------------------------------------------------------
Wed Feb 28 11:35:27 UTC 2018 - vrothberg@suse.com

- Change the installation path of conmon and pause from /usr/lib/crio
  to /usr/lib/crio/bin in order to align with upstream requirements.
- Update crio.conf to reflect the new path of conmon and set the
  correct path of CNI plugins (i.e., /usr/lib/cni).

-------------------------------------------------------------------
Tue Feb 20 15:27:01 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.6:
  * vendor: update c/image to handle text/plain from registries
    Fixes cases where text/plain s1 schemes are mistakenly converted
    to MIME.

-------------------------------------------------------------------
Sun Feb 18 12:42:18 UTC 2018 - jengelh@inai.de

- Let description say what the package really does.

-------------------------------------------------------------------
Fri Feb 16 11:52:12 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.5:
  * system container: add /var/tmp as RW
  * container_create: correctly set user
  * imageService: cache information about images
  * image: Add lock around image cache access

-------------------------------------------------------------------
Fri Feb 16 11:34:34 UTC 2018 - vrothberg@suse.com

- Cleanup version-update related changelogs to only keep log entries of
  changes that are visible and important to the user, and the project.

-------------------------------------------------------------------
Mon Feb 12 11:59:53 UTC 2018 - vrothberg@suse.com

- Add requirements to libcontainers-{common,image,storage}.
- Run spec-cleaner on cri-o.spec.

-------------------------------------------------------------------
Mon Feb 12 06:43:30 UTC 2018 - vrothberg@suse.com

- Update cri-o to v1.9.3:
  * Be more diligent about cleaning up failed-to-create containers
  * Use crictl instead of crioctl in image integration tests
  * Handle truncated IDs in imageService.ResolveNames()
  * Switch to ImageServer.UntagImage in RemoveImage handler
  * Return image references from the storage package
  * storage: API fixups

-------------------------------------------------------------------
Fri Feb 9 14:30:49 UTC 2018 - vrothberg@suse.com

- Use golang-packaging macro for binary stripping.
- Use -buildmode=pie for compilation.
- The update to 1.9.0+ removes the crioctl binary. The crictl binary
  from cri-tools should be used instead.
- Update cri-o to v1.9.2:
  * sandbox: fix sandbox logPath when crio restarts
  * Adapt to recent containers/image API updates
  * container_create: only bind mount /etc/hosts if not provided by k8s
  * container_attach: Ensure ctl file is closed
  * lib,oci: drop stateLock when possible
  * container_exec: fix terminal true process json
  * container_create: fix apparmor from container config
  * container_create: correctly set image and kube envs
  * oci: do not append conmon env to container process
  * container_exec: use process file with runc exec
  * drop crioctl source code
  * conmon: Add support for partial/newline log tags
  * image_pull: fix image resolver
  * Add /proc/scsi to masked paths
  * replace crioctl with crictl
  * replace crioctl in e2e with crictl
  * Move crio default sock to /var/run/crio/crio.sock
  * container_create: set the seccomp profile in the container object

-------------------------------------------------------------------
Mon Feb 5 06:36:55 UTC 2018 - vrothberg@suse.com

- Fix libostree-devel %if
  condition for TW, Leap 15+ and SLES 15+.

-------------------------------------------------------------------
Thu Feb 1 09:16:23 UTC 2018 - vrothberg@suse.com

- Use `%fdupes %buildroot/%_prefix` since `fdupes %buildroot` is not
  allowed because you cannot make hardlinks between certain partitions.

-------------------------------------------------------------------
Wed Jan 31 11:40:32 UTC 2018 - vrothberg@suse.com

- Source the cri-o-rpmlintrc in the spec file.

-------------------------------------------------------------------
Tue Jan 30 15:32:32 UTC 2018 - vrothberg@suse.com

- Add cri-o package: CRI-O is meant to provide an integration path
  between OCI conformant runtimes and the kubelet. Specifically, it
  implements the Kubelet Container Runtime Interface (CRI) using OCI
  conformant runtimes. The scope of CRI-O is tied to the scope of the
  CRI.