Upgrade CRI-O to 1.16.3

platform/cri-o/BUILD.bazel

@@ -10,7 +10,7 @@ homeworld_deb(
     name = "package",
     bin = {
         "@com_github_cri_o_cri_o//cmd/crio": "/usr/bin/crio",
-        "@com_github_cri_o_cri_o//conmon": "/usr/libexec/crio/conmon",
+        "@com_github_containers_conmon//:conmon": "/usr/libexec/crio/conmon",
     },
     data = {
         ":crio.conf": "/etc/crio/crio.conf",

platform/cri-o/build.patch

@@ -1,6 +1,6 @@
 diff --git a/BUILD.bazel b/BUILD.bazel
 new file mode 100644
-index 0000000..bf0a685
+index 000000000..a79f430ae
 --- /dev/null
 +++ b/BUILD.bazel
 @@ -0,0 +1,15 @@
@@ -19,68 +19,8 @@ index 0000000..bf0a685
 +    cmd = "\"$(location //cmd/crio)\" --root=\"/nonexistent\" --runroot \"/nonexistent\" --storage-driver=\"\" --config=\"\" config >\"$@\"",
 +    visibility = ["//visibility:public"],
 +)
-diff --git a/conmon/BUILD.bazel b/conmon/BUILD.bazel
-new file mode 100644
-index 0000000..9b97598
---- /dev/null
-+++ b/conmon/BUILD.bazel
-@@ -0,0 +1,46 @@
-+# TODO: include -std=c99 in C builds
-+
-+genrule(
-+    name = "config.h-genrule",
-+    outs = [":conf/config.h"],
-+    tools = ["//cmd/crio-config"],
-+    cmd = """
-+        REL="$$(realpath "$(location //cmd/crio-config)")"
-+        cd \"$(@D)\"
-+        "$${REL}"
-+    """,
-+)
-+
-+cc_library(
-+    name = "glibinc",
-+    hdrs = [":glibobject-include/glibconfig.h"],
-+    includes = ["glibobject-include"],
-+    linkopts = ["-lglib-2.0"],
-+)
-+
-+cc_library(
-+    name = "configinc",
-+    hdrs = [":conf/config.h"],
-+    includes = ["conf"],
-+)
-+
-+cc_binary(
-+    name = "conmon",
-+    srcs = [
-+        ":conmon.c",
-+        ":cmsg.c",
-+        ":cmsg.h",
-+        ":utils.c",
-+        ":utils.h",
-+        ":ctr_logging.c",
-+        ":ctr_logging.h",
-+    ],
-+    # TODO: get these dynamically, not statically
-+    defines = [
-+        "VERSION='\"1.10.7-dev\"'",
-+        "GIT_COMMIT='\"210d46c717c5dcb6d11302723eb9d20575ee7a78\"'",
-+    ],
-+    deps = [":glibinc", ":configinc"],
-+    copts = ["-I/usr/include/glib-2.0"],
-+    visibility = ["//visibility:public"],
-+)
-diff --git a/conmon/glibobject-include b/conmon/glibobject-include
-new file mode 120000
-index 0000000..3638b19
---- /dev/null
-+++ b/conmon/glibobject-include
-@@ -0,0 +1 @@
-+/usr/lib/x86_64-linux-gnu/glib-2.0/include
-\ No newline at end of file
 diff --git a/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel b/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel
-index bd64ed0..a12b9f5 100644
+index c8f3bf6be..495ea30a4 100644
 --- a/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel
 +++ b/vendor/github.com/containers/storage/pkg/devicemapper/BUILD.bazel
 @@ -12,6 +12,7 @@ go_library(
@@ -92,7 +32,7 @@ index bd64ed0..a12b9f5 100644
      importpath = "github.com/containers/storage/pkg/devicemapper",
      visibility = ["//visibility:public"],
 diff --git a/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel b/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel
-index 3a0a989..9e0efbe 100644
+index 6cd7977bd..c51281f0d 100644
 --- a/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel
 +++ b/vendor/github.com/seccomp/libseccomp-golang/BUILD.bazel
 @@ -7,6 +7,7 @@ go_library(
@@ -103,20 +43,37 @@ index 3a0a989..9e0efbe 100644
      importmap = "github.com/cri-o/cri-o/vendor/github.com/seccomp/libseccomp-golang",
      importpath = "github.com/seccomp/libseccomp-golang",
      visibility = ["//visibility:public"],
---- a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD	2019-09-29 15:55:01.213000000 -0400
-+++ b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD	2019-09-29 15:36:54.915000000 -0400
+diff --git a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel
+index 36055b042..1e3c1c9a5 100644
+--- a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel
++++ b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel
+@@ -2,10 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+ go_library(
+     name = "go_default_library",
+-    srcs = [
+-        "ed25519.go",
+-        "ed25519_go113.go",
+-    ],
++    srcs = ["ed25519.go"],
+     importmap = "github.com/cri-o/cri-o/vendor/golang.org/x/crypto/ed25519",
+     importpath = "golang.org/x/crypto/ed25519",
+     visibility = ["//visibility:public"],
+diff --git a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD
+index 4d61ac5ba..784db97c9 100644
+--- a/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD
++++ b/vendor/k8s.io/apimachinery/pkg/util/sets/BUILD
 @@ -1,6 +1,5 @@
  package(default_visibility = ["//visibility:public"])
 
 -load("@io_k8s_repo_infra//defs:go.bzl", "go_genrule")
  load(
      "@io_bazel_rules_go//go:def.bzl",
      "go_library",
-@@ -19,35 +13,6 @@
-     importmap = "github.com/cri-o/cri-o/vendor/k8s.io/apimachinery/pkg/util/sets",
+@@ -21,35 +20,6 @@ go_library(
      importpath = "k8s.io/apimachinery/pkg/util/sets",
  )
--
+ 
 -# This rule makes all sorts of terrible assumptions that it's running inside k8s.io/kubernetes, even though it's part of k8s.io/apimachinery. :\
 -go_genrule(
 -    name = "set-gen",
@@ -145,22 +102,19 @@ index 3a0a989..9e0efbe 100644
 -        "//vendor/k8s.io/code-generator/cmd/set-gen",
 -    ],
 -)
- 
+-
  filegroup(
      name = "package-srcs",
---- a/vendor/golang.org/x/crypto/ed25519/BUILD.bazel	2019-09-29 15:57:46.980000000 -0400
-+++ b/vendor/golang.org/x/crypto/ed25519/BUILD.bazel	2019-09-29 15:36:54.862000000 -0400
-@@ -2,12 +2,9 @@
+     srcs = glob(["**"]),
+diff --git a/vendor/k8s.io/component-base/metrics/BUILD b/vendor/k8s.io/component-base/metrics/BUILD
+index 06398d377..9feb27b0c 100644
+--- a/vendor/k8s.io/component-base/metrics/BUILD
++++ b/vendor/k8s.io/component-base/metrics/BUILD
+@@ -4,7 +4,6 @@ load(
+     "@io_bazel_rules_go//go:def.bzl",
+     "go_library",
+ )
+-load("//staging/src/k8s.io/component-base/version:def.bzl", "version_x_defs")
 
  go_library(
      name = "go_default_library",
--    srcs = [
--        "ed25519.go",
--        "ed25519_go113.go",
--    ],
-+    srcs = ["ed25519.go"],
-     importmap = "github.com/cri-o/cri-o/vendor/golang.org/x/crypto/ed25519",
-     importpath = "golang.org/x/crypto/ed25519",
-     visibility = ["//visibility:public"],
-     deps = ["//vendor/golang.org/x/crypto/ed25519/internal/edwards25519:go_default_library"],
- )

platform/cri-o/conmon.patch

@@ -0,0 +1,38 @@
+diff --git a/BUILD.bazel b/BUILD.bazel
+new file mode 100644
+index 0000000..94a1f5c
+--- /dev/null
++++ b/BUILD.bazel
+@@ -0,0 +1,24 @@
++# TODO: include -std=c99 in C builds
++
++cc_library(
++    name = "glibinc",
++    hdrs = [":glibobject-include/glibconfig.h"],
++    includes = ["glibobject-include"],
++    linkopts = ["-lglib-2.0"],
++)
++
++cc_binary(
++    name = "conmon",
++    srcs = glob([
++		"src/*.c",
++		"src/*.h",
++    ]),
++    # TODO: get these dynamically, not statically
++    defines = [
++        "VERSION='\"2.0.16-dev\"'",
++        "GIT_COMMIT='\"e34c6d60f06d48d293e747d2b59e601137e650dd\"'",
++    ],
++    deps = [":glibinc"],
++    copts = ["-I/usr/include/glib-2.0"],
++    visibility = ["//visibility:public"],
++)
+diff --git a/glibobject-include b/glibobject-include
+new file mode 120000
+index 0000000..3638b19
+--- /dev/null
++++ b/glibobject-include
+@@ -0,0 +1 @@
++/usr/lib/x86_64-linux-gnu/glib-2.0/include
+\ No newline at end of file

platform/cri-o/crio.conf.in

@@ -1,4 +1,3 @@
-
 # The CRI-O configuration file specifies all of the available configuration
 # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
 # daemon, but in a TOML format that can be more easily modified and versioned.
@@ -32,21 +31,22 @@ storage_driver = ""
 storage_option = [
 ]
 
-# If set to false, in-memory locking will be used instead of file-based locking.
-# **Deprecated** this option will be removed in the future.
-file_locking = false
-
-# Path to the lock file.
-# **Deprecated** this option will be removed in the future.
-file_locking_path = "/run/crio.lock"
+# The default log directory where all logs will go unless directly specified by
+# the kubelet. The log directory specified must be an absolute directory.
+log_dir = "/var/log/crio/pods"
 
+# Location for CRI-O to lay down the version file
+version_file = "/var/lib/crio/version"
 
 # The crio.api table contains settings for the kubelet/gRPC interface.
 [crio.api]
 
 # Path to AF_LOCAL socket on which CRI-O will listen.
 listen = "/var/run/crio/crio.sock"
 
+# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
+host_ip = ""
+
 # IP address on which the stream server will listen.
 stream_address = "127.0.0.1"
 
@@ -62,11 +62,11 @@ stream_enable_tls = false
 stream_tls_cert = ""
 
 # Path to the key file used to serve the encrypted stream. This file can
-# change, and CRI-O will automatically pick up the changes within 5 minutes.
+# change and CRI-O will automatically pick up the changes within 5 minutes.
 stream_tls_key = ""
 
 # Path to the x509 CA(s) file used to verify and authenticate client
-# communication with the encrypted stream. This file can change, and CRI-O will
+# communication with the encrypted stream. This file can change and CRI-O will
 # automatically pick up the changes within 5 minutes.
 stream_tls_ca = ""
 
@@ -95,6 +95,7 @@ default_runtime = "runc"
 no_pivot = false
 
 # Path to the conmon binary, used for monitoring the OCI runtime.
+# Will be searched for using $PATH if empty.
 conmon = "/usr/libexec/crio/conmon"
 
 # Cgroup setting for conmon
@@ -116,7 +117,7 @@ seccomp_profile = ""
 
 # Used to change the name of the default AppArmor profile of CRI-O. The default
 # profile name is "crio-default-" followed by the version string of CRI-O.
-apparmor_profile = "crio-default-1.15.2"
+apparmor_profile = "crio-default-1.16.3"
 
 # Cgroup management implementation used for the runtime.
 cgroup_manager = "cgroupfs"
@@ -192,6 +193,9 @@ container_exits_dir = "/var/run/crio/exits"
 # Path to directory for container attach sockets.
 container_attach_socket_dir = "/var/run/crio"
 
+# The prefix to use for the source of the bind mounts.
+bind_mount_prefix = ""
+
 # If set to true, all containers will run in read-only mode.
 read_only = false
 
@@ -200,9 +204,6 @@ read_only = false
 # configuration reload.
 log_level = "error"
 
-# The default log directory where all logs will go unless directly specified by the kubelet
-log_dir = "/var/log/crio/pods"
-
 # The UID mappings for the user namespace of each container. A range is
 # specified in the form containerUID:HostUID:Size. Multiple ranges must be
 # separated by comma.
@@ -224,14 +225,44 @@ manage_network_ns_lifecycle = false
 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
 # If no runtime_handler is provided, the runtime will be picked based on the level
-# of trust of the workload.
+# of trust of the workload. Each entry in the table should follow the format:
+#
+#[crio.runtime.runtimes.runtime-handler]
+#  runtime_path = "/path/to/the/executable"
+#  runtime_type = "oci"
+#  runtime_root = "/path/to/the/root"
+#
+# Where:
+# - runtime-handler: name used to identify the runtime
+# - runtime_path (optional, string): absolute path to the runtime executable in
+#   the host filesystem. If omitted, the runtime-handler identifier should match
+#   the runtime executable name, and the runtime executable should be placed
+#   in $PATH.
+# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
+#   omitted, an "oci" runtime is assumed.
+# - runtime_root (optional, string): root directory for storage of containers
+#   state.
+
 
 [crio.runtime.runtimes.runc]
 runtime_path = "/usr/bin/runc"
 runtime_type = "oci"
 runtime_root = "/run/runc"
 
 
+# Kata Containers is an OCI runtime, where containers are run inside lightweight
+# VMs. Kata provides additional isolation towards the host, minimizing the host attack
+# surface and mitigating the consequences of containers breakout.
+
+# Kata Containers with the default configured VMM
+#[crio.runtime.runtimes.kata-runtime]
+
+# Kata Containers with the QEMU VMM
+#[crio.runtime.runtimes.kata-qemu]
+
+# Kata Containers with the Firecracker VMM
+#[crio.runtime.runtimes.kata-fc]
+
 # The crio.image table contains settings pertaining to the management of OCI images.
 #
 # CRI-O reads its configured registries defaults from the system wide
@@ -258,7 +289,9 @@ pause_image = "homeworld.private/pause@{PAUSE_DIGEST}"
 pause_image_auth_file = ""
 
 # The command to run to have a container stay in the paused state.
-# This option supports live configuration reload.
+# When explicitly set to "", it will fallback to the entrypoint and command
+# specified in the pause image. When commented out, it will fallback to the
+# default: "/pause". This option supports live configuration reload.
 pause_command = "/pause"
 
 # Path to the file which decides what sort of policy we use when deciding
@@ -268,6 +301,11 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = ""
 
+# List of registries to skip TLS verification for pulling images. Please
+# consider configuring the registries via /etc/containers/registries.conf before
+# changing them here.
+#insecure_registries = "[]"
+
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
@@ -292,3 +330,12 @@ network_dir = "/etc/cni/net.d/"
 plugin_dirs = [
 	"/opt/cni/bin/",
 ]
+
+# A necessary configuration for Prometheus based metrics retrieval
+[crio.metrics]
+
+# Globally enable or disable metrics support.
+enable_metrics = false
+
+# The port on which the metrics server will listen.
+metrics_port = 9090