Switch to new CRI-O package location

Use the new CRI-O package location as outlined in: https://github.com/cri-o/packaging?tab=readme-ov-file#project-layout We also have to update runc to the latest release. Signed-off-by: Sascha Grunert <[email protected]>
kubernetes-sigs · Feb 25, 2025 · 94ff799 · 94ff799
1 parent 184a7ca
commit 94ff799
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 20 deletions.
diff --git a/dependencies.yaml b/dependencies.yaml
@@ -138,7 +138,7 @@ dependencies:
       match: CRUN_VERSION
 
   - name: runc
-    version: v1.2.3
+    version: v1.2.5
     refPaths:
     - path: examples/baseprofile-runc.yaml
       match: name

diff --git a/examples/baseprofile-runc.yaml b/examples/baseprofile-runc.yaml
@@ -2,7 +2,7 @@
 apiVersion: security-profiles-operator.x-k8s.io/v1beta1
 kind: SeccompProfile
 metadata:
-  name: runc-v1.2.3
+  name: runc-v1.2.5
 spec:
   defaultAction: SCMP_ACT_ERRNO
   architectures:

diff --git a/hack/ci/Vagrantfile-debian b/hack/ci/Vagrantfile-debian
@@ -64,8 +64,8 @@ Vagrant.configure("2") do |config|
       KUBERNETES_VERSION=v1.32
       curl -fsSL https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
       echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
-      curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
-      echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
+      curl -fsSL https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
+      echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
       apt-get update
       apt-get install -y \
         cri-o \

diff --git a/hack/ci/Vagrantfile-fedora b/hack/ci/Vagrantfile-fedora
@@ -50,10 +50,10 @@ EOF
 cat <<EOF | tee /etc/yum.repos.d/cri-o.repo
 [cri-o]
 name=CRI-O
-baseurl=https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/rpm/
+baseurl=https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/rpm/
 enabled=1
 gpgcheck=1
-gpgkey=https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/rpm/repodata/repomd.xml.key
+gpgkey=https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/rpm/repodata/repomd.xml.key
 EOF
 
       dnf install -y \

diff --git a/hack/ci/Vagrantfile-ubuntu b/hack/ci/Vagrantfile-ubuntu
@@ -38,8 +38,8 @@ Vagrant.configure("2") do |config|
       KUBERNETES_VERSION=v1.32
       curl -fsSL https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
       echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
-      curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
-      echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
+      curl -fsSL https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
+      echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://download.opensuse.org/repositories/isv:/cri-o:/prerelease:/main/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
       apt-get update
       apt-get install -y \
         build-essential \

diff --git a/installation-usage.md b/installation-usage.md
@@ -1228,7 +1228,7 @@ metadata:
   name: profile1
 spec:
   defaultAction: SCMP_ACT_ERRNO
-  baseProfileName: runc-v1.2.3
+  baseProfileName: runc-v1.2.5
   syscalls:
     - action: SCMP_ACT_ALLOW
       names:
@@ -1294,7 +1294,7 @@ metadata:
   name: profile1
 spec:
   defaultAction: SCMP_ACT_ERRNO
-  baseProfileName: oci://ghcr.io/security-profiles/runc:v1.2.3
+  baseProfileName: oci://ghcr.io/security-profiles/runc:v1.2.5
 ```
 
 The resulting profile `profile1` will then contain all base syscalls from the
@@ -1656,24 +1656,24 @@ The `spoc` client is able to pull security profiles from OCI artifact compatible
 registries. To do that, just run `spoc pull`:
 
 ```console
-> spoc pull ghcr.io/security-profiles/runc:v1.2.3
-16:32:29.795597 Pulling profile from: ghcr.io/security-profiles/runc:v1.2.3
+> spoc pull ghcr.io/security-profiles/runc:v1.2.5
+16:32:29.795597 Pulling profile from: ghcr.io/security-profiles/runc:v1.2.5
 16:32:29.795610 Verifying signature
 
-Verification for ghcr.io/security-profiles/runc:v1.2.3 --
+Verification for ghcr.io/security-profiles/runc:v1.2.5 --
 The following checks were performed on each of these signatures:
   - Existence of the claims in the transparency log was verified offline
   - The code-signing certificate was verified using trusted certificate authority certificates
 
 [{"critical":{"identity":{"docker-reference":"ghcr.io/security-profiles/runc"},…}}]
 16:32:33.208695 Creating file store in: /tmp/pull-3199397214
-16:32:33.208713 Verifying reference: ghcr.io/security-profiles/runc:v1.2.3
+16:32:33.208713 Verifying reference: ghcr.io/security-profiles/runc:v1.2.5
 16:32:33.208718 Creating repository for ghcr.io/security-profiles/runc
-16:32:33.208742 Using tag: v1.2.3
+16:32:33.208742 Using tag: v1.2.5
 16:32:33.208743 Copying profile from repository
 16:32:34.119652 Reading profile
 16:32:34.119677 Trying to unmarshal seccomp profile
-16:32:34.120114 Got SeccompProfile: runc-v1.2.3
+16:32:34.120114 Got SeccompProfile: runc-v1.2.5
 16:32:34.120119 Saving profile in: /tmp/profile.yaml
 ```
 
@@ -1801,15 +1801,15 @@ The Security Profiles Operator will try to pull the correct profile by using
 way, for example if a profile does not support any platform:
 
 ```
-> spoc pull ghcr.io/security-profiles/runc:v1.2.3
-11:07:14.788840 Pulling profile from: ghcr.io/security-profiles/runc:v1.2.3
+> spoc pull ghcr.io/security-profiles/runc:v1.2.5
+11:07:14.788840 Pulling profile from: ghcr.io/security-profiles/runc:v1.2.5
 11:07:14.788852 Verifying signature
 …
 11:07:17.559037 Copying profile from repository
 11:07:18.359152 Trying to read profile: profile-linux-amd64.yaml
 11:07:18.359209 Trying to read profile: profile.yaml
 11:07:18.359224 Trying to unmarshal seccomp profile
-11:07:18.359728 Got SeccompProfile: runc-v1.2.3
+11:07:18.359728 Got SeccompProfile: runc-v1.2.5
 11:07:18.359732 Saving profile in: /tmp/profile.yaml
 ```
 

diff --git a/test/tc_base_profiles_test.go b/test/tc_base_profiles_test.go
@@ -24,7 +24,7 @@ import (
 )
 
 const (
-	baseProfileNameRunc = "runc-v1.2.3"
+	baseProfileNameRunc = "runc-v1.2.5"
 	baseProfileNameCrun = "crun-v1.20"
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,7 +24,7 @@ import ( @@
     )
     const (
-    	baseProfileNameRunc = "runc-v1.2.3"
+    	baseProfileNameRunc = "runc-v1.2.5"
     	baseProfileNameCrun = "crun-v1.20"
     )
@@ Expand Down @@