diff --git a/contrib/systemd/crio-wipe.service b/contrib/systemd/crio-wipe.service index 6763ce39ecb6..81c87745ce5f 100644 --- a/contrib/systemd/crio-wipe.service +++ b/contrib/systemd/crio-wipe.service @@ -1,11 +1,12 @@ [Unit] Description=CRI-O Auto Update Script Before=crio.service -RequiresMountsFor=/var/lib/containers +Wants=crio.service [Service] -EnvironmentFile=-/etc/sysconfig/crio -ExecStart=/usr/local/bin/crio \ +Type=oneshot +EnvironmentFile=-/etc/default/crio +ExecStart=/usr/bin/crio \ $CRIO_CONFIG_OPTIONS \ $CRIO_RUNTIME_OPTIONS \ $CRIO_STORAGE_OPTIONS \ @@ -13,7 +14,5 @@ ExecStart=/usr/local/bin/crio \ $CRIO_METRICS_OPTIONS \ wipe -Type=oneshot - [Install] WantedBy=multi-user.target diff --git a/contrib/systemd/crio.service b/contrib/systemd/crio.service index 041a84746cb2..042c17a97bd5 100644 --- a/contrib/systemd/crio.service +++ b/contrib/systemd/crio.service @@ -1,15 +1,14 @@ [Unit] Description=Container Runtime Interface for OCI (CRI-O) Documentation=https://github.com/cri-o/cri-o -Wants=network-online.target -Before=kubelet.service -After=network-online.target +After=network-online.target local-fs.target remote-fs.target time-sync.target +Wants=network-online.target local-fs.target remote-fs.target time-sync.target [Service] Type=notify -EnvironmentFile=-/etc/sysconfig/crio +EnvironmentFile=-/etc/default/crio Environment=GOTRACEBACK=crash -ExecStart=/usr/local/bin/crio \ +ExecStart=/usr/bin/crio \ $CRIO_CONFIG_OPTIONS \ $CRIO_RUNTIME_OPTIONS \ $CRIO_STORAGE_OPTIONS \ diff --git a/cri-o.spec b/cri-o.spec new file mode 100644 index 000000000000..ce77945f9f22 --- /dev/null +++ b/cri-o.spec 
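Review bot: Dropping `RequiresMountsFor=/var/lib/containers` removes the only ordering that kept `crio wipe` from running before the container storage is mounted; on hosts that keep `/var/lib/containers` on its own filesystem the wipe can now run against whatever is at the still-unmounted path instead of the real storage, and the real storage is never cleaned. The new `Wants=crio.service` on a unit that is also `Before=crio.service` means a manual `systemctl start crio-wipe` now pulls CRI-O in as well, which may be intended but is not obvious from the unit. Keep `RequiresMountsFor=/var/lib/containers` next to the new lines, and if the Wants stays, annotate it: `# starting the wipe alone should bring CRI-O back up afterwards`. The ExecStart= argument list continues past the hunk.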
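Review bot: `Before=kubelet.service` is removed without replacement, so nothing now orders CRI-O ahead of the kubelet; kubelet does retry the CRI socket, but the old ordering avoided that start-up churn and its loss looks accidental next to the other additions. The `time-sync.target` dependency is a good addition for TLS validation against registries and the apiserver, but reaching that target only means a time daemon has started, not that the clock is actually synchronized (that needs something like `systemd-time-wait-sync.service`), so it should not be relied on for certificate-validity assumptions. Suggest restoring `Before=kubelet.service` unless the drop was deliberate, with a short comment stating the intent. The unit's ExecStart= continues past the hunk.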
@@ -0,0 +1,154 @@
+# Copyright 2023 Wong Hoi Sing Edison
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%global debug_package %{nil}
+
+Name: cri-o
+Epoch: 100
+Version: 1.27.1
+Release: 1%{?dist}
+Summary: OCI-based implementation of Kubernetes Container Runtime Interface
+License: Apache-2.0
+URL: https://github.com/cri-o/cri-o/tags
+Source0: %{name}_%{version}.orig.tar.gz
+BuildRequires: glib2-devel
+BuildRequires: glibc-static
+BuildRequires: golang-1.21
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: libgpg-error-devel
+BuildRequires: libseccomp-devel
+BuildRequires: make
+BuildRequires: pkgconfig
+BuildRequires: systemd-devel
+BuildRequires: tzdata
+Requires: conmon
+Requires: conntrack-tools
+Requires: containernetworking-plugins
+Requires: containers-common
+Requires: iproute
+Requires: iptables
+Requires: oci-runtime
+Requires: socat
+Requires: tzdata
+
+%description
+CRI-O provides an integration path between OCI conformant runtimes and
+the kubelet. Specifically, it implements the Kubelet Container Runtime
+Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is
+tied to the scope of the CRI.
+
+%prep
+%autosetup -T -c -n %{name}_%{version}-%{release}
+tar -zx -f %{S:0} --strip-components=1 -C .
+
+%build
+mkdir -p bin
+set -ex && \
+ export CGO_ENABLED=1 && \
+ go build \
+ -mod vendor -buildmode pie -v \
+ -ldflags "-s -w" \
+ -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp selinux" \
+ -o ./bin/crio ./cmd/crio && \
+ go build \
+ -mod vendor -buildmode pie -v \
+ -ldflags "-s -w" \
+ -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp selinux" \
+ -o ./bin/crio-status ./cmd/crio-status && \
+ make bin/pinns
+./bin/crio --config="" --config-dir "" \
+ --apparmor-profile "crio-default" \
+ --cni-config-dir "/etc/cni/net.d" \
+ --cni-plugin-dir "/usr/local/libexec/cni" \
+ --cni-plugin-dir "/usr/libexec/cni" \
+ --cni-plugin-dir "/usr/local/lib/cni" \
+ --cni-plugin-dir "/usr/lib/cni" \
+ --cni-plugin-dir "/opt/cni/bin" \
+ --conmon-cgroup "system.slice" \
+ --conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+ --conmon-env "TERM=xterm" \
+ --decryption-keys-path "/etc/crio/keys" \
+ --default-capabilities "AUDIT_WRITE" \
+ --default-capabilities "CHOWN" \
+ --default-capabilities "DAC_OVERRIDE" \
+ --default-capabilities "FOWNER" \
+ --default-capabilities "FSETID" \
+ --default-capabilities "KILL" \
+ --default-capabilities "MKNOD" \
+ --default-capabilities "NET_BIND_SERVICE" \
+ --default-capabilities "NET_RAW" \
+ --default-capabilities "SETFCAP" \
+ --default-capabilities "SETGID" \
+ --default-capabilities "SETPCAP" \
+ --default-capabilities "SETUID" \
+ --default-capabilities "SYS_CHROOT" \
+ --pause-image "registry.k8s.io/pause:3.9" \
+ --root "/var/lib/containers/storage" \
+ --runroot "/run/containers/storage" \
+ --seccomp-profile "/usr/share/containers/seccomp.json" \
+ --storage-driver "overlay" \
+ --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \
+ --storage-opt "overlay.mountopt=nodev" \
+ --version-file "/var/run/crio/version" \
+ --version-file-persist "/var/run/crio/version" \
+ config > crio.conf
+
+%install
+install -Dpm755 -d %{buildroot}%{_sysconfdir}/cni/net.d
+install -Dpm755 -d %{buildroot}%{_sysconfdir}/default
+install -Dpm755 -d %{buildroot}%{_bindir}
+install -Dpm644 -T contrib/cni/11-crio-ipv4-bridge.conflist %{buildroot}%{_sysconfdir}/cni/net.d/87-crio-bridge.conflist
+install -Dpm644 -T contrib/sysconfig/crio %{buildroot}%{_sysconfdir}/default/crio
+install -Dpm755 -t %{buildroot}%{_bindir}/ bin/crio
+install -Dpm755 -t %{buildroot}%{_bindir}/ bin/crio-status
+install -Dpm755 -t %{buildroot}%{_bindir}/ bin/pinns
+DESTDIR=%{buildroot} \
+PREFIX=%{buildroot}%{_prefix} \
+ make install.completions install.config-nobuild
+PREFIX=%{buildroot}%{_prefix} \
+ make install.systemd
+
+%files
+%license LICENSE
+%dir %{_sysconfdir}/cni
+%dir %{_sysconfdir}/cni/net.d
+%dir %{_sysconfdir}/crio
+%dir %{_sysconfdir}/crio/crio.conf.d
+%dir %{_sysconfdir}/default
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/oci
+%dir %{_datadir}/containers/oci/hooks.d
+%dir %{_datadir}/fish
+%dir %{_datadir}/fish/completions
+%dir %{_datadir}/oci-umount
+%dir %{_datadir}/oci-umount/oci-umount.d
+%{_bindir}/crio
+%{_bindir}/crio-status
+%{_bindir}/pinns
+%{_datadir}/bash-completion/completions/crio
+%{_datadir}/bash-completion/completions/crio-status
+%{_datadir}/fish/completions/crio-status.fish
+%{_datadir}/fish/completions/crio.fish
+%{_datadir}/oci-umount/oci-umount.d/crio-umount.conf
+%{_datadir}/zsh/site-functions/_crio
+%{_datadir}/zsh/site-functions/_crio-status
+%{_sysconfdir}/cni/net.d/87-crio-bridge.conflist
+%{_sysconfdir}/crictl.yaml
+%{_sysconfdir}/crio/crio.conf
+%{_sysconfdir}/default/crio
+%{_unitdir}/crio-wipe.service
+%{_unitdir}/crio.service
+
+%changelog
diff --git a/debian/.gitignore b/debian/.gitignore
new file mode 100644
index 000000000000..bd22301323a6
--- /dev/null
+++ b/debian/.gitignore
@@ -0,0 +1,6 @@
+*.substvars
+*debhelper*
+.debhelper
+cri-o
+files
+tmp
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000000..49a3eb521b0e
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+cri-o (100:1.27.1-1) UNRELEASED; urgency=medium
+
+ * https://github.com/cri-o/cri-o/releases/tag/v1.27.1
+
+ -- Wong Hoi Sing Edison Fri, 03 Nov 2023 11:28:39 +0800
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000000..e081ec01aa44
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,47 @@
+Source: cri-o
+Section: devel
+Priority: optional
+Standards-Version: 4.5.0
+Maintainer: Wong Hoi Sing Edison
+Homepage: https://github.com/cri-o/cri-o/tags
+Vcs-Browser: https://github.com/alvistack/cri-o-cri-o
+Vcs-Git: https://github.com/alvistack/cri-o-cri-o.git
+Build-Depends:
+ debhelper,
+ debhelper-compat (= 10),
+ golang-1.21,
+ libapparmor-dev,
+ libassuan-dev,
+ libglib2.0-dev,
+ libgpg-error-dev,
+ libgpgme-dev,
+ libseccomp-dev,
+ libsystemd-dev,
+ tzdata,
+
+Package: cri-o
+Architecture: amd64
+Description: OCI-based implementation of Kubernetes Container Runtime Interface
+ CRI-O provides an integration path between OCI conformant runtimes and
+ the kubelet. Specifically, it implements the Kubelet Container Runtime
+ Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is
+ tied to the scope of the CRI.
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ conmon,
+ conntrack,
+ containernetworking-plugins,
+ containers-common,
+ iproute2,
+ iptables,
+ libapparmor1,
+ libassuan0,
+ libglib2.0-0,
+ libgpg-error0,
+ libgpgme11,
+ libseccomp2,
+ libsystemd0,
+ oci-runtime,
+ socat,
+ tzdata,
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 000000000000..dcb9a2448599
--- /dev/null
+++ b/debian/copyright
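Review bot: `Depends:` hard-codes shared-library package names (`libapparmor1`, `libassuan0`, `libglib2.0-0`, `libgpg-error0`, `libgpgme11`, `libseccomp2`, `libsystemd0`) that `${shlibs:Depends}` already derives from the linked binary, so they duplicate the generated list and will break installability on the next soname bump; drop the explicit `lib*` entries. `fuse-overlayfs` is absent from Depends even though the configuration generated by debian/rules names `/usr/bin/fuse-overlayfs` as the overlay mount program, so a fresh install can end up with a runtime whose storage driver points at a binary that is not there. `Architecture: amd64` also excludes arm64, where CRI-O is routinely deployed; nothing visible in the build is x86-specific, so `Architecture: linux-any` would be conventional unless the C helper (pinns) is known not to build elsewhere.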
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: debian/*
+Copyright: 2023 Wong Hoi Sing Edison
+License: Apache-2.0
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ The complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/cri-o.dirs b/debian/cri-o.dirs
new file mode 100644
index 000000000000..572d3395c399
--- /dev/null
+++ b/debian/cri-o.dirs
@@ -0,0 +1,9 @@
+etc/cni
+etc/cni/net.d
+etc/crio
+etc/crio/crio.conf.d
+usr/share/containers
+usr/share/containers/oci
+usr/share/containers/oci/hooks.d
+usr/share/oci-umount
+usr/share/oci-umount/oci-umount.d
diff --git a/debian/cri-o.install b/debian/cri-o.install
new file mode 100644
index 000000000000..12a382a4869f
--- /dev/null
+++ b/debian/cri-o.install
@@ -0,0 +1,16 @@
+etc/cni/net.d/87-crio-bridge.conflist
+etc/crictl.yaml
+etc/crio/crio.conf
+etc/default/crio
+lib/systemd/system/crio-wipe.service
+lib/systemd/system/crio.service
+usr/bin/crio
+usr/bin/crio-status
+usr/bin/pinns
+usr/share/bash-completion/completions/crio
+usr/share/bash-completion/completions/crio-status
+usr/share/fish/completions/crio-status.fish
+usr/share/fish/completions/crio.fish
+usr/share/oci-umount/oci-umount.d/crio-umount.conf
+usr/share/zsh/site-functions/_crio
+usr/share/zsh/site-functions/_crio-status
diff --git a/debian/cri-o.lintian-overrides b/debian/cri-o.lintian-overrides
new file mode 100644
index 000000000000..8e17673e8da1
--- /dev/null
+++ b/debian/cri-o.lintian-overrides
@@ -0,0 +1,6 @@
+cri-o: copyright-without-copyright-notice
+cri-o: hardening-no-pie
+cri-o: initial-upload-closes-no-bugs
+cri-o: no-manual-page
+cri-o: statically-linked-binary
+cri-o: zero-byte-file-in-doc-directory
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000000..e2d26a607925
--- /dev/null
+++ b/debian/rules
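Review bot: Overriding `hardening-no-pie` hides exactly the signal this package should be watching: debian/rules passes `-buildmode pie`, so the tag should not fire at all, and if it does fire on one of the shipped binaries (pinns from `make bin/pinns` is the likely candidate) the cause is worth fixing rather than suppressing. `statically-linked-binary` is similarly suspect for a `CGO_ENABLED=1` build that links libgpgme and libseccomp dynamically. Lintian override files accept `#` comment lines, so if either override is genuinely needed for Go's ELF layout, record the reason above the entry, e.g. `# Go PIE binaries trip lintian's ELF heuristics; verified with hardening-check`.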
@@ -0,0 +1,77 @@
+#!/usr/bin/make -f
+
+SHELL := /bin/bash
+
+override_dh_auto_build:
+ mkdir -p bin
+ set -ex && \
+ export CGO_ENABLED=1 && \
+ go build \
+ -mod vendor -buildmode pie -v \
+ -ldflags "-s -w" \
+ -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp apparmor" \
+ -o ./bin/crio ./cmd/crio && \
+ go build \
+ -mod vendor -buildmode pie -v \
+ -ldflags "-s -w" \
+ -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp apparmor" \
+ -o ./bin/crio-status ./cmd/crio-status && \
+ make bin/pinns
+ ./bin/crio --config="" --config-dir "" \
+ --apparmor-profile "crio-default" \
+ --cni-config-dir "/etc/cni/net.d" \
+ --cni-plugin-dir "/usr/local/libexec/cni" \
+ --cni-plugin-dir "/usr/libexec/cni" \
+ --cni-plugin-dir "/usr/local/lib/cni" \
+ --cni-plugin-dir "/usr/lib/cni" \
+ --cni-plugin-dir "/opt/cni/bin" \
+ --conmon-cgroup "system.slice" \
+ --conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+ --conmon-env "TERM=xterm" \
+ --decryption-keys-path "/etc/crio/keys" \
+ --default-capabilities "AUDIT_WRITE" \
+ --default-capabilities "CHOWN" \
+ --default-capabilities "DAC_OVERRIDE" \
+ --default-capabilities "FOWNER" \
+ --default-capabilities "FSETID" \
+ --default-capabilities "KILL" \
+ --default-capabilities "MKNOD" \
+ --default-capabilities "NET_BIND_SERVICE" \
+ --default-capabilities "NET_RAW" \
+ --default-capabilities "SETFCAP" \
+ --default-capabilities "SETGID" \
+ --default-capabilities "SETPCAP" \
+ --default-capabilities "SETUID" \
+ --default-capabilities "SYS_CHROOT" \
+ --pause-image "registry.k8s.io/pause:3.9" \
+ --root "/var/lib/containers/storage" \
+ --runroot "/run/containers/storage" \
+ --seccomp-profile "/usr/share/containers/seccomp.json" \
+ --storage-driver "overlay" \
+ --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \
+ --storage-opt "overlay.mountopt=nodev" \
+ --version-file "/var/run/crio/version" \
+ --version-file-persist "/var/run/crio/version" \
+ config > crio.conf
+
+override_dh_auto_install:
+ install -Dpm755 -d debian/tmp/etc/cni/net.d
+ install -Dpm755 -d debian/tmp/etc/default
+ install -Dpm755 -d debian/tmp/usr/bin
+ install -Dpm644 -T contrib/cni/11-crio-ipv4-bridge.conflist debian/tmp/etc/cni/net.d/87-crio-bridge.conflist
+ install -Dpm755 -T contrib/sysconfig/crio debian/tmp/etc/default/crio
+ install -Dpm755 -t debian/tmp/usr/bin bin/crio
+ install -Dpm755 -t debian/tmp/usr/bin bin/crio-status
+ install -Dpm755 -t debian/tmp/usr/bin bin/pinns
+ DESTDIR=debian/tmp \
+ PREFIX=debian/tmp/usr \
+ make install.completions install.config-nobuild
+ PREFIX=debian/tmp \
+ make install.systemd
+
+override_dh_auto_test:
+
+override_dh_auto_clean:
+
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 000000000000..163aaf8d82b6
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 000000000000..8edca9b295c9
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+cri-o source: file-without-copyright-information
+cri-o source: no-debian-changes
diff --git a/go.mod b/go.mod
index 061f1e9c97a9..971810a784e4 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.2.0
 github.com/containers/buildah v1.30.0
- github.com/containers/common v0.53.0
+ github.com/containers/common v0.53.1-0.20231122050942-6c64d1accb28
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/conmon-rs v0.5.0
 github.com/containers/image/v5 v5.25.0
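Review bot: `install -Dpm755 -T contrib/sysconfig/crio debian/tmp/etc/default/crio` installs an environment file with the executable bit set, while the RPM spec in this same change installs the identical file 0644; `EnvironmentFile=` entries are read by systemd, never executed, so use `-Dpm644` here too. The generated crio.conf also hard-codes `overlay.mount_program=/usr/bin/fuse-overlayfs`, routing every container rootfs mount through a user-space FUSE daemon even though CRI-O runs as root and can use kernel overlayfs directly; unless the target kernels lack overlay support, dropping that `--storage-opt` is both faster and a smaller privileged attack surface, and if it stays the package needs a dependency on fuse-overlayfs (unless I misread containers/storage, a missing mount program is a hard error at driver init). `override_dh_auto_test:` is left empty with no comment, so the package's unit tests are skipped silently; either run them or state why they cannot run in the build environment.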
@@ -276,3 +276,5 @@ replace (
 k8s.io/pod-security-admission => k8s.io/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20230411170423-1b4df30b3cdf
 k8s.io/sample-apiserver => k8s.io/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20230411170423-1b4df30b3cdf
 )
+
+replace github.com/containers/common v0.53.1-0.20231122050942-6c64d1accb28 => github.com/alvistack/containers-common v0.53.1-0.20231122050942-6c64d1accb28
diff --git a/go.sum b/go.sum
index f203be4cd53a..d26899a6753c 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
+github.com/alvistack/containers-common v0.53.1-0.20231122050942-6c64d1accb28 h1:mQQfbcB7TY5kLju3RGu2fwsLBHmMUu8MaHSpdgYCIzw=
+github.com/alvistack/containers-common v0.53.1-0.20231122050942-6c64d1accb28/go.mod h1:pABPxJwlTE8oYk9/2BW0e0mumkuhJHIPsABHTGRXN3w=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
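Review bot: The new `replace` points `github.com/containers/common` at a personal fork for the whole module, so every consumer of that library inside CRI-O — image pulling, signature policy, seccomp and AppArmor handling — now builds from code outside the upstream review process, and the `go.sum` hash of one pseudo-version is the only thing pinning what that fork contains. The vendored hunk shows the fork carries just two added `strings.SplitN` calls in `parseAAParserVersion`; a change that small belongs in a quilt patch (the source format is already `3.0 (quilt)`) or an upstream PR, not a module-wide replace that will be easy to forget. If the replace must stay, add a comment above it naming what it tracks and when it goes away, e.g. `// TODO: drop once containers/common ships the aa-parser version-suffix fix`.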
@@ -329,8 +331,6 @@ github.com/containernetworking/plugins v1.2.0 h1:SWgg3dQG1yzUo4d9iD8cwSVh1VqI+bP github.com/containernetworking/plugins v1.2.0/go.mod h1:/VjX4uHecW5vVimFa1wkG4s+r/s9qIfPdqlLF4TW8c4= github.com/containers/buildah v1.30.0 h1:mdp2COGKFFEZNEGP8VZ5ITuUFVNPFoH+iK2sSesNfTA= github.com/containers/buildah v1.30.0/go.mod h1:lyMLZIevpAa6zSzjRl7z4lFJMCMQLFjfo56YIefaB/U= -github.com/containers/common v0.53.0 h1:Ax814cLeX5VXSnkKUdxz762g+27fJj1st4UvKoXmkKs= -github.com/containers/common v0.53.0/go.mod h1:pABPxJwlTE8oYk9/2BW0e0mumkuhJHIPsABHTGRXN3w= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/conmon-rs v0.5.0 h1:WN24G4Pv1VOoUBmXt2W5RflpIO0bFSIUUD8OvJ7Am+M= diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go index 7ba63ba74471..435422c27de7 100644 --- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go +++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux.go @@ -212,6 +212,11 @@ func parseAAParserVersion(output string) (int, error) { words := strings.Split(lines[0], " ") version := words[len(words)-1] + // trim "-beta1" suffix from version="3.0.0-beta1" if exists + version = strings.SplitN(version, "-", 2)[0] + // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10) + version = strings.SplitN(version, "~", 2)[0] + // split by major minor version v := strings.Split(version, ".") if len(v) == 0 || len(v) > 3 { diff --git a/vendor/modules.txt b/vendor/modules.txt index 4da9334d7366..765120f46b15 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -251,7 +251,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.53.0
+# github.com/containers/common v0.53.1-0.20231122050942-6c64d1accb28 => github.com/alvistack/containers-common v0.53.1-0.20231122050942-6c64d1accb28
 ## explicit; go 1.18
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define