linux/shim: reduce memory overhead by using ttrpc
By replacing grpc with ttrpc, we can reduce total memory runtime requirements and binary size. With minimal code changes, the shim can now be controlled by the much lightweight protocol, reducing the total memory required per container. When reviewing this change, take particular notice of the generated shim code. Signed-off-by: Stephen J Day <stephen.day@docker.com>
This commit is contained in:
Stephen J Day
@@ -1,20 +1,13 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"net"
|
||||
"os"
|
||||
"os/signal"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
"golang.org/x/sys/unix"
|
||||
|
||||
"github.com/containerd/containerd/reaper"
|
||||
"github.com/containerd/containerd/sys"
|
||||
runc "github.com/containerd/go-runc"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/stevvooe/ttrpc"
|
||||
)
|
||||
|
||||
// setupSignals creates a new signal handler for all signals and sets the shim as a
|
||||
@@ -32,64 +25,6 @@ func setupSignals() (chan os.Signal, error) {
|
||||
return signals, nil
|
||||
}
|
||||
|
||||
func newServer() *grpc.Server {
|
||||
return grpc.NewServer(grpc.Creds(NewUnixSocketCredentials(0, 0)))
|
||||
}
|
||||
|
||||
type unixSocketCredentials struct {
|
||||
uid int
|
||||
gid int
|
||||
serverName string
|
||||
}
|
||||
|
||||
// NewUnixSocketCredentials returns TransportCredentials for a local unix socket
|
||||
func NewUnixSocketCredentials(uid, gid int) credentials.TransportCredentials {
|
||||
return &unixSocketCredentials{uid, gid, "locahost"}
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
return nil, nil, errors.New("ClientHandshake is not supported by unixSocketCredentials")
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) ServerHandshake(c net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
uc, ok := c.(*net.UnixConn)
|
||||
if !ok {
|
||||
return nil, nil, errors.New("unixSocketCredentials only supports unix socket")
|
||||
}
|
||||
|
||||
f, err := uc.File()
|
||||
if err != nil {
|
||||
return nil, nil, errors.Wrap(err, "unixSocketCredentials: failed to retrieve connection underlying fd")
|
||||
}
|
||||
pcred, err := unix.GetsockoptUcred(int(f.Fd()), unix.SOL_SOCKET, unix.SO_PEERCRED)
|
||||
if err != nil {
|
||||
return nil, nil, errors.Wrap(err, "unixSocketCredentials: failed to retrieve socket peer credentials")
|
||||
}
|
||||
|
||||
if (u.uid != -1 && uint32(u.uid) != pcred.Uid) || (u.gid != -1 && uint32(u.gid) != pcred.Gid) {
|
||||
return nil, nil, errors.New("unixSocketCredentials: invalid credentials")
|
||||
}
|
||||
|
||||
return c, u, nil
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) Info() credentials.ProtocolInfo {
|
||||
return credentials.ProtocolInfo{
|
||||
SecurityProtocol: "unix-socket-peer-creds",
|
||||
SecurityVersion: "1.0",
|
||||
ServerName: u.serverName,
|
||||
}
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) Clone() credentials.TransportCredentials {
|
||||
return &unixSocketCredentials{u.uid, u.gid, u.serverName}
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) OverrideServerName(serverName string) error {
|
||||
u.serverName = serverName
|
||||
return nil
|
||||
}
|
||||
|
||||
func (u *unixSocketCredentials) AuthType() string {
|
||||
return "unix-socket-peer-creds"
|
||||
func newServer() *ttrpc.Server {
|
||||
return ttrpc.NewServer()
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user