From cace7b1ddbcd7305c56a2c8c0cdaa844a17b4988 Mon Sep 17 00:00:00 2001 From: krawthekrow Date: Fri, 24 Apr 2020 11:15:32 +0800 Subject: [PATCH] cri-o: upgrade to 1.16.3 This involves: - Separating out the conmon build (following the upstream change) and giving it its own bazel build file patch. - Removing the conmon tests since they require additional build dependencies that we don't need. - Regenerating the CRI-O build file patch. - Updating the CRI-O upstream config file. - Updating deps.bzl. --- platform/cri-o/BUILD.bazel | 2 +- platform/cri-o/build.patch | 118 +++++++++--------------------- platform/cri-o/conmon.patch | 38 ++++++++++ platform/cri-o/crio.conf.in | 79 ++++++++++++++++---- platform/cri-o/crio.conf.upstream | 84 ++++++++++++++++----- platform/cri-o/deps.bzl | 13 +++- 6 files changed, 216 insertions(+), 118 deletions(-) create mode 100644 platform/cri-o/conmon.patch mode change 100755 => 100644 platform/cri-o/crio.conf.in diff --git a/platform/cri-o/BUILD.bazel b/platform/cri-o/BUILD.bazel index c6b946d66..fb0dbb207 100644 --- a/platform/cri-o/BUILD.bazel +++ b/platform/cri-o/BUILD.bazel @@ -10,7 +10,7 @@ homeworld_deb( name = "package", bin = { "@com_github_cri_o_cri_o//cmd/crio": "/usr/bin/crio", - "@com_github_cri_o_cri_o//conmon": "/usr/libexec/crio/conmon", + "@com_github_containers_conmon//:conmon": "/usr/libexec/crio/conmon", }, data = { ":crio.conf": "/etc/crio/crio.conf", diff --git a/platform/cri-o/build.patch b/platform/cri-o/build.patch index c128297ce..72dc7ee35 100644 --- a/platform/cri-o/build.patch +++ b/platform/cri-o/build.patch @@ -1,6 +1,6 @@ diff --git a/BUILD.bazel b/BUILD.bazel new file mode 100644 -index 0000000..bf0a685 +index 000000000..a79f430ae --- /dev/null +++ b/BUILD.bazel @@ -0,0 +1,15 @@ 
@@ -19,68 +19,8 @@ index 0000000..bf0a685 + cmd = "\"$(location //cmd/crio)\" --root=\"/nonexistent\" --runroot \"/nonexistent\" --storage-driver=\"\" --config=\"\" config >\"$@\"", + visibility = ["//visibility:public"], +) -diff --git a/conmon/BUILD.bazel b/conmon/BUILD.bazel -new file mode 100644 -index 0000000..9b97598 ---- /dev/null -+++ b/conmon/BUILD.bazel -@@ -0,0 +1,46 @@ -+# TODO: include -std=c99 in C builds -+ -+genrule( -+ name = "config.h-genrule", -+ outs = [":conf/config.h"], -+ tools = ["//cmd/crio-config"], -+ cmd = """ -+ REL="$$(realpath "$(location //cmd/crio-config)")" -+ cd \"$(@D)\" -+ "$${REL}" -+ """, -+) -+ -+cc_library( -+ name = "glibinc", -+ hdrs = [":glibobject-include/glibconfig.h"], -+ includes = ["glibobject-include"], -+ linkopts = ["-lglib-2.0"], -+) -+ -+cc_library( -+ name = "configinc", -+ hdrs = [":conf/config.h"], -+ includes = ["conf"], -+) -+ -+cc_binary( -+ name = "conmon", -+ srcs = [ -+ ":conmon.c", -+ ":cmsg.c", -+ ":cmsg.h", -+ ":utils.c", -+ ":utils.h", -+ ":ctr_logging.c", -+ ":ctr_logging.h", -+ ], -+ # TODO: get these dynamically, not statically -+ defines = [ -+ "VERSION='\"1.10.7-dev\"'", -+ "GIT_COMMIT='\"210d46c717c5dcb6d11302723eb9d20575ee7a78\"'", -+ ], -+ deps = [":glibinc", ":configinc"], -+ copts = ["-I/usr/include/glib-2.0"], -+ visibility = ["//visibility:public"], -+) -diff --git a/conmon/glibobject-include b/conmon/glibobject-include -new file mode 120000 -index 0000000..3638b19 ---- /dev/null -+++ b/conmon/glibobject-include -@@ -0,0 +1 @@ -+/usr/lib/x86_64-linux-gnu/glib-2.0/include -\ No newline at end of file diff --git a/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel b/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel -index bd64ed0..a12b9f5 100644 +index c8f3bf6be..495ea30a4 100644 --- a/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel +++ b/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel @@ -12,6 +12,7 @@ go_library( 
@@ -92,7 +32,7 @@ index bd64ed0..a12b9f5 100644 importpath = "github.com/containers/storage/pkg/devicemapper", visibility = ["//visibility:public"], diff --git a/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel b/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel -index 3a0a989..9e0efbe 100644 +index 6cd7977bd..c51281f0d 100644 --- a/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel +++ b/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel @@ -7,6 +7,7 @@ go_library( @@ -103,8 +43,26 @@ index 3a0a989..9e0efbe 100644 importmap = "github.com/cri-o/cri-o/vendor/github.com/seccomp/libseccomp-golang", importpath = "github.com/seccomp/libseccomp-golang", visibility = ["//visibility:public"], ---- a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD 2019-09-29 15:55:01.213000000 -0400 -+++ b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD 2019-09-29 15:36:54.915000000 -0400 +diff --git a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel +index 36055b042..1e3c1c9a5 100644 +--- a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel ++++ b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel +@@ -2,10 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library") + + go_library( + name = "go_default_library", +- srcs = [ +- "ed25519.go", +- "ed25519_go113.go", +- ], ++ srcs = ["ed25519.go"], + importmap = "github.com/cri-o/cri-o/vendor/golang.org/x/crypto/ed25519", + importpath = "golang.org/x/crypto/ed25519", + visibility = ["//visibility:public"], +diff --git a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD +index 4d61ac5ba..784db97c9 100644 +--- a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD ++++ b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD @@ -1,6 +1,5 @@ package(default_visibility = ["//visibility:public"]) 
@@ -112,11 +70,10 @@ index 3a0a989..9e0efbe 100644 load( "@io_bazel_rules_go//go:def.bzl", "go_library", -@@ -19,35 +13,6 @@ - importmap = "github.com/cri-o/cri-o/vendor/k8s.io/apimachinery/pkg/util/sets", +@@ -21,35 +20,6 @@ go_library( importpath = "k8s.io/apimachinery/pkg/util/sets", ) -- + -# This rule makes all sorts of terrible assumptions that it's running inside k8s.io/kubernetes, even though it's part of k8s.io/apimachinery. :\ -go_genrule( - name = "set-gen", @@ -145,22 +102,19 @@ index 3a0a989..9e0efbe 100644 - "//vendor/k8s.io/code-generator/cmd/set-gen", - ], -) - +- filegroup( name = "package-srcs", ---- a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel 2019-09-29 15:57:46.980000000 -0400 -+++ b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel 2019-09-29 15:36:54.862000000 -0400 -@@ -2,12 +2,9 @@ + srcs = glob(["**"]), +diff --git a/vendor/k8s.io/component-base/metrics/BUILD b/vendor/k8s.io/component-base/metrics/BUILD +index 06398d377..9feb27b0c 100644 +--- a/vendor/k8s.io/component-base/metrics/BUILD ++++ b/vendor/k8s.io/component-base/metrics/BUILD +@@ -4,7 +4,6 @@ load( + "@io_bazel_rules_go//go:def.bzl", + "go_library", + ) +-load("//staging/src/k8s.io/component-base/version:def.bzl", "version_x_defs") go_library( name = "go_default_library", -- srcs = [ -- "ed25519.go", -- "ed25519_go113.go", -- ], -+ srcs = ["ed25519.go"], - importmap = "github.com/cri-o/cri-o/vendor/golang.org/x/crypto/ed25519", - importpath = "golang.org/x/crypto/ed25519", - visibility = ["//visibility:public"], - deps = ["//vendor/golang.org/x/crypto/ed25519/internal/edwards25519:go_default_library"], - ) diff --git a/platform/cri-o/conmon.patch b/platform/cri-o/conmon.patch new file mode 100644 index 000000000..fcc4eb5d4 --- /dev/null +++ b/platform/cri-o/conmon.patch 
@@ -0,0 +1,38 @@ +diff --git a/BUILD.bazel b/BUILD.bazel +new file mode 100644 +index 0000000..94a1f5c +--- /dev/null ++++ b/BUILD.bazel +@@ -0,0 +1,24 @@ ++# TODO: include -std=c99 in C builds ++ ++cc_library( ++ name = "glibinc", ++ hdrs = [":glibobject-include/glibconfig.h"], ++ includes = ["glibobject-include"], ++ linkopts = ["-lglib-2.0"], ++) ++ ++cc_binary( ++ name = "conmon", ++ srcs = glob([ ++ "src/*.c", ++ "src/*.h", ++ ]), ++ # TODO: get these dynamically, not statically ++ defines = [ ++ "VERSION='\"2.0.16-dev\"'", ++ "GIT_COMMIT='\"e34c6d60f06d48d293e747d2b59e601137e650dd\"'", ++ ], ++ deps = [":glibinc"], ++ copts = ["-I/usr/include/glib-2.0"], ++ visibility = ["//visibility:public"], ++) +diff --git a/glibobject-include b/glibobject-include +new file mode 120000 +index 0000000..3638b19 +--- /dev/null ++++ b/glibobject-include +@@ -0,0 +1 @@ ++/usr/lib/x86_64-linux-gnu/glib-2.0/include +\ No newline at end of file diff --git a/platform/cri-o/crio.conf.in b/platform/cri-o/crio.conf.in old mode 100755 new mode 100644 index 8bd3fe4aa..d03893784 --- a/platform/cri-o/crio.conf.in +++ b/platform/cri-o/crio.conf.in @@ -1,4 +1,3 @@ - # The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. 
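Review bot: The `VERSION` and `GIT_COMMIT` defines baked into the conmon `cc_binary` (`2.0.16-dev`, `e34c6d60…`) do not correspond to the conmon source this same commit pins in deps.bzl (`1bddbf70…`, annotated there as 2.0.15), so the shipped binary will self-report a version and commit that were never built, which defeats any later attempt to match a deployed conmon against a source tree or an advisory. At minimum set them to the pinned values, `"VERSION='\"2.0.15\"'",` and `"GIT_COMMIT='\"1bddbf7051a973f4a4fecf06faa0c48e82f1e9e1\"'",`, and keep the existing TODO about deriving them from the repository rule. Separately, the `glibobject-include` symlink into `/usr/lib/x86_64-linux-gnu/glib-2.0/include` together with `copts = ["-I/usr/include/glib-2.0"]` and `linkopts = ["-lglib-2.0"]` ties the build to whatever glib headers and library the build host happens to have, so the output is not reproducible across hosts; a comment above `glibinc` naming the host package this expects (presumably the distro's glib development package) would at least make that assumption visible.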
@@ -32,14 +31,12 @@ storage_driver = "" storage_option = [ ] -# If set to false, in-memory locking will be used instead of file-based locking. -# **Deprecated** this option will be removed in the future. -file_locking = false - -# Path to the lock file. -# **Deprecated** this option will be removed in the future. -file_locking_path = "/run/crio.lock" +# The default log directory where all logs will go unless directly specified by +# the kubelet. The log directory specified must be an absolute directory. +log_dir = "/var/log/crio/pods" +# Location for CRI-O to lay down the version file +version_file = "/var/lib/crio/version" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] @@ -47,6 +44,9 @@ file_locking_path = "/run/crio.lock" # Path to AF_LOCAL socket on which CRI-O will listen. listen = "/var/run/crio/crio.sock" +# Host IP considered as the primary IP to use by CRI-O for things such as host network IP. +host_ip = "" + # IP address on which the stream server will listen. stream_address = "127.0.0.1" @@ -62,11 +62,11 @@ stream_enable_tls = false stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can -# change, and CRI-O will automatically pick up the changes within 5 minutes. +# change and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client -# communication with the encrypted stream. This file can change, and CRI-O will +# communication with the encrypted stream. This file can change and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" @@ -95,6 +95,7 @@ default_runtime = "runc" no_pivot = false # Path to the conmon binary, used for monitoring the OCI runtime. +# Will be searched for using $PATH if empty. conmon = "/usr/libexec/crio/conmon" # Cgroup setting for conmon 
@@ -116,7 +117,7 @@ seccomp_profile = "" # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default-" followed by the version string of CRI-O. -apparmor_profile = "crio-default-1.15.2" +apparmor_profile = "crio-default-1.16.3" # Cgroup management implementation used for the runtime. cgroup_manager = "cgroupfs" @@ -192,6 +193,9 @@ container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" +# The prefix to use for the source of the bind mounts. +bind_mount_prefix = "" + # If set to true, all containers will run in read-only mode. read_only = false @@ -200,9 +204,6 @@ read_only = false # configuration reload. log_level = "error" -# The default log directory where all logs will go unless directly specified by the kubelet -log_dir = "/var/log/crio/pods" - # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. 
@@ -224,7 +225,24 @@ manage_network_ns_lifecycle = false # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level -# of trust of the workload. +# of trust of the workload. Each entry in the table should follow the format: +# +#[crio.runtime.runtimes.runtime-handler] +# runtime_path = "/path/to/the/executable" +# runtime_type = "oci" +# runtime_root = "/path/to/the/root" +# +# Where: +# - runtime-handler: name used to identify the runtime +# - runtime_path (optional, string): absolute path to the runtime executable in +# the host filesystem. If omitted, the runtime-handler identifier should match +# the runtime executable name, and the runtime executable should be placed +# in $PATH. +# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If +# omitted, an "oci" runtime is assumed. +# - runtime_root (optional, string): root directory for storage of containers +# state. + [crio.runtime.runtimes.runc] runtime_path = "/usr/bin/runc" @@ -232,6 +250,19 @@ runtime_type = "oci" runtime_root = "/run/runc" +# Kata Containers is an OCI runtime, where containers are run inside lightweight +# VMs. Kata provides additional isolation towards the host, minimizing the host attack +# surface and mitigating the consequences of containers breakout. + +# Kata Containers with the default configured VMM +#[crio.runtime.runtimes.kata-runtime] + +# Kata Containers with the QEMU VMM +#[crio.runtime.runtimes.kata-qemu] + +# Kata Containers with the Firecracker VMM +#[crio.runtime.runtimes.kata-fc] + # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide 
@@ -258,7 +289,9 @@ pause_image = "homeworld.private/pause@{PAUSE_DIGEST}" pause_image_auth_file = "" # The command to run to have a container stay in the paused state. -# This option supports live configuration reload. +# When explicitly set to "", it will fallback to the entrypoint and command +# specified in the pause image. When commented out, it will fallback to the +# default: "/pause". This option supports live configuration reload. pause_command = "/pause" # Path to the file which decides what sort of policy we use when deciding @@ -268,6 +301,11 @@ pause_command = "/pause" # refer to containers-policy.json(5) for more details. signature_policy = "" +# List of registries to skip TLS verification for pulling images. Please +# consider configuring the registries via /etc/containers/registries.conf before +# changing them here. +#insecure_registries = "[]" + # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. image_volumes = "mkdir" @@ -292,3 +330,12 @@ network_dir = "/etc/cni/net.d/" plugin_dirs = [ "/opt/cni/bin/", ] + +# A necessary configuration for Prometheus based metrics retrieval +[crio.metrics] + +# Globally enable or disable metrics support. +enable_metrics = false + +# The port on which the metrics server will listen. +metrics_port = 9090 diff --git a/platform/cri-o/crio.conf.upstream b/platform/cri-o/crio.conf.upstream index 10006caf9..b1582dfe1 100644 --- a/platform/cri-o/crio.conf.upstream +++ b/platform/cri-o/crio.conf.upstream @@ -1,4 +1,3 @@ - # The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. 
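Review bot: The commented-out example `#insecure_registries = "[]"` is a TOML string, not a list, so anyone who enables it by deleting the `#` as written will hand CRI-O a string where a list of registries is presumably expected, and will only find out when the daemon rejects or misreads the config. Since this option turns off TLS verification for image pulls, the example should be shaped so the trivial edit is the safe one: `#insecure_registries = [` followed by `#]`. The same wording appears in crio.conf.upstream, so this is inherited from upstream; fixing it only in crio.conf.in, which is the file actually deployed, is reasonable.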
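Review bot: The new `[crio.metrics]` table is disabled by default, which is the right choice, but the only setting it exposes is `metrics_port = 9090`, so nothing in this template records which interface the endpoint would bind to or that it carries no TLS or authentication settings at all. A caveat above `enable_metrics`, e.g. `# NOTE: if enabled, this template offers no bind-address, TLS or auth setting for the endpoint; confirm what interface it listens on before turning it on`, would stop a later operator from flipping it on without that check. Whether the 1.16 server binds all interfaces is not visible from this hunk and should be verified against the binary.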
@@ -32,14 +31,12 @@ #storage_option = [ #] -# If set to false, in-memory locking will be used instead of file-based locking. -# **Deprecated** this option will be removed in the future. -file_locking = false - -# Path to the lock file. -# **Deprecated** this option will be removed in the future. -file_locking_path = "/run/crio.lock" +# The default log directory where all logs will go unless directly specified by +# the kubelet. The log directory specified must be an absolute directory. +log_dir = "/var/log/crio/pods" +# Location for CRI-O to lay down the version file +version_file = "/var/lib/crio/version" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] @@ -47,6 +44,9 @@ file_locking_path = "/run/crio.lock" # Path to AF_LOCAL socket on which CRI-O will listen. listen = "/var/run/crio/crio.sock" +# Host IP considered as the primary IP to use by CRI-O for things such as host network IP. +host_ip = "" + # IP address on which the stream server will listen. stream_address = "127.0.0.1" @@ -62,11 +62,11 @@ stream_enable_tls = false stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can -# change, and CRI-O will automatically pick up the changes within 5 minutes. +# change and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client -# communication with the encrypted stream. This file can change, and CRI-O will +# communication with the encrypted stream. This file can change and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" 
@@ -95,10 +95,11 @@ default_runtime = "runc" no_pivot = false # Path to the conmon binary, used for monitoring the OCI runtime. -conmon = "/usr/local/libexec/crio/conmon" +# Will be searched for using $PATH if empty. +conmon = "" # Cgroup setting for conmon -conmon_cgroup = "pod" +conmon_cgroup = "system.slice" # Environment variable list for the conmon process, used for passing necessary # environment variables to conmon or the runtime. @@ -116,7 +117,7 @@ seccomp_profile = "" # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default-" followed by the version string of CRI-O. -apparmor_profile = "crio-default-1.15.2" +apparmor_profile = "crio-default-1.16.3" # Cgroup management implementation used for the runtime. cgroup_manager = "cgroupfs" @@ -152,6 +153,7 @@ additional_devices = [ # Path to OCI hooks directories for automatically executed hooks. hooks_dir = [ + "/usr/share/containers/oci/hooks.d", ] # List of default mounts for each container. **Deprecated:** this option will @@ -192,6 +194,9 @@ container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" +# The prefix to use for the source of the bind mounts. +bind_mount_prefix = "" + # If set to true, all containers will run in read-only mode. read_only = false @@ -200,9 +205,6 @@ read_only = false # configuration reload. log_level = "error" -# The default log directory where all logs will go unless directly specified by the kubelet -log_dir = "/var/log/crio/pods" - # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. 
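Review bot: The upstream default for `hooks_dir` now includes `/usr/share/containers/oci/hooks.d`, while crio.conf.in in this same commit keeps `hooks_dir` empty (no hunk here touches it), and that divergence is undocumented. OCI hooks are, as I understand them, executables the runtime runs on the host at container lifecycle events, so keeping the list empty is the conservative choice and presumably deliberate; it deserves a comment next to `hooks_dir` in crio.conf.in so the next upstream sync does not "fix" it, e.g. `# Intentionally empty (upstream defaults to /usr/share/containers/oci/hooks.d): hooks run on the host and we do not want them picked up from the filesystem.`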
@@ -224,7 +226,24 @@ manage_network_ns_lifecycle = false # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level -# of trust of the workload. +# of trust of the workload. Each entry in the table should follow the format: +# +#[crio.runtime.runtimes.runtime-handler] +# runtime_path = "/path/to/the/executable" +# runtime_type = "oci" +# runtime_root = "/path/to/the/root" +# +# Where: +# - runtime-handler: name used to identify the runtime +# - runtime_path (optional, string): absolute path to the runtime executable in +# the host filesystem. If omitted, the runtime-handler identifier should match +# the runtime executable name, and the runtime executable should be placed +# in $PATH. +# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If +# omitted, an "oci" runtime is assumed. +# - runtime_root (optional, string): root directory for storage of containers +# state. + [crio.runtime.runtimes.runc] runtime_path = "" @@ -232,6 +251,19 @@ runtime_type = "oci" runtime_root = "/run/runc" +# Kata Containers is an OCI runtime, where containers are run inside lightweight +# VMs. Kata provides additional isolation towards the host, minimizing the host attack +# surface and mitigating the consequences of containers breakout. + +# Kata Containers with the default configured VMM +#[crio.runtime.runtimes.kata-runtime] + +# Kata Containers with the QEMU VMM +#[crio.runtime.runtimes.kata-qemu] + +# Kata Containers with the Firecracker VMM +#[crio.runtime.runtimes.kata-fc] + # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide 
@@ -258,7 +290,9 @@ pause_image = "k8s.gcr.io/pause:3.1" pause_image_auth_file = "" # The command to run to have a container stay in the paused state. -# This option supports live configuration reload. +# When explicitly set to "", it will fallback to the entrypoint and command +# specified in the pause image. When commented out, it will fallback to the +# default: "/pause". This option supports live configuration reload. pause_command = "/pause" # Path to the file which decides what sort of policy we use when deciding @@ -268,6 +302,11 @@ pause_command = "/pause" # refer to containers-policy.json(5) for more details. signature_policy = "" +# List of registries to skip TLS verification for pulling images. Please +# consider configuring the registries via /etc/containers/registries.conf before +# changing them here. +#insecure_registries = "[]" + # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. image_volumes = "mkdir" @@ -292,3 +331,12 @@ network_dir = "/etc/cni/net.d/" plugin_dirs = [ "/opt/cni/bin/", ] + +# A necessary configuration for Prometheus based metrics retrieval +[crio.metrics] + +# Globally enable or disable metrics support. +enable_metrics = false + +# The port on which the metrics server will listen. +metrics_port = 9090 diff --git a/platform/cri-o/deps.bzl b/platform/cri-o/deps.bzl index f5c593a87..dcb768682 100644 --- a/platform/cri-o/deps.bzl +++ b/platform/cri-o/deps.bzl @@ -3,7 +3,7 @@ load("@bazel_gazelle//:deps.bzl", "go_repository") def cri_o_dependencies(): go_repository( name = "com_github_cri_o_cri_o", - commit = "b7316701c17ebc7901d10a716f15e66008c52525", # 1.15.2 + commit = "dd73a465144f71031728f0de8439ddda08c98119", # 1.16.3 importpath = "github.com/cri-o/cri-o", build_external = "vendored", build_file_proto_mode = "disable_global", 
@@ -13,3 +13,14 @@ def cri_o_dependencies(): ], patch_args = ["-p1"], ) + + go_repository( + name = "com_github_containers_conmon", + commit = "1bddbf7051a973f4a4fecf06faa0c48e82f1e9e1", # 2.0.15 + importpath = "github.com/containers/conmon", + build_file_generation = "off", + patches = [ + "//cri-o:conmon.patch", + ], + patch_args = ["-p1"], + )