diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go index 2178df138..d832d6966 100644 --- a/pkg/annotations/annotations.go +++ b/pkg/annotations/annotations.go @@ -44,4 +44,7 @@ const ( // UntrustedWorkload is the sandbox annotation for untrusted workload. Untrusted // workload can only run on dedicated runtime for untrusted workload. UntrustedWorkload = "io.kubernetes.cri.untrusted-workload" + + // containerName is the name of the container in the pod + ContainerName = "io.kubernetes.cri.container-name" ) diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go index cfb5d6aad..b5da83d9c 100644 --- a/pkg/server/container_create.go +++ b/pkg/server/container_create.go @@ -68,6 +68,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta if metadata == nil { return nil, errors.New("container config must include metadata") } + containerName := metadata.Name name := makeContainerName(metadata, sandboxConfig.GetMetadata()) log.G(ctx).Debugf("Generated id %q for container %q", id, name) if err = c.containerNameIndex.Reserve(name, id); err != nil { @@ -147,7 +148,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta } log.G(ctx).Debugf("Use OCI runtime %+v for sandbox %q and container %q", ociRuntime, sandboxID, id) - spec, err := c.containerSpec(id, sandboxID, sandboxPid, sandbox.NetNSPath, config, sandboxConfig, + spec, err := c.containerSpec(id, sandboxID, sandboxPid, sandbox.NetNSPath, containerName, config, sandboxConfig, &image.ImageSpec.Config, append(mounts, volumeMounts...), ociRuntime) if err != nil { return nil, errors.Wrapf(err, "failed to generate container %q spec", id) diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go index 3eb18f80f..599e26c8e 100644 --- a/pkg/server/container_create_test.go +++ b/pkg/server/container_create_test.go 
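Review bot: The doc comment on the new constant reads `// containerName is the name of the container in the pod` while the identifier is `ContainerName`, so it does not start with the exported name as Go doc convention expects, and it leaves the value's provenance unstated. Since the caller fills it from `metadata.Name` (not the unique name built by `makeContainerName`), I would write `// ContainerName is the annotation carrying the container name from the CRI container metadata (not the generated unique name). The value is taken verbatim from the CreateContainer request and is not validated here.` Runtimes or shims that read `io.kubernetes.cri.container-name` should treat it as client-controlled input for that reason.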
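Review bot: `containerName := metadata.Name` forwards the request-supplied name into the OCI spec with no check beyond the existing nil test on `metadata`, so an empty name is accepted and becomes an empty annotation value. Kubelet normally validates container names, but this CRI endpoint can be driven by other clients, so consider rejecting the empty case next to the nil check, `if metadata.Name == "" { return nil, errors.New("container metadata must include a name") }`, or at least document at the assignment that the value is client-controlled and recorded unvalidated. The body of CreateContainer starts and ends outside this hunk.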
@@ -57,7 +57,8 @@ func TestGeneralContainerSpec(t *testing.T) { ociRuntime := config.Runtime{} c := newTestCRIService() testSandboxID := "sandbox-id" - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + testContainerName := "container-name" + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) } @@ -65,6 +66,7 @@ func TestGeneralContainerSpec(t *testing.T) { func TestPodAnnotationPassthroughContainerSpec(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) for desc, test := range map[string]struct { @@ -120,7 +122,7 @@ func TestPodAnnotationPassthroughContainerSpec(t *testing.T) { ociRuntime := config.Runtime{ PodAnnotations: test.podAnnotations, } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) assert.NoError(t, err) assert.NotNil(t, spec) @@ -268,6 +270,7 @@ func TestVolumeMounts(t *testing.T) { func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) for desc, test := range map[string]struct { @@ -367,7 +370,7 @@ func TestContainerAnnotationPassthroughContainerSpec(t *testing.T) { PodAnnotations: test.podAnnotations, ContainerAnnotations: test.containerAnnotations, } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) assert.NoError(t, err) assert.NotNil(t, spec) 
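Review bot: The tests are updated to pass `testContainerName`, but none of them asserts that the value actually lands in the generated spec, so a regression that drops or misspells the annotation would go unnoticed. In TestGeneralContainerSpec, after `specCheck(t, testID, testSandboxID, testPid, spec)`, add `assert.Equal(t, testContainerName, spec.Annotations[annotations.ContainerName])`; alternatively extend the `specCheck` helper returned by getCreateContainerTestData, which is defined outside this diff, to take the name. The fixture's `containerConfig` metadata and the literal "container-name" also appear unrelated, which is worth aligning so the test reflects a real call.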
diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go index 4dba453b5..94c6045aa 100644 --- a/pkg/server/container_create_unix.go +++ b/pkg/server/container_create_unix.go @@ -104,7 +104,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container return mounts } -func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string, +func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string, containerName string, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount, ociRuntime config.Runtime) (*runtimespec.Spec, error) { @@ -223,6 +223,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3 customopts.WithSupplementalGroups(supplementalGroups), customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.SandboxID, sandboxID), + customopts.WithAnnotation(annotations.ContainerName, containerName), ) // cgroupns is used for hiding /sys/fs/cgroup from containers. // For compatibility, cgroupns is not used when running in cgroup v1 mode or in privileged. diff --git a/pkg/server/container_create_unix_test.go b/pkg/server/container_create_unix_test.go index f72bc48dd..162d2a09e 100644 --- a/pkg/server/container_create_unix_test.go +++ b/pkg/server/container_create_unix_test.go @@ -180,6 +180,7 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox func TestContainerCapabilities(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) for desc, test := range map[string]struct { capability *runtime.Capability 
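Review bot: The new `containerName` parameter appears to duplicate data `containerSpec` already receives: the caller derives it from `metadata.Name`, and the neighbouring error text "container config must include metadata" suggests `metadata` is the container config's own metadata, so `config.GetMetadata().GetName()` inside this function would yield the same value without widening the signature on both platforms and touching every test call site. Passing it separately also lets callers (as the tests do) hand in a name unrelated to `config`, so the annotation and the spec can disagree. If the parameter stays, `containerSpec`, which has no doc comment in the hunk, should gain one stating that `containerName` is the CRI metadata name rather than the unique name from makeContainerName and is recorded verbatim in the `io.kubernetes.cri.container-name` annotation alongside ContainerType and SandboxID. The function continues past the end of this hunk.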
@@ -229,7 +230,7 @@ func TestContainerCapabilities(t *testing.T) { c := newTestCRIService() containerConfig.Linux.SecurityContext.Capabilities = test.capability - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) for _, include := range test.includes { @@ -251,13 +252,14 @@ func TestContainerCapabilities(t *testing.T) { func TestContainerSpecTty(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() ociRuntime := config.Runtime{} c := newTestCRIService() for _, tty := range []bool{true, false} { containerConfig.Tty = tty - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) assert.Equal(t, tty, spec.Process.Terminal) @@ -272,6 +274,7 @@ func TestContainerSpecTty(t *testing.T) { func TestContainerSpecDefaultPath(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) expectedDefault := "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() 
@@ -283,7 +286,7 @@ func TestContainerSpecDefaultPath(t *testing.T) { imageConfig.Env = append(imageConfig.Env, pathenv) expected = pathenv } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) assert.Contains(t, spec.Process.Env, expected) @@ -293,13 +296,14 @@ func TestContainerSpecDefaultPath(t *testing.T) { func TestContainerSpecReadonlyRootfs(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() ociRuntime := config.Runtime{} c := newTestCRIService() for _, readonly := range []bool{true, false} { containerConfig.Linux.SecurityContext.ReadonlyRootfs = readonly - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) assert.Equal(t, readonly, spec.Root.Readonly) @@ -309,6 +313,7 @@ func TestContainerSpecReadonlyRootfs(t *testing.T) { func TestContainerSpecWithExtraMounts(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() ociRuntime := config.Runtime{} 
@@ -337,7 +342,7 @@ func TestContainerSpecWithExtraMounts(t *testing.T) { Readonly: false, }, } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, extraMounts, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, extraMounts, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) var mounts, sysMounts, devMounts []runtimespec.Mount @@ -369,6 +374,7 @@ func TestContainerSpecWithExtraMounts(t *testing.T) { func TestContainerAndSandboxPrivileged(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData() ociRuntime := config.Runtime{} @@ -404,7 +410,7 @@ func TestContainerAndSandboxPrivileged(t *testing.T) { sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{ Privileged: test.sandboxPrivileged, } - _, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + _, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) if test.expectError { assert.Error(t, err) } else { @@ -568,6 +574,7 @@ func TestPrivilegedBindMount(t *testing.T) { testPid := uint32(1234) c := newTestCRIService() testSandboxID := "sandbox-id" + testContainerName := "container-name" containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData() ociRuntime := config.Runtime{} 
@@ -591,7 +598,7 @@ func TestPrivilegedBindMount(t *testing.T) { containerConfig.Linux.SecurityContext.Privileged = test.privileged sandboxConfig.Linux.SecurityContext.Privileged = test.privileged - spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) assert.NoError(t, err) if test.expectedSysFSRO { @@ -717,6 +724,7 @@ func TestPidNamespace(t *testing.T) { testID := "test-id" testPid := uint32(1234) testSandboxID := "sandbox-id" + testContainerName := "container-name" containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData() ociRuntime := config.Runtime{} c := newTestCRIService() @@ -747,7 +755,7 @@ func TestPidNamespace(t *testing.T) { } { t.Logf("TestCase %q", desc) containerConfig.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{Pid: test.pidNS} - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) assert.Contains(t, spec.Linux.Namespaces, test.expected) } 
@@ -757,11 +765,12 @@ func TestNoDefaultRunMount(t *testing.T) { testID := "test-id" testPid := uint32(1234) testSandboxID := "sandbox-id" + testContainerName := "container-name" containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData() ociRuntime := config.Runtime{} c := newTestCRIService() - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) assert.NoError(t, err) for _, mount := range spec.Mounts { assert.NotEqual(t, "/run", mount.Destination) @@ -903,6 +912,7 @@ func TestGenerateApparmorSpecOpts(t *testing.T) { func TestMaskedAndReadonlyPaths(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() ociRuntime := config.Runtime{} @@ -977,7 +987,7 @@ func TestMaskedAndReadonlyPaths(t *testing.T) { sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{ Privileged: test.privileged, } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) if !test.privileged { // specCheck presumes an unprivileged container specCheck(t, testID, testSandboxID, testPid, spec) @@ -990,6 +1000,7 @@ func TestMaskedAndReadonlyPaths(t *testing.T) { func TestHostname(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() ociRuntime := config.Runtime{} 
@@ -1023,7 +1034,7 @@ func TestHostname(t *testing.T) { sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{ NamespaceOptions: &runtime.NamespaceOption{Network: test.networkNs}, } - spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) specCheck(t, testID, testSandboxID, testPid, spec) assert.Contains(t, spec.Process.Env, test.expectedEnv) @@ -1035,7 +1046,7 @@ func TestDisableCgroup(t *testing.T) { ociRuntime := config.Runtime{} c := newTestCRIService() c.config.DisableCgroup = true - spec, err := c.containerSpec("test-id", "sandbox-id", 1234, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec("test-id", "sandbox-id", 1234, "", "container-name", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) require.NoError(t, err) t.Log("resource limit should not be set") @@ -1121,6 +1132,7 @@ func TestPrivilegedDevices(t *testing.T) { testPid := uint32(1234) c := newTestCRIService() testSandboxID := "sandbox-id" + testContainerName := "container-name" containerConfig, sandboxConfig, imageConfig, _ := getCreateContainerTestData() for desc, test := range map[string]struct { @@ -1157,7 +1169,7 @@ func TestPrivilegedDevices(t *testing.T) { ociRuntime := config.Runtime{ PrivilegedWithoutHostDevices: test.privilegedWithoutHostDevices, } - spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) + spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime) assert.NoError(t, err) hostDevices, err := devices.HostDevices() 
diff --git a/pkg/server/container_create_windows.go b/pkg/server/container_create_windows.go index 799a5a039..ea25b64b3 100644 --- a/pkg/server/container_create_windows.go +++ b/pkg/server/container_create_windows.go @@ -34,7 +34,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container return nil } -func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string, +func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint32, netNSPath string, containerName string, config *runtime.ContainerConfig, sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount, ociRuntime config.Runtime) (*runtimespec.Spec, error) { specOpts := []oci.SpecOpts{ @@ -89,6 +89,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3 specOpts = append(specOpts, customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.SandboxID, sandboxID), + customopts.WithAnnotation(annotations.ContainerName, containerName), ) return runtimeSpec(id, specOpts...) diff --git a/pkg/server/container_create_windows_test.go b/pkg/server/container_create_windows_test.go index 38b14fcf1..1786f84eb 100644 --- a/pkg/server/container_create_windows_test.go +++ b/pkg/server/container_create_windows_test.go 
@@ -127,12 +127,13 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox func TestContainerWindowsNetworkNamespace(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) nsPath := "test-cni" c := newTestCRIService() containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData() - spec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{}) + spec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, testContainerName, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{}) assert.NoError(t, err) assert.NotNil(t, spec) specCheck(t, testID, testSandboxID, testPid, spec) @@ -144,6 +145,7 @@ func TestContainerWindowsNetworkNamespace(t *testing.T) { func TestMountCleanPath(t *testing.T) { testID := "test-id" testSandboxID := "sandbox-id" + testContainerName := "container-name" testPid := uint32(1234) nsPath := "test-cni" c := newTestCRIService() @@ -153,7 +155,7 @@ func TestMountCleanPath(t *testing.T) { ContainerPath: "c:/test/container-path", HostPath: "c:/test/host-path", }) - spec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{}) + spec, err := c.containerSpec(testID, testSandboxID, testPid, nsPath, testContainerName, containerConfig, sandboxConfig, imageConfig, nil, config.Runtime{}) assert.NoError(t, err) assert.NotNil(t, spec) specCheck(t, testID, testSandboxID, testPid, spec)