New Kubic snapshot 20220318 released!

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=Tu...
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&comp...

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  busybox-links
  cri-o (1.22.0 -> 1.23.2)
  cri-tools (1.22.0 -> 1.23.0)
  grep
  kubernetes (1.23.0 -> 1.23.4)
  kubernetes1.22 (1.22.4 -> 1.22.7)
  kubernetes1.23 (1.23.0 -> 1.23.4)
  p11-kit (0.23.22 -> 0.24.1)

=== Details ===

==== busybox-links ====
Subpackages: busybox-coreutils busybox-gawk busybox-grep busybox-gzip busybox-sed busybox-xz

- replace copy from buildroot's gzip with a reimplementation that is not GPLv3 (jsc#PM-3301)

==== cri-o ====
Version update (1.22.0 -> 1.23.2)
Subpackages: cri-o-kubeadm-criconfig

- Update to version 1.23.2:
  * config/sysctl: fail if there is a + in the value
  * Revert "config/sysctl: fail if there is a + in the value"
  * bump to version 1.23.2
  * config/sysctl: fail if there is a + in the value
  * config/sysctls: validate against invalid spaces
  * server: stop deleting pod from idIndex if already gone
  * [1.23] ci: use kubernetes 1.23, cri-tools 1.23
  * contrib/test/int/build/kubernetes: rm deprecated RunAsGroup
  * hack/build-rpms.sh: fix yum-builddep failures
  * image: use imageCache value for ImageStatus()
  * oci: fix a leaked goroutine
  * Reuse createContainerIO in CreateContainer
  * Fix vm containers couldn't restore after CRI-O restart
  * release-notes: add args for checksum fields
  * Updated format
  * Generate checksum files for artifacts
  * bump to v1.23.1
  * test: add test for skipped sysctls
  * server: skip sysctls that would affect the host
  * server: don't set memory swap when it's not enabled
  * deep copy List{PodSandbox,Container} structs
  * ci: use main branch for conmon
  * server: fix race with kubelet
  * Fix runtime panic on pod sandbox stats retrieval
  * ci: use main version of runc
  * openshift e2e: bump ci image
  * server: fix a potential NULL-pointer dereference.
  * pass the main mount point to fix crypto profiles binding
  * test: update tests for allowed_devices
  * config: add AllowedDevices option
  * server: drop duplicate log message
  * test: add test ensuring a stopped pod is restored
  * sandbox stop: remove namespaces
  * restore: handle removed namespaces
  * Partially revert "restore: restore stop before managing namespace"
  * restore: ensure containers are wiped on reboot
  * use cmdrunner singleton
  * conmonmgr: refactor for new CommandRunner
  * cmdrunner: update mocks and add target to makefile
  * config: prepend commands with taskset if InfraCtrCPUSet is configured
  * cmdrunner: add tests for prepended commands
  * cmdrunner: create singleton
  * Use timeout for conmon cgroup move
  * Fixed a problem where metricImagePullsBytesTotal was getting updated twice and on second call getting incorrect labels
  * vendor: bump c/image to 5.17.0
  * Add new metrics that match Prometheus best practices and reduce cardinality
  * add metrics with new names that match naming best practices
  * use _total for all counters
  * use base unit seconds, bytes
  * metrics that do not follow best practices have been marked deprecated, these can be removed in a future release, it is to ensure non-breaking change for couple of releases
  * unit test: fix relative log test
  * unit tests: update pinns path in case it isn't found in PATH
  * test: skip target tests for userns
  * test: add test for target namespace
  * add support for target PID namespaces
  * test: give testunit sudo
  * oci: add managed pidns to container object
  * pkg/container: take container namespace configuration
  * nsmgrtest: take some namespace related test code
  * nsmgr: add function to pin existing namespace
  * nsmgr: take (and rename) NamespacePathFromProc
  * pkg/sandbox: take config initialization
  * Bump Kubernetes to v1.23.0
  * set user.max_user_namespaces in case it's not
  * lint: bump cyclo complexity
  * gh-actions/contrib: setup sub{g,u}id
  * docs: add tutorial for setting up user namespaces
  * oci: put conmon in infra ctr cpuset if it is in the pod cgroup
  * test: add tests for user namespace annotations
  * test: move workload creation function to helpers
  * cni manager: catch server shutdown
  * server: notify user when network isn't ready yet
  * stop using hardcoded "pod" const
  * oci: always reap conmon zombies
  * clarify some error messages
  * Drop intermediate CRI types
  * Relabel containerenv files
  * Add minimum_mappable_(u|g)id settings
  * Fix runtime panic on stats server shutdown
  * restore: restore stop before managing namespace
  * server: add {,List}SandboxStats
  * server: refactor sandbox list
  * server: use stats server to get container stats
  * container server: use stats server
  * stats: add stats server
  * config: add StatsCollectionPeriod field
  * cgmgr: move most of stats handling to cgmgr
  * oci: make changes in preparation for moving stats functionality:
  * server: stub {List,}PodSandboxStats
  * server/cri: add PodSandboxStats support
  * vendor: bump cri-api
  * server/cri: refactor to make stats processing unified
  * pkg/config: use iota
  * Add go 1.17+ go:build tags
  * Remove redundant build tags
  * Add containerenv file to containers
    This file indicates that the current environment is inside a container environment.
    The same technique is used by podman and docker.
    The same file name/path as podman was used, as it is vendor agnostic.
  * build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8
  * config: merge runtime and workload allowed annotations
  * Updates kubeadm.md: The cgroup property is removed in [kubeadm-config.v1beta3](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/)
  * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  * Specify runtime table format in the error message
  * build(deps): bump github.com/containerd/ttrpc from 1.0.2 to 1.1.0
  * server: fix segfault when using cgroupv2
  * gh-actions: add sed for kube e2e
  * release-notes: update to main
  * build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0
  * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * Bug 2012838: fix override storage options from storage.conf
  * oci: fix deadlock in container stop code
  * build(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0
  * oci: always close chControl
  * oci: make some channels buffered
  * build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  * build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.5 to 5.0.6
  * Add annotation that makes /sys/fs/cgroup writable
  * Add support for CNI plugins v1.0.1
  * bump(deps-opentelemetry)
  * pin go.opentelemetry grpc/otelgrpc v0.25.0
  * opentelemetry: add gRPC tracing
  * build(deps): bump k8s.io/klog/v2 from 2.20.0 to 2.30.0
  * build(deps): bump github.com/go-logr/logr from 1.1.0 to 1.2.0
  * version: bump to 1.23.0
  * build(deps): bump github.com/containers/podman/v3 from 3.3.1 to 3.4.1
  * build(deps): bump github.com/containers/common from 0.43.2 to 0.46.0
  * test: drop swap disable playbook
  * server: add support for CRI unified field
  * server: implement swap support
  * server/cri: add support for 1.22 features
  * test: bump cri-tools version
  * scripts: pin cri-tools version
  * server: reduce needless copying for sb.NamespaceOptions
  * oci: refactor internal structure to use CRI type
  * oci: use server CRI metadata type for containers
  * sandbox: refactor internal structure to use CRI type
  * sandbox: save createdAt as a int64
  * build(deps): bump github.com/containerd/cgroups from 1.0.1 to 1.0.2
  * build(deps): bump github.com/creack/pty from 1.1.16 to 1.1.17
  * build(deps): bump github.com/Microsoft/go-winio from 0.5.0 to 0.5.1
  * Bump Kubernetes to v1.22.2
  * sandbox: use server CRI metadata type
  * docs: emphasize deprecation notice
  * update documentation for workloads
  * add allowed annotations to workloads
  * Log HTTP response writer message instead an error
  * oci: use c/common signal parsing function
  * Skip volume relabel for super privileged containers
  * oci: chown stdin pipe to user in the container
  * test: fix selinux test failures
  * build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5
  * Fix runtime handler docs
  * build(deps): bump github.com/containers/image/v5 from 5.15.2 to 5.16.1
  * scripts: fix release branch forward script
  * server: FilterDisallowedAnnotations of containers earlier
  * server: conditionally relabel volumes given annotation
  * build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0
  * test: refactor allowed_annotation tests
  * server: reduce args in addOCIBindMounts
  * build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
  * test: add label for openshift e2e in dockerfile
  * build(deps): bump github.com/containerd/containerd from 1.5.5 to 1.5.7
  * test: skip certificate check for downloading parallel
  * Remove usge of deprecated apt-key in Ubuntu install
  * Fix install.md links
  * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0
  * use a more appropriate console with code block
  * build(deps): bump k8s.io/api from 0.22.1 to 0.22.2
  * build(deps): bump k8s.io/cri-api from 0.22.1 to 0.22.2
  * build(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0
  * build(deps): bump github.com/creack/pty from 1.1.15 to 1.1.16
  * build(deps): bump k8s.io/apimachinery from 0.22.1 to 0.22.2
  * fix node e2e
  * build(deps): bump github.com/intel/goresctrl from 0.1.0 to 0.2.0
  * bump crio commit used by node e2e installer
  * server: mount cgroup if hostNetwork
  * server: use container level host network setting
  * server: don't recalculate hostnet
  * Fix typo in install.md
  * Remove one of the explanations for `bind_mount_prefix` because it is duplicated.
  * node e2e: keep infra container
  * add unit test for the `server/sandbox_remove`.
  * test: fix journald test for new conmon
  * fix shfmt
  * update `install.md` for debian and ubuntu
  * build(deps): bump github.com/json-iterator/go from 1.1.11 to 1.1.12
  * build(deps): bump k8s.io/client-go from 0.22.1 to 0.22.2
  * fix shfmt
  * server: set spec when dropping infra
  * Update 'master' branch links to 'main'
  * bumps pause image to 3.6
  * server: don't wait forever on conmon cgroup move fail
  * build(deps): bump github.com/containers/storage from 1.34.1 to 1.36.0
  * Remove bashism in sh script
  * Do not log if Intel RDT is not supported
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.4 to 5.0.5
  * Fix cluster.yaml for kubectl create
  * call cmd.Wait() in all cases we call Start()
  * oci: call wait on conmon if cgroup move fails
  * build(deps): bump github.com/go-logr/logr from 1.0.0 to 1.1.0
  * Fix `crio_image_pulls_layer_size_` metrics docs
  * Adapt to klog incompatible changes
  * build(deps): bump k8s.io/klog/v2 from 2.10.0 to 2.20.0
  * Add `--profile-cpu` and `--profile-mem` options
  * build(deps): bump github.com/containers/podman/v3 from 3.3.0 to 3.3.1
  * server: remove ineffective `updateLock`.
  * Fix missing quantile in `latency_microseconds_total` metrics
  * Update crio commit for node e2e
  * build(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.1
  * Bump runc binary to 1.0.2
  * Switch to go1.17 for CI
  * fix debian 10 build doc
  * test/testdata/sandbox_config.json: fix the dns_config
  * adds updating instructions to install.md

==== cri-tools ====
Version update (1.22.0 -> 1.23.0)

- Update to version 1.23.0:
  * Bump docs to v1.23.0
  * Bump github.com/opencontainers/selinux from 1.9.1 to 1.10.0
  * Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3
  * Bump github.com/docker/docker
  * Bump google.golang.org/grpc from 1.42.0 to 1.43.0
  * 1.5.9
  * Use same grpc max message size as Kubelet
  * Add support for cri-dockerd
  * Add support for specifying custom test container images.
  * Fix cri-dockerd CI runs
  * Fix Containerd main branch CI for Windows
  * fix ci for dockershim-critest
  * Update Windows images for ltsc2022
  * images: use k8s-staging-test-infra/gcb-docker-gcloud
  * Bump github.com/onsi/gomega from 1.16.0 to 1.17.0
  * Refactor fish completion
  * Rename bash and zsh completion functions
  * Add zsh compinit tag
  * Bump google.golang.org/grpc from 1.41.0 to 1.42.0
  * Bump github.com/docker/docker
  * Bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5
  * Add release publishing workflow
  * Bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1
  * Add SHA512 sum for release files
  * Bump github.com/docker/docker
  * Bump google.golang.org/grpc from 1.40.0 to 1.41.0
  * Bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0
  * Bump k8s.io/api from 0.22.1 to 0.22.2
  * Bump k8s.io/cri-api from 0.22.1 to 0.22.2
  * Bump k8s.io/apimachinery from 0.22.1 to 0.22.2
  * Bump k8s.io/client-go from 0.22.1 to 0.22.2
  * Bump k8s.io/kubectl from 0.22.1 to 0.22.2
  * Updates E2E test images registry
  * Bump github.com/opencontainers/selinux from 1.8.4 to 1.8.5
  * Switch to go1.17 for CI
  * Bump github.com/opencontainers/runc from 1.0.1 to 1.0.2
  * Added dropping/adding `ALL` capabilities case to critest
  * Bump github.com/onsi/gomega from 1.15.0 to 1.16.0
  * Bump k8s.io/cri-api from 0.22.0 to 0.22.1
  * Bump k8s.io/client-go from 0.22.0 to 0.22.1
  * Bump k8s.io/api from 0.22.0 to 0.22.1
  * Bump k8s.io/apimachinery from 0.22.0 to 0.22.1
  * Bump k8s.io/kubectl from 0.22.0 to 0.22.1
  * Bump google.golang.org/grpc from 1.39.1 to 1.40.0
  * Bump github.com/onsi/gomega from 1.14.0 to 1.15.0
  * Bump github.com/opencontainers/selinux from 1.8.3 to 1.8.4
  * Bump google.golang.org/grpc from 1.39.0 to 1.39.1

==== grep ====

- Make profiling deterministic (bsc#1040589)

==== kubernetes ====
Version update (1.23.0 -> 1.23.4)
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet

- Bump kubernetes-* to 1.23.4, *-minus1 to 1.22.7

==== kubernetes1.22 ====
Version update (1.22.4 -> 1.22.7)

- Update to version 1.22.7:
  * Update Go to 1.16.14
  * add namespace in azurefile volumeid
  * fix: azurefile volumeid conflict in csi migration
  * Execute sync before taking the snapshot
  * Mark device as uncertain if unmount device succeeds
  * Set max results if its not set
  * Update CHANGELOG/CHANGELOG-1.22.md for v1.22.6
  * Update k/utils to v0.0.0-20211116205334-6203023598ed
  * [go] update to Go 1.16.13
  * Enabling kube-proxy metrics on windows kernel mode
  * fix: ignore the case when comparing azure tags in service annotation
  * fix: remove outdated ipv4 route when the corresponding node is deleted
  * fix: delete non existing disk issue
  * fix containers order after applying
  * generated: ./hack/update-vendor.sh
  * upgrade sigs.k8s.io/structured-merge-diff/v4 to v4.2.1
  * fix: azuredisk parameter lowercase translation issue
  * fix: do not delete the lb that does not exist
  * removed unnecessary log line
  * Fix header mutation race in timeout filter
  * use node informer to check volumes attachment status before backoff
  * When volume is not marked in-use, do not backoff
  * kubeadm: remove the restriction that the ca.crt can only contain one certificate
  * flake fix: remove the error handler for cronjob integration test
  * vendor: bump cAdvisor to v0.39.3
  * Fix the leak of vSphere client sessions
  * fix nil pointer in create secret commands
  * client-go: Clear the ResourceVersionMatch on paged list calls
  * Update GCE manifest to use konnectivity 0.0.27
  * Update to apiserver-network-proxy v0.0.27
  * add gce loadbalancer no-op finalizer and existingFwdRule tests
  * disable gce service handling if has rbs forwarding rule
  * add ELBRbsFinalizer
  * add gce elb rbs opt-in annotation
  * Improving performance of EndpointSlice controller metrics cache
  * fix the error when cleaning up jobs for cronjob
  * Update CHANGELOG/CHANGELOG-1.22.md for v1.22.5
  * Add test to confirm containers won't start
  * Check for failed sandbox and failed workload containers
  * mount-utils: Detect potential stale file handle
  * [go1.16] Update to go1.16.12
  * Skip creating HNS loadbalancer with empty endpoints
  * dependencies: Update golang.org/x/net to v0.0.0-20211209124913-491a49abca63
  * kubeadm: avoid requiring a CA key during kubeconfig expiration checks
  * kubeadm: print the CA of kubeconfig files in "check expiration"
  * kubeadm: validate local etcd certficates during expiration checks
  * kubelet: set failed phase during graceful shutdown
  * [go1.16] Update to go1.16.11
  * fix: ignore the case when updating tags
  * Ensure deletion of pods in queues and cache
  * kubelet: Rejected pods should be filtered from admission
  * kube-scheduler: Increase the duration to expire an assumed pod
  * Skip check for all topology labels when using system default spreading
  * workqueue: fix leak in queue preventing objects from being GCed
  * Fix workqueue memory leak
  * Ignore 'wait: no child processes' error when calling mount/umount
  * Reduce calls to docker from dockershim for stats
  * Update CHANGELOG/CHANGELOG-1.22.md for v1.22.4
  * Add warning about using unsupported CRON_TZ
  * Fix flake caused by sampling signal counter too early.
  * Ensure there is one running static pod with the same full name
  * NodeConformance: Respect grace period when updating static pod
  * Fix concurrent map writes error in kube-apiserver
  * e2e: node: release-1.22: backport findKubeletServiceName
  * node: e2e: add test for the checkpoint recovery
  * devicemanager: checkpoint: support pre-1.20 data
  * fix: remove VMSS and VMSS instances from SLB backend pool only when necessary
  * fix: leave the probe path empty for TCP probes
  * fix: skip instance not found when decoupling vmss from lb

==== kubernetes1.23 ====
Version update (1.23.0 -> 1.23.4)
Subpackages: kubernetes1.23-client kubernetes1.23-client-common kubernetes1.23-kubeadm kubernetes1.23-kubelet kubernetes1.23-kubelet-common

- Update to version 1.23.4:
  * Update Go to 1.17.7
  * Use serializable struct for x-kubernetes-validations in openapi
  * Make JSON schema round tripping test more strict
  * ignore CRI PodSandboxNetworkStatus for host network pods
  * set secondary address on host-network pods
  * Deeply copy JSONSchemaProps.XValidations.
  * Ensure the execHostnameTest() compares hostnames
  * Revert "Fix comparison between FQDN and hostname"
  * service REST: Call Decorator(old) on update path
  * add namespace in azurefile volumeid
  * fix: azurefile volumeid conflict in csi migration
  * Mark device as uncertain if unmount device succeeds
  * Update CHANGELOG/CHANGELOG-1.23.md for v1.23.3
  * kubelet: fix podstatus not containing pod full name
  * Fix bug with node restriction blocking pvc.status.resizestatus change
  * Fix regression pruning array fields with x-kubernetes-preserve-unknown-fields: true
  * Set max results if its not set
  * Update CHANGELOG/CHANGELOG-1.23.md for v1.23.2
  * Update k/utils to v0.0.0-20211116205334-6203023598ed
  * [go] update to Go 1.17.6
  * fix: remove outdated ipv4 route when the corresponding node is deleted
  * fix: delete non existing disk issue
  * Revert "Automated cherry pick of #107554: Correct the feature gate string for RBD migration."
  * fix containers order after applying
  * generated: ./hack/update-vendor.sh
  * upgrade sigs.k8s.io/structured-merge-diff/v4 to v4.2.1
  * Execute sync before taking the snapshot
  * Correct the feature gate string for RBD migration.
  * fix: azuredisk parameter lowercase translation issue
  * removed unnecessary log line
  * kubectl: add integration test for result reporting
  * cli: let kubectl handle error printing
  * cli: avoid logging command line errors in more cases
  * Fix header mutation race in timeout filter
  * clear pod's .status.nominatedNodeName when necessary
  * use node informer to check volumes attachment status before backoff
  * When volume is not marked in-use, do not backoff
  * kubeadm: remove the restriction that the ca.crt can only contain one certificate
  * flake fix: remove the error handler for cronjob integration test
  * Fix the leak of vSphere client sessions
  * fix nil pointer in create secret commands
  * Fix order of commands in the snapshot tests for persistent volumes
  * client-go: Clear the ResourceVersionMatch on paged list calls
  * Improving performance of EndpointSlice controller metrics cache
  * fix the error when cleaning up jobs for cronjob
  * Update CHANGELOG to add missing release notes.
  * apf: ensure exempt request notes the classification
  * Enabling kube-proxy metrics on windows kernel mode
  * Update CHANGELOG/CHANGELOG-1.23.md for v1.23.1
  * add gce loadbalancer no-op finalizer and existingFwdRule tests
  * disable gce service handling if has rbs forwarding rule
  * add ELBRbsFinalizer
  * add gce elb rbs opt-in annotation
  * cherry pick of knp 0.0.27
  * Remove JSON logging performance regression
  * Re-introduce removed kubectl --dry-run values.
  * Point flowcontrol users at v1beta2
  * [go1.17] Update to go1.17.5
  * dependencies: Update golang.org/x/net to v0.0.0-20211209124913-491a49abca63
  * mount-utils: Detect potential stale file handle
  * Skip creating HNS loadbalancer with empty endpoints
  * Add regression test for CPUManager distribute NUMA algorithm
  * Add unit test for CPUManager distribute NUMA algorithm verifying fixes
  * Fix accounting bug in CPUManager distribute NUMA policy
  * Fix error handling in CPUManager distribute NUMA tests
  * Add a sum() helper to the CPUManager cpuassignment logic
  * Allow the map.Values() function in the CPUManager to take a set of keys
  * Fix CPUManager algo to calculate min NUMA nodes needed for distribution
  * Fix unit tests following bug fix in CPUManager for map functions (2/2)
  * Fix unit tests following bug fix in CPUManager for map functions (1/2)
  * Fix bug in CPUManager map.Keys() and map.Values() implementations
  * Ensure we balance across *all* NUMA nodes in NUMA distribution algo
  * Short-circuit CPUManager distribute NUMA algo for unusable cpuGroupSize
  * Round the CPUManager mean and stddev calculations to the nearest 1000th
  * updated deprecation messages from 1.23 to 1.24
  * kubelet: set failed phase during graceful shutdown
  * kubeadm: avoid requiring a CA key during kubeconfig expiration checks
  * kubeadm: print the CA of kubeconfig files in "check expiration"
  * kubeadm: validate local etcd certficates during expiration checks
  * publishing-bot/doc: add component-helpers to the readme
  * publishing-bot/rules: remove non existing component-helpers branch 1.19 from the rules
  * Changelog: mention kube-scheduler bits deprication
  * rbd: initialize ceph monitors slice with an empty value.
  * Direct v2betaX users to migrate to HPA v2
  * DelegateFSGroupToCSIDriver e2e: skip tests with chgrp
  * Update CHANGELOG/CHANGELOG-1.23.md for v1.23.0
  * [go1.17] Update to go1.17.4

==== p11-kit ====
Version update (0.23.22 -> 0.24.1)
Subpackages: libp11-kit0 p11-kit-tools

- make sure p11-kit components have matching versions (boo#1196812)
- Update to version 0.24.1:
  * rpc: Support protocol version negotiation.
  * proxy: Support copying attribute array recursively.
  * Link libp11-kit so that it cannot unload.
  * Translation improvements.
  * Build fixes.
- Update to version 0.24.0:
  * Use inclusive language on certificate distrust. Note: This changes the directory and attribute names to distrust certain CAs to "blocklist".
  * Fix issues spotted by coverity and ASan.
  * Integrate gettext with tools more tightly.
  * rpc: Forbid use of array of attributes.
  * Build fixes.
- Change dirs from blacklist to blocklist ref upstream changes.

participants (1)
-
Richard Brown