Packages changed:
  container-selinux (2.158.0 -> 2.160.1)
  cri-o (1.20.2 -> 1.21.0)
  dnf (4.6.1 -> 4.7.0)
  grub2
  kernel-source (5.11.15 -> 5.11.16)
  kexec-tools (2.0.20 -> 2.0.21)
  kubernetes (1.20.2 -> 1.21.0)
  kubernetes1.20 (1.20.2 -> 1.20.6)
  libgcrypt (1.9.2 -> 1.9.3)
  lvm2
  lvm2-device-mapper
  patterns-microos
  python-M2Crypto
  python-MarkupSafe
  python-jsonpatch (1.28 -> 1.31)
  rook (1.5.7+git4.gae949004e -> 1.5.10+git4.g309ad2f64)
  suse-module-tools (15.4.0 -> 15.4.1)

=== Details ===

==== container-selinux ====
Version update (2.158.0 -> 2.160.1)

- Fix container runtime binary labels (bsc#1185030). You need to relabel at least /usr/sbin if you're affected

==== cri-o ====
Version update (1.20.2 -> 1.21.0)
Subpackages: cri-o-kubeadm-criconfig

- Update to version 1.21.0:
  * bump to v1.21.0
  * config: drop registries field as it is no longer supported
  * Revert "test: drop unneeded sed statement"
  * WIP: add debug print
  * test: drop unneeded sed statement
  * config: fix template insecure_registries field
  * config: drop commented config lines
  * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0
  * Bump OpenShift CI cri-tools version and fix build path
  * build(deps): bump github.com/containers/image/v5 from 5.10.5 to 5.11.0
  * Bump cri-tools to v1.21.0
  * Update Kubernetes to v1.21.0
  * Add container out of memory metrics
  * [CLI] "crio config" only prints the fields that are different than the default.
  * Set short name mode to permissive
  * docs-validation: update to handle workloads
  * Fix unnecessary conversion lint report
  * add tests for workloads
  * integrate with server
  * config: update workloads structure
  * Clarify release cadence and version skew
  * Add correct start time to initial log output
  * Add support for workload settings
  * refactor handling of allowed_annotations
  * Do not push main binary into cachix cache
  * resourcestore: introduce ResourceCleaner
  * Use internal logging when context available
  * build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1
  * server: remove dead code
  * sandbox: use defined CRI type for NamespaceOption
  * config: remove dead code
  * oci: remove dead code
  * lib: remove dead code
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/client-go from 0.20.1 to 0.20.5
  * update pause image to 3.5 for non-root
  * build(deps): bump github.com/soheilhy/cmux from 0.1.4 to 0.1.5
  * build(deps): bump google.golang.org/grpc from 1.34.0 to 1.36.1
  * build(deps): bump github.com/containers/buildah from 1.19.8 to 1.20.0
  * build(deps): bump github.com/prometheus/client_golang
  * build(deps): bump github.com/godbus/dbus/v5 from 5.0.3 to 5.0.4
  * build(deps): bump k8s.io/cri-api from 0.20.1 to 0.20.5
  * build(deps): bump github.com/containers/podman/v3
  * build(deps): bump k8s.io/kubernetes from 1.13.0 to 1.20.5
  * crio-wipe: only clear storage if CleanShutdownFile is supported
  * Add static bundle node e2e tests to GitHub actions
  * Reload the main config file when reloading configs
  * crio wipe: only completely wipe storage after a reboot
  * Bump static binary dependency versions
  * Add dependabot config file
  * runtimeVM: Fix shimv2 binary name construction
  * config,runtimeVM: Improve runtime_path validation
  * oci_test: Add basic coverage to "RuntimeType()"
  * oci_test: Add basic coverage to "privileged_without_host_devices"
  * oci_test: Leave invalidRuntime on its own line
  * tweak scope dependencies
  * Do not return ``
    placeholders for images any more
  * Fix invalid libcontainer GetExecUser call
  * Update dependencies
  * config: Don't fail if the non default runtime doesn't pass validation
  * Remove check for CI env variable for release-notes and dependencies
  * cgmgr: add CreateSandboxCgroup method
  * inspect: send container PID for dropped infra sandbox
  * oci: specify sbox id when creating spoofed container
  * Run GitHub actions on release branches
  * Update bats to v1.3.0 (#4661)
  * use happy-eyeballs for port-forwarding
  * fix mock issues
  * fix lint issues
  * install: drop support matrix and update instructions
  * do not store context in runtime vm
  * Fix lint GitHub action
  * pkg/container: take process args
  * Use and publish version marker for CRI-O
  * Add GitHub API pages support to `get` script
  * add libbtrfs-dev to unit tests
  * Revert "server: use IsAlive() more"
  * Fix GitHub actions cache key
  * Bug 1881694: Add pull source as info level log
  * test: use latest conmon
  * runtime_vm: Create the global fifo inside the runtime root path
  * stats: fix log spam
  * Support CRI seccomp security profiles
  * oci: add unit tests for stop timeouts
  * oci: don't update stop timeout if it's earlier than old one
  * oci: update timeout even if we're ignoring kill
  * oci: don't wait too long on a long stop
  * oci: check process is still around with kill
  * Add integration test for started/finished container time
  * fix: Don't set `image-endpoint` in crictl config
  * feat: Add CLI option to set registries.conf.d path
  * Add allowed io.containers.trace-syscall annotation to static bundle
  * Make `get` script independent from `make`
  * test: correct the env variable for dropping the infra container
  * Add metric to grab latency of individual cri calls
  * Fix `get` script commit SHA retrieval
  * Add arm64 static build to GitHub actions
  * Fix GitHub actions workflow syntax
  * Updates yq commands for yq v4
  * gh-actions: also run on release branches
  * pkg/sandbox: add InitInfraContainer endpoint
  * test: reconfigure how
    runtimes are passed in
  * test: add runtime() function
  * sandbox/container: drop context
  * test: drop workaround for crun
  * pkg/sandbox: cleanup unused funcs/files
  * fix doc log_level adding trace option
  * Fix oci container update config
  * Update e2e-aws logic for 4.8
  * nsmgr: take Initalize method
  * Switch to go 1.16 for GitHub actions and remove scripts/build-test-image
  * config: remove and create the correct dir
  * Update nix pin with `make nixpkgs`
  * server: mount cgroup with rslave
  * crio wipe: ensure a clean shutdown
  * Move integration tests to GitHub actions
  * Run release-notes GitHub action after dependencies
  * Bumps github.com/containers/ocicrypt from 1.0.3 to 1.1.0.
  * config/node: refactor checking for CollectMode
  * Fix GitHub actions checkout permissions
  * change binary version to 1.21.0-dev
  * Set conmon scope KillSignal to SIGPIPE
  * Move repo modification jobs to GitHub actions
  * bump protobuf to 1.3.2
  * Log container stop timeout
  * ResourceStore: add close method
  * Allow seccomp hook tracing for separate containers
  * ResourceStore: extend tests to test WatcherForResource
  * ResourceStore: update tests to all run
  * ResourceStore: update docs for WatcherForResource
  * ResourceStore: don't segfault
  * server: support setting raw unified cgroupv2 settings
  * vendor: update runtime-specs
  * cgroup: implement fix for swap memcg on cgroup v2
  * server: leave swap mem limit unset if not supported
  * test: skip ServiceAccountIssuerDiscovery test
  * hostport manager clean up host ports
  * allows stream timeout to be set from config
  * config: pre-create pinns directories
  * Bump containers image to v5.10.1
  * Move unit tests to GitHub actions
  * Move go1.14 and 386 builds to GitHub actions
  * set kubelet node IP
  * Fix validate-completions GitHub action
  * Add integration test for pprof over unix socket
  * Add a flag for enabling profile over unix socket
  * Lookup echo command for unit tests
  * Move static build to GitHub actions
  * pinns: Fixup 'pwarn' output to match 'pwarnf'
    output
  * pinns: Don't put errno in the exit message for argument checks
  * nsmgr: use host option
  * nsmgr: Use config struct for NewPodNamespaces
  * pinns: support pinning host ns
  * Remove implicit GitHub action `name` fields
  * Move docs and completions validation to GitHub actions
  * Bump golangci-lint to v1.35.2
  * Make config tests work rootless
  * Make rootless namespace unit test execution work
  * config: fix template to show infra_ctr_cpus option
  * Do not log file path on ioutil.ReadFile
  * fixes version_test.go
  * Close the stdin/tty on server start to avoid shortname prompts
  * docs: fix http link
  * docs: update kubeadm tutorial
  * Fix `make lint`
  * Return runtime API version based on protocol
  * Update compatibility matrix to mention v1.20
  * add method comment
  * restore irqbalance config only on system restart
  * add blurb in doc and more informative name for unit tests
  * add is-enabled check for irqbalance service
  * fix unit tests
  * add unit tests
  * fix bash/zsh completions
  * fix the docs validation
  * handle irqbalance service
  * runtime_vm: set finished time when containers stop
  * nsmgr: fix/add calls to GetNamespace
  * managed namespaces: move to dedicated package
  * Provide integration test for infra-ctr-cpuset feature
  * Set CPUs for the infra containers during the creation
  * Add shell completion for infra-containers-cpu flag
  * Add new infra-containers-cpus to the CLI and config file
  * refine `registries` deprecation message
  * Circle CI: install test/registries.conf
  * crio.8.md: runroot defaults to /run/containers/storage
  * support short-name aliases
  * pull: do check for blocked registries
  * config: deprecate registries
  * Rollback gocapability vendor bump
  * vendor: bump containers/storage to v1.24.4
  * Update nix pin with `make nixpkgs`
  * contrib/test/int: add Kata Containers runtime support
  * contrib/test/int: enforce linking in parallel build process
  * contrib/test/int: build parallel from sources in CentOS
  * contrib/test/int: allow to skip user namespace testing
  * contrib/test/int: allow to configure test timeout
  * Capitalize Kubernetes
  * modify the error url of podctl
  * Add Digital Science to adopters
  * crio.service: Request to be run before kubelet.service
  * pinns: make binary not always static
  * server: use IsAlive() more
  * Support CRI v1 and v1alpha2 at the same time
  * drop support for ManageNSLifecycle
  * test/timeout.bats: increase timeout to fix flakes
  * release-notes: fix flags
  * test/timeout.bats: fix comments
  * int/resourcestore: fix comment about Put
  * test/image.bats: simplify some loops
  * test/helpers.bats: simplify cleanup_*
  * contrib/test/int: rm node-e2e test
  * contrib/test/int: fix iptables rule
  * critest: add unix:// prefix
  * critest.yml: don't skip test on RHEL
  * test: add timeout.bats
  * bump network creation timeout to 5 minutes
  * resourcecache: add watcher idiom
  * server: use ResourceCache instead of dropping progress
  * Add unit tests for ResourceCache
  * Introduce ResourceCache
  * moves shmsize to a handler allowed annotation
  * image pull: close progress chan
  * test/ctr.bats: fix a "ctr execsync" flake
  * Fix the functions' name in completions
  * make: drop link to crio.service
  * test: rm "run ctr with image with Config.Volumes"
  * test: add no-pull-on-run=true
  * test/devices.bats: fix "additional device permissions" case
  * test/devices.bats: rm unneeded run
  * test/devices.bats: skip earlier
  * Bandwidth CNI plugin reserved an upper limit on burst, in which banned include boundary.
    See: https://github.com/containernetworking/plugins/blob/v0.8.7/plugins/meta/bandwidth/main.go#L113
- Drop config-fix-tz.patch as upstream dependency was patched

==== dnf ====
Version update (4.6.1 -> 4.7.0)

- Update to version 4.7.0
  + Improve repo config path ordering to fix a comps merging issue (rh#1928181)
  + Keep reason when package is removed (rh#1921063)
  + Improve mechanism for application of security filters (rh#1918475)
  + [doc] Add description for new API
  + [API] Add new method for reset of security filters
  + [doc] Improve documentation for Hotfix repositories
  + [doc] fix: "makecache" command downloads only enabled repositories
  + Use libdnf.utils.checksum_{check,value}
  + [doc] Add info that maximum parallel downloads is 20
  + Increase loglevel in case of invalid config options
  + [doc] installonly_limit documentation follows behavior
  + Prevent traceback (catch ValueError) if pkg is from cmdline
  + Add documentation for config option sslverifystatus (rh#1814383)
  + Check for specific key string when verifying signatures (rh#1915990)
  + Use rpmkeys binary to verify package signature (rh#1915990)
  + Bugs fixed (rh#1916783)
  + Preserve file mode during log rotation (rh#1910084)

==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi

- Fix obsolete syslog in systemd unit file and updating to use journal as StandardOutput (bsc#1185149)
  * grub2-once.service

==== kernel-source ====
Version update (5.11.15 -> 5.11.16)

- Revert "rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)"
  This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113).
- commit d771304
- rpm/check-for-config-changes: add AS_HAS_* to ignores
  arch/arm64/Kconfig defines a lot of these. So far our current compilers seem to support them all.
  But it can quickly change with SLE later.
- commit a4d8194
- Linux 5.11.16 (bsc#1012628).
- bpf: Move sanitize_val_alu out of op switch (bsc#1012628).
- bpf: Improve verifier error messages for users (bsc#1012628).
- bpf: Rework ptr_limit into alu_limit and add common error path (bsc#1012628).
- ARM: 9071/1: uprobes: Don't hook on thumb instructions (bsc#1012628).
- bpf: Move off_reg into sanitize_ptr_alu (bsc#1012628).
- bpf: Ensure off_reg has no mixed signed bounds for all types (bsc#1012628).
- r8169: don't advertise pause in jumbo mode (bsc#1012628).
- r8169: tweak max read request size for newer chips also in jumbo mtu mode (bsc#1012628).
- kasan: remove redundant config option (bsc#1012628).
- kasan: fix hwasan build for gcc (bsc#1012628).
- KVM: VMX: Don't use vcpu->run->internal.ndata as an array index (bsc#1012628).
- KVM: VMX: Convert vcpu_vmx.exit_reason to a union (bsc#1012628).
- bpf: Use correct permission flag for mixed signed bounds arithmetic (bsc#1012628).
- arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference (bsc#1012628).
- arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems (bsc#1012628).
- ARM: OMAP2+: Fix uninitialized sr_inst (bsc#1012628).
- ARM: footbridge: fix PCI interrupt mapping (bsc#1012628).
- ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to for_each_mem_range() (bsc#1012628).
- ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled (bsc#1012628).
- ARM: OMAP2+: Fix warning for omap_init_time_of() (bsc#1012628).
- gro: ensure frag0 meets IP header alignment (bsc#1012628).
- ch_ktls: do not send snd_una update to TCB in middle (bsc#1012628).
- ch_ktls: tcb close causes tls connection failure (bsc#1012628).
- ch_ktls: fix device connection close (bsc#1012628).
- ch_ktls: Fix kernel panic (bsc#1012628).
- ibmvnic: remove duplicate napi_schedule call in open function (bsc#1012628).
- ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1012628).
- ibmvnic: avoid calling napi_disable() twice (bsc#1012628).
- ia64: tools: remove inclusion of ia64-specific version of errno.h header (bsc#1012628).
- ia64: remove duplicate entries in generic_defconfig (bsc#1012628).
- ethtool: pause: make sure we init driver stats (bsc#1012628).
- i40e: fix the panic when running bpf in xdpdrv mode (bsc#1012628).
- ibmvnic: correctly use dev_consume/free_skb_irq (bsc#1012628).
- net: Make tcp_allowed_congestion_control readonly in non-init netns (bsc#1012628).
- mm: ptdump: fix build failure (bsc#1012628).
- net: ip6_tunnel: Unregister catch-all devices (bsc#1012628).
- net: sit: Unregister catch-all devices (bsc#1012628).
- net: phy: marvell: fix detection of PHY on Topaz switches (bsc#1012628).
- net: davicom: Fix regulator not turned off on failed probe (bsc#1012628).
- net/mlx5e: Fix setting of RS FEC mode (bsc#1012628).
- netfilter: nftables: clone set element expression template (bsc#1012628).
- netfilter: nft_limit: avoid possible divide error in nft_limit_init (bsc#1012628).
- net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (bsc#1012628).
- net: macb: fix the restore of cmp registers (bsc#1012628).
- drm/i915/display/vlv_dsi: Do not skip panel_pwr_cycle_delay when disabling the panel (bsc#1012628).
- libbpf: Fix potential NULL pointer dereference (bsc#1012628).
- netfilter: arp_tables: add pre_exit hook for table unregister (bsc#1012628).
- netfilter: bridge: add pre_exit hooks for ebtable unregistration (bsc#1012628).
- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1012628).
- ice: Fix potential infinite loop when using u8 loop counter (bsc#1012628).
- netfilter: conntrack: do not print icmpv6 as unknown via /proc (bsc#1012628).
- netfilter: flowtable: fix NAT IPv6 offload mangling (bsc#1012628).
- ixgbe: fix unbalanced device enable/disable in suspend/resume (bsc#1012628).
- ixgbe: Fix NULL pointer dereference in ethtool loopback test (bsc#1012628).
- drm/vmwgfx: Make sure we unpin no longer needed buffers (bsc#1012628).
- scsi: libsas: Reset num_scatter if libata marks qc as NODATA (bsc#1012628).
- riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM" (bsc#1012628).
- vfio/pci: Add missing range check in vfio_pci_mmap (bsc#1012628).
- arm64: alternatives: Move length validation in alternative_{insn, endif} (bsc#1012628).
- arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically (bsc#1012628).
- Update config files.
- arm64: fix inline asm in load_unaligned_zeropad() (bsc#1012628).
- drm/i915: Don't zero out the Y plane's watermarks (bsc#1012628).
- readdir: make sure to verify directory entry for legacy interfaces too (bsc#1012628).
- dm verity fec: fix misaligned RS roots IO (bsc#1012628).
- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (bsc#1012628).
- Input: i8042 - fix Pegatron C15B ID entry (bsc#1012628).
- Input: s6sy761 - fix coordinate read bit shift (bsc#1012628).
- net/sctp: fix race condition in sctp_destroy_sock (bsc#1012628).
- lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS (bsc#1012628).
- virt_wifi: Return micros for BSS TSF values (bsc#1012628).
- mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (bsc#1012628).
- drm/amd/display: Add missing mask for DCN3 (bsc#1012628).
- pcnet32: Use pci_resource_len to validate PCI resource (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec seclevel (bsc#1012628).
- net: ieee802154: stop dump llsec seclevels for monitors (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec devkey (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec devkey (bsc#1012628).
- net: ieee802154: stop dump llsec devkeys for monitors (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec dev (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec dev (bsc#1012628).
- net: ieee802154: stop dump llsec devs for monitors (bsc#1012628).
- net: ieee802154: forbid monitor for del llsec key (bsc#1012628).
- net: ieee802154: forbid monitor for add llsec key (bsc#1012628).
- net: ieee802154: stop dump llsec keys for monitors (bsc#1012628).
- iwlwifi: add support for Qu with AX201 device (bsc#1012628).
- scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state (bsc#1012628).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (bsc#1012628).
- drm/msm: Fix a5xx/a6xx timestamps (bsc#1012628).
- ARM: omap1: fix building with clang IAS (bsc#1012628).
- ARM: keystone: fix integer overflow warning (bsc#1012628).
- powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO (bsc#1012628).
- neighbour: Disregard DEAD dst in neigh_update (bsc#1012628).
- bpf: Take module reference for trampoline in module (bsc#1012628).
- gpu/xen: Fix a use after free in xen_drm_drv_init (bsc#1012628).
- net: axienet: allow setups without MDIO (bsc#1012628).
- ASoC: max98373: Added 30ms turn on/off time delay (bsc#1012628).
- ASoC: max98373: Changed amp shutdown register as volatile (bsc#1012628).
- xfrm: BEET mode doesn't support fragments for inner packets (bsc#1012628).
- iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() (bsc#1012628).
- arc: kernel: Return -EFAULT if copy_to_user() fails (bsc#1012628).
- lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message (bsc#1012628).
- remoteproc: pru: Fix loading of GNU Binutils ELF (bsc#1012628).
- ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 (bsc#1012628).
- ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race (bsc#1012628).
- ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() (bsc#1012628).
- dmaengine: idxd: fix wq cleanup of WQCFG registers (bsc#1012628).
- dmaengine: idxd: clear MSIX permission entry on shutdown (bsc#1012628).
- dmaengine: plx_dma: add a missing put_device() on error path (bsc#1012628).
- dmaengine: Fix a double free in dma_async_device_register (bsc#1012628).
- dmaengine: dw: Make it dependent to HAS_IOMEM (bsc#1012628).
- dmaengine: idxd: fix wq size store permission state (bsc#1012628).
- dmaengine: idxd: fix opcap sysfs attribute output (bsc#1012628).
- dmaengine: idxd: fix delta_rec and crc size field for completion record (bsc#1012628).
- dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback (bsc#1012628).
- gpio: sysfs: Obey valid_mask (bsc#1012628).
- Input: nspire-keypad - enable interrupts only when opened (bsc#1012628).
- mtd: rawnand: mtk: Fix WAITRDY break condition and timeout (bsc#1012628).
- AMD_SFH: Add DMI quirk table for BIOS-es which don't set the activestatus bits (bsc#1012628).
- AMD_SFH: Add sensor_mask module parameter (bsc#1012628).
- AMD_SFH: Removed unused activecontrolstatus member from the amd_mp2_dev struct (bsc#1012628).
- commit d57ad55

==== kexec-tools ====
Version update (2.0.20 -> 2.0.21)

- kexec-tools-remove-duplicate-ramdisk-definition.patch: Remove duplicate definition of ramdisk (fix ppc build).
- Bump version to 2.0.21
- Drop patches from upstream git:
  * kexec-tools-add-variant-helper-functions.patch
  * kexec-tools-arm64-kexec-allocate-memory-space-avoiding-reserved-regions.patch
  * kexec-tools-arm64-kdump-deal-with-resource-entries-in-proc-iomem.patch
  * kexec-tools-build-multiboot2-for-i386.patch
  * kexec-tools-fix-kexec_file_load-error-handling.patch
  * kexec-tools-reset-getopt-before-falling-back-to-legacy.patch
  * kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch
  * kexec-tools-Remove-duplicated-variable-declarations.patch
- Hardening: Link as PIE (bsc#1185020).

==== kubernetes ====
Version update (1.20.2 -> 1.21.0)
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet

- Remove BuildRequires for Go, bump kubernetes to 1.21.0 and 1.20.5
- add BuildRequires for go >= 1.15.5, to align with kubernetes1.20 package

==== kubernetes1.20 ====
Version update (1.20.2 -> 1.20.6)

- Update to version 1.20.6:
  * azure: fix node public IP not able to fetch issues from IMDS
  * Fix test now that empty struct are tracked in managed fields
  * make generated_files
  * Update bazel and dependencies.
  * Update to use cliflag.NamedFlagSets
  * Address comments.
  * Update NodeIPAM wrapper
  * Delete build file based on latest changes.
  * Update extension mechanism and related sample.
  * Address review comments
  * Address review comments
  * Modify integration test to fill CCM test gap
  * Update test
  * Move initialize cloud provider with client builder reference inside controller start func
  * Separate example func and add README.md
  * Separate func
  * Add demonstration of wiring nodeIPAMController config object
  * Remove cloud provider name as input parameter.
  * Fix flag passing in CCM.
  * Use apply to create objects in TestApplyStatus
  * Stop skipping APIService in apply test
  * Stop clearing OpenAPIConfig for kube-aggregator
  * Declare TCP default for service port protocol
  * Add ability to skip OpenAPI handler installation
  * do not tag user created public IPs
  * apf: fix test flake
  * update gogo/protobuf to v1.3.2
  * Fixed describe ingress causing SEGFAULT
  * Update sigs.k8s.io/structured-merge-diff to v4.0.3
  * Stop probing a pod during graceful shutdown
  * apf: handle error from PollImmediateUntil
  * staging/publishing: Set default go version to go1.15.10
  * webhook config manager: HasSynced returns true when the manager is synced with existing webhookconfig objects at startup
  * update metadata-concealment to 1.6 for removing legacy checking
  * slice mirroring controller mirror annotations
  * additional subnet configuration for AWS ELB
  * Revert "Automated cherry pick of #97417: fix azure file secret not found issue"
  * Use the correct volume handle format for GCE regional PD.
  * Increasing maximum number of ports allowed in EndpointSlice
  * Support > 5 ports in L4 ILB.
  * build: Update to k/repo-infra@v0.1.5 (supports go1.15.10)
  * Use go-runner:v2.3.1-go1.15.10-buster.0 image (built on go1.15.10)
  * Update to go1.15.10
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.5
  * fix a bug where only service with less than 100 ports can have GCE load balancer
  * bazel
  * deepcopy statefulsets
  * full deepcopy on munged pod spec
  * remove pod toleration toleration seconds mutation
  * add markers for inspected validation mutation hits
  * move secret mutation from validation to prepareforupdate
  * remove unnecessary mutations in validation
  * tweak validation to avoid mutation
  * For LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP
  * Moving docker options to daemon.json
  * e2e fix: loosen configmap to 10 in resource quota
  * api-server add --lease-max-object-count
  * apiserver add metric etcd_lease_object_counts
  * apiserver add --lease-reuse-duration-seconds to config lease reuse duration
  * Bump Cluster Autoscaler to v1.20.0
- Rebase opensuse-version-checks.patch
- Update to version 1.20.5:
  * Updating EndpointSliceMirroring controller to wait for cache to be updated
  * Updating EndpointSlice controller to wait for cache to be updated
  * Add tests for populated volumes
  * Fix comment on getPodVolumeSubpathListFromDisk
  * Fix tests to test for new behavior
  * Add warnings after cleanup back
  * Automatically remove orphaned pod's dangling volumes
  * Count pod overhead as an entity's resource usage
  * Ensure only one LoadBalancer rule is created when HA mode is enabled
  * Fix issue in checking domain socket for plugin watcher
  * Use Lstat in plugin watcher to avoid Windows problem
  * Skip visiting empty secret and configmap names
  * Number of sockets is assumed to be same as NUMA nodes
  * disables APF if the aggregated apiserver cannot locate the core kube-apiserver
  * Fix repeatedly acquire the inhibit lock
  * Sync node status during kubelet node shutdown
  * remove executable permission bits
  * Upgrading vendored dependencies
  * Upgrading cAdvisor to 0.38.8
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.4
  * build/OWNERS: Add Dan and Sascha as reviewers
  * OWNERS(CHANGELOG): Move reviewers/approvers to CHANGELOG/ dir
  * Bump konnectivity-client to v0.0.15 in release-1.20
  * Storage e2e: Remove pd csi driver installation in GKE
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.3
  * kube-cross: update image to use v1.15.8-legacy-1
  * [go1.15] build: Update to k/repo-infra@v0.1.4 (supports go1.15.8)
  * Use go-runner:buster-v2.3.1 image (built on go1.15.8)
  * staging/publishing: Set default go version to go1.15.8
  * Update to go1.15.8
  * Fix dbus shutdown events not continuing if they are not valid
  * Revert "make hostPort match test linuxonly"
  * Revert "conformance changes"
  * kube-proxy: clear conntrack entries after rules are in place
  * Use -LiteralPath instead of -Path
  * Escape the special character in vsphere windows path
  * Include unit test
  * Adjust defer to correctly call
  * do not remove volume dir when saveVolumeData fails
  * kubeadm: drop explicit constant override in version test
  * kubeadm: get k8s CI version markers from k8s infra bucket
  * dockershim hostport respect IPFamily
  * dockershim hostport manager use HostIP
  * Balance nodes in scheduling e2e
  * e2e: Pod should avoid nodes that have avoidPod annotation: clean remaining pods
  * Cherry pick of #98254:Fix the kube-scheduler binary's description of the --config parameter is inaccurate
  * fix kube-scheduler cannot send event because the Note field is too large
  * Fix nil pointer dereference in disruption controller
  * Update region_pd e2e test to support PV have GA topology
  * Recover CSI volumes from dangling attachments
  * IsVolumeAttachedToNode() renamed to GetAttachState(), and returns 3 states instead of combining "uncertain" and "detached" into "false"
  * Fixes Attach Detach Controller reconciler race reading ActualStateOfWorld and operation pending states; fixes reconciler_test mock detach to account for multiple attaches on a node
  * Fix translation of Cinder storage classes to CSI
  * OWNERS(CHANGELOG): Add release-engineering-reviewers as reviewers
  * OWNERS(CHANGELOG): Add release-engineering-reviewers as approvers
  * Resolve IP addresses of host-only in filtered dialer
  * Deflake ingress updates
  * make podTopologyHints protected by lock
  * ignore cgroup driver check in windows node upgrade
  * OWNERS(sig-release): Add CHANGELOG aliases
  * OWNERS(build-image): Add Release Managers as reviewers
  * OWNERS(releng): Sync Release Managers
  * OWNERS(sig-release): Remove SIG Release approvers alias
  * aggregate errors when putting vmss
  * fix azure file migration issue
  * kubelet: Fix mirrorPodTerminationMap leak
  * kubelet: Delete static pods gracefully
  * kubeadm: change the default image repository for CI images from gcr.io/kubernetes-ci-images to gcr.io/k8s-staging-ci-images
  * kubelet logs print 'kubelet nodes sync' frequently
  * reduce buckets for etcd_request_duration_seconds
  * Merge pull request #96876 from howieyuen/no-execute-taint-missing
  * cleanup subnet in frontend ip configs
  * conformance changes
  * make hostPort match test linuxonly
  * Clean up namespaced children of missing virtual parents with incorrectly cluster-scoped nodes
  * Add unit test for child scope mismatch with missing parent
  * vendor: update cAdvisor to v0.38.7
  * Use volumeHandle as PV name when translating EBS inline volume
  * Update CHANGELOG/CHANGELOG-1.20.md for v1.20.2
  * kubectl-convert import known versions
  * Revert "Merge pull request #92817 from kmala/kubelet"
  * WIP: node sync at least once
  * fixes nil panic for nil delegated auth options
  * Lower the frequency of volume plugin deprecation warning
  * handle webhook authenticator and authorizer error
  * fix the panic when kubelet registers if a node object already exists with no Status.Capacity or Status.Allocatable
  * Avoid checking the entire backend service URL for FR equality.
  * Use non privileged ports

==== libgcrypt ====
Version update (1.9.2 -> 1.9.3)

- libgcrypt 1.9.3:
  * Bug fixes:
    - Fix build problems on i386 using gcc-4.7.
    - Fix checksum calculation in OCB decryption for AES on s390.
    - Fix a regression in gcry_mpi_ec_add related to certain usages of curve 25519.
    - Fix a symbol not found problem on Apple M1.
    - Fix for Apple iOS getentropy peculiarity.
    - Make keygrip computation work for compressed points.
  * Performance:
    - Add x86_64 VAES/AVX2 accelerated implementation of Camellia.
    - Add x86_64 VAES/AVX2 accelerated implementation of AES.
    - Add VPMSUMD acceleration for GCM mode on PPC.
  * Internal changes.
    - Harden MPI conditional code against EM leakage.
    - Harden Elgamal by introducing exponent blinding.

==== lvm2 ====
Subpackages: liblvm2cmd2_03

- Honor lvm.conf event_activation=0 on "pvscan --cache -aay" (bsc#1185190)
  + bug-1185190_01-pvscan-support-disabled-event_activation.patch
  + bug-1185190_02-config-improve-description-for-event_activation.patch
- LVM cannot be disabled on boot (bsc#1184687)
  + bug-1184687_Add-nolvm-for-kernel-cmdline.patch
- Update patch for avoiding apply warning message
  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
- Add metadata-based autoactivation property for VG and LV (bsc#1178680)
  + bug-1178680_add-metadata-based-autoactivation-property-for-VG-an.patch

==== lvm2-device-mapper ====
Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03

- Honor lvm.conf event_activation=0 on "pvscan --cache -aay" (bsc#1185190)
  + bug-1185190_01-pvscan-support-disabled-event_activation.patch
  + bug-1185190_02-config-improve-description-for-event_activation.patch
- LVM cannot be disabled on boot (bsc#1184687)
  + bug-1184687_Add-nolvm-for-kernel-cmdline.patch
- Update patch for avoiding apply warning message
  + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
- Add metadata-based autoactivation property for VG and LV (bsc#1178680)
  + bug-1178680_add-metadata-based-autoactivation-property-for-VG-an.patch

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap

- Suggest libdnf-repo-config-zypp explicitly
- Fix dependency on systemd-icon-branding-openSUSE
- Use only kernel-firmware-all instead of kernel-firmware to avoid duplicate firmware on the DVD
- spice-vdagent is available on all archs
- hyper-v and open-vm-tools are available on AArch64 as well
- A fresh install does not have xdg-open & friends. Fix by adding xdg-utils
  - while there, fix the comment, as they're common tools, but not necessarily useful only "during initial setup"
- Add packages to the desktop commons pattern: systemd-icons-branding-openSUSE (to list the MicroOS logo on the Gnome Settings About page)
- Add packages to the DVD:
  - instead of adding firmware-all, add specific firmware packages for common hardware (or at least, for hardware for which we have bugs open, see bsc#1184767 and bsc#1184403)
- Add some packages in the DVD:
  - Spice guest driver so graphics works properly out of the box, when installing in VMs (mostly for desktops)
  - firmwares so that (wireless mostly, but also wired) networking works in the installer and on the installed system

==== python-M2Crypto ====

- Add no-need-parameterized.patch ... we don't need run-time requirement of parameterized package (bsc#1185150).

==== python-MarkupSafe ====

- allow tests to be disabled (still on by default)

==== python-jsonpatch ====
Version update (1.28 -> 1.31)

- update to 1.31:
  * Add support for preserving Unicode characters
  * remove pypy build

==== rook ====
Version update (1.5.7+git4.gae949004e -> 1.5.10+git4.g309ad2f64)

- Update to v1.5.8
  * Ceph
    * Update Ceph-CSI to v3.2.1 (#7506)
    * Use latest Ceph API for setting dashboard and rgw credentials (#7641)
    * Redact secret info from reconcile diffs in debug logs (#7630)
    * Continue to get available devices if failed to get a device info (#7608)
    * Include RGW pods in list for rescheduling from failed node (#7537)
    * Enforce pg_auto_scaler on rgw pools (#7513)
    * Prevent voluntary mon drain while another mon is failing over (#7442)
    * Avoid restarting all encrypted OSDs on cluster growth (#7489)
    * Set secret type on external cluster script (#7473)
    * Fix init container "expand-encrypted-bluefs" for encrypted OSDs (#7466)
    * Fail pool creation if the sub failure domain is the same as the failure domain (#7284)
    * Set default backend for vault and remove temp key for encrypted OSDs (#7454)

==== suse-module-tools ====
Version update (15.4.0 -> 15.4.1)

- Update to version 15.4.1:
  * dm-crypt requires essiv in SLE15 SP3 (boo#1183063 bsc#1184134 ltc#192244).