set user in exec container
$ ctr t exec --exec-id e1 --user admin container id
uid=500(admin) gid=500(admin) groups=500(admin)
Signed-off-by: chuangxue <chenglong.lcl@alibaba-inc.com>
Signed-off-by: acetang <aceapril@126.com>
This fixes the following warning message by changing the default runtime
to io.containerd.runc.v2 and does not require the user to set the runtime
from the command line anymore.
"WARN[2021-03-17T21:11:01.441207858Z] runtime v1 is deprecated since
containerd v1.4, consider using runtime v2"
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.
Added this to `ctr` as well so I could test that the code at least
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`config_linux.go` and `config_windows.go` are identical.
`config_unsupported.go` is also almost identical but enables debug logs by default.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This provides additional insight into how much time is being spent in
unpacking and is helpful in performance comparison for just this stage
without resorting to running under the time command in Linux, for example.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
Previously we simply ignored any not found error when loading the
containerd config. This created unintuitive behavior:
- If the user specified a path that didn't exist via --config, we would
silently ignore the error.
- If a config specified an import that didn't exist, we would silently
ignore the error.
In either of these cases, it appears we would end up using a potentially
corrupted config, as it would contain any files that were merged into it
before the not found error was hit.
However, we can't just remove the check for !os.IsNotExist(err),
as we shouldn't throw an error when --config is not passed, but the
default config doesn't exist.
This change updates the logic to only attempt to load the config if
we know it exists, or the user passed --config.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
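The loading rule this commit message describes, as an added Go example (not containerd's own code). `Config`, `loadFile`, `LoadConfig` and the whitespace-separated import-list file format are hypothetical stand-ins chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Config is a hypothetical stand-in; Loaded records merged files in order.
type Config struct{ Loaded []string }

// loadFile merges path and, recursively, each import it lists (constructed format:
// whitespace-separated paths). Every error, "not found" included, is returned.
func loadFile(path string, cfg *Config) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return fmt.Errorf("load config %s: %w", path, err)
	}
	cfg.Loaded = append(cfg.Loaded, path)
	for _, imp := range strings.Fields(string(data)) {
		if err := loadFile(imp, cfg); err != nil {
			return err
		}
	}
	return nil
}

// LoadConfig loads only when --config was passed (explicit) or the default file exists.
func LoadConfig(path string, explicit bool) (*Config, error) {
	cfg := &Config{}
	if !explicit {
		if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
			return cfg, nil // default config absent: built-in defaults, no error
		}
	}
	if err := loadFile(path, cfg); err != nil {
		return nil, err // never hand back a partially merged config
	}
	return cfg, nil
}

func main() {
	p := filepath.Join(os.TempDir(), "no-such-example-config.toml") // constructed path
	_, errDefault := LoadConfig(p, false)
	_, errExplicit := LoadConfig(p, true)
	fmt.Println("default missing:", errDefault, "| --config missing:", errExplicit)
}
```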
btrfs plugin needs CGO support. However on riscv64, cgo
is only supported on go1.16 (not released yet).
Instead of setting no_btrfs manually, adding a cgo tag tells
the compiler to skip it automatically.
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Go example:
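```go
// imports: github.com/containerd/containerd/images/converter
//          github.com/containerd/containerd/images/converter/uncompress
// ctx and client (a containerd client) are assumed to exist in the caller.
opts := []converter.Opt{
	// convert Docker media types to OCI ones
	converter.WithDocker2OCI(true),
	// convert tar.gz layers to uncompressed tar layers
	converter.WithLayerConvertFunc(uncompress.LayerConvertFunc),
}
srcRef := "example.com/foo:orig"
dstRef := "example.com/foo:converted"
dstImg, err := converter.Convert(ctx, client, dstRef, srcRef, opts...)
if err != nil {
	return err
}
// print the descriptor of the converted image
fmt.Println(dstImg.Target)
```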
ctr example: `ctr images convert --oci --uncompress example.com/foo:orig example.com/foo:converted`
Go test: `go test -exec sudo -test.root -test.run TestConvert`
The implementation is from https://github.com/containerd/stargz-snapshotter/pull/224,
but eStargz-specific functions are not included in this PR.
eStargz converter can be specified by importing `estargz` package and using `WithLayerConvertFunc(estargz.LayerConvertFunc)` option.
This converter interface will be potentially useful for converting zstd and ocicrypt layers as well.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If we print a message when SIG_PIPE occurs in the signal handler,
there is a loop {print->SIG_PIPE->print->SIG_PIPE...}, which consumes
a lot of CPU time. So do not print a message in this situation.
Signed-off-by: Liu Hua <weldonliu@tencent.com>
The additional []containerd.RemoteOpt is not used by ctr currently,
but planned to be used by nerdctl and also probably by stargz's ctr-remote.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Go 1.14 introduced a change to os.OpenFile (and syscall.Open) on Windows
that uses the permissions passed to determine if the file should be
created read-only or not. If the user-write bit (0200) is not set, then
FILE_ATTRIBUTE_READONLY is set on the underlying CreateFile call.
This is a significant change for any Windows code which created new
files and set the permissions to 0 (previously the permissions had no
effect, so some code didn't set them at all).
This change fixes the issue for the Windows service panic file. It will
now properly be created as a non-read-only file on Go 1.14+.
I have looked over the rest of the containerd code and didn't see other
places where this seems like an issue.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
This allows filesystem-based ACLs for configuring access to the socket
of a shim.
Ported from Michael Crosby's similar patch for v2 shims.
Signed-off-by: Samuel Karp <skarp@amazon.com>
This allows filesystem based ACLs for configuring access to the socket of a
shim.
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Michael Crosby <michael.crosby@apple.com>