containerd

Author	SHA1	Message	Date
Michael Crosby	aa2733c202	Merge pull request #6170 from olljanat/default-sysctls CRI: Support enable_unprivileged_icmp and enable_unprivileged_ports options	2021-11-18 11:37:23 -05:00
Olli Janatuinen	2a81c9f677	CRI: Support enable_unprivileged_icmp and enable_unprivileged_ports options Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>	2021-11-15 18:30:09 +02:00
Maksym Pavlenko	6870f3b1b8	Support custom runtime path when launching tasks Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>	2021-11-09 13:31:46 -08:00
Michael Crosby	55893b9be7	Add CNI conf based on runtime class Signed-off-by: Michael Crosby <michael@thepasture.io>	2021-09-17 19:05:06 +00:00
Michael Crosby	1efed43090	add ip_pref CNI options for primary pod ip This fixes the TODO of this function and also expands on how the primary pod ip is selected. This change allows the operator to prefer ipv4, ipv6, or retain the ordering provided by the return results of the CNI plugins. This makes it much more flexible for ops to configure containerd and how IPs are set on the pod. Signed-off-by: Michael Crosby <michael@thepasture.io>	2021-09-10 10:04:21 -04:00
Mike Brown	e00f87f1dc	Merge pull request #5927 from adelina-t/ws_2022_image_update Update Pause image in tests & config	2021-08-31 16:11:57 -05:00
Adelina Tuvenie	6d3d34b85d	Update Pause image in tests & config With the introduction of Windows Server 2022, some images have been updated to support WS2022 in their manifest list. This commit updates the test images accordingly. Signed-off-by: Adelina Tuvenie <atuvenie@cloudbasesolutions.com>	2021-08-31 19:42:57 +03:00
Mikko Ylinen	e0f8c04dad	cri: Devices ownership from SecurityContext CRI container runtimes mount devices (set via kubernetes device plugins) to containers by taking the host user/group IDs (uid/gid) to the corresponding container device. This triggers a problem when trying to run those containers with non-zero (root uid/gid = 0) uid/gid set via runAsUser/runAsGroup: the container process has no permission to use the device even when its gid is permissive to non-root users because the container user does not belong to that group. It is possible to workaround the problem by manually adding the device gid(s) to supplementalGroups. However, this is also problematic because the device gid(s) may have different values depending on the workers' distro/version in the cluster. This patch suggests to take RunAsUser/RunAsGroup set via SecurityContext as the device UID/GID, respectively. The feature must be enabled by setting device_ownership_from_security_context runtime config value to true (valid on Linux only). Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>	2021-08-30 09:30:00 +03:00
Akihiro Suda	d3aa7ee9f0	Run `go fmt` with Go 1.17 The new `go fmt` adds `//go:build` lines (https://golang.org/doc/go1.17#tools). Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2021-08-22 09:31:50 +09:00
Derek McGowan	6f027e38a8	Remove redundant build tags Remove build tags which are already implied by the name of the file. Ensures build tags are used consistently Signed-off-by: Derek McGowan <derek@mcg.dev>	2021-08-05 22:27:46 -07:00
Mike Brown	560e7d4799	fixing some doc links Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-06-21 18:24:47 -05:00
Mike Brown	8a04bd0521	address recent runtimes config confusion Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-12 15:33:38 -05:00
Mike Brown	e96d2a5d90	Revert "remove two very old no longer used runtime options" Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-12 10:16:01 -05:00
Mike Brown	dd16b006e5	merge in the move to the new options type Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-08 14:09:59 -05:00
Mike Brown	9144ce9677	shows our runc.v2 default options in the containerd default config Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-08 14:09:59 -05:00
Aditi Sharma	4d4117415e	Change CRI config runtime options type Changing Runtime.Options type to map[string]interface{} to correctly marshal it from go to JSON. See issue: https://github.com/kubernetes-sigs/cri-tools/issues/728 Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>	2021-04-08 15:11:33 +05:30
Mike Brown	d4be6aa8fa	rm mirror defaults; doc registry deprecations Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-07 12:29:43 -05:00
Mike Brown	0186a329e9	remove two very old no longer used runtime options Signed-off-by: Mike Brown <brownwm@us.ibm.com>	2021-04-06 20:41:09 -05:00
Maksym Pavlenko	5ada2f74a7	Keep host order as defined in TOML file Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>	2021-04-01 09:29:16 -07:00
Maksym Pavlenko	ddd4298a10	Migrate current TOML code to github.com/pelletier/go-toml Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>	2021-03-25 13:13:33 -07:00
Fu, Wei	80fa9fe32a	Merge pull request #5135 from AkihiroSuda/default-config-crypt add imgcrypt stream processors to the default config	2021-03-25 14:31:38 +08:00
pacoxu	ffff688663	upgrade pause image to 3.5 for non-root Signed-off-by: pacoxu <paco.xu@daocloud.io>	2021-03-16 23:20:35 +08:00
Akihiro Suda	ecb881e5e6	add imgcrypt stream processors to the default config Enable the following config by default: ```toml version = 2 [plugins."io.containerd.grpc.v1.cri".image_decryption] key_model = "node" [stream_processors] [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"] accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"] returns = "application/vnd.oci.image.layer.v1.tar+gzip" path = "ctd-decoder" args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"] accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"] returns = "application/vnd.oci.image.layer.v1.tar" path = "ctd-decoder" args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] ``` Fix issue 5128 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2021-03-15 13:27:16 +09:00
Brian Goff	b0b6d9aa03	Add support for using a host registry dir in cri This will be used instead of the cri registry config in the main config toml. --- Also pulls in changes from containerd/cri@d0b4eecbb3 Signed-off-by: Brian Goff <cpuguy83@gmail.com>	2021-03-12 22:42:22 +00:00
Iceber Gu	f37ae8fc35	move to v3.4.1 for the pause image Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>	2021-03-07 15:21:20 +08:00
Michael Crosby	41e3057cc6	Merge pull request #5025 from jeremyje/win20h2 Add references to Windows 20H2 test images.	2021-02-12 11:58:49 -05:00
Lorenz Brun	36d0bc1f2b	Allow moving netns directory into StateDir Signed-off-by: Lorenz Brun <lorenz@nexantic.com>	2021-02-10 18:33:14 +01:00
Jeremy Edwards	1c81071d39	Add references to Windows 20H2 test images. Signed-off-by: Jeremy Edwards <1312331+jeremyje@users.noreply.github.com>	2021-02-09 16:25:36 +00:00
Lantao Liu	b5bf1fd5d8	Fix deprecated registry auth conversion. Signed-off-by: Lantao Liu <lantaol@google.com>	2021-02-03 19:22:26 -08:00
Gaurav Singh	071a185506	cri/config: fix range iterator issue in ValidatePluginConfig Go uses the same address variable while iterating in a range, so use a copy when using its address. Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>	2020-12-04 17:37:09 -05:00
Derek McGowan	b2642458f9	Update make snapshot annotations disabled by default This experimental feature should not be enabled by default as it is not used by any default snapshotters. Signed-off-by: Derek McGowan <derek@mcg.dev>	2020-10-27 21:32:25 -07:00
Maksym Pavlenko	3508ddd3dd	Refactor CRI packages Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>	2020-10-07 14:45:57 -07:00
Derek McGowan	b22b627300	Move cri server packages under pkg/cri Organizes the cri related server packages under pkg/cri Signed-off-by: Derek McGowan <derek@mcg.dev>	2020-10-07 13:09:37 -07:00

33 Commits