diff --git a/pkg/cri/config/config_windows.go b/pkg/cri/config/config_windows.go
index 63bb2decd..5cda9babe 100644
--- a/pkg/cri/config/config_windows.go
+++ b/pkg/cri/config/config_windows.go
@@ -38,7 +38,6 @@ func DefaultConfig() PluginConfig {
 ContainerdConfig: ContainerdConfig{
 Snapshotter: containerd.DefaultSnapshotter,
 DefaultRuntimeName: "runhcs-wcow-process",
- NoPivot: false,
 Runtimes: map[string]Runtime{
 "runhcs-wcow-process": {
 Type: "io.containerd.runhcs.v1",
diff --git a/pkg/cri/sbserver/container_start.go b/pkg/cri/sbserver/container_start.go
index bc893ea78..dd6413ce9 100644
--- a/pkg/cri/sbserver/container_start.go
+++ b/pkg/cri/sbserver/container_start.go
@@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
 return cntr.IO, nil
 }
 
- ctrInfo, err := container.Info(ctx)
- if err != nil {
- return nil, fmt.Errorf("failed to get container info: %w", err)
- }
-
 ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
 if err != nil {
 return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
 }
 
- taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
+ var taskOpts []containerd.NewTaskOpts
 if ociRuntime.Path != "" {
 taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 }
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run.go b/pkg/cri/sbserver/podsandbox/sandbox_run.go
index b7b00bdd0..af6cc7aec 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run.go
@@ -212,7 +212,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
 // Create sandbox task in containerd.
 log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).", id, metadata.Name)
 
- taskOpts := c.taskOpts(ociRuntime.Type)
+ var taskOpts []containerd.NewTaskOpts
 if ociRuntime.Path != "" {
 taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 }
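Review bot: Dropping `NoPivot: false` from the Windows default config is only half of a compatibility story if the `NoPivot` field itself leaves `ContainerdConfig` in the same change; the struct is not in this diff, so I cannot tell. Operators who still carry `no_pivot` in their config.toml would then either have the key silently ignored or get a decode error, depending on the loader's strictness, with nothing telling them that the setting is no longer consulted. The deleted helper's comment documented that it only ever applied to the legacy `io.containerd.runtime.v1.linux` runtime, so a release/deprecation note stating that `no_pivot` has been removed and was only honoured by that runtime would close the gap.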
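Review bot: `var taskOpts []containerd.NewTaskOpts` replaces a call whose deleted doc comment was the only place explaining why `NoPivot` was not applied for runc v1/v2, and the new line carries no comment, so the next reader has to dig through history to learn that only the runtime path is ever passed here. A one-liner such as `// Only the explicit runtime path is passed as a task option; the legacy NoPivot handling went away with the taskOpts helper.` would keep that visible, here and at the three sibling sites in podsandbox/sandbox_run.go, server/container_start.go and server/sandbox_run.go. Separately, this commit deletes `TestGetSandboxRuntime` from podsandbox/sandbox_run_test.go, which covered `Controller.getSandboxRuntime` including the case that rejects an untrusted workload asking for host network/pid/ipc namespaces; nothing in the diff shows where that coverage moves, so confirm an equivalent test exists for whichever `getSandboxRuntime` implementations remain, including the `c.getSandboxRuntime` this hunk still depends on. StartContainer's body continues outside the hunk.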
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
index 437d792ce..6c0ae002b 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@@ -22,9 +22,7 @@ import (
 "strconv"
 "strings"
 
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
- "github.com/containerd/containerd/plugin"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/selinux/go-selinux"
@@ -325,19 +323,3 @@ func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 }
 return nil
 }
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- // TODO(random-liu): Remove this after shim v1 is deprecated.
- var taskOpts []containerd.NewTaskOpts
-
- // c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
- // and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
- // for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
- // https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
- if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
- taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
- }
-
- return taskOpts
-}
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_other.go b/pkg/cri/sbserver/podsandbox/sandbox_run_other.go
index 6cadc76d9..1a8d4d162 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_other.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_other.go
@@ -19,7 +19,6 @@
 package podsandbox
 
 import (
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/pkg/cri/annotations"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -49,8 +48,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
 func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
 return nil
 }
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return []containerd.NewTaskOpts{}
-}
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_test.go b/pkg/cri/sbserver/podsandbox/sandbox_run_test.go
index defd61b0b..a3a43fd27 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_test.go
@@ -26,8 +26,6 @@ import (
 "github.com/stretchr/testify/assert"
 runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 
- "github.com/containerd/containerd/pkg/cri/annotations"
- criconfig "github.com/containerd/containerd/pkg/cri/config"
 sandboxstore "github.com/containerd/containerd/pkg/cri/store/sandbox"
 )
 
@@ -207,166 +205,3 @@ func TestHostAccessingSandbox(t *testing.T) {
 })
 }
 }
-
-func TestGetSandboxRuntime(t *testing.T) {
- untrustedWorkloadRuntime := criconfig.Runtime{
- Type: "io.containerd.runtime.v1.linux",
- Engine: "untrusted-workload-runtime",
- Root: "",
- }
-
- defaultRuntime := criconfig.Runtime{
- Type: "io.containerd.runtime.v1.linux",
- Engine: "default-runtime",
- Root: "",
- }
-
- fooRuntime := criconfig.Runtime{
- Type: "io.containerd.runtime.v1.linux",
- Engine: "foo-bar",
- Root: "",
- }
-
- for desc, test := range map[string]struct {
- sandboxConfig *runtime.PodSandboxConfig
- runtimeHandler string
- runtimes map[string]criconfig.Runtime
- expectErr bool
- expectedRuntime criconfig.Runtime
- }{
- "should return error if untrusted workload requires host access": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Linux: &runtime.LinuxPodSandboxConfig{
- SecurityContext: &runtime.LinuxSandboxSecurityContext{
- Privileged: false,
- NamespaceOptions: &runtime.NamespaceOption{
- Network: runtime.NamespaceMode_NODE,
- Pid: runtime.NamespaceMode_NODE,
- Ipc: runtime.NamespaceMode_NODE,
- },
- },
- },
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- },
- expectErr: true,
- },
- "should use untrusted workload runtime for untrusted workload": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- },
- expectedRuntime: untrustedWorkloadRuntime,
- },
- "should use default runtime for regular workload": {
- sandboxConfig: &runtime.PodSandboxConfig{},
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- },
- expectedRuntime: defaultRuntime,
- },
- "should use default runtime for trusted workload": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "false",
- },
- },
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- },
- expectedRuntime: defaultRuntime,
- },
- "should return error if untrusted workload runtime is required but not configured": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- },
- expectErr: true,
- },
- "should use 'untrusted' runtime for untrusted workload": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- },
- expectedRuntime: untrustedWorkloadRuntime,
- },
- "should use 'untrusted' runtime for untrusted workload & handler": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimeHandler: "untrusted",
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- },
- expectedRuntime: untrustedWorkloadRuntime,
- },
- "should return an error if untrusted annotation with conflicting handler": {
- sandboxConfig: &runtime.PodSandboxConfig{
- Annotations: map[string]string{
- annotations.UntrustedWorkload: "true",
- },
- },
- runtimeHandler: "foo",
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- "foo": fooRuntime,
- },
- expectErr: true,
- },
- "should use correct runtime for a runtime handler": {
- sandboxConfig: &runtime.PodSandboxConfig{},
- runtimeHandler: "foo",
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- criconfig.RuntimeUntrusted: untrustedWorkloadRuntime,
- "foo": fooRuntime,
- },
- expectedRuntime: fooRuntime,
- },
- "should return error if runtime handler is required but not configured": {
- sandboxConfig: &runtime.PodSandboxConfig{},
- runtimeHandler: "bar",
- runtimes: map[string]criconfig.Runtime{
- criconfig.RuntimeDefault: defaultRuntime,
- "foo": fooRuntime,
- },
- expectErr: true,
- },
- } {
- t.Run(desc, func(t *testing.T) {
- cri := newControllerService()
- cri.config = criconfig.Config{
- PluginConfig: criconfig.DefaultConfig(),
- }
- cri.config.ContainerdConfig.DefaultRuntimeName = criconfig.RuntimeDefault
- cri.config.ContainerdConfig.Runtimes = test.runtimes
- r, err := cri.getSandboxRuntime(test.sandboxConfig, test.runtimeHandler)
- assert.Equal(t, test.expectErr, err != nil)
- assert.Equal(t, test.expectedRuntime, r)
- })
- }
-}
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_windows.go b/pkg/cri/sbserver/podsandbox/sandbox_run_windows.go
index 48f6bd4e0..5e201030a 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_windows.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_windows.go
@@ -20,7 +20,6 @@ import (
 "fmt"
 "strconv"
 
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -102,8 +101,3 @@ func (c *Controller) setupSandboxFiles(id string, config *runtime.PodSandboxConf
 func (c *Controller) cleanupSandboxFiles(id string, config *runtime.PodSandboxConfig) error {
 return nil
 }
-
-// No task options needed for windows.
-func (c *Controller) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return nil
-}
diff --git a/pkg/cri/sbserver/sandbox_run_linux.go b/pkg/cri/sbserver/sandbox_run_linux.go
deleted file mode 100644
index 62f5bf02d..000000000
--- a/pkg/cri/sbserver/sandbox_run_linux.go
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package sbserver
-
-import (
- "github.com/containerd/containerd"
- "github.com/containerd/containerd/plugin"
-)
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- // TODO(random-liu): Remove this after shim v1 is deprecated.
- var taskOpts []containerd.NewTaskOpts
-
- // c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
- // and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
- // for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
- // https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
- if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
- taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
- }
-
- return taskOpts
-}
diff --git a/pkg/cri/sbserver/sandbox_run_other.go b/pkg/cri/sbserver/sandbox_run_other.go
deleted file mode 100644
index fff065169..000000000
--- a/pkg/cri/sbserver/sandbox_run_other.go
+++ /dev/null
@@ -1,28 +0,0 @@
-//go:build !windows && !linux
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package sbserver
-
-import (
- "github.com/containerd/containerd"
-)
-
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return []containerd.NewTaskOpts{}
-}
diff --git a/pkg/cri/sbserver/sandbox_run_windows.go b/pkg/cri/sbserver/sandbox_run_windows.go
deleted file mode 100644
index cbcda2a67..000000000
--- a/pkg/cri/sbserver/sandbox_run_windows.go
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package sbserver
-
-import (
- "github.com/containerd/containerd"
-)
-
-// No task options needed for windows.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return nil
-}
diff --git a/pkg/cri/server/container_start.go b/pkg/cri/server/container_start.go
index 7dd2efbb3..d5a7b595e 100644
--- a/pkg/cri/server/container_start.go
+++ b/pkg/cri/server/container_start.go
@@ -110,17 +110,12 @@ func (c *criService) StartContainer(ctx context.Context, r *runtime.StartContain
 return cntr.IO, nil
 }
 
- ctrInfo, err := container.Info(ctx)
- if err != nil {
- return nil, fmt.Errorf("failed to get container info: %w", err)
- }
-
 ociRuntime, err := c.getSandboxRuntime(sandbox.Config, sandbox.Metadata.RuntimeHandler)
 if err != nil {
 return nil, fmt.Errorf("failed to get sandbox runtime: %w", err)
 }
 
- taskOpts := c.taskOpts(ctrInfo.Runtime.Name)
+ var taskOpts []containerd.NewTaskOpts
 if ociRuntime.Path != "" {
 taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 }
diff --git a/pkg/cri/server/helpers_test.go b/pkg/cri/server/helpers_test.go
index ebe42cafe..e748a063b 100644
--- a/pkg/cri/server/helpers_test.go
+++ b/pkg/cri/server/helpers_test.go
@@ -236,7 +236,7 @@ systemd_cgroup = true
 require.NoError(t, err)
 err = tree.Unmarshal(&nilOptsConfig)
 require.NoError(t, err)
- require.Len(t, nilOptsConfig.Runtimes, 3)
+ require.Len(t, nilOptsConfig.Runtimes, 1)
 
 tree, err = toml.Load(nonNilOpts)
 require.NoError(t, err)
diff --git a/pkg/cri/server/sandbox_run.go b/pkg/cri/server/sandbox_run.go
index ebe9facda..91126535d 100644
--- a/pkg/cri/server/sandbox_run.go
+++ b/pkg/cri/server/sandbox_run.go
@@ -352,7 +352,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 
 log.G(ctx).Tracef("Create sandbox container (id=%q, name=%q).", id, name)
 
- taskOpts := c.taskOpts(ociRuntime.Type)
+ var taskOpts []containerd.NewTaskOpts
 if ociRuntime.Path != "" {
 taskOpts = append(taskOpts, containerd.WithRuntimePath(ociRuntime.Path))
 }
diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
index 381b38b89..a1a26af8f 100644
--- a/pkg/cri/server/sandbox_run_linux.go
+++ b/pkg/cri/server/sandbox_run_linux.go
@@ -22,9 +22,7 @@ import (
 "strconv"
 "strings"
 
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
- "github.com/containerd/containerd/plugin"
 "github.com/containerd/containerd/snapshots"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 runtimespec "github.com/opencontainers/runtime-spec/specs-go"
@@ -344,22 +342,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 return nil
 }
 
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- // TODO(random-liu): Remove this after shim v1 is deprecated.
- var taskOpts []containerd.NewTaskOpts
-
- // c.config.NoPivot is only supported for RuntimeLinuxV1 = "io.containerd.runtime.v1.linux" legacy linux runtime
- // and is not supported for RuntimeRuncV1 = "io.containerd.runc.v1" or RuntimeRuncV2 = "io.containerd.runc.v2"
- // for RuncV1/2 no pivot is set under the containerd.runtimes.runc.options config see
- // https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26
- if c.config.NoPivot && runtimeType == plugin.RuntimeLinuxV1 {
- taskOpts = append(taskOpts, containerd.WithNoPivotRoot)
- }
-
- return taskOpts
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 for i := range spec.Linux.Namespaces {
 if spec.Linux.Namespaces[i].Type == runtimespec.NetworkNamespace {
diff --git a/pkg/cri/server/sandbox_run_other.go b/pkg/cri/server/sandbox_run_other.go
index 16faf6229..8fb7a3c9c 100644
--- a/pkg/cri/server/sandbox_run_other.go
+++ b/pkg/cri/server/sandbox_run_other.go
@@ -19,7 +19,6 @@
 package server
 
 import (
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/pkg/cri/annotations"
 "github.com/containerd/containerd/snapshots"
@@ -51,11 +50,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 return nil
 }
 
-// taskOpts generates task options for a (sandbox) container.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return []containerd.NewTaskOpts{}
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 }
 
diff --git a/pkg/cri/server/sandbox_run_windows.go b/pkg/cri/server/sandbox_run_windows.go
index 2fea7513a..4d523e4b6 100644
--- a/pkg/cri/server/sandbox_run_windows.go
+++ b/pkg/cri/server/sandbox_run_windows.go
@@ -20,7 +20,6 @@ import (
 "fmt"
 "strconv"
 
- "github.com/containerd/containerd"
 "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/snapshots"
 imagespec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -104,11 +103,6 @@ func (c *criService) cleanupSandboxFiles(id string, config *runtime.PodSandboxCo
 return nil
 }
 
-// No task options needed for windows.
-func (c *criService) taskOpts(runtimeType string) []containerd.NewTaskOpts {
- return nil
-}
-
 func (c *criService) updateNetNamespacePath(spec *runtimespec.Spec, nsPath string) {
 spec.Windows.Network.NetworkNamespace = nsPath
 }