Releases: cri-o/cri-o
v1.33.2
CRI-O v1.33.2
The release notes have been generated for the commit range
v1.33.1...v1.33.2 on Wed, 02 Jul 2025 00:25:39 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.2.tar.gz
- cri-o.arm64.v1.33.2.tar.gz
- cri-o.ppc64le.v1.33.2.tar.gz
- cri-o.s390x.v1.33.2.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.2.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.2 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.2 \
--signature cri-o.amd64.v1.33.2.tar.gz.sig \
--certificate cri-o.amd64.v1.33.2.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.2.tar.gz
> bom validate -e cri-o.amd64.v1.33.2.tar.gz.spdx -d cri-o
Changelog since v1.33.1
Changes by Kind
Uncategorized
- Fix a bug where CRI-O did not respect cases where the kubelet instructed it to unmask /proc for containers (#9288, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.32.6
CRI-O v1.32.6
The release notes have been generated for the commit range
v1.32.5...v1.32.6 on Wed, 02 Jul 2025 00:25:35 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.6.tar.gz
- cri-o.arm64.v1.32.6.tar.gz
- cri-o.ppc64le.v1.32.6.tar.gz
- cri-o.s390x.v1.32.6.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.6.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.6 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.6 \
--signature cri-o.amd64.v1.32.6.tar.gz.sig \
--certificate cri-o.amd64.v1.32.6.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.6.tar.gz
> bom validate -e cri-o.amd64.v1.32.6.tar.gz.spdx -d cri-o
Changelog since v1.32.5
Changes by Kind
Bug or Regression
- Fix a potential deadlock when an infra container is taking a long time to exit and the sandbox's readiness is blocked on the infra container's opLock (#9224, @haircommander)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.10
CRI-O v1.31.10
The release notes have been generated for the commit range
v1.31.9...v1.31.10 on Wed, 02 Jul 2025 00:25:43 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.10.tar.gz
- cri-o.arm64.v1.31.10.tar.gz
- cri-o.ppc64le.v1.31.10.tar.gz
- cri-o.s390x.v1.31.10.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.10.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.10 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.10 \
--signature cri-o.amd64.v1.31.10.tar.gz.sig \
--certificate cri-o.amd64.v1.31.10.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.10.tar.gz
> bom validate -e cri-o.amd64.v1.31.10.tar.gz.spdx -d cri-o
Changelog since v1.31.9
Changes by Kind
Bug or Regression
- Fixed
make install
for building the man pages. (#9279, @saschagrunert)
Uncategorized
- Fix a potential deadlock when an infra container is taking a long time to exit and the sandbox's readiness is blocked on the infra container's opLock (#9291, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.32.5
CRI-O v1.32.5
The release notes have been generated for the commit range
v1.32.4...v1.32.5 on Wed, 04 Jun 2025 00:34:03 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.5.tar.gz
- cri-o.arm64.v1.32.5.tar.gz
- cri-o.ppc64le.v1.32.5.tar.gz
- cri-o.s390x.v1.32.5.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.5.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.5 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.5 \
--signature cri-o.amd64.v1.32.5.tar.gz.sig \
--certificate cri-o.amd64.v1.32.5.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.5.tar.gz
> bom validate -e cri-o.amd64.v1.32.5.tar.gz.spdx -d cri-o
Changelog since v1.32.4
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.30.14
CRI-O v1.30.14
The release notes have been generated for the commit range
v1.30.13...v1.30.14 on Wed, 04 Jun 2025 00:34:05 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.30.14.tar.gz
- cri-o.arm64.v1.30.14.tar.gz
- cri-o.ppc64le.v1.30.14.tar.gz
- cri-o.s390x.v1.30.14.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.30.14.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.30.14 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.30.14 \
--signature cri-o.amd64.v1.30.14.tar.gz.sig \
--certificate cri-o.amd64.v1.30.14.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.30.14.tar.gz
> bom validate -e cri-o.amd64.v1.30.14.tar.gz.spdx -d cri-o
Changelog since v1.30.13
Changes by Kind
Uncategorized
- Disabled
pull-progress-timeout
per default. (#9144, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.33.1
CRI-O v1.33.1
The release notes have been generated for the commit range
v1.33.0...v1.33.1 on Tue, 03 Jun 2025 00:34:34 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.1.tar.gz
- cri-o.arm64.v1.33.1.tar.gz
- cri-o.ppc64le.v1.33.1.tar.gz
- cri-o.s390x.v1.33.1.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.1.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.1 \
--signature cri-o.amd64.v1.33.1.tar.gz.sig \
--certificate cri-o.amd64.v1.33.1.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.1.tar.gz
> bom validate -e cri-o.amd64.v1.33.1.tar.gz.spdx -d cri-o
Changelog since v1.33.0
Changes by Kind
Uncategorized
- Fix a potential deadlock when an infra container is taking a long time to exit and the sandbox's readiness is blocked on the infra container's opLock (#9214, @openshift-cherrypick-robot)
- Fixes a crash introduced in 1.33.0 when cleaning up a pod that uses HostPorts
on a system that has either just iptables (but not nftables) or just nftables
(but not iptables). (#9241, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.9
CRI-O v1.31.9
The release notes have been generated for the commit range
v1.31.8...v1.31.9 on Tue, 03 Jun 2025 00:34:33 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.9.tar.gz
- cri-o.arm64.v1.31.9.tar.gz
- cri-o.ppc64le.v1.31.9.tar.gz
- cri-o.s390x.v1.31.9.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.9.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.9 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.9 \
--signature cri-o.amd64.v1.31.9.tar.gz.sig \
--certificate cri-o.amd64.v1.31.9.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.9.tar.gz
> bom validate -e cri-o.amd64.v1.31.9.tar.gz.spdx -d cri-o
Changelog since v1.31.8
Changes by Kind
Uncategorized
- Disabled
pull-progress-timeout
per default. (#9143, @openshift-cherrypick-robot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.33.0
CRI-O v1.33.0
The release notes have been generated for the commit range
v1.32.0...v1.33.0 on Fri, 16 May 2025 00:24:44 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.33.0.tar.gz
- cri-o.arm64.v1.33.0.tar.gz
- cri-o.ppc64le.v1.33.0.tar.gz
- cri-o.s390x.v1.33.0.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.0.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.33.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.33.0 \
--signature cri-o.amd64.v1.33.0.tar.gz.sig \
--certificate cri-o.amd64.v1.33.0.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.33.0.tar.gz
> bom validate -e cri-o.amd64.v1.33.0.tar.gz.spdx -d cri-o
Changelog since v1.32.0
Changes by Kind
Other
- Fix path traversal in CRI-O log handling (#8968, @sohankunkerkar)
Deprecation
- Explicit configuration for
LimitNOFILE
in the referencecrio.service
systemd service file is removed.
Warning: Administrators on platforms running versions less than systemd 240 should explicitly configure LimitNOFILE=1024:524288
or risk falling back to the kernel default of 4096
. (#8962, @saschagrunert)
API Change
- Added container stop signal feature (KEP-4960). (#9086, @bitoku)
- Disabled
pull-progress-timeout
per default. (#9130, @saschagrunert)
Feature
- Add option to enable/disable OCI Artifact mount. (#9147, @bitoku)
- Add support for OCI Artifact (#9062, @bitoku)
- Added OCI artifact store support. This means that CRI-O now stores artifacts per default in
/var/lib/containers/storage/artifacts
, which are handled as pinned images. The artifacts
are pullable usingcrictl pull
and will also show-up incrictl images
. It is also possible to
crictl inspecti
them as well as deleting them usingcrictl rmi
. (#8996, @saschagrunert) - Added image volume subpath support for Kubernetes v1.33 (kubernetes/enhancements#4639). (#9050, @saschagrunert)
- Added multi-architecture artifacts support. (#9194, @bitoku)
- Added new metric
container_spec_memory_limit_bytes
to display the memory limit of containers in bytes. (#9140, @bingikarthik) - Added option
--privileged-seccomp-profile
/privileged_seccomp_profile
to allow specifying a seccomp profile for privileged containers. (#9190, @saschagrunert) - Added runtime config block to the
StatusResponse
returned by the CRI Status endpoint. (#9129, @tariq1890) - Added support for OCI artifact mount sub paths. (#9159, @saschagrunert)
- Added support for handling CNAI models from OCI artifacts. (#9131, @saschagrunert)
- Experimental support for FreeBSD. (#7727, @dfr)
- Signature verification for image volumes (#9060, @xw19)
Bug or Regression
- Decouple CNI plugin initialization from CRI-O health checks. (#8911, @sohankunkerkar)
- Fix a panic when default_annotations are used (#8867, @haircommander)
- Fix artifact handling to retrieve artifact status using both the canonical name and the short name. (#9081, @bitoku)
- Fix log rotation failure during pod termination (#8868, @bitoku)
- Fixed bug to allow
conmon_cgroup
to be empty when cgroup manager iscgroupfs
. (#8888, @xw19) - Fixed context cancellation when image pull progress timeout is
0
(--pull-progress-timeout=0
/pull_progress_timeout=0
) (#8998, @saschagrunert) - Fixed log format from klog. (#8918, @bitoku)
- Prevent multiple crio wipes on reboot (#9059, @PannagaRao)
Other (Cleanup or Flake)
- Change log levels and formats for some iptables logs and klog related logs. (#8883, @bitoku)
- Changed runtime default masked paths for non privileged containers to:
- /proc/acpi
- /proc/asound
- /proc/interrupts
- /proc/kcore
- /proc/keys
- /proc/latency_stats
- /proc/sched_debug
- /proc/scsi
- /proc/timer_list
- /proc/timer_stats
- /sys/devices/system/cpu/cpu/thermal_throttle
- /sys/devices/virtual/powercap
- /sys/firmware
- /sys/fs/selinux (#9069, @saschagrunert)
- Hostports are now implemented using nftables rather than iptables.
cri-o now depends on thenft
binary being available (and
does not depend on the iptables binaries being available). (#8684, @danwinship) - Improve
sync.Map
iterators with an implicit call (#8871, @roman-kiselenko) - Increased
pull-progress-timeout
to default to30s
. (#9108, @saschagrunert) - Removed
exclude_graphdriver_devicemapper
build tag usage. (#8994, @saschagrunert) - Removed image status
info
log message for the response, we already provide that information in thedebug
logs. (#9034, @saschagrunert) - Require go 1.24 for build. (#9051, @saschagrunert)
- Update Packit configuration to remove reference to Fedora 39. (#8898, @buckaroogeek)
Dependencies
Added
- github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider: v0.14.0
- github.com/CloudNativeAI/model-spec: v0.0.4
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.26.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric: v0.49.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping: [v0.49.0](https://github.com/GoogleClo...
v1.32.4
CRI-O v1.32.4
The release notes have been generated for the commit range
v1.32.3...v1.32.4 on Fri, 02 May 2025 10:06:39 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.32.4.tar.gz
- cri-o.arm64.v1.32.4.tar.gz
- cri-o.ppc64le.v1.32.4.tar.gz
- cri-o.s390x.v1.32.4.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.32.4.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.32.4 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.32.4 \
--signature cri-o.amd64.v1.32.4.tar.gz.sig \
--certificate cri-o.amd64.v1.32.4.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.32.4.tar.gz
> bom validate -e cri-o.amd64.v1.32.4.tar.gz.spdx -d cri-o
Changelog since v1.32.3
Changes by Kind
Other (Cleanup or Flake)
- Disabled
pull-progress-timeout
per default. (#9133, @saschagrunert)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
v1.31.8
CRI-O v1.31.8
The release notes have been generated for the commit range
v1.31.7...v1.31.8 on Fri, 02 May 2025 10:06:51 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
- cri-o.amd64.v1.31.8.tar.gz
- cri-o.arm64.v1.31.8.tar.gz
- cri-o.ppc64le.v1.31.8.tar.gz
- cri-o.s390x.v1.31.8.tar.gz
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.31.8.tar.gz \
--certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.31.8 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/cri-o \
--certificate-github-workflow-ref refs/tags/v1.31.8 \
--signature cri-o.amd64.v1.31.8.tar.gz.sig \
--certificate cri-o.amd64.v1.31.8.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.v1.31.8.tar.gz
> bom validate -e cri-o.amd64.v1.31.8.tar.gz.spdx -d cri-o
Changelog since v1.31.7
Changes by Kind
Uncategorized
- Prevent multiple crio wipes on reboot (#9137, @PannagaRao)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.