diff --git a/deploy/iso/minikube-iso/package/conmon-master/conmon-master.hash b/deploy/iso/minikube-iso/package/conmon-master/conmon-master.hash
index 14ed1bd8e9b9..7576ee3e24bf 100644
--- a/deploy/iso/minikube-iso/package/conmon-master/conmon-master.hash
+++ b/deploy/iso/minikube-iso/package/conmon-master/conmon-master.hash
@@ -1,3 +1,4 @@
 # Locally computed
 sha256 4f978a59c6ee516f7e3febfb3b0360a17d1be2c283313e1aeb27adcb8c8f9166 dde3ccf93f01ce5a3e0f7a2c97053697cc3ed152.tar.gz
 sha256 75fad6e66b43c5039719edbd82ba072723aea6a9d4d8be4e7ac1c245a291ab1b 8455ce1ef385120deb827d0f0588c04357bad4c4.tar.gz
+sha256 6c9bf278ae6e125a39f1ae419e5bd314162a743f6587d70b1b6be095ac32b9af eb5fa88c26fde5ce1e3f8a1d2a8a9498b2d7dbe6.tar.gz
diff --git a/deploy/iso/minikube-iso/package/conmon-master/conmon-master.mk b/deploy/iso/minikube-iso/package/conmon-master/conmon-master.mk
index 17bca7e61ea7..b45f8b306978 100644
--- a/deploy/iso/minikube-iso/package/conmon-master/conmon-master.mk
+++ b/deploy/iso/minikube-iso/package/conmon-master/conmon-master.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
-# HEAD as of 2019-06-13
-CONMON_MASTER_VERSION = 8455ce1ef385120deb827d0f0588c04357bad4c4
+# HEAD as of 2019-11-11
+CONMON_MASTER_VERSION = eb5fa88c26fde5ce1e3f8a1d2a8a9498b2d7dbe6
 CONMON_MASTER_SITE = https://github.com/containers/conmon/archive
 CONMON_MASTER_SOURCE = $(CONMON_MASTER_VERSION).tar.gz
 CONMON_MASTER_LICENSE = Apache-2.0
@@ -13,18 +13,12 @@ CONMON_MASTER_LICENSE_FILES = LICENSE
 CONMON_MASTER_DEPENDENCIES = host-pkgconf
-define CONMON_MASTER_PATCH_PKGCONFIG
- sed -e 's/pkg-config/$$(PKG_CONFIG)/g' -i $(@D)/Makefile
-endef
-
-CONMON_MASTER_POST_PATCH_HOOKS += CONMON_MASTER_PATCH_PKGCONFIG
-
 define CONMON_MASTER_BUILD_CMDS
 $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) GIT_COMMIT=$(CONMON_MASTER_VERSION) PREFIX=/usr
 endef
 define CONMON_MASTER_INSTALL_TARGET_CMDS
- # crio conmon is installed by the crio package, so don't install it here
+ $(INSTALL) -Dm755 $(@D)/bin/conmon $(TARGET_DIR)/usr/libexec/crio/conmon
 $(INSTALL) -Dm755 $(@D)/bin/conmon $(TARGET_DIR)/usr/libexec/podman/conmon
 endef
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
index 7d9897ffd19d..9657fcbb3d45 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.hash
@@ -8,3 +8,4 @@ sha256 1f6f72b1f89d4286b2d5b54a48f4d5ed4c0c01065d484635dcb343a706feb743 v1.14.1.
 sha256 f7041a92e2d3a4c341be8df58f1076ba57ecb5daa02b6c65e652530c5f242739 v1.15.0.tar.gz
 sha256 6218a99877da9b9895e0088944731f5384803c15628d4b3c6b40ba1ddd39e052 v1.15.1.tar.gz
 sha256 70d4c746fe207422c78420dc4239768f485eea639a38c993c02872ec6305dd1d v1.15.2.tar.gz
+sha256 05f9614c4d5970b4662499b84c270b0ab953596ee863dcd09c9dc7a2d2f09789 v1.16.0.tar.gz
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
index 9791804d383c..1447c603bc4a 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-bin.mk
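Review bot: With CONMON_MASTER_PATCH_PKGCONFIG removed, nothing in this file forces conmon's Makefile onto the cross pkg-config any more; the build now relies on the upstream Makefile at the new commit honouring PKG_CONFIG from `$(TARGET_CONFIGURE_OPTS)`, which this diff cannot show. A one-line comment above `define CONMON_MASTER_BUILD_CMDS` stating that assumption, e.g. `# upstream Makefile now reads PKG_CONFIG from the environment; the sed hook is no longer needed`, would stop the next version bump from silently linking against host libraries if upstream changes again. The new `$(INSTALL) -Dm755 ... /usr/libexec/crio/conmon` line writes the exact path crio.conf points at, so the matching removal in crio-bin.mk later in this diff is required to avoid two packages owning the same file.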
@@ -4,14 +4,15 @@
 #
 ################################################################################
-CRIO_BIN_VERSION = v1.15.2
-CRIO_BIN_COMMIT = b7316701c17ebc7901d10a716f15e66008c52525
+CRIO_BIN_VERSION = v1.16.0
+CRIO_BIN_COMMIT = fa99ff4ae2aa45115bf3c6bb33db07191db2518e
 CRIO_BIN_SITE = https://github.com/cri-o/cri-o/archive
 CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz
 CRIO_BIN_DEPENDENCIES = host-go libgpgme
 CRIO_BIN_GOPATH = $(@D)/_output
 CRIO_BIN_ENV = \
 CGO_ENABLED=1 \
+ GO111MODULE=off \
 GOPATH="$(CRIO_BIN_GOPATH)" \
 GOBIN="$(CRIO_BIN_GOPATH)/bin" \
 PATH=$(CRIO_BIN_GOPATH)/bin:$(BR_PATH)
@@ -25,8 +26,8 @@ endef
 define CRIO_BIN_CONFIGURE_CMDS
 mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/cri-o
 ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/cri-o/cri-o
- # Copy pre-generated conmon/config.h - see
- cp $(CRIO_BIN_PKGDIR)/conmon-config.h $(@D)/conmon/config.h
+ # disable the "automatic" go module detection
+ sed -e 's/go help mod/false/' -i $(@D)/Makefile
 endef
 define CRIO_BIN_BUILD_CMDS
@@ -41,9 +42,6 @@ define CRIO_BIN_INSTALL_TARGET_CMDS
 $(INSTALL) -Dm755 \
 $(@D)/bin/crio \
 $(TARGET_DIR)/usr/bin/crio
- $(INSTALL) -Dm755 \
- $(@D)/bin/conmon \
- $(TARGET_DIR)/usr/libexec/crio/conmon
 $(INSTALL) -Dm755 \
 $(@D)/bin/pause \
 $(TARGET_DIR)/usr/libexec/crio/pause
@@ -66,6 +64,9 @@ define CRIO_BIN_INSTALL_INIT_SYSTEMD
 $(INSTALL) -Dm644 \
 $(CRIO_BIN_PKGDIR)/crio.service \
 $(TARGET_DIR)/usr/lib/systemd/system/crio.service
+ $(INSTALL) -Dm644 \
+ $(CRIO_BIN_PKGDIR)/crio-wipe.service \
+ $(TARGET_DIR)/usr/lib/systemd/system/crio-wipe.service
 $(call link-service,crio.service)
 $(call link-service,crio-shutdown.service)
 endef
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio-wipe.service b/deploy/iso/minikube-iso/package/crio-bin/crio-wipe.service
new file mode 100644
index 000000000000..e962cecc3a45
--- /dev/null
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio-wipe.service
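Review bot: The new `sed -e 's/go help mod/false/' -i $(@D)/Makefile` line in CRIO_BIN_CONFIGURE_CMDS exits 0 whether or not the pattern matched, so the first upstream release that renames or drops its `go help mod` probe will silently re-enable module detection while `GO111MODULE=off` in CRIO_BIN_ENV (previous hunk) says the opposite, and the build would then fetch or resolve dependencies in a way this package never verified. Make the patch fail loudly when it no longer applies: `grep -q 'go help mod' $(@D)/Makefile && \` followed by the existing sed line, so a stale assumption breaks the ISO build instead of changing it quietly. The comment `# disable the "automatic" go module detection` should also say why (vendored tree under GOPATH, module mode off), since the reason is what the next maintainer needs when deciding whether to keep it.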
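Review bot: `crio-wipe.service` is installed by the new `$(INSTALL) -Dm644` lines but, unlike `crio.service` and `crio-shutdown.service` two lines below, is never passed to `link-service`, so the `[Install] WantedBy=multi-user.target` section in the new unit file (next file in this diff) is never acted on and the unit only runs because crio.service gains `Requires=crio-wipe.service`. State the activation path once: either add `$(call link-service,crio-wipe.service)` here or drop the `[Install]` section from the unit, so a reader does not have to reconcile two mechanisms. The enclosing define (CRIO_BIN_INSTALL_INIT_SYSTEMD) starts before this hunk.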
@@ -0,0 +1,18 @@
+[Unit]
+Description=CRI-O Auto Update Script
+Before=crio.service
+RequiresMountsFor=/var/lib/containers
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/crio
+EnvironmentFile=-/etc/sysconfig/crio.minikube
+EnvironmentFile=/var/run/minikube/env
+ExecStart=/usr/bin/crio \
+ $CRIO_OPTIONS \
+ $CRIO_MINIKUBE_OPTIONS \
+ wipe
+
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
index 53042aa86f8d..e00070ed8005 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf
@@ -32,14 +32,12 @@ storage_driver = "overlay"
 #storage_option = [
 #]
-# If set to false, in-memory locking will be used instead of file-based locking.
-# **Deprecated** this option will be removed in the future.
-file_locking = false
-
-# Path to the lock file.
-# **Deprecated** this option will be removed in the future.
-file_locking_path = "/run/crio.lock"
+# The default log directory where all logs will go unless directly specified by
+# the kubelet. The log directory specified must be an absolute directory.
+log_dir = "/var/log/crio/pods"
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"
 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
@@ -47,6 +45,9 @@ file_locking_path = "/run/crio.lock"
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"
+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"
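Review bot: `EnvironmentFile=/var/run/minikube/env` carries no `-` prefix, unlike the two sysconfig lines above it, so if that file is missing systemd refuses to start this unit, and since crio.service later in this diff declares `Requires=crio-wipe.service`, CRI-O itself then never comes up. The unit also has no `After=` on whichever unit writes that file (crio.service orders itself after minikube-automount.service; this one does not), so under `Before=crio.service` alone it may run before the file exists. If the env file is optional, write `EnvironmentFile=-/var/run/minikube/env`; if it is mandatory, add the matching `After=`/`Requires=` on its producer and a comment saying so. `wipe` is a destructive operation on container state, so a `Description=` that says what is wiped and when (rather than "Auto Update Script") would help anyone reading `systemctl status` during an incident.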
@@ -62,11 +63,11 @@ stream_enable_tls = false
 stream_tls_cert = ""
 # Path to the key file used to serve the encrypted stream. This file can
-# change, and CRI-O will automatically pick up the changes within 5 minutes.
+# change and CRI-O will automatically pick up the changes within 5 minutes.
 stream_tls_key = ""
 # Path to the x509 CA(s) file used to verify and authenticate client
-# communication with the encrypted stream. This file can change, and CRI-O will
+# communication with the encrypted stream. This file can change and CRI-O will
 # automatically pick up the changes within 5 minutes.
 stream_tls_ca = ""
@@ -95,6 +96,7 @@ default_runtime = "runc"
 no_pivot = false
 # Path to the conmon binary, used for monitoring the OCI runtime.
+# Will be searched for using $PATH if empty.
 conmon = "/usr/libexec/crio/conmon"
 # Cgroup setting for conmon
@@ -116,7 +118,7 @@ seccomp_profile = ""
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
-apparmor_profile = "crio-default-1.15.1"
+apparmor_profile = "crio-default-1.16.0"
 # Cgroup management implementation used for the runtime.
 cgroup_manager = "cgroupfs"
@@ -192,6 +194,9 @@ container_exits_dir = "/var/run/crio/exits"
 # Path to directory for container attach sockets.
 container_attach_socket_dir = "/var/run/crio"
+# The prefix to use for the source of the bind mounts.
+bind_mount_prefix = ""
+
 # If set to true, all containers will run in read-only mode.
 read_only = false
@@ -200,9 +205,6 @@ read_only = false
 # configuration reload.
 log_level = "error"
-# The default log directory where all logs will go unless directly specified by the kubelet
-log_dir = "/var/log/crio/pods"
-
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -224,7 +226,24 @@ manage_network_ns_lifecycle = false
 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
 # If no runtime_handler is provided, the runtime will be picked based on the level
-# of trust of the workload.
+# of trust of the workload. Each entry in the table should follow the format:
+#
+#[crio.runtime.runtimes.runtime-handler]
+# runtime_path = "/path/to/the/executable"
+# runtime_type = "oci"
+# runtime_root = "/path/to/the/root"
+#
+# Where:
+# - runtime-handler: name used to identify the runtime
+# - runtime_path (optional, string): absolute path to the runtime executable in
+# the host filesystem. If omitted, the runtime-handler identifier should match
+# the runtime executable name, and the runtime executable should be placed
+# in $PATH.
+# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
+# omitted, an "oci" runtime is assumed.
+# - runtime_root (optional, string): root directory for storage of containers
+# state.
+
 [crio.runtime.runtimes.runc]
 runtime_path = "/usr/bin/runc"
@@ -232,6 +251,19 @@ runtime_type = "oci"
 runtime_root = "/run/runc"
+# Kata Containers is an OCI runtime, where containers are run inside lightweight
+# VMs. Kata provides additional isolation towards the host, minimizing the host attack
+# surface and mitigating the consequences of containers breakout.
+
+# Kata Containers with the default configured VMM
+#[crio.runtime.runtimes.kata-runtime]
+
+# Kata Containers with the QEMU VMM
+#[crio.runtime.runtimes.kata-qemu]
+
+# Kata Containers with the Firecracker VMM
+#[crio.runtime.runtimes.kata-fc]
+
 # The crio.image table contains settings pertaining to the management of OCI images.
 #
 # CRI-O reads its configured registries defaults from the system wide
@@ -258,7 +290,9 @@ pause_image = "k8s.gcr.io/pause:3.1"
 pause_image_auth_file = ""
 # The command to run to have a container stay in the paused state.
-# This option supports live configuration reload.
+# When explicitly set to "", it will fallback to the entrypoint and command
+# specified in the pause image. When commented out, it will fallback to the
+# default: "/pause". This option supports live configuration reload.
 pause_command = "/pause"
 # Path to the file which decides what sort of policy we use when deciding
@@ -268,6 +302,11 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = ""
+# List of registries to skip TLS verification for pulling images. Please
+# consider configuring the registries via /etc/containers/registries.conf before
+# changing them here.
+#insecure_registries = "[]"
+
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
@@ -293,3 +332,12 @@ network_dir = "/etc/cni/net.d/"
 plugin_dirs = [
 "/opt/cni/bin/",
 ]
+
+# A necessary configuration for Prometheus based metrics retrieval
+[crio.metrics]
+
+# Globally enable or disable metrics support.
+enable_metrics = true
+
+# The port on which the metrics server will listen.
+metrics_port = 9090
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
index fd7612c12a6a..ad0e609e14e9 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.conf.default
@@ -1,4 +1,3 @@
-
 # The CRI-O configuration file specifies all of the available configuration
 # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
 # daemon, but in a TOML format that can be more easily modified and versioned.
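Review bot: `enable_metrics = true` with `metrics_port = 9090` switches on an unauthenticated metrics listener in the shipped crio.conf, whereas the crio.conf.default hunk later in this diff keeps it `false`; the file exposes no bind-address setting, so which interfaces port 9090 ends up listening on (loopback only, or every address of the VM) is not visible here and should be confirmed before this ships. Record the decision next to the value so the divergence from the default is clearly deliberate, e.g. `# Enabled on purpose (crio.conf.default leaves this off); confirm the listener is limited to the interfaces that need to scrape it`. The `#insecure_registries = "[]"` line stays commented out, which is the right default to keep.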
@@ -25,21 +24,19 @@
 # Storage driver used to manage the storage of images and containers. Please
 # refer to containers-storage.conf(5) to see all available storage drivers.
-#storage_driver = "overlay"
+#storage_driver = ""
 # List to pass options to the storage driver. Please refer to
 # containers-storage.conf(5) to see all available storage options.
 #storage_option = [
 #]
-# If set to false, in-memory locking will be used instead of file-based locking.
-# **Deprecated** this option will be removed in the future.
-file_locking = false
-
-# Path to the lock file.
-# **Deprecated** this option will be removed in the future.
-file_locking_path = "/run/crio.lock"
+# The default log directory where all logs will go unless directly specified by
+# the kubelet. The log directory specified must be an absolute directory.
+log_dir = "/var/log/crio/pods"
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"
 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
@@ -47,6 +44,9 @@ file_locking_path = "/run/crio.lock"
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"
+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"
@@ -62,11 +62,11 @@ stream_enable_tls = false
 stream_tls_cert = ""
 # Path to the key file used to serve the encrypted stream. This file can
-# change, and CRI-O will automatically pick up the changes within 5 minutes.
+# change and CRI-O will automatically pick up the changes within 5 minutes.
 stream_tls_key = ""
 # Path to the x509 CA(s) file used to verify and authenticate client
-# communication with the encrypted stream. This file can change, and CRI-O will
+# communication with the encrypted stream. This file can change and CRI-O will
 # automatically pick up the changes within 5 minutes.
 stream_tls_ca = ""
@@ -95,7 +95,8 @@ default_runtime = "runc"
 no_pivot = false
 # Path to the conmon binary, used for monitoring the OCI runtime.
-conmon = "/usr/local/libexec/crio/conmon"
+# Will be searched for using $PATH if empty.
+conmon = ""
 # Cgroup setting for conmon
 conmon_cgroup = "pod"
@@ -116,7 +117,7 @@ seccomp_profile = ""
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
-apparmor_profile = "crio-default-1.15.1"
+apparmor_profile = "crio-default-1.16.0"
 # Cgroup management implementation used for the runtime.
 cgroup_manager = "cgroupfs"
@@ -192,6 +193,9 @@ container_exits_dir = "/var/run/crio/exits"
 # Path to directory for container attach sockets.
 container_attach_socket_dir = "/var/run/crio"
+# The prefix to use for the source of the bind mounts.
+bind_mount_prefix = ""
+
 # If set to true, all containers will run in read-only mode.
 read_only = false
@@ -200,9 +204,6 @@ read_only = false
 # configuration reload.
 log_level = "error"
-# The default log directory where all logs will go unless directly specified by the kubelet
-log_dir = "/var/log/crio/pods"
-
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -224,7 +225,24 @@ manage_network_ns_lifecycle = false
 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
 # If no runtime_handler is provided, the runtime will be picked based on the level
-# of trust of the workload.
+# of trust of the workload. Each entry in the table should follow the format:
+#
+#[crio.runtime.runtimes.runtime-handler]
+# runtime_path = "/path/to/the/executable"
+# runtime_type = "oci"
+# runtime_root = "/path/to/the/root"
+#
+# Where:
+# - runtime-handler: name used to identify the runtime
+# - runtime_path (optional, string): absolute path to the runtime executable in
+# the host filesystem. If omitted, the runtime-handler identifier should match
+# the runtime executable name, and the runtime executable should be placed
+# in $PATH.
+# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
+# omitted, an "oci" runtime is assumed.
+# - runtime_root (optional, string): root directory for storage of containers
+# state.
+
 [crio.runtime.runtimes.runc]
 runtime_path = ""
@@ -232,6 +250,19 @@ runtime_type = "oci"
 runtime_root = "/run/runc"
+# Kata Containers is an OCI runtime, where containers are run inside lightweight
+# VMs. Kata provides additional isolation towards the host, minimizing the host attack
+# surface and mitigating the consequences of containers breakout.
+
+# Kata Containers with the default configured VMM
+#[crio.runtime.runtimes.kata-runtime]
+
+# Kata Containers with the QEMU VMM
+#[crio.runtime.runtimes.kata-qemu]
+
+# Kata Containers with the Firecracker VMM
+#[crio.runtime.runtimes.kata-fc]
+
 # The crio.image table contains settings pertaining to the management of OCI images.
 #
 # CRI-O reads its configured registries defaults from the system wide
@@ -258,7 +289,9 @@ pause_image = "k8s.gcr.io/pause:3.1"
 pause_image_auth_file = ""
 # The command to run to have a container stay in the paused state.
-# This option supports live configuration reload.
+# When explicitly set to "", it will fallback to the entrypoint and command
+# specified in the pause image. When commented out, it will fallback to the
+# default: "/pause". This option supports live configuration reload.
 pause_command = "/pause"
 # Path to the file which decides what sort of policy we use when deciding
@@ -268,6 +301,11 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = ""
+# List of registries to skip TLS verification for pulling images. Please
+# consider configuring the registries via /etc/containers/registries.conf before
+# changing them here.
+#insecure_registries = "[]"
+
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
@@ -292,3 +330,12 @@ network_dir = "/etc/cni/net.d/"
 plugin_dirs = [
 "/opt/cni/bin/",
 ]
+
+# A necessary configuration for Prometheus based metrics retrieval
+[crio.metrics]
+
+# Globally enable or disable metrics support.
+enable_metrics = false
+
+# The port on which the metrics server will listen.
+metrics_port = 9090
diff --git a/deploy/iso/minikube-iso/package/crio-bin/crio.service b/deploy/iso/minikube-iso/package/crio-bin/crio.service
index 3691e8de4e8c..30a794e597a3 100644
--- a/deploy/iso/minikube-iso/package/crio-bin/crio.service
+++ b/deploy/iso/minikube-iso/package/crio-bin/crio.service
@@ -1,8 +1,11 @@
 [Unit]
-Description=Open Container Initiative Daemon
-Documentation=https://github.com/kubernetes-sigs/cri-o
+Description=Container Runtime Interface for OCI (CRI-O)
+Documentation=https://github.com/cri-o/cri-o
+Wants=network-online.target
 After=network-online.target minikube-automount.service
 Requires=minikube-automount.service
+After=crio-wipe.service
+Requires=crio-wipe.service
 [Service]
 Type=notify
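Review bot: `Requires=crio-wipe.service` plus `After=crio-wipe.service` makes CRI-O fail closed on any failure of the wipe unit, including the case where `/var/run/minikube/env` (read by crio-wipe.service without the `-` prefix, earlier in this diff) is absent; if the wipe is meant to be best-effort, `Wants=crio-wipe.service` is the softer coupling, and if fail-closed is the intent a comment such as `# crio-wipe must complete before start: it clears stale container state` would make that choice reviewable rather than accidental. As a point of style, the new directives could be folded into the existing lines, `After=network-online.target minikube-automount.service crio-wipe.service` and `Requires=minikube-automount.service crio-wipe.service`, so the ordering constraints read as one set. Adding `Wants=network-online.target` alongside the existing `After=` is correct, since `After=` alone does not pull the target in.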