Introduce a --cri flag, which will enable running container-stress using the CRI,
instead of containerd's task API.
In doing so, we introduce cri_worker, rename the existing worker to ctr_worker, and introduce
a worker interface that each of these implement.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
"ctr s r" help suggests <pod-config.json> is taken as the first
parameter and the sandbox ID becomes next. However, only the latter
is read and used.
Add code that reads <pod-config.json> and passes it to Sanbox.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Currently, ctr import will use loose matching as defined by
platforms.Only(), meaning in the case of platform linux/amd64 as in
issue#6441, importing will also match linux/386 platform on the
image-to-be-imported's index. However, that image-to-be-imported may not
have both the linux/amd64 and linux/386 platform contents, resulting in
a failure to unpack the image. This change makes that check strict such
that the requested platform to import for is the only platform content
imported. Both ctr pull and ctr export will treat the platform option as
strict, so this change makes ctr import consistent with those.
resolves#6441
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Schema 1 has been substantially deprecated since circa. 2017 in favor of Schema 2 introduced in Docker 1.10 (Feb 2016)
and its successor OCI Image Spec v1, but we have not officially deprecated Schema 1.
One of the reasons was that Quay did not support Schema 2 so far, but it is reported that Quay has been
supporting Schema 2 since Feb 2020 (moby/buildkit issue 409).
This PR deprecates pulling Schema 1 images but the feature will not be removed before containerd 2.0.
Pushing Schema 1 images was never implemented in containerd (and its consumers such as BuildKit).
Docker/Moby already disabled pushing Schema 1 images in Docker 20.10 (moby/moby PR 41295),
but Docker/Moby has not yet disabled pulling Schema 1 as containerd has not yet deprecated Schema 1.
(See the comments in moby/moby PR 42300.)
Docker/Moby is expected to disable pulling Schema 1 images in future after this deprecation.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This patch adds support for a container annotation and two separate
pod annotations for controlling the blockio class of containers.
The container annotation can be used by a CRI client:
"io.kubernetes.cri.blockio-class"
Pod annotations specify the blockio class in the K8s pod spec level:
"blockio.resources.beta.kubernetes.io/pod"
(pod-wide default for all containers within)
"blockio.resources.beta.kubernetes.io/container.<container_name>"
(container-specific overrides)
Correspondingly, this patch adds support for --blockio-class and
--blockio-config-file to ctr, too.
This implementation follows the resource class annotation pattern
introduced in RDT and merged in commit 893701220.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
With google.golang.org/protobuf, proto-generated objects only have
ProtoReflect(). They don't have Marshal() anymore (see #6564).
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This commit removes the following gogoproto extensions;
- gogoproto.nullable
- gogoproto.customename
- gogoproto.unmarshaller_all
- gogoproto.stringer_all
- gogoproto.sizer_all
- gogoproto.marshaler_all
- gogoproto.goproto_unregonized_all
- gogoproto.goproto_stringer_all
- gogoproto.goproto_getters_all
None of them are supported by Google's toolchain (see #6564).
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Create lease plugin type to separate lease manager from services plugin.
This allows other service plugins to depend on the lease manager.
Signed-off-by: Derek McGowan <derek@mcg.dev>
This commit upgrades github.com/containerd/typeurl to use typeurl.Any.
The interface hides gogo/protobuf/types.Any from containerd's Go client.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
runc option --criu is now ignored (with a warning), and the option will be
removed entirely in a future release. Users who need a non- standard criu
binary should rely on the standard way of looking up binaries in $PATH.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
when user executes ctr run --cni to start a container,it will call cni plugin to create network .But when user kills it,the network won’t be removed. if we run a container with same namespace and name again will trigger a bug. we should remove the network when user kills task if it enables cni plugin.
Fix:#6604
Signed-off-by: SongJiang Han <songjiang.dark@gmail.com>
Also fixes the issue that `ctr run` on Windows offered help for the
non-Windows implementation, but was silently ignored.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
addresses https://github.com/containerd/containerd/issues/6464
Return an error if a runtime provided is relative.
Add context to the usage for `ctr run --runtime` indicating that
absolute path to runtime binary must be provided.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Adds the ability to override the default user
ContainerUser with a custom user if present in
the image or ContainerAdministrator if needed.
Signed-off-by: Justin Terry <jlterry@amazon.com>
This command will replace protobuf/plugin/fieldpath when we migrate
off from gogo/protobuf.
See #6564 for the detail.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
For some runtimes, the container is not ready for exec until the
initial container task has been started (as opposed to just having the task created).
More specifically, running containerd-stress with --exec would break
with Kata Container shim, since the sandbox is not created until a
start is issued. By starting the container's primary task before adding
exec's, we can avoid:
```
error="cannot enter container exec-container-1, with err Sandbox not running, impossible to enter the container: unknown"
```
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Unlike the other shims, containerd-shim did not have a -v (version) flag:
./bin/containerd-shim-runc-v1 -v
./bin/containerd-shim-runc-v1:
Version: v1.6.0-rc.1
Revision: ad771115b82a70cfd8018d72ae489c707e63de16.m
Go version: go1.17.2
./bin/containerd-shim -v
flag provided but not defined: -v
Usage of ./bin/containerd-shim:
This patch adds a `-v` flag to be consistent with the other shims. The code was
slightly refactored to match the implementation in the other shims, taking the
same approach as 77d53d2d23/runtime/v2/shim/shim.go (L240-L256)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit unifies the following sub commands alias for
deleting/removing.
- containers
- tasks
- contents
- leases
- images
- snapshots
Signed-off-by: Ning Li <lining2020x@163.com>
The command already contains logic for Windows container
metrics, we just need to enable the command.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This change ignore errors during container runtime due to large
image labels and instead outputs warning. This is necessary as certain
image building tools like buildpacks may have large labels in the images
which need not be passed to the container.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
In linux 5.14 and hopefully some backports, core scheduling allows processes to
be co scheduled within the same domain on SMT enabled systems.
The containerd impl sets the core sched domain when launching a shim. This
allows a clean way for each shim(container/pod) to be in its own domain and any
additional containers, (v2 pods) be be launched with the same domain as well as
any exec'd process added to the container.
kernel docs: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
Signed-off-by: Michael Crosby <michael@thepasture.io>
This adds valuable logging data to the open telemetry traces.
When the trace is not recording we don't bother doing anything as it is
relatively expensive to convert logrus data to otel just due to the
nature of how logrus works.
The way this works is that we now set a context on the logrus.Entry that
gets passed around which the hook then uses to determine if there is an
active span to forward the logs to.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Some cases can cause the server initialization to block (namely running
a 2nd containerd instance by accident against the same root dir). In
this case there is no way to quit the daemon except with `kill -9`.
This changes context things so that server init is done in a goroutine
and we wait on a channel for it to be ready while we also wait for a
ctx.Done(), which will be cancelled if there is a termination signal.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
It seems like the cwd flag isn't used anywhere for ctr tasks exec. This change
just sets the cwd field on the spec for the execed process if a new one was
asked for, otherwise it will continue using whatever was on the containers spec.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove build tags which are already implied by the name of the file.
Ensures build tags are used consistently
Signed-off-by: Derek McGowan <derek@mcg.dev>
Add basic intiialization of opentelemetry including minimum support to
be able to read open telemetry config from config.toml and initialize
exporter. Tracer is initialized and ready to be be used for creating
spans, sub spans etc. With no opentelemetry configuration enabled in
config file, this patch is a no-op.
Basic config stub to be added to use opentelemetry is to add following
in config.toml. We use otlp exporter with default port 4317.
[otel]
exporter_name = "otlp"
exporter_endpoint = "0.0.0.1:4317"
otel-collector binary needs to run listening at the same port.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
systemd uses SIGRTMIN+n signals, but containerd didn't support the signals
since Go's sys/unix doesn't support them.
This change introduces SIGRTMIN+n handling by utilizing moby/sys/signal.
Fixes#5402.
https://www.freedesktop.org/software/systemd/man/systemd.html#Signals
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
add '--snapshotter-labels' in ctr run and ctr c create
which can pass labels to snappshotter on preparing new
snapshot.
Pass command label to snapshotter can help it determine
which kind of writable snapshots should be provide.
For some snapshotter, such as overlaybd:
( https://github.com/alibaba/accelerated-container-image ),
it can provide 2 kind of writable snapshot (overlayfs dir or
blockdevice) by command label values.
Signed-off-by: Yifan Yuan <tuji.yyf@alibaba-inc.com>
FreeBSD mount options may have embedded = characters. For example,
devfs(5) supports the `ruleset` option which can be passed as
`ruleset=4` to indicate that ruleset 4 should be used.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Handle initial pty resize after the exec process has started and the pty
is available, consistent with the behavior of ctr run.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Use cio.WithStreams with explicit console device when --tty is passed,
consistent with how ctr run behaves.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
According to the doc about `config.toml` of containerd:
```
If no version number is specified inside the config file then it is assumed to
be a version 1 config and parsed as such.
```
However, it's not true recently.
This will break the backward-compatibility in some environment.
This commit fixes this issue.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
containerd-stress utility needs to be able to run with snapshotter
passed by user in cli in order to be able to stress test snapshotters.
This adds a cli option --snapshotter="<snapshotter-name>"
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
set user in exec container
$ ctr t exec --exec-id e1 --user admin container id
uid=500(admin) gid=500(admin) groups=500(admin)
Signed-off-by: chuangxue <chenglong.lcl@alibaba-inc.com>
Signed-off-by: acetang <aceapril@126.com>
This fixes following warning message by changing the default runtime
to io.containerd.runc.v2 and does not require user to set the runtime
from command line anymore.
"WARN[2021-03-17T21:11:01.441207858Z] runtime v1 is deprecated since
containerd v1.4, consider using runtime v2"
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.
Added this to `ctr` as well so I could test that the code at least
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
