CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.
breakingTest systemd workloads with user namespaces
A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.
enhancementConfigure TLS settings for production security
New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.
enhancementVerify runc v1.4.0 compatibility
The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.
主な変更 (5)
- Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
- Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
- Improved OCI artifact pull fallback logic to skip retries on retryable errors
- Updated runc to v1.4.0 and multiple dependency versions for stability
- Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options