alvistack/v1.29.7

    git clean -xdf
    go get capnproto.org/go/capnp/v3@v3.0.1-alpha.2
    go mod tidy
    go mod download
    go mod vendor
    tar zcvf ../cri-o_1.29.7.orig.tar.gz --exclude=.git .
    debuild -uc -us
    cp cri-o.spec ../cri-o_1.29.7-1.spec
    cp debian/patches/*.patch /osc/home\:alvistack/cri-o-cri-o-1.29.7/
    cp ../cri-o*1.29.7*.{gz,xz,spec,dsc} /osc/home\:alvistack/cri-o-cri-o-1.29.7/
    rm -rf ../cri-o*1.29.7*.*

See containers/common#2004

Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>

contrib/systemd/crio-wipe.service

@@ -1,19 +1,18 @@
 [Unit]
 Description=CRI-O Auto Update Script
 Before=crio.service
-RequiresMountsFor=/var/lib/containers
+Wants=crio.service
 
 [Service]
-EnvironmentFile=-/etc/sysconfig/crio
-ExecStart=/usr/local/bin/crio \
+Type=oneshot
+EnvironmentFile=-/etc/default/crio
+ExecStart=/usr/bin/crio \
           $CRIO_CONFIG_OPTIONS \
           $CRIO_RUNTIME_OPTIONS \
           $CRIO_STORAGE_OPTIONS \
           $CRIO_NETWORK_OPTIONS \
           $CRIO_METRICS_OPTIONS \
           wipe
 
-Type=oneshot
-
 [Install]
 WantedBy=multi-user.target

contrib/systemd/crio.service

@@ -1,15 +1,14 @@
 [Unit]
 Description=Container Runtime Interface for OCI (CRI-O)
 Documentation=https://github.com/cri-o/cri-o
-Wants=network-online.target
-Before=kubelet.service
-After=network-online.target
+After=network-online.target local-fs.target remote-fs.target time-sync.target
+Wants=network-online.target local-fs.target remote-fs.target time-sync.target
 
 [Service]
 Type=notify
-EnvironmentFile=-/etc/sysconfig/crio
+EnvironmentFile=-/etc/default/crio
 Environment=GOTRACEBACK=crash
-ExecStart=/usr/local/bin/crio \
+ExecStart=/usr/bin/crio \
           $CRIO_CONFIG_OPTIONS \
           $CRIO_RUNTIME_OPTIONS \
           $CRIO_STORAGE_OPTIONS \

cri-o.spec

@@ -0,0 +1,146 @@
+# Copyright 2024 Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%global debug_package %{nil}
+
+%global source_date_epoch_from_changelog 0
+
+Name: cri-o
+Epoch: 100
+Version: 1.29.7
+Release: 1%{?dist}
+Summary: OCI-based implementation of Kubernetes Container Runtime Interface
+License: Apache-2.0
+URL: https://github.com/cri-o/cri-o/tags
+Source0: %{name}_%{version}.orig.tar.gz
+Patch0001: 0001-2004-update-apparmor-1898.patch
+BuildRequires: glib2-devel
+BuildRequires: glibc-static
+BuildRequires: golang-1.23
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: libgpg-error-devel
+BuildRequires: libseccomp-devel
+BuildRequires: make
+BuildRequires: pkgconfig
+BuildRequires: systemd-devel
+BuildRequires: tzdata
+Requires: conmon
+Requires: conntrack-tools
+Requires: containernetworking-plugins
+Requires: containers-common
+Requires: iproute
+Requires: iptables
+Requires: oci-runtime
+Requires: socat
+Requires: tzdata
+
+%description
+CRI-O provides an integration path between OCI conformant runtimes and
+the kubelet. Specifically, it implements the Kubelet Container Runtime
+Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is
+tied to the scope of the CRI.
+
+%prep
+%setup -T -c -n %{name}_%{version}-%{release}
+tar -zx -f %{S:0} --strip-components=1 -C .
+%autopatch -p1
+
+%build
+mkdir -p bin
+set -ex && \
+    export CGO_ENABLED=1 && \
+    go build \
+        -mod vendor -buildmode pie -v \
+        -ldflags "-s -w" \
+        -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp selinux" \
+        -o ./bin/crio ./cmd/crio && \
+    make bin/pinns
+./bin/crio --config="" --config-dir "" \
+    --apparmor-profile "crio-default" \
+    --cni-config-dir "/etc/cni/net.d" \
+    --cni-plugin-dir "/usr/local/libexec/cni" \
+    --cni-plugin-dir "/usr/libexec/cni" \
+    --cni-plugin-dir "/usr/local/lib/cni" \
+    --cni-plugin-dir "/usr/lib/cni" \
+    --cni-plugin-dir "/opt/cni/bin" \
+    --conmon-cgroup "system.slice" \
+    --conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+    --conmon-env "TERM=xterm" \
+    --decryption-keys-path "/etc/crio/keys" \
+    --default-capabilities "AUDIT_WRITE" \
+    --default-capabilities "CHOWN" \
+    --default-capabilities "DAC_OVERRIDE" \
+    --default-capabilities "FOWNER" \
+    --default-capabilities "FSETID" \
+    --default-capabilities "KILL" \
+    --default-capabilities "MKNOD" \
+    --default-capabilities "NET_BIND_SERVICE" \
+    --default-capabilities "NET_RAW" \
+    --default-capabilities "SETFCAP" \
+    --default-capabilities "SETGID" \
+    --default-capabilities "SETPCAP" \
+    --default-capabilities "SETUID" \
+    --default-capabilities "SYS_CHROOT" \
+    --pause-image "registry.k8s.io/pause:3.10" \
+    --root "/var/lib/containers/storage" \
+    --runroot "/run/containers/storage" \
+    --seccomp-profile "/usr/share/containers/seccomp.json" \
+    --storage-driver "overlay" \
+    --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \
+    --storage-opt "overlay.mountopt=nodev" \
+    --version-file "/var/run/crio/version" \
+    --version-file-persist "/var/run/crio/version" \
+    config > crio.conf
+
+%install
+install -Dpm755 -d %{buildroot}%{_sysconfdir}/default
+install -Dpm755 -d %{buildroot}%{_bindir}
+install -Dpm644 -T contrib/sysconfig/crio %{buildroot}%{_sysconfdir}/default/crio
+install -Dpm755 -t %{buildroot}%{_bindir}/ bin/crio
+install -Dpm755 -t %{buildroot}%{_bindir}/ bin/pinns
+DESTDIR=%{buildroot} \
+PREFIX=%{buildroot}%{_prefix} \
+    make install.completions install.config-nobuild
+PREFIX=%{buildroot}%{_prefix} \
+        make install.systemd
+
+%files
+%license LICENSE
+%doc contrib/cni/10-crio-bridge.conflist
+%doc contrib/cni/11-crio-ipv4-bridge.conflist
+%doc contrib/cni/99-loopback.conflist
+%dir %{_sysconfdir}/crio
+%dir %{_sysconfdir}/crio/crio.conf.d
+%dir %{_sysconfdir}/default
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/oci
+%dir %{_datadir}/containers/oci/hooks.d
+%dir %{_datadir}/fish
+%dir %{_datadir}/fish/completions
+%dir %{_datadir}/oci-umount
+%dir %{_datadir}/oci-umount/oci-umount.d
+%{_bindir}/crio
+%{_bindir}/pinns
+%{_datadir}/bash-completion/completions/crio
+%{_datadir}/fish/completions/crio.fish
+%{_datadir}/oci-umount/oci-umount.d/crio-umount.conf
+%{_datadir}/zsh/site-functions/_crio
+%{_sysconfdir}/crictl.yaml
+%{_sysconfdir}/crio/crio.conf
+%{_sysconfdir}/default/crio
+%{_unitdir}/crio-wipe.service
+%{_unitdir}/crio.service
+
+%changelog

debian/.gitignore

@@ -0,0 +1,6 @@
+*.substvars
+*debhelper*
+.debhelper
+cri-o
+files
+tmp

debian/changelog

@@ -0,0 +1,5 @@
+cri-o (100:1.29.7-1) UNRELEASED; urgency=medium
+
+  * https://github.com/cri-o/cri-o/releases/tag/v1.29.7
+
+ -- Wong Hoi Sing Edison <hswong3i@pantarei-design.com>  Thu, 08 Aug 2024 12:31:22 +0900

debian/control

@@ -0,0 +1,47 @@
+Source: cri-o
+Section: devel
+Priority: optional
+Standards-Version: 4.5.0
+Maintainer: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
+Homepage: https://github.com/cri-o/cri-o/tags
+Vcs-Browser: https://github.com/alvistack/cri-o-cri-o
+Vcs-Git: https://github.com/alvistack/cri-o-cri-o.git
+Build-Depends:
+ debhelper,
+ debhelper-compat (= 10),
+ golang-1.23,
+ libapparmor-dev,
+ libassuan-dev,
+ libglib2.0-dev,
+ libgpg-error-dev,
+ libgpgme-dev,
+ libseccomp-dev,
+ libsystemd-dev,
+ tzdata,
+
+Package: cri-o
+Architecture: amd64
+Description: OCI-based implementation of Kubernetes Container Runtime Interface
+ CRI-O provides an integration path between OCI conformant runtimes and
+ the kubelet. Specifically, it implements the Kubelet Container Runtime
+ Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is
+ tied to the scope of the CRI.
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ conmon,
+ conntrack,
+ containernetworking-plugins,
+ containers-common,
+ iproute2,
+ iptables,
+ libapparmor1,
+ libassuan0,
+ libglib2.0-0,
+ libgpg-error0,
+ libgpgme11,
+ libseccomp2,
+ libsystemd0,
+ oci-runtime,
+ socat,
+ tzdata,

debian/copyright

@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: debian/*
+Copyright: 2024 Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
+License: Apache-2.0
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ The complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".

debian/cri-o.dirs

@@ -0,0 +1,9 @@
+etc/cni
+etc/cni/net.d
+etc/crio
+etc/crio/crio.conf.d
+usr/share/containers
+usr/share/containers/oci
+usr/share/containers/oci/hooks.d
+usr/share/oci-umount
+usr/share/oci-umount/oci-umount.d

debian/cri-o.docs

@@ -0,0 +1,3 @@
+contrib/cni/10-crio-bridge.conflist
+contrib/cni/11-crio-ipv4-bridge.conflist
+contrib/cni/99-loopback.conflist

debian/cri-o.install

@@ -0,0 +1,11 @@
+etc/crictl.yaml
+etc/crio/crio.conf
+etc/default/crio
+lib/systemd/system/crio-wipe.service
+lib/systemd/system/crio.service
+usr/bin/crio
+usr/bin/pinns
+usr/share/bash-completion/completions/crio
+usr/share/fish/completions/crio.fish
+usr/share/oci-umount/oci-umount.d/crio-umount.conf
+usr/share/zsh/site-functions/_crio

debian/cri-o.lintian-overrides

@@ -0,0 +1,6 @@
+cri-o: copyright-without-copyright-notice
+cri-o: hardening-no-pie
+cri-o: initial-upload-closes-no-bugs
+cri-o: no-manual-page
+cri-o: statically-linked-binary
+cri-o: zero-byte-file-in-doc-directory

debian/patches/0001-2004-update-apparmor-1898.patch

@@ -0,0 +1,15 @@
+diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go
+index 667fa9f26..8db05fda6 100644
+--- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go
++++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go
+@@ -22,6 +22,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   # Allow signals from privileged profiles and from within the same profile
+   signal (receive) peer=unconfined,
+   signal (send,receive) peer={{.Name}},
++  # Allow certain signals from OCI runtimes (podman, runc and crun)
++  signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
++  signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
++  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,
+ {{end}}
+
+   deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)

debian/patches/series

@@ -0,0 +1 @@
+0001-2004-update-apparmor-1898.patch

debian/rules

@@ -0,0 +1,69 @@
+#!/usr/bin/make -f
+
+SHELL := /bin/bash
+
+override_dh_auto_build:
+	mkdir -p bin
+	set -ex && \
+		export CGO_ENABLED=1 && \
+		go build \
+			-mod vendor -buildmode pie -v \
+			-ldflags "-s -w" \
+			-tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp apparmor" \
+			-o ./bin/crio ./cmd/crio && \
+		make bin/pinns
+	./bin/crio --config="" --config-dir "" \
+		--apparmor-profile "crio-default" \
+		--cni-config-dir "/etc/cni/net.d" \
+		--cni-plugin-dir "/usr/local/libexec/cni" \
+		--cni-plugin-dir "/usr/libexec/cni" \
+		--cni-plugin-dir "/usr/local/lib/cni" \
+		--cni-plugin-dir "/usr/lib/cni" \
+		--cni-plugin-dir "/opt/cni/bin" \
+		--conmon-cgroup "system.slice" \
+		--conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+		--conmon-env "TERM=xterm" \
+		--decryption-keys-path "/etc/crio/keys" \
+		--default-capabilities "AUDIT_WRITE" \
+		--default-capabilities "CHOWN" \
+		--default-capabilities "DAC_OVERRIDE" \
+		--default-capabilities "FOWNER" \
+		--default-capabilities "FSETID" \
+		--default-capabilities "KILL" \
+		--default-capabilities "MKNOD" \
+		--default-capabilities "NET_BIND_SERVICE" \
+		--default-capabilities "NET_RAW" \
+		--default-capabilities "SETFCAP" \
+		--default-capabilities "SETGID" \
+		--default-capabilities "SETPCAP" \
+		--default-capabilities "SETUID" \
+		--default-capabilities "SYS_CHROOT" \
+		--pause-image "registry.k8s.io/pause:3.10" \
+		--root "/var/lib/containers/storage" \
+		--runroot "/run/containers/storage" \
+		--seccomp-profile "/usr/share/containers/seccomp.json" \
+		--storage-driver "overlay" \
+		--storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \
+		--storage-opt "overlay.mountopt=nodev" \
+		--version-file "/var/run/crio/version" \
+		--version-file-persist "/var/run/crio/version" \
+		config > crio.conf
+
+override_dh_auto_install:
+	install -Dpm755 -d debian/tmp/etc/default
+	install -Dpm755 -d debian/tmp/usr/bin
+	install -Dpm755 -T contrib/sysconfig/crio debian/tmp/etc/default/crio
+	install -Dpm755 -t debian/tmp/usr/bin bin/crio
+	install -Dpm755 -t debian/tmp/usr/bin bin/pinns
+	DESTDIR=debian/tmp \
+	PREFIX=debian/tmp/usr \
+		make install.completions install.config-nobuild
+	PREFIX=debian/tmp \
+		make install.systemd
+
+override_dh_auto_test:
+
+override_dh_auto_clean:
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/lintian-overrides

@@ -0,0 +1,2 @@
+cri-o source: file-without-copyright-information
+cri-o source: no-debian-changes