Update cri to 4ea022f82a55c449bf15bfc62ac8b0de968d81be.

Signed-off-by: Lantao Liu <lantaol@google.com>

vendor/github.com/containerd/cri/pkg/config/config.go

@@ -85,8 +85,9 @@ type CniConfig struct {
 	NetworkPluginMaxConfNum int `toml:"max_conf_num" json:"maxConfNum"`
 	// NetworkPluginConfTemplate is the file path of golang template used to generate
 	// cni config.
-	// When it is set, containerd will get cidr from kubelet to replace {{.PodCIDR}} in
-	// the template, and write the config into NetworkPluginConfDir.
+	// When it is set, containerd will get cidr(s) from kubelet to replace {{.PodCIDR}},
+	// {{.PodCIDRRanges}} or {{.Routes}} in the template, and write the config into
+	// NetworkPluginConfDir.
 	// Ideally the cni config should be placed by system admin or cni daemon like calico,
 	// weaveworks etc. However, there are still users using kubenet
 	// (https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#kubenet)

vendor/github.com/containerd/cri/pkg/server/container_create.go

@@ -331,6 +331,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 		customopts.WithoutDefaultSecuritySettings,
 		customopts.WithRelativeRoot(relativeRootfsPath),
 		customopts.WithProcessArgs(config, imageConfig),
+		oci.WithDefaultPathEnv,
 		// this will be set based on the security context below
 		oci.WithNewPrivileges,
 	}

vendor/github.com/containerd/cri/pkg/server/sandbox_run.go

@@ -139,14 +139,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
 		// In this case however caching the IP will add a subtle performance enhancement by avoiding
 		// calls to network namespace of the pod to query the IP of the veth interface on every
 		// SandboxStatus request.
-		sandbox.IP, sandbox.CNIResult, err = c.setupPod(ctx, id, sandbox.NetNSPath, config)
-		if err != nil {
+		if err := c.setupPodNetwork(ctx, &sandbox); err != nil {
 			return nil, errors.Wrapf(err, "failed to setup network for sandbox %q", id)
 		}
 		defer func() {
 			if retErr != nil {
 				// Teardown network if an error is returned.
-				if err := c.teardownPod(ctx, id, sandbox.NetNSPath, config); err != nil {
+				if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
 					log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id)
 				}
 			}
@@ -544,10 +543,15 @@ func (c *criService) unmountSandboxFiles(id string, config *runtime.PodSandboxCo
 	return nil
 }
 
-// setupPod setups up the network for a pod
-func (c *criService) setupPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) (string, *cni.CNIResult, error) {
+// setupPodNetwork setups up the network for a pod
+func (c *criService) setupPodNetwork(ctx context.Context, sandbox *sandboxstore.Sandbox) error {
+	var (
+		id     = sandbox.ID
+		config = sandbox.Config
+		path   = sandbox.NetNSPath
+	)
 	if c.netPlugin == nil {
-		return "", nil, errors.New("cni config not initialized")
+		return errors.New("cni config not initialized")
 	}
 
 	labels := getPodCNILabels(id, config)
@@ -556,7 +560,7 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi
 	// or an unreasonable valure see validateBandwidthIsReasonable()
 	bandWidth, err := toCNIBandWidth(config.Annotations)
 	if err != nil {
-		return "", nil, errors.Wrap(err, "failed to get bandwidth info from annotations")
+		return errors.Wrap(err, "failed to get bandwidth info from annotations")
 	}
 
 	result, err := c.netPlugin.Setup(ctx, id,
@@ -567,18 +571,20 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi
 	)
 
 	if err != nil {
-		return "", nil, err
+		return err
 	}
 	logDebugCNIResult(ctx, id, result)
 	// Check if the default interface has IP config
 	if configs, ok := result.Interfaces[defaultIfName]; ok && len(configs.IPConfigs) > 0 {
-		return selectPodIP(configs.IPConfigs), result, nil
+		sandbox.IP, sandbox.AdditionalIPs = selectPodIPs(configs.IPConfigs)
+		sandbox.CNIResult = result
+		return nil
 	}
 	// If it comes here then the result was invalid so destroy the pod network and return error
-	if err := c.teardownPod(ctx, id, path, config); err != nil {
+	if err := c.teardownPodNetwork(ctx, *sandbox); err != nil {
 		log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id)
 	}
-	return "", result, errors.Errorf("failed to find network info for sandbox %q", id)
+	return errors.Errorf("failed to find network info for sandbox %q", id)
 }
 
 // toCNIBandWidth converts CRI annotations to CNI bandwidth.
@@ -623,14 +629,28 @@ func toCNIPortMappings(criPortMappings []*runtime.PortMapping) []cni.PortMapping
 	return portMappings
 }
 
-// selectPodIP select an ip from the ip list. It prefers ipv4 more than ipv6.
-func selectPodIP(ipConfigs []*cni.IPConfig) string {
+// selectPodIPs select an ip from the ip list. It prefers ipv4 more than ipv6
+// and returns the additional ips
+// TODO(random-liu): Revisit the ip order in the ipv6 beta stage. (cri#1278)
+func selectPodIPs(ipConfigs []*cni.IPConfig) (string, []string) {
+	var (
+		additionalIPs []string
+		ip            string
+	)
 	for _, c := range ipConfigs {
-		if c.IP.To4() != nil {
-			return c.IP.String()
+		if c.IP.To4() != nil && ip == "" {
+			ip = c.IP.String()
+		} else {
+			additionalIPs = append(additionalIPs, c.IP.String())
 		}
 	}
-	return ipConfigs[0].IP.String()
+	if ip != "" {
+		return ip, additionalIPs
+	}
+	if len(ipConfigs) == 1 {
+		return additionalIPs[0], nil
+	}
+	return additionalIPs[0], additionalIPs[1:]
 }
 
 // untrustedWorkload returns true if the sandbox contains untrusted workload.

vendor/github.com/containerd/cri/pkg/server/sandbox_status.go

@@ -37,11 +37,11 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox
 		return nil, errors.Wrap(err, "an error occurred when try to find sandbox")
 	}
 
-	ip, err := c.getIP(sandbox)
+	ip, additionalIPs, err := c.getIPs(sandbox)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get sandbox ip")
 	}
-	status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip)
+	status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip, additionalIPs)
 	if status.GetCreatedAt() == 0 {
 		// CRI doesn't allow CreatedAt == 0.
 		info, err := sandbox.Container.Info(ctx)
@@ -66,38 +66,45 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox
 	}, nil
 }
 
-func (c *criService) getIP(sandbox sandboxstore.Sandbox) (string, error) {
+func (c *criService) getIPs(sandbox sandboxstore.Sandbox) (string, []string, error) {
 	config := sandbox.Config
 
 	if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtime.NamespaceMode_NODE {
 		// For sandboxes using the node network we are not
 		// responsible for reporting the IP.
-		return "", nil
+		return "", nil, nil
 	}
 
 	if closed, err := sandbox.NetNS.Closed(); err != nil {
-		return "", errors.Wrap(err, "check network namespace closed")
+		return "", nil, errors.Wrap(err, "check network namespace closed")
 	} else if closed {
-		return "", nil
+		return "", nil, nil
 	}
 
-	return sandbox.IP, nil
+	return sandbox.IP, sandbox.AdditionalIPs, nil
 }
 
 // toCRISandboxStatus converts sandbox metadata into CRI pod sandbox status.
-func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string) *runtime.PodSandboxStatus {
+func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string, additionalIPs []string) *runtime.PodSandboxStatus {
 	// Set sandbox state to NOTREADY by default.
 	state := runtime.PodSandboxState_SANDBOX_NOTREADY
 	if status.State == sandboxstore.StateReady {
 		state = runtime.PodSandboxState_SANDBOX_READY
 	}
 	nsOpts := meta.Config.GetLinux().GetSecurityContext().GetNamespaceOptions()
+	var ips []*runtime.PodIP
+	for _, additionalIP := range additionalIPs {
+		ips = append(ips, &runtime.PodIP{Ip: additionalIP})
+	}
 	return &runtime.PodSandboxStatus{
 		Id:        meta.ID,
 		Metadata:  meta.Config.GetMetadata(),
 		State:     state,
 		CreatedAt: status.CreatedAt.UnixNano(),
-		Network:   &runtime.PodSandboxNetworkStatus{Ip: ip},
+		Network: &runtime.PodSandboxNetworkStatus{
+			Ip:            ip,
+			AdditionalIps: ips,
+		},
 		Linux: &runtime.LinuxPodSandboxStatus{
 			Namespaces: &runtime.Namespace{
 				Options: &runtime.NamespaceOption{

vendor/github.com/containerd/cri/pkg/server/sandbox_stop.go

@@ -72,15 +72,14 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
 
 	// Teardown network for sandbox.
 	if sandbox.NetNS != nil {
-		netNSPath := sandbox.NetNSPath
 		// Use empty netns path if netns is not available. This is defined in:
 		// https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md
 		if closed, err := sandbox.NetNS.Closed(); err != nil {
 			return nil, errors.Wrap(err, "failed to check network namespace closed")
 		} else if closed {
-			netNSPath = ""
+			sandbox.NetNSPath = ""
 		}
-		if err := c.teardownPod(ctx, id, netNSPath, sandbox.Config); err != nil {
+		if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
 			return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
 		}
 		if err = sandbox.NetNS.Remove(); err != nil {
@@ -156,12 +155,17 @@ func (c *criService) waitSandboxStop(ctx context.Context, sandbox sandboxstore.S
 	}
 }
 
-// teardownPod removes the network from the pod
-func (c *criService) teardownPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) error {
+// teardownPodNetwork removes the network from the pod
+func (c *criService) teardownPodNetwork(ctx context.Context, sandbox sandboxstore.Sandbox) error {
 	if c.netPlugin == nil {
 		return errors.New("cni config not initialized")
 	}
 
+	var (
+		id     = sandbox.ID
+		path   = sandbox.NetNSPath
+		config = sandbox.Config
+	)
 	labels := getPodCNILabels(id, config)
 	return c.netPlugin.Remove(ctx, id,
 		path,

vendor/github.com/containerd/cri/pkg/server/update_runtime_config.go

@@ -17,8 +17,10 @@ limitations under the License.
 package server
 
 import (
+	"net"
 	"os"
 	"path/filepath"
+	"strings"
 	"text/template"
 
 	"github.com/containerd/containerd/log"
@@ -33,17 +35,36 @@ import (
 type cniConfigTemplate struct {
 	// PodCIDR is the cidr for pods on the node.
 	PodCIDR string
+	// PodCIDRRanges is the cidr ranges for pods on the node.
+	PodCIDRRanges []string
+	// Routes is a list of routes configured.
+	Routes []string
 }
 
-// cniConfigFileName is the name of cni config file generated by containerd.
-const cniConfigFileName = "10-containerd-net.conflist"
+const (
+	// cniConfigFileName is the name of cni config file generated by containerd.
+	cniConfigFileName = "10-containerd-net.conflist"
+	// zeroCIDRv6 is the null route for IPv6.
+	zeroCIDRv6 = "::/0"
+	// zeroCIDRv4 is the null route for IPv4.
+	zeroCIDRv4 = "0.0.0.0/0"
+)
 
 // UpdateRuntimeConfig updates the runtime config. Currently only handles podCIDR updates.
 func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateRuntimeConfigRequest) (*runtime.UpdateRuntimeConfigResponse, error) {
-	podCIDR := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr()
-	if podCIDR == "" {
+	podCIDRs := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr()
+	if podCIDRs == "" {
 		return &runtime.UpdateRuntimeConfigResponse{}, nil
 	}
+	cidrs := strings.Split(podCIDRs, ",")
+	for i := range cidrs {
+		cidrs[i] = strings.TrimSpace(cidrs[i])
+	}
+	routes, err := getRoutes(cidrs)
+	if err != nil {
+		return nil, errors.Wrap(err, "get routes")
+	}
+
 	confTemplate := c.config.NetworkPluginConfTemplate
 	if confTemplate == "" {
 		log.G(ctx).Info("No cni config template is specified, wait for other system components to drop the config.")
@@ -71,8 +92,38 @@ func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateR
 		return nil, errors.Wrapf(err, "failed to open cni config file %q", confFile)
 	}
 	defer f.Close()
-	if err := t.Execute(f, cniConfigTemplate{PodCIDR: podCIDR}); err != nil {
+	if err := t.Execute(f, cniConfigTemplate{
+		PodCIDR:       cidrs[0],
+		PodCIDRRanges: cidrs,
+		Routes:        routes,
+	}); err != nil {
 		return nil, errors.Wrapf(err, "failed to generate cni config file %q", confFile)
 	}
 	return &runtime.UpdateRuntimeConfigResponse{}, nil
 }
+
+// getRoutes generates required routes for the passed in cidrs.
+func getRoutes(cidrs []string) ([]string, error) {
+	var (
+		routes       []string
+		hasV4, hasV6 bool
+	)
+	for _, c := range cidrs {
+		_, cidr, err := net.ParseCIDR(c)
+		if err != nil {
+			return nil, err
+		}
+		if cidr.IP.To4() != nil {
+			hasV4 = true
+		} else {
+			hasV6 = true
+		}
+	}
+	if hasV4 {
+		routes = append(routes, zeroCIDRv4)
+	}
+	if hasV6 {
+		routes = append(routes, zeroCIDRv6)
+	}
+	return routes, nil
+}

vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go

@@ -55,6 +55,8 @@ type Metadata struct {
 	NetNSPath string
 	// IP of Pod if it is attached to non host network
 	IP string
+	// AdditionalIPs of the Pod if it is attached to non host network
+	AdditionalIPs []string
 	// RuntimeHandler is the runtime handler name of the pod.
 	RuntimeHandler string
 	// CNIresult resulting configuration for attached network namespace interfaces

vendor/github.com/containerd/cri/vendor.conf

@@ -36,41 +36,42 @@ github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/coreos/go-systemd v14
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc 1fb3814edf44a76e0ccf503decf726d994919a9a
-github.com/containerd/go-runc 9007c2405372fe28918845901a3276c0915689a1
-github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
-github.com/containerd/containerd a3a30635ef713b544ea7feff0d12a768fd1ed636
+github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
+github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
+github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
+github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
+github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec
 github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
 github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
 github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
-github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
+github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
 github.com/Microsoft/go-winio v0.4.14
 github.com/BurntSushi/toml v0.3.1
+github.com/imdario/mergo v0.3.7
 
 # kubernetes dependencies
 sigs.k8s.io/yaml v1.1.0
 k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c
-k8s.io/kubernetes v1.15.0
-k8s.io/klog v0.3.1
-k8s.io/cri-api kubernetes-1.15.0
-k8s.io/client-go kubernetes-1.15.0
-k8s.io/api kubernetes-1.15.0
-k8s.io/apiserver kubernetes-1.15.0
-k8s.io/apimachinery kubernetes-1.15.0
-gopkg.in/yaml.v2 v2.2.1
+k8s.io/kubernetes v1.16.0-rc.2
+k8s.io/klog v0.4.0
+k8s.io/cri-api kubernetes-1.16.0-rc.2
+k8s.io/client-go kubernetes-1.16.0-rc.2
+k8s.io/api kubernetes-1.16.0-rc.2
+k8s.io/apiserver kubernetes-1.16.0-rc.2
+k8s.io/apimachinery kubernetes-1.16.0-rc.2
+gopkg.in/yaml.v2 v2.2.2
 gopkg.in/inf.v0 v0.9.0
-golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
-golang.org/x/oauth2 9f3314589c9a9136388751d9adae6b0ed400978a
-golang.org/x/crypto 88737f569e3a9c7ab309cdc09a07fe7fc87233c3
-github.com/stretchr/testify v1.2.2
+golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd
+golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
+golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa
+github.com/stretchr/testify v1.3.0
 github.com/seccomp/libseccomp-golang v0.9.1
 github.com/pmezard/go-difflib v1.0.0
 github.com/modern-go/reflect2 1.0.1
 github.com/modern-go/concurrent 1.0.3
-github.com/json-iterator/go 1.1.5
-github.com/google/gofuzz 24818f796faf91cd76ec7bddd72458fbced7a6c1
-github.com/emicklei/go-restful v2.2.1
+github.com/json-iterator/go v1.1.7
+github.com/google/gofuzz v1.0.0
+github.com/emicklei/go-restful v2.9.5
 github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
 github.com/davecgh/go-spew v1.1.1