diff --git a/contrib/systemd/crio-wipe.service b/contrib/systemd/crio-wipe.service index 6763ce39ecb..81c87745ce5 100644 --- a/contrib/systemd/crio-wipe.service +++ b/contrib/systemd/crio-wipe.service @@ -1,11 +1,12 @@ [Unit] Description=CRI-O Auto Update Script Before=crio.service -RequiresMountsFor=/var/lib/containers +Wants=crio.service [Service] -EnvironmentFile=-/etc/sysconfig/crio -ExecStart=/usr/local/bin/crio \ +Type=oneshot +EnvironmentFile=-/etc/default/crio +ExecStart=/usr/bin/crio \ $CRIO_CONFIG_OPTIONS \ $CRIO_RUNTIME_OPTIONS \ $CRIO_STORAGE_OPTIONS \ @@ -13,7 +14,5 @@ ExecStart=/usr/local/bin/crio \ $CRIO_METRICS_OPTIONS \ wipe -Type=oneshot - [Install] WantedBy=multi-user.target diff --git a/contrib/systemd/crio.service b/contrib/systemd/crio.service index 041a84746cb..042c17a97bd 100644 --- a/contrib/systemd/crio.service +++ b/contrib/systemd/crio.service @@ -1,15 +1,14 @@ [Unit] Description=Container Runtime Interface for OCI (CRI-O) Documentation=https://github.com/cri-o/cri-o -Wants=network-online.target -Before=kubelet.service -After=network-online.target +After=network-online.target local-fs.target remote-fs.target time-sync.target +Wants=network-online.target local-fs.target remote-fs.target time-sync.target [Service] Type=notify -EnvironmentFile=-/etc/sysconfig/crio +EnvironmentFile=-/etc/default/crio Environment=GOTRACEBACK=crash -ExecStart=/usr/local/bin/crio \ +ExecStart=/usr/bin/crio \ $CRIO_CONFIG_OPTIONS \ $CRIO_RUNTIME_OPTIONS \ $CRIO_STORAGE_OPTIONS \ diff --git a/cri-o.spec b/cri-o.spec new file mode 100644 index 00000000000..c4e8fe6d139 --- /dev/null +++ b/cri-o.spec 
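Review bot: Dropping `RequiresMountsFor=/var/lib/containers` from crio-wipe.service while `ExecStart` still runs `crio ... wipe` lets the wipe start before the storage volume is mounted on hosts that keep /var/lib/containers on its own filesystem; the new local-fs/remote-fs ordering in this commit only landed in crio.service, not here. A wipe that runs against an empty mountpoint may create a storage tree on the root filesystem that is later shadowed by the real mount, so keep the line: `RequiresMountsFor=/var/lib/containers`. The added `Wants=crio.service` next to `Before=crio.service` also pulls crio into every start of the wipe unit; if that is intended, a one-line comment above it would save the next reader the question.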
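Review bot: In crio.service `Before=kubelet.service` is removed with no replacement, so nothing orders the runtime ahead of the kubelet anymore; the kubelet should retry the CRI socket, but boot will presumably log connection failures until crio is up. `Before=` on an absent unit is harmless, so the line can stay even for hosts without a kubelet. The new `After=... local-fs.target remote-fs.target` cover generic mounts but not the storage root passed as `--root "/var/lib/containers/storage"`; `RequiresMountsFor=/var/lib/containers` is the precise dependency for that path.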
@@ -0,0 +1,154 @@ +# Copyright 2024 Wong Hoi Sing Edison +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +%global debug_package %{nil} + +%global source_date_epoch_from_changelog 0 + +Name: cri-o +Epoch: 100 +Version: 1.28.6 +Release: 1%{?dist} +Summary: OCI-based implementation of Kubernetes Container Runtime Interface +License: Apache-2.0 +URL: https://github.com/cri-o/cri-o/tags +Source0: %{name}_%{version}.orig.tar.gz +BuildRequires: glib2-devel +BuildRequires: glibc-static +BuildRequires: golang-1.22 +BuildRequires: gpgme-devel +BuildRequires: libassuan-devel +BuildRequires: libgpg-error-devel +BuildRequires: libseccomp-devel +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: systemd-devel +BuildRequires: tzdata +Requires: conmon +Requires: conntrack-tools +Requires: containernetworking-plugins +Requires: containers-common +Requires: iproute +Requires: iptables +Requires: oci-runtime +Requires: socat +Requires: tzdata + +%description +CRI-O provides an integration path between OCI conformant runtimes and +the kubelet. Specifically, it implements the Kubelet Container Runtime +Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is +tied to the scope of the CRI. + +%prep +%autosetup -T -c -n %{name}_%{version}-%{release} +tar -zx -f %{S:0} --strip-components=1 -C . 
+ +%build +mkdir -p bin +set -ex && \ + export CGO_ENABLED=1 && \ + go build \ + -mod vendor -buildmode pie -v \ + -ldflags "-s -w" \ + -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp selinux" \ + -o ./bin/crio ./cmd/crio && \ + go build \ + -mod vendor -buildmode pie -v \ + -ldflags "-s -w" \ + -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp selinux" \ + -o ./bin/crio-status ./cmd/crio-status && \ + make bin/pinns +./bin/crio --config="" --config-dir "" \ + --apparmor-profile "crio-default" \ + --cni-config-dir "/etc/cni/net.d" \ + --cni-plugin-dir "/usr/local/libexec/cni" \ + --cni-plugin-dir "/usr/libexec/cni" \ + --cni-plugin-dir "/usr/local/lib/cni" \ + --cni-plugin-dir "/usr/lib/cni" \ + --cni-plugin-dir "/opt/cni/bin" \ + --conmon-cgroup "system.slice" \ + --conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \ + --conmon-env "TERM=xterm" \ + --decryption-keys-path "/etc/crio/keys" \ + --default-capabilities "AUDIT_WRITE" \ + --default-capabilities "CHOWN" \ + --default-capabilities "DAC_OVERRIDE" \ + --default-capabilities "FOWNER" \ + --default-capabilities "FSETID" \ + --default-capabilities "KILL" \ + --default-capabilities "MKNOD" \ + --default-capabilities "NET_BIND_SERVICE" \ + --default-capabilities "NET_RAW" \ + --default-capabilities "SETFCAP" \ + --default-capabilities "SETGID" \ + --default-capabilities "SETPCAP" \ + --default-capabilities "SETUID" \ + --default-capabilities "SYS_CHROOT" \ + --pause-image "registry.k8s.io/pause:3.9" \ + --root "/var/lib/containers/storage" \ + --runroot "/run/containers/storage" \ + --seccomp-profile "/usr/share/containers/seccomp.json" \ + --storage-driver "overlay" \ + --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \ + --storage-opt "overlay.mountopt=nodev" \ + --version-file "/var/run/crio/version" \ + --version-file-persist 
"/var/run/crio/version" \ + config > crio.conf + +%install +install -Dpm755 -d %{buildroot}%{_sysconfdir}/default +install -Dpm755 -d %{buildroot}%{_bindir} +install -Dpm644 -T contrib/sysconfig/crio %{buildroot}%{_sysconfdir}/default/crio +install -Dpm755 -t %{buildroot}%{_bindir}/ bin/crio +install -Dpm755 -t %{buildroot}%{_bindir}/ bin/crio-status +install -Dpm755 -t %{buildroot}%{_bindir}/ bin/pinns +DESTDIR=%{buildroot} \ +PREFIX=%{buildroot}%{_prefix} \ + make install.completions install.config-nobuild +PREFIX=%{buildroot}%{_prefix} \ + make install.systemd + +%files +%license LICENSE +%doc contrib/cni/10-crio-bridge.conflist +%doc contrib/cni/11-crio-ipv4-bridge.conflist +%doc contrib/cni/99-loopback.conflist +%dir %{_sysconfdir}/crio +%dir %{_sysconfdir}/crio/crio.conf.d +%dir %{_sysconfdir}/default +%dir %{_datadir}/containers +%dir %{_datadir}/containers/oci +%dir %{_datadir}/containers/oci/hooks.d +%dir %{_datadir}/fish +%dir %{_datadir}/fish/completions +%dir %{_datadir}/oci-umount +%dir %{_datadir}/oci-umount/oci-umount.d +%{_bindir}/crio +%{_bindir}/crio-status +%{_bindir}/pinns +%{_datadir}/bash-completion/completions/crio +%{_datadir}/bash-completion/completions/crio-status +%{_datadir}/fish/completions/crio-status.fish +%{_datadir}/fish/completions/crio.fish +%{_datadir}/oci-umount/oci-umount.d/crio-umount.conf +%{_datadir}/zsh/site-functions/_crio +%{_datadir}/zsh/site-functions/_crio-status +%{_sysconfdir}/crictl.yaml +%{_sysconfdir}/crio/crio.conf +%{_sysconfdir}/default/crio +%{_unitdir}/crio-wipe.service +%{_unitdir}/crio.service + +%changelog diff --git a/debian/.gitignore b/debian/.gitignore new file mode 100644 index 00000000000..bd22301323a --- /dev/null +++ b/debian/.gitignore @@ -0,0 +1,6 @@ +*.substvars +*debhelper* +.debhelper +cri-o +files +tmp diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000000..a4d334cc478 --- /dev/null +++ b/debian/changelog 
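Review bot: In `%build` both `--version-file` and `--version-file-persist` point at `/var/run/crio/version`, a tmpfs path, so the "persistent" file vanishes on every reboot; crio wipe uses the persist file to decide whether the binary was upgraded, so every reboot would presumably be treated as an upgrade and trigger the wider wipe (the same flag pair appears in debian/rules). Point the second flag at a path outside tmpfs, e.g. somewhere under `/var/lib`. Separately, the generated crio.conf pins `--storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs"`, but neither `Requires:` here nor `Depends:` in debian/control lists fuse-overlayfs, so a freshly installed node will likely fail to mount overlay storage unless that package happens to be present; add it to both.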
@@ -0,0 +1,5 @@ +cri-o (100:1.28.6-1) UNRELEASED; urgency=medium + + * https://github.com/cri-o/cri-o/releases/tag/v1.28.6 + + -- Wong Hoi Sing Edison Tue, 30 Apr 2024 23:17:13 +0800 diff --git a/debian/control b/debian/control new file mode 100644 index 00000000000..f42aff8be01 --- /dev/null +++ b/debian/control @@ -0,0 +1,47 @@ +Source: cri-o +Section: devel +Priority: optional +Standards-Version: 4.5.0 +Maintainer: Wong Hoi Sing Edison +Homepage: https://github.com/cri-o/cri-o/tags +Vcs-Browser: https://github.com/alvistack/cri-o-cri-o +Vcs-Git: https://github.com/alvistack/cri-o-cri-o.git +Build-Depends: + debhelper, + debhelper-compat (= 10), + golang-1.22, + libapparmor-dev, + libassuan-dev, + libglib2.0-dev, + libgpg-error-dev, + libgpgme-dev, + libseccomp-dev, + libsystemd-dev, + tzdata, + +Package: cri-o +Architecture: amd64 +Description: OCI-based implementation of Kubernetes Container Runtime Interface + CRI-O provides an integration path between OCI conformant runtimes and + the kubelet. Specifically, it implements the Kubelet Container Runtime + Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is + tied to the scope of the CRI. +Depends: + ${shlibs:Depends}, + ${misc:Depends}, + conmon, + conntrack, + containernetworking-plugins, + containers-common, + iproute2, + iptables, + libapparmor1, + libassuan0, + libglib2.0-0, + libgpg-error0, + libgpgme11, + libseccomp2, + libsystemd0, + oci-runtime, + socat, + tzdata, diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000000..12900b4193c --- /dev/null +++ b/debian/copyright 
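Review bot: The explicit library entries under `Depends:` (`libapparmor1`, `libassuan0`, `libglib2.0-0`, `libgpg-error0`, `libgpgme11`, `libseccomp2`, `libsystemd0`) duplicate what `${shlibs:Depends}` already derives from the linked binary and will go stale on the next SONAME bump, silently loosening or breaking what apt resolves. Drop them and let dh_shlibdeps emit the versioned dependencies. `debhelper` next to `debhelper-compat (= 10)` in `Build-Depends:` is likewise redundant.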
@@ -0,0 +1,21 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ + +Files: debian/* +Copyright: 2024 Wong Hoi Sing Edison +License: Apache-2.0 + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + The complete text of the Apache version 2.0 license + can be found in "/usr/share/common-licenses/Apache-2.0". diff --git a/debian/cri-o.dirs b/debian/cri-o.dirs new file mode 100644 index 00000000000..572d3395c39 --- /dev/null +++ b/debian/cri-o.dirs @@ -0,0 +1,9 @@ +etc/cni +etc/cni/net.d +etc/crio +etc/crio/crio.conf.d +usr/share/containers +usr/share/containers/oci +usr/share/containers/oci/hooks.d +usr/share/oci-umount +usr/share/oci-umount/oci-umount.d diff --git a/debian/cri-o.docs b/debian/cri-o.docs new file mode 100644 index 00000000000..231cdfde462 --- /dev/null +++ b/debian/cri-o.docs @@ -0,0 +1,3 @@ +contrib/cni/10-crio-bridge.conflist +contrib/cni/11-crio-ipv4-bridge.conflist +contrib/cni/99-loopback.conflist diff --git a/debian/cri-o.install b/debian/cri-o.install new file mode 100644 index 00000000000..22ebf7bf7e2 --- /dev/null +++ b/debian/cri-o.install 
@@ -0,0 +1,15 @@ +etc/crictl.yaml +etc/crio/crio.conf +etc/default/crio +lib/systemd/system/crio-wipe.service +lib/systemd/system/crio.service +usr/bin/crio +usr/bin/crio-status +usr/bin/pinns +usr/share/bash-completion/completions/crio +usr/share/bash-completion/completions/crio-status +usr/share/fish/completions/crio-status.fish +usr/share/fish/completions/crio.fish +usr/share/oci-umount/oci-umount.d/crio-umount.conf +usr/share/zsh/site-functions/_crio +usr/share/zsh/site-functions/_crio-status diff --git a/debian/cri-o.lintian-overrides b/debian/cri-o.lintian-overrides new file mode 100644 index 00000000000..8e17673e8da --- /dev/null +++ b/debian/cri-o.lintian-overrides @@ -0,0 +1,6 @@ +cri-o: copyright-without-copyright-notice +cri-o: hardening-no-pie +cri-o: initial-upload-closes-no-bugs +cri-o: no-manual-page +cri-o: statically-linked-binary +cri-o: zero-byte-file-in-doc-directory diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000000..0127b4526d4 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,75 @@ +#!/usr/bin/make -f + +SHELL := /bin/bash + +override_dh_auto_build: + mkdir -p bin + set -ex && \ + export CGO_ENABLED=1 && \ + go build \ + -mod vendor -buildmode pie -v \ + -ldflags "-s -w" \ + -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp apparmor" \ + -o ./bin/crio ./cmd/crio && \ + go build \ + -mod vendor -buildmode pie -v \ + -ldflags "-s -w" \ + -tags "netgo osusergo exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp seccomp apparmor" \ + -o ./bin/crio-status ./cmd/crio-status && \ + make bin/pinns + ./bin/crio --config="" --config-dir "" \ + --apparmor-profile "crio-default" \ + --cni-config-dir "/etc/cni/net.d" \ + --cni-plugin-dir "/usr/local/libexec/cni" \ + --cni-plugin-dir "/usr/libexec/cni" \ + --cni-plugin-dir "/usr/local/lib/cni" \ + --cni-plugin-dir "/usr/lib/cni" \ + --cni-plugin-dir "/opt/cni/bin" \ + --conmon-cgroup "system.slice" \ + --conmon-env "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \ + --conmon-env "TERM=xterm" \ + --decryption-keys-path "/etc/crio/keys" \ + --default-capabilities "AUDIT_WRITE" \ + --default-capabilities "CHOWN" \ + --default-capabilities "DAC_OVERRIDE" \ + --default-capabilities "FOWNER" \ + --default-capabilities "FSETID" \ + --default-capabilities "KILL" \ + --default-capabilities "MKNOD" \ + --default-capabilities "NET_BIND_SERVICE" \ + --default-capabilities "NET_RAW" \ + --default-capabilities "SETFCAP" \ + --default-capabilities "SETGID" \ + --default-capabilities "SETPCAP" \ + --default-capabilities "SETUID" \ + --default-capabilities "SYS_CHROOT" \ + --pause-image "registry.k8s.io/pause:3.9" \ + --root "/var/lib/containers/storage" \ + --runroot "/run/containers/storage" \ + --seccomp-profile "/usr/share/containers/seccomp.json" \ + --storage-driver "overlay" \ + --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs" \ + --storage-opt "overlay.mountopt=nodev" \ + 
--version-file "/var/run/crio/version" \ + --version-file-persist "/var/run/crio/version" \ + config > crio.conf + +override_dh_auto_install: + install -Dpm755 -d debian/tmp/etc/default + install -Dpm755 -d debian/tmp/usr/bin + install -Dpm755 -T contrib/sysconfig/crio debian/tmp/etc/default/crio + install -Dpm755 -t debian/tmp/usr/bin bin/crio + install -Dpm755 -t debian/tmp/usr/bin bin/crio-status + install -Dpm755 -t debian/tmp/usr/bin bin/pinns + DESTDIR=debian/tmp \ + PREFIX=debian/tmp/usr \ + make install.completions install.config-nobuild + PREFIX=debian/tmp \ + make install.systemd + +override_dh_auto_test: + +override_dh_auto_clean: + +%: + dh $@ diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000000..163aaf8d82b --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 00000000000..8edca9b295c --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +cri-o source: file-without-copyright-information +cri-o source: no-debian-changes diff --git a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go index 667fa9f2655..8db05fda6cd 100644 --- a/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go +++ b/vendor/github.com/containers/common/pkg/apparmor/apparmor_linux_template.go 
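Review bot: `install -Dpm755 -T contrib/sysconfig/crio debian/tmp/etc/default/crio` installs the environment file world-executable, whereas cri-o.spec installs the same file with `-Dpm644`; a sourced config under /etc/default should not be executable, so use `install -Dpm644 -T contrib/sysconfig/crio debian/tmp/etc/default/crio`. The recipe also calls `make bin/pinns`, `make install.completions install.config-nobuild` and `make install.systemd` literally; inside a makefile recipe these should be `$(MAKE)` so flags and the jobserver propagate. The empty `override_dh_auto_test:` and `override_dh_auto_clean:` silently skip the upstream test and clean targets, which deserves a one-line comment saying why.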
@@ -22,6 +22,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { # Allow signals from privileged profiles and from within the same profile signal (receive) peer=unconfined, signal (send,receive) peer={{.Name}}, + # Allow certain signals from OCI runtimes (podman, runc and crun) + signal (receive) peer={/usr/bin/,/usr/sbin/,}runc, + signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*, + signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman, {{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)