Merge remote-tracking branch 'upstream/master'

integration/addition_gids_test.go

@@ -49,12 +49,8 @@ func TestAdditionalGids(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Logf("Pull test image %q", testImage)
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create a container to print id")
 	cnConfig := ContainerConfig(

integration/client/container_linux_test.go

@@ -55,7 +55,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-const testUserNSImage = "mirror.gcr.io/library/alpine:latest"
+const testUserNSImage = "mirror.gcr.io/library/alpine:3.13"
 
 // TestRegressionIssue4769 verifies the number of task exit events.
 //

integration/common.go

@@ -21,10 +21,13 @@ package integration
 import (
 	"fmt"
 	"io/ioutil"
+	"testing"
 
 	"github.com/pelletier/go-toml"
 	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
 	cri "k8s.io/cri-api/pkg/apis"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
 
 // ImageList holds public image references
@@ -104,3 +107,20 @@ func initImageMap(imageList ImageList) map[int]string {
 func GetImage(image int) string {
 	return imageMap[image]
 }
+
+// EnsureImageExists pulls the given image, ensures that no error was encountered
+// while pulling it.
+func EnsureImageExists(t *testing.T, imageName string) string {
+	img, err := imageService.ImageStatus(&runtime.ImageSpec{Image: imageName})
+	require.NoError(t, err)
+	if img != nil {
+		t.Logf("Image %q already exists, not pulling.", imageName)
+		return img.Id
+	}
+
+	t.Logf("Pull test image %q", imageName)
+	imgID, err := imageService.PullImage(&runtime.ImageSpec{Image: imageName}, nil, nil)
+	require.NoError(t, err)
+
+	return imgID
+}

integration/container_log_test.go

@@ -52,12 +52,8 @@ func TestContainerLogWithoutTailingNewLine(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Logf("Pull test image %q", testImage)
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create a container with log path")
 	cnConfig := ContainerConfig(
@@ -112,12 +108,8 @@ func TestLongContainerLog(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Logf("Pull test image %q", testImage)
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create a container with log path")
 	config, err := CRIConfig()

integration/container_stop_test.go

@@ -46,12 +46,8 @@ func TestSharedPidMultiProcessContainerStop(t *testing.T) {
 				testImage     = GetImage(BusyBox)
 				containerName = "test-container"
 			)
-			t.Logf("Pull test image %q", testImage)
+
-			img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+			EnsureImageExists(t, testImage)
-			require.NoError(t, err)
-			defer func() {
-				assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-			}()
 
 			t.Log("Create a multi-process container")
 			cnConfig := ContainerConfig(
@@ -90,12 +86,8 @@ func TestContainerStopCancellation(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Logf("Pull test image %q", testImage)
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create a container which traps sigterm")
 	cnConfig := ContainerConfig(

integration/container_without_image_ref_test.go

@@ -41,12 +41,8 @@ func TestContainerLifecycleWithoutImageRef(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Log("Pull test image")
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	img := EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create test container")
 	cnConfig := ContainerConfig(

integration/containerd_image_test.go

@@ -185,13 +185,8 @@ func TestContainerdImageInOtherNamespaces(t *testing.T) {
 	}
 	require.NoError(t, Consistently(checkImage, 100*time.Millisecond, time.Second))
 
-	sbConfig := PodSandboxConfig("sandbox", "test")
+	PodSandboxConfig("sandbox", "test")
-	t.Logf("pull the image into cri plugin")
+	EnsureImageExists(t, testImage)
-	id, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: id}))
-	}()
 
 	t.Logf("cri plugin should see the image now")
 	img, err := imageService.ImageStatus(&runtime.ImageSpec{Image: testImage})

integration/imagefs_info_test.go

@@ -33,12 +33,8 @@ func TestImageFSInfo(t *testing.T) {
 	config := PodSandboxConfig("running-pod", "imagefs")
 
 	t.Logf("Pull an image to make sure image fs is not empty")
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: GetImage(BusyBox)}, nil, config)
+	EnsureImageExists(t, GetImage(BusyBox))
-	require.NoError(t, err)
+
-	defer func() {
-		err := imageService.RemoveImage(&runtime.ImageSpec{Image: img})
-		assert.NoError(t, err)
-	}()
 	t.Logf("Create a sandbox to make sure there is an active snapshot")
 	sb, err := runtimeService.RunPodSandbox(config, *runtimeHandler)
 	require.NoError(t, err)

integration/pod_dualstack_test.go

@@ -50,12 +50,8 @@ func TestPodDualStack(t *testing.T) {
 		testImage     = GetImage(BusyBox)
 		containerName = "test-container"
 	)
-	t.Logf("Pull test image %q", testImage)
+
-	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	EnsureImageExists(t, testImage)
-	require.NoError(t, err)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-	}()
 
 	t.Log("Create a container to print env")
 	cnConfig := ContainerConfig(

integration/pod_hostname_test.go

@@ -86,12 +86,8 @@ func TestPodHostname(t *testing.T) {
 				testImage     = GetImage(BusyBox)
 				containerName = "test-container"
 			)
-			t.Logf("Pull test image %q", testImage)
+
-			img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+			EnsureImageExists(t, testImage)
-			require.NoError(t, err)
-			defer func() {
-				assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-			}()
 
 			t.Log("Create a container to print env")
 			cnConfig := ContainerConfig(

integration/restart_test.go

@@ -135,11 +135,7 @@ func TestContainerdRestart(t *testing.T) {
 
 	t.Logf("Pull test images")
 	for _, image := range []string{GetImage(BusyBox), GetImage(Alpine)} {
-		img, err := imageService.PullImage(&runtime.ImageSpec{Image: image}, nil, nil)
+		EnsureImageExists(t, image)
-		require.NoError(t, err)
-		defer func() {
-			assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
-		}()
 	}
 	imagesBeforeRestart, err := imageService.ListImages(nil)
 	assert.NoError(t, err)

integration/truncindex_test.go

@@ -35,12 +35,9 @@ func TestTruncIndex(t *testing.T) {
 
 	t.Logf("Pull an image")
 	var appImage = GetImage(BusyBox)
-	imgID, err := imageService.PullImage(&runtimeapi.ImageSpec{Image: appImage}, nil, sbConfig)
+
-	require.NoError(t, err)
+	imgID := EnsureImageExists(t, appImage)
 	imgTruncID := genTruncIndex(imgID)
-	defer func() {
-		assert.NoError(t, imageService.RemoveImage(&runtimeapi.ImageSpec{Image: imgTruncID}))
-	}()
 
 	t.Logf("Get image status by truncindex, truncID: %s", imgTruncID)
 	res, err := imageService.ImageStatus(&runtimeapi.ImageSpec{Image: imgTruncID})

integration/volume_copy_up_test.go

@@ -26,7 +26,6 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
 )
 
 func TestVolumeCopyUp(t *testing.T) {
@@ -44,9 +43,7 @@ func TestVolumeCopyUp(t *testing.T) {
 		assert.NoError(t, runtimeService.RemovePodSandbox(sb))
 	}()
 
-	t.Logf("Pull test image")
+	EnsureImageExists(t, testImage)
-	_, err = imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
-	require.NoError(t, err)
 
 	t.Logf("Create a container with volume-copy-up test image")
 	cnConfig := ContainerConfig(
@@ -106,9 +103,7 @@ func TestVolumeOwnership(t *testing.T) {
 		assert.NoError(t, runtimeService.RemovePodSandbox(sb))
 	}()
 
-	t.Logf("Pull test image")
+	EnsureImageExists(t, testImage)
-	_, err = imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
-	require.NoError(t, err)
 
 	t.Logf("Create a container with volume-ownership test image")
 	cnConfig := ContainerConfig(

metadata/leases.go

@@ -33,22 +33,22 @@ import (
 	bolt "go.etcd.io/bbolt"
 )
 
-// LeaseManager manages the create/delete lifecycle of leases
+// leaseManager manages the create/delete lifecycle of leases
 // and also returns existing leases
-type LeaseManager struct {
+type leaseManager struct {
 	db *DB
 }
 
 // NewLeaseManager creates a new lease manager for managing leases using
 // the provided database transaction.
-func NewLeaseManager(db *DB) *LeaseManager {
+func NewLeaseManager(db *DB) leases.Manager {
-	return &LeaseManager{
+	return &leaseManager{
 		db: db,
 	}
 }
 
 // Create creates a new lease using the provided lease
-func (lm *LeaseManager) Create(ctx context.Context, opts ...leases.Opt) (leases.Lease, error) {
+func (lm *leaseManager) Create(ctx context.Context, opts ...leases.Opt) (leases.Lease, error) {
 	var l leases.Lease
 	for _, opt := range opts {
 		if err := opt(&l); err != nil {
@@ -102,7 +102,7 @@ func (lm *LeaseManager) Create(ctx context.Context, opts ...leases.Opt) (leases.
 }
 
 // Delete deletes the lease with the provided lease ID
-func (lm *LeaseManager) Delete(ctx context.Context, lease leases.Lease, _ ...leases.DeleteOpt) error {
+func (lm *leaseManager) Delete(ctx context.Context, lease leases.Lease, _ ...leases.DeleteOpt) error {
 	namespace, err := namespaces.NamespaceRequired(ctx)
 	if err != nil {
 		return err
@@ -127,7 +127,7 @@ func (lm *LeaseManager) Delete(ctx context.Context, lease leases.Lease, _ ...lea
 }
 
 // List lists all active leases
-func (lm *LeaseManager) List(ctx context.Context, fs ...string) ([]leases.Lease, error) {
+func (lm *leaseManager) List(ctx context.Context, fs ...string) ([]leases.Lease, error) {
 	namespace, err := namespaces.NamespaceRequired(ctx)
 	if err != nil {
 		return nil, err
@@ -183,7 +183,7 @@ func (lm *LeaseManager) List(ctx context.Context, fs ...string) ([]leases.Lease,
 }
 
 // AddResource references the resource by the provided lease.
-func (lm *LeaseManager) AddResource(ctx context.Context, lease leases.Lease, r leases.Resource) error {
+func (lm *leaseManager) AddResource(ctx context.Context, lease leases.Lease, r leases.Resource) error {
 	namespace, err := namespaces.NamespaceRequired(ctx)
 	if err != nil {
 		return err
@@ -212,7 +212,7 @@ func (lm *LeaseManager) AddResource(ctx context.Context, lease leases.Lease, r l
 }
 
 // DeleteResource dereferences the resource by the provided lease.
-func (lm *LeaseManager) DeleteResource(ctx context.Context, lease leases.Lease, r leases.Resource) error {
+func (lm *leaseManager) DeleteResource(ctx context.Context, lease leases.Lease, r leases.Resource) error {
 	namespace, err := namespaces.NamespaceRequired(ctx)
 	if err != nil {
 		return err
@@ -250,7 +250,7 @@ func (lm *LeaseManager) DeleteResource(ctx context.Context, lease leases.Lease,
 }
 
 // ListResources lists all the resources referenced by the lease.
-func (lm *LeaseManager) ListResources(ctx context.Context, lease leases.Lease) ([]leases.Resource, error) {
+func (lm *leaseManager) ListResources(ctx context.Context, lease leases.Lease) ([]leases.Resource, error) {
 	namespace, err := namespaces.NamespaceRequired(ctx)
 	if err != nil {
 		return nil, err

pkg/cri/server/image_pull.go

@@ -373,6 +373,9 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 				if err != nil {
 					return nil, errors.Wrapf(err, "get TLSConfig for registry %q", e)
 				}
+			} else if isLocalHost(host) && u.Scheme == "http" {
+				// Skipping TLS verification for localhost
+				transport.TLSClientConfig.InsecureSkipVerify = true
 			}
 
 			// Make a copy of `auth`, so that different authorizers would not reference
@@ -406,15 +409,26 @@ func (c *criService) registryHosts(ctx context.Context, auth *runtime.AuthConfig
 
 // defaultScheme returns the default scheme for a registry host.
 func defaultScheme(host string) string {
-	if h, _, err := net.SplitHostPort(host); err == nil {
+	if isLocalHost(host) {
-		host = h
-	}
-	if host == "localhost" || host == "127.0.0.1" || host == "::1" {
 		return "http"
 	}
 	return "https"
 }
 
+// isLocalHost checks if the registry host is local.
+func isLocalHost(host string) bool {
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		host = h
+	}
+
+	if host == "localhost" {
+		return true
+	}
+
+	ip := net.ParseIP(host)
+	return ip.IsLoopback()
+}
+
 // addDefaultScheme returns the endpoint with default scheme
 func addDefaultScheme(endpoint string) (string, error) {
 	if strings.Contains(endpoint, "://") {

plugin/plugin.go

@@ -171,15 +171,11 @@ func Register(r *Registration) {
 		panic(err)
 	}
 
-	var last bool
 	for _, requires := range r.Requires {
-		if requires == "*" {
+		if requires == "*" && len(r.Requires) != 1 {
-			last = true
+			panic(ErrInvalidRequires)
 		}
 	}
-	if last && len(r.Requires) != 1 {
-		panic(ErrInvalidRequires)
-	}
 
 	register.r = append(register.r, r)
 }