Cri-o stretches focus in 1.17 release


Cri-o, an implementation of the Kubernetes Container Runtime Interface based on the Open Container Initiative, has hit 1.17 – two months after the big K8s made the jump. 

Although the project is still in the incubation stage of the Cloud Native Computing Foundation’s graduation process, cri-o has been getting quite a bit of attention lately. Red Hat for example made the container engine the default in their OpenShift Container Platform, replacing Docker as the standard.

With the new release, users have the opportunity to add partial configuration files to a drop-in configuration directory. Those then get applied to the configuration in processing order, leaving the global config as the one with the lowest priority. Version 1.17 also extends the range of namespaces cri-o is able to manage from network only to IPC and UTS namespaces. 

The latter might come as a surprise to some, since the focus on the network namespace was often lauded as a feature, making the whole project more lightweight. Other user facing changes include a way to decrypt images, and a HUP reload feature for SystemRegistries.

To grant more insight into different systems, the project team added metrics for image pulls and the time needed to set up networks. There now also is a conmon monitoring loop to make sure the process, which for example handles logging for a container, doesn’t run into out of memory errors.

Under the hood a new runtime field to “restrict devices in privileged mode” as well as an option to set container environment variables before the user have been included.