Windows HostProcess containers can run containerized workloads on a Windows host.
These containers operate as normal processes but have access to the host network
namespace, storage, and devices when given the appropriate user privileges.
HostProcess containers support the ability to run as one of the following Windows
service accounts: LocalSystem, LocalService, NetworkService.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
The cri-integration.sh script sets errexit option. This does not
work properly on Bash in Windows, espectially when the script is
piped to something else ( tee in this case ). In this particular
case, the problem arises from the fact that if the script exits
prematurely, it will not get a chance to call test_teardown and
thus clean the remaining containerd process, thus the whole
command will hang indefinetly.
Adding a simple trap on EXIT to call test_teardown will easily
fix this.
Signed-off-by: Adelina Tuvenie <atuvenie@cloudbasesolutions.com>
go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil
package, as well as bug fixes to the compiler, the linker, the runtime, the go
command, and the net/http package. See the Go 1.16.7 milestone on the issue
tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.16.7+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- ensure that the root go.mod and the module specific go.mod have the
same `require` and `replace` directives for different dependencies.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.0...v2.0.1
- Fix handling multiple definition descriptions
- Fix inline markup causing table cells to split
- Remove escaping tilde character (prevents tildes (`~`) from disappearing).
- Do not escape dash, underscore, and ampersand (prevents ampersands (`&`) from disappearing).
- Ignore unknown HTML tags to prevent noisy warnings
Note that this only updates the binaries we install. The vendor code also
includes go-md2man (as indirect dependency of urfave/cli). I don't think we use that
feature, so I did not add it to our go.mod
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The current release of gotestsum is missing timestamps in the junit
data, which makes it difficult to import in an external system later.
https://github.com/gotestyourself/gotestsum/commit/012a85e34a7ce5554057d512e55dcb
includes the necessary changes to add the timestamp for the test run to
the junit output.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
For Periodic Windows runs we installed the latest available golang version.
It seems 1.16.5 is creating problems with go.sum. We now introduce the
ability to install specific versions for required packages when preparing
the testing env.
Signed-off-by: Adelina Tuvenie <atuvenie@cloudbasesolutions.com>
On Windows, we were only killing the keepalive process, and the
containerd process would keep running.
keepalive and containerd have the same PGID, so we can use that information
to kill both of them.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Currently, the cri-integration tests do not work on Windows due to various reasons.
One of the reasons is because all the tests are using Linux-specific images.
Previous commits refactored the image pulling / usage in the cri-integration tests,
making it easier to update, and easier to configure a custom registry to pull images
with Windows support.
For Windows runs, custom registries can be created, which will also contain Windows
images, and the cri-integration tests can be configured to use those registries by
specifying the "--repo-list" argument, a YAML file which will contain an alternative
mapping of the default registries. This is similar to how E2E tests are handled for
Windows runs in Kubernetes.
Some of the tests are Skipped, as they do not pass yet on Windows.
Windows does not collect inodes used stats, thus, the tests that were expecting non-zero
inodes stats were failing.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
Currently, the cri-integration tests do not work on Windows due to various reasons.
One of the reasons is because all the tests are using Linux-specific images. This
commit refactors the image pulling / usage in the cri-integration tests, making it
easier to update, and easier to configure the a custom registry to pull those images
from.
For Windows runs, custom registries can be created, which will also contain Windows
images, and the cri-integration tests can be configured to use those registries by
specifying the "--image-list" argument, a TOML file which will contain an alternative
mapping of the default images.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This allows us to dig more details out of test runs and maintain a
better history.
For this we can use `gotestsum`, which is a utility that wraps `go test`
so that it outputs test2json (go's format) and output junit (a format
more easily imported into other systems).
The PR makes it possible to override the Makefile's use of `go test` to
use any other command tto executet the test. For CI we'll use `gotestsum
--`, where `gotestsum` expects everything after the `--` to be flags for
`go test`.
We then use environment variables to configure `gotestsum` (e.g.
`GOTESTSUM_JUNITFILE` is an env var accepted by `gotestsum`).
For cri tests, the test suite supports outputing test results to a
directory, these are in junit format already. The file is not named
properly just because the code that creates it (in ginkgo) is not
configured well. We can fix that upstream to give us a better name...
until then I'm keeping those results in a separate dir.
A second workflow is also added so the test results can be summed up and
a report added to the workflow run. The 2nd workflow is required for
this since PR runs do not have access to do some of this due to safety
reasons
(https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Both runc and containerd use BUILDTAGS to customize go build-tags.
When building containerd with custom build-tags, runc inherited
those, causing the default to be overwritten, e.g.;
make BUILDTAGS=no_btrfs cri-cni-release
(in script/setup/install-runc)
HEAD is now at 12644e61 VERSION: release 1.0.0~rc93
make[1]: Entering directory '/tmp/tmp.ZJzc2KtI0A/runc'
go build -trimpath "-mod=vendor" "-buildmode=pie" -tags "no_btrfs" -ldflags "-X main.gitCommit="12644e614e25b05da6fd08a38ffa0cfe1903fdec" -X main.version=1.0.0-rc93 " -o runc .
^^^^^^^^^^^^^^^^
This patch brings back the BUILDTAGS make-var in the runc-install
script, which fixates the buildtags to our defaults.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This moves the runc version to build to scripts/setup/runc-version,
which makes it easier for packagers to find the default version
to use.
The RUNC_VERSION environment variable can still be used to override
the version, which can be used (e.g.) to test against different versions
in our CI.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that the dependency on runc (libcontaienr) code has been reduced
considerably, it is probbaly ok to cut the version dependency between
libcontainer and the runc binary that is supported.
This patch separates the runc binary version from the version of
libcontainer that is defined in go.mod, and updates the documentation
accordingly.
The RUNC_COMMIT variable in the install-runc script is renamed to
RUNC_VERSION to encourage using tagged versions, and the Dockerfile
in contrib is updated to allow building with a custom version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
From the runc v1.0.0-rc93 release notes:
> The "selinux" and "apparmor" buildtags have been removed, and now all runc
> builds will have SELinux and AppArmor support enabled. Note that "seccomp"
> is still optional (though we very highly recommend you enable it).
Also adding a note about kmem support.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`go get -d` uses go modules by default in Go 1.16 and up, which results
in modules being fetched for the "latest" module version, after which we
tried to "git checkout" to `<VERSION>`.
For runc, this means that (possibly incorrectly), `go get` will download
runc `v0.1.1` (most recent non-"pre-release", which caused failures (e.g
the old `Sirupsen/logrus` being downloaded).
In addition, some of the dependencies we're installing use vendoring, and
thus would not require the modules to be downloaded (and vendored files
will be ignored when using `go get` with modules).
This patch switches several uses `go get -d` to use a regular
git clone, after which the desired version is checked out,
and the binaries are built.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Phil Estes <estesp@amazon.com>
Add installation scripts needed to generate CRI + CNI tar package on
release.
Update Github action release script to generate CRI release tarballs for
Linux and Windows.
Signed-off-by: Derek McGowan <derek@mcg.dev>
`vagrant up` will build and install containerd and all dependencies,
setting up proper SELinux contexts on the runc and containerd binaries.
The VM is configured to be SELinux Enforcing by default but this gets
changed during various CI passes via a matrix param to Disabled and
Permissive before running tests. I have an open PR to fix the
container-selinux policy for containerd at
https://github.com/containers/container-selinux/pull/98 which once
accepted we will want to update the CI matrix to use Enforcing mode
instead of Permissive.
All tests currently pass in SELinux permissive mode with containerd
configured with `enable_selinux=true`. To see which tests are failing
with SELinux enforcing and an already spun up VM:
`SELINUX=Enforcing vagrant up --provision-with=selinux,test-cri`
To test SELinux enforcing in a new VM:
`vagrant destroy -force; SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-cri`
The `selinux` shell provisioner, parameterized by the SELINUX envvar,
will configure the system as you would expect, with the side effect that
containerd is configured with `enable_selinux=true` via
`/etc/containerd/config.toml` for Permissive or Enforcing modes and
`enable_selinux=false` when SELINUX=Disabled.
Provided that virtualization is suported, this Vagrantfile and provisioners
make it easy to test containerd/cri for conformance under SELinux on
non-SELinux systems.
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
omit sudo when EUID eqto 0
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
use gosu to omit sudo in GA
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
set working-dir for <<Setup gosu>> step
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
fix job permissions
Signed-off-by: fahedouch <fahed.dorgaa@gmail.com>
full diff: 61b7af7564...dc7afe8fbe
This commit includes moving up to the latest critools(1.18.0).
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
Integration tests were running with latest Go release rather than the
version used everywhere else. Also, we don't need to install protoc from
tarball and also apt-get the package for Ubuntu when used as a
dependency for criu build.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
When we call `go get -d -v
github.com/kubernetes-incubator/cri-tools/...` which repos has been
moved to `github.com/kubernetes-sigs/cri-tools`, `go get` will create
package `github.com/kubernetes-sigs/cri-tools`.
```
go get -d -v github.com/kubernetes-incubator/cri-tools/...
github.com/kubernetes-incubator/cri-tools (download)
github.com/kubernetes-sigs/cri-tools (download)
```
According to old version of `github.com/kubernetes-incubator/cri-tools`
Makefile, if there is no `github.com/kubernetes-sigs/cri-tools` package,
it will create softlink self to `github.com/kubernetes-sigs/cri-tools`.
But `go get` will create `github.com/kubernetes-sigs/cri-tools` and
there is no softlink. Therefore, the critools are always latest one, not
specific version.
So, use `github.com/kubernetes-sigs/cri-tools` will be better and save
traffic from `go get`.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
* Only use bash where needed (scripts with pipes that use -o pipefail)
* Make string comparisons POSIX compatible
* Handle whitespace(s) in GOPATH
* Remove superfluous quotes in variable assignments
Change-Id: If1ea55f06f402ded646b5085d4837c0996f90fab
Signed-off-by: Joakim Roubert <joakimr@axis.com>
lib seccomp 2.4 has huge performance regressions.
This change pins to 2.3.3 where that is not an issue
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Attempt to fix CI is failing due to a regression in Go 1.10.6 / 1.11.3 (see https://github.com/golang/go/issues/29241)
```
package github.com/containernetworking/plugins/...: github.com/containernetworking/plugins/...: invalid import path: malformed import path "github.com/containernetworking/plugins/...": double dot
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove local copies of common containerd/project located scripts for
DCO, fileheader, and vendor checks.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Adds initial manpages for ctr, containerd, and containerd config
commands, as well as the config.toml configuration file.
Adds targets to Makefile for generating and installing manpages.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
vendor/ must be removed first, otherwise files added to vendor/ that aren't added to
vendor.conf will not cause the validation to fail.
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
Adds capability to build the manpages via the go-md2man utility to the
make framework for containerd
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Cleans up loop devices if part of the test or mount process fails.
Also increases btrfs default file size to 650MB to accommodate
minimum btrfs size on ppc64le and s390x
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
The DCO check is primarily only relevant as part of CI, so it
doesn't need to be in the Makefile. A contributor looking to
validate their commits can run script/validate/dco.
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
