Merge pull request #4703 from afbjorklund/crio-v1.15.0

Upgrade crio to 1.15.0

deploy/iso/minikube-iso/package/crio-bin/conmon-config.h

@@ -0,0 +1,9 @@
+
+#if !defined(CONFIG_H)
+#define CONFIG_H
+
+#define BUF_SIZE 8192
+#define STDIO_BUF_SIZE 8192
+#define DEFAULT_SOCKET_PATH "/var/run/crio"
+
+#endif // CONFIG_H

deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash

@@ -5,3 +5,4 @@ sha256 92588998dbb79002c38f65f84602b5659f0d0ef1cd36b1a568a2e40269b66816 v1.13.0.
 sha256 48e7cf64a757d62a3edf214e1b93b74d99f090ca924f956ede2494a260eab2db v1.13.1.tar.gz
 sha256 7435c4745017f06c260973b049440d924efe65b0df008d14175dfb8f5e23b599 v1.14.0.tar.gz
 sha256 1f6f72b1f89d4286b2d5b54a48f4d5ed4c0c01065d484635dcb343a706feb743 v1.14.1.tar.gz
+sha256 f7041a92e2d3a4c341be8df58f1076ba57ecb5daa02b6c65e652530c5f242739 v1.15.0.tar.gz

deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-CRIO_BIN_VERSION = v1.14.1
-CRIO_BIN_COMMIT = b7644f67e6383cc862b3e37fb74fba334b0b2721
-CRIO_BIN_SITE = https://github.com/kubernetes-sigs/cri-o/archive
+CRIO_BIN_VERSION = v1.15.0
+CRIO_BIN_COMMIT = 485227d727401fa0472a449b5df3b0537e314ebb
+CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
 CRIO_BIN_GOPATH = $(@D)/_output
@@ -23,8 +23,10 @@ define CRIO_BIN_USERS
 endef
 
 define CRIO_BIN_CONFIGURE_CMDS
-	mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-sigs
-	ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-sigs/cri-o
+	mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/cri-o
+	ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/cri-o/cri-o
+	# Generate conmon/config.h with a simplified bin/crio-config
+	$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) BUILDTAGS="containers_image_ostree_stub exclude_graphdriver_btrfs exclude_graphdriver_devicemapper containers_image_openpgp" conmon/config.h
 endef
 
 define CRIO_BIN_BUILD_CMDS
@@ -45,9 +47,6 @@ define CRIO_BIN_INSTALL_TARGET_CMDS
 	$(INSTALL) -Dm755 \
 		$(@D)/bin/pause \
 		$(TARGET_DIR)/usr/libexec/crio/pause
-	$(INSTALL) -Dm644 \
-		$(@D)/seccomp.json \
-		$(TARGET_DIR)/etc/crio/seccomp.json
 	$(INSTALL) -Dm644 \
 		$(BR2_EXTERNAL_MINIKUBE_PATH)/package/crio-bin/crio.conf \
 		$(TARGET_DIR)/etc/crio/crio.conf

deploy/iso/minikube-iso/package/crio-bin/crio-bin.patch

@@ -0,0 +1,39 @@
+diff --git a/Makefile b/Makefile
+index de79f63..a9ea13b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -136,7 +136,7 @@ crio.conf: bin/crio
+ release-note: ${RELEASE_TOOL}
+ 	${RELEASE_TOOL} -n $(release)
+ 
+-conmon/config.h: git-vars cmd/crio-config/config.go oci/oci.go
++conmon/config.h: cmd/crio-config/config.go oci/oci.go
+ 	$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS)" -o bin/crio-config $(PROJECT)/cmd/crio-config
+ 	( cd conmon && $(CURDIR)/bin/crio-config )
+ 
+diff --git a/cmd/crio/main.go b/cmd/crio/main.go
+index 0bc347a..ab9969f 100644
+--- a/cmd/crio/main.go
++++ b/cmd/crio/main.go
+@@ -207,7 +207,7 @@ func mergeConfig(config *server.Config, ctx *cli.Context) (string, error) {
+ }
+ 
+ func writeCrioGoroutineStacks() {
+-	path := filepath.Join("/tmp", fmt.Sprintf("crio-goroutine-stacks-%s.log", strings.ReplaceAll(time.Now().Format(time.RFC3339), ":", "")))
++	path := filepath.Join("/tmp", fmt.Sprintf("crio-goroutine-stacks-%s.log", strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)))
+ 	if err := utils.WriteGoroutineStacksToFile(path); err != nil {
+ 		logrus.Warnf("Failed to write goroutine stacks: %s", err)
+ 	}
+diff --git a/oci/runtime_vm.go b/oci/runtime_vm.go
+index 57a1fde..64f853f 100644
+--- a/oci/runtime_vm.go
++++ b/oci/runtime_vm.go
+@@ -172,7 +172,7 @@ func (r *runtimeVM) startRuntimeDaemon(c *Container) error {
+ 	args = append(args, "start")
+ 
+ 	// Modify the runtime path so that it complies with v2 shim API
+-	newRuntimePath := strings.ReplaceAll(r.path, "-", ".")
++	newRuntimePath := strings.Replace(r.path, "-", ".", -1)
+ 
+ 	// Setup default namespace
+ 	r.ctx = namespaces.WithNamespace(r.ctx, namespaces.Default)

deploy/iso/minikube-iso/package/crio-bin/crio.conf

@@ -5,6 +5,11 @@
 #
 # Please refer to crio.conf(5) for details of all configuration options.
 
+# CRI-O supports partial configuration reload during runtime, which can be
+# done by sending SIGHUP to the running process. Currently supported options
+# are explicitly mentioned with: 'This option supports live configuration
+# reload'.
+
 # CRI-O reads its storage defaults from the containers-storage.conf(5) file
 # located at /etc/containers/storage.conf. Modify this storage configuration if
 # you want to change the system's defaults. If you want to modify storage just
@@ -28,9 +33,11 @@ storage_driver = "overlay"
 #]
 
 # If set to false, in-memory locking will be used instead of file-based locking.
-file_locking = true
+# **Deprecated** this option will be removed in the future.
+file_locking = false
 
 # Path to the lock file.
+# **Deprecated** this option will be removed in the future.
 file_locking_path = "/run/crio.lock"
 
 
@@ -90,6 +97,9 @@ no_pivot = true
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/libexec/crio/conmon"
 
+# Cgroup setting for conmon
+conmon_cgroup = "pod"
+
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
 conmon_env = [
@@ -100,8 +110,9 @@ conmon_env = [
 selinux = false
 
 # Path to the seccomp.json profile which is used as the default seccomp profile
-# for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
+# for the runtime. If not specified, then the internal default seccomp profile
+# will be used.
+seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
@@ -185,9 +196,13 @@ container_attach_socket_dir = "/var/run/crio"
 read_only = false
 
 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, and debug.
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
 log_level = "error"
 
+# The default log directory where all logs will go unless directly specified by the kubelet
+log_dir = "/var/log/crio/pods"
+
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -202,15 +217,19 @@ gid_mappings = ""
 # regarding the proper termination of the container.
 ctr_stop_timeout = 0
 
-  # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
-  # The runtime to use is picked based on the runtime_handler provided by the CRI.
-  # If no runtime_handler is provided, the runtime will be picked based on the level
-  # of trust of the workload.
-  
-  [crio.runtime.runtimes.runc]
-  runtime_path = "/usr/bin/runc"
-  runtime_type = "oci"
-  
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false
+
+# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
+# The runtime to use is picked based on the runtime_handler provided by the CRI.
+# If no runtime_handler is provided, the runtime will be picked based on the level
+# of trust of the workload.
+
+[crio.runtime.runtimes.runc]
+runtime_path = "/usr/bin/runc"
+runtime_type = "oci"
+runtime_root = "/run/runc"
 
 
 # The crio.image table contains settings pertaining to the management of OCI images.
@@ -225,14 +244,21 @@ ctr_stop_timeout = 0
 # Default transport for pulling images from a remote container storage.
 default_transport = "docker://"
 
+# The path to a file containing credentials necessary for pulling images from
+# secure registries. The file is similar to that of /var/lib/kubelet/config.json
+global_auth_file = ""
+
 # The image used to instantiate infra containers.
+# This option supports live configuration reload.
 pause_image = "k8s.gcr.io/pause:3.1"
 
-# If not empty, the path to a docker/config.json-like file containing credentials
-# necessary for pulling the image specified by pause_image above.
+# The path to a file containing credentials specific for pulling the pause_image from
+# above. The file is similar to that of /var/lib/kubelet/config.json
+# This option supports live configuration reload.
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
+# This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -264,6 +290,6 @@ registries = [
 network_dir = "/etc/cni/net.d/"
 
 # Paths to directories where CNI plugin binaries are located.
-plugin_dir = [
+plugin_dirs = [
 	"/opt/cni/bin/",
 ]

deploy/iso/minikube-iso/package/crio-bin/crio.conf.default

@@ -5,6 +5,11 @@
 #
 # Please refer to crio.conf(5) for details of all configuration options.
 
+# CRI-O supports partial configuration reload during runtime, which can be
+# done by sending SIGHUP to the running process. Currently supported options
+# are explicitly mentioned with: 'This option supports live configuration
+# reload'.
+
 # CRI-O reads its storage defaults from the containers-storage.conf(5) file
 # located at /etc/containers/storage.conf. Modify this storage configuration if
 # you want to change the system's defaults. If you want to modify storage just
@@ -20,7 +25,7 @@
 
 # Storage driver used to manage the storage of images and containers. Please
 # refer to containers-storage.conf(5) to see all available storage drivers.
-#storage_driver = "overlay"
+#storage_driver = ""
 
 # List to pass options to the storage driver. Please refer to
 # containers-storage.conf(5) to see all available storage options.
@@ -28,9 +33,11 @@
 #]
 
 # If set to false, in-memory locking will be used instead of file-based locking.
-file_locking = true
+# **Deprecated** this option will be removed in the future.
+file_locking = false
 
 # Path to the lock file.
+# **Deprecated** this option will be removed in the future.
 file_locking_path = "/run/crio.lock"
 
 
@@ -90,6 +97,9 @@ no_pivot = false
 # Path to the conmon binary, used for monitoring the OCI runtime.
 conmon = "/usr/local/libexec/crio/conmon"
 
+# Cgroup setting for conmon
+conmon_cgroup = "pod"
+
 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
 conmon_env = [
@@ -100,8 +110,9 @@ conmon_env = [
 selinux = false
 
 # Path to the seccomp.json profile which is used as the default seccomp profile
-# for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
+# for the runtime. If not specified, then the internal default seccomp profile
+# will be used.
+seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
@@ -185,9 +196,13 @@ container_attach_socket_dir = "/var/run/crio"
 read_only = false
 
 # Changes the verbosity of the logs based on the level it is set to. Options
-# are fatal, panic, error, warn, info, and debug.
+# are fatal, panic, error, warn, info, and debug. This option supports live
+# configuration reload.
 log_level = "error"
 
+# The default log directory where all logs will go unless directly specified by the kubelet
+log_dir = "/var/log/crio/pods"
+
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -202,15 +217,19 @@ gid_mappings = ""
 # regarding the proper termination of the container.
 ctr_stop_timeout = 0
 
-  # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
-  # The runtime to use is picked based on the runtime_handler provided by the CRI.
-  # If no runtime_handler is provided, the runtime will be picked based on the level
-  # of trust of the workload.
-  
-  [crio.runtime.runtimes.runc]
-  runtime_path = "/usr/bin/runc"
-  runtime_type = "oci"
-  
+# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+# and manage its lifecycle.
+manage_network_ns_lifecycle = false
+
+# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
+# The runtime to use is picked based on the runtime_handler provided by the CRI.
+# If no runtime_handler is provided, the runtime will be picked based on the level
+# of trust of the workload.
+
+[crio.runtime.runtimes.runc]
+runtime_path = ""
+runtime_type = "oci"
+runtime_root = "/run/runc"
 
 
 # The crio.image table contains settings pertaining to the management of OCI images.
@@ -225,14 +244,21 @@ ctr_stop_timeout = 0
 # Default transport for pulling images from a remote container storage.
 default_transport = "docker://"
 
+# The path to a file containing credentials necessary for pulling images from
+# secure registries. The file is similar to that of /var/lib/kubelet/config.json
+global_auth_file = ""
+
 # The image used to instantiate infra containers.
+# This option supports live configuration reload.
 pause_image = "k8s.gcr.io/pause:3.1"
 
-# If not empty, the path to a docker/config.json-like file containing credentials
-# necessary for pulling the image specified by pause_image above.
+# The path to a file containing credentials specific for pulling the pause_image from
+# above. The file is similar to that of /var/lib/kubelet/config.json
+# This option supports live configuration reload.
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
+# This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -263,6 +289,6 @@ image_volumes = "mkdir"
 network_dir = "/etc/cni/net.d/"
 
 # Paths to directories where CNI plugin binaries are located.
-plugin_dir = [
+plugin_dirs = [
 	"/opt/cni/bin/",
 ]