github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
8,965 Commits 3 Branches 4 Tags
5ada2f74a7a6f9d4150789239e5192e23963963d
Commit Graph

910 Commits

Author SHA1 Message Date
Maksym Pavlenko
5ada2f74a7 Keep host order as defined in TOML file 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2021-04-01 09:29:16 -07:00
Maksym Pavlenko
ddd4298a10 Migrate current TOML code to github.com/pelletier/go-toml 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2021-03-25 13:13:33 -07:00
Derek McGowan
75a0c2b7d3 Merge pull request #5264 from mxpv/tests 
Run unit tests on CI for MacOS
 2021-03-25 09:46:25 -07:00
Fu, Wei
80fa9fe32a Merge pull request #5135 from AkihiroSuda/default-config-crypt 
add imgcrypt stream processors to the default config
 2021-03-25 14:31:38 +08:00
Maksym Pavlenko
4674ad7beb Ignore some tests on darwin 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2021-03-24 22:40:22 -07:00
Maksym Pavlenko
181e2d4216 Merge pull request #5250 from dmcgowan/cri-fix-reference-ordering 
Fix reference ordering in CRI image store
 2021-03-23 14:45:16 -07:00
Sebastiaan van Stijn
708299ca40 Move RunningInUserNS() to its own package 
This allows using the utility without bringing whole of "sys" with it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-03-23 11:29:53 +01:00
Derek McGowan
0886ceaea2 Fix reference ordering in CRI image store 
Currently image references end up being stored in a
random order due to the way maps are iterated through
in Go. This leads to inconsistent identifiers being
resolved when a single reference is needed to identify
an image and the ordering of the references is used for
the selection.

Sort references in a consistent and ranked manner,
from higher information formats to lower.

Note: A `name + tag` reference is considered higher
information than a `name + digest` reference since a
registry may be used to resolve the digest from a
`name + tag` reference.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2021-03-22 22:29:57 -07:00
Michael Crosby
e0c94bb269 Merge pull request #4708 from kzys/enable-criu 
Re-enable CRIU tests by not using overlayfs snapshotter
 2021-03-19 14:23:05 -04:00
Shiming Zhang
1410220d8f Fix error log when copy file 
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
 2021-03-20 00:13:00 +08:00
Michael Crosby
3f98a6d2d3 Merge pull request #5211 from pacoxu/pause/3.5 
upgrade pause image to 3.5 for non-root
 2021-03-18 11:43:59 -04:00
Phil Estes
32a08f1a6a Merge pull request #4847 from cpuguy83/devices_by_dir 
Support adding devices by dir
 2021-03-17 09:41:02 -04:00
Kazuyoshi Kato
b520428b5a Fix CRIU 
- process.Init#io could be nil
- Make sure CreateTaskRequest#Options is not empty before unmarshaling

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
 2021-03-16 16:46:45 -07:00
pacoxu
ffff688663 upgrade pause image to 3.5 for non-root 
Signed-off-by: pacoxu <paco.xu@daocloud.io>
 2021-03-16 23:20:35 +08:00
Derek McGowan
2755ead927 Merge pull request #4978 from cpuguy83/certs_dir 
Add support for using a host registry dir in cri
 2021-03-15 13:47:03 -07:00
Brian Goff
7776e5ef2a Support adding devices by dir 
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.

Added this to `ctr` as well so I could test that the code at least
works.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2021-03-15 16:42:23 +00:00
Akihiro Suda
ecb881e5e6 add imgcrypt stream processors to the default config 
Enable the following config by default:

```toml
version = 2

[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"

[stream_processors]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
```

Fix issue 5128

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-03-15 13:27:16 +09:00
Brian Goff
b0b6d9aa03 Add support for using a host registry dir in cri 
This will be used instead of the cri registry config in the main config
toml.

---

Also pulls in changes from containerd/cri@d0b4eecbb3

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2021-03-12 22:42:22 +00:00
Derek McGowan
8cf669ce34 Fix unsupported files exporting functions for apparmor and seccomp 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2021-03-12 08:47:05 -08:00
Derek McGowan
35eeb24a17 Fix exported comments enforcer in CI 
Add comments where missing and fix incorrect comments

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2021-03-12 08:47:05 -08:00
Iceber Gu
f37ae8fc35 move to v3.4.1 for the pause image 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2021-03-07 15:21:20 +08:00
Iceber Gu
92ab1a63b0 cri: fix container status 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2021-03-05 00:00:10 +08:00
f00231050
591caece0c cri: check fsnotify watcher when receiving cni conf dir events 
carry: 612f5f9f44

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2021-03-03 16:46:41 +08:00
Phil Estes
8dbe53a2a9 Merge pull request #5070 from yoheiueda/empty-masked 
cri: set default masked/readonly paths to empty paths
 2021-02-25 15:38:45 -05:00
Akihiro Suda
7ee610edb5 drop dependency on github.com/syndtr/gocapability 
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-25 15:17:28 +09:00
Akihiro Suda
9822173354 cap: rename FromUint64 to FromBitmap 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-25 15:02:10 +09:00
Yohei Ueda
07f1df4541 cri: set default masked/readonly paths to empty paths 
Fixes #5029.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
 2021-02-24 23:50:40 +09:00
Phil Estes
757be0a090 Merge pull request #5017 from AkihiroSuda/parse-cap 
oci.WithPrivileged: set the current caps, not the known caps
 2021-02-23 09:10:57 -05:00
Mike Brown
9173d3e929 Merge pull request #5021 from wzshiming/fix/signal_repeatedly 
Fix repeated sending signal
 2021-02-22 09:45:56 -06:00
Justin Terry (SF)
06e4e09567 cri: append envs from image config to empty slice to avoid env lost 
Signed-off-by: Justin Terry (SF) <juterry@microsoft.com>
 2021-02-18 16:39:28 -08:00
Phil Estes
c32ccdf8be Merge pull request #5024 from yadzhang/deepcopy-imageconfig 
cri: append envs from image config to empty slice to avoid env lost
 2021-02-18 12:51:51 -05:00
Akihiro Suda
746cef0bc2 Merge pull request #5044 from wzshiming/fix/empty-error-warpping 
Fix empty error warpping
 2021-02-18 13:47:13 +09:00
zhangyadong.0808
08318b1ab9 cri: append envs from image config to empty slice to avoid env lost 
Signed-off-by: Yadong Zhang <yadzhang@gmail.com>
 2021-02-18 11:37:41 +08:00
Shiming Zhang
59db8a10e0 Fix empty error warpping 
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
 2021-02-18 11:06:59 +08:00
Shiming Zhang
dc6f5ef3b9 Fix repeated sending signal 
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
 2021-02-17 21:33:49 +08:00
Michael Crosby
41e3057cc6 Merge pull request #5025 from jeremyje/win20h2 
Add references to Windows 20H2 test images.
 2021-02-12 11:58:49 -05:00
Lorenz Brun
36d0bc1f2b Allow moving netns directory into StateDir 
Signed-off-by: Lorenz Brun <lorenz@nexantic.com>
 2021-02-10 18:33:14 +01:00
Akihiro Suda
a2d1a8a865 oci.WithPrivileged: set the current caps, not the known caps 
This change is needed for running the latest containerd inside Docker
that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE).

Without this change, containerd inside Docker fails to run containers with
"apply caps: operation not permitted" error.

See kubernetes-sigs/kind 2058

NOTE: The caller process of this function is now assumed to be as
privileged as possible.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-10 17:14:17 +09:00
Michael Crosby
e874e2597e [cri] add pod annotations to CNI call 
Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-02-09 13:24:01 -05:00
Jeremy Edwards
1c81071d39 Add references to Windows 20H2 test images. 
Signed-off-by: Jeremy Edwards <1312331+jeremyje@users.noreply.github.com>
 2021-02-09 16:25:36 +00:00
Derek McGowan
b3f2402062 Merge pull request #5002 from crosbymichael/anno-image-name 
[cri] add image-name annotation
 2021-02-05 08:27:41 -08:00
Akihiro Suda
e908be5b58 Merge pull request #5001 from kzys/no-lint-upgrade 2021-02-06 00:40:38 +09:00
Kazuyoshi Kato
07db46ee23 lint: update nolint syntax for golangci-lint 
Newer golangci-lint needs explicit `//` separator. Otherwise it treats
the entire line (`staticcheck deprecated ... yet`) as a name.

https://golangci-lint.run/usage/false-positives/#nolint

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
 2021-02-04 11:59:55 -08:00
Sebastiaan van Stijn
04d061fa6a update runc to v1.0.0-rc93 
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93

also removes dependency on libcontainer/configs

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-02-04 16:13:30 +01:00
Sebastiaan van Stijn
54cc3483ff pkg/cri/server: don't import libcontainer/configs 
Looks like this import was not needed for the test; simplified the test
by just using the device-path (a counter would work, but for debugging,
having the list of paths can be useful).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-02-04 16:08:39 +01:00
Michael Crosby
99cb62f233 [cri] add image-name annotation 
For some tools having the actual image name in the annotations is helpful for
debugging and auditing the workload.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-02-04 07:05:11 -05:00
Lantao Liu
b5bf1fd5d8 Fix deprecated registry auth conversion. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2021-02-03 19:22:26 -08:00
Aditi Sharma
1423e9199d Update gogo/protobuf to v1.3.2 
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1, CVE has been fixed in 1.3.2

Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
 2021-01-28 12:57:50 +00:00
Michael Crosby
591d7e2fb1 remove exec sync debug contents from logs 
This was dumping untrusted output to the debug logs from user containers.
We should not dump this type of information to reduce log sizes and any
information leaks from user containers.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-01-26 14:57:54 -05:00
Alban Crequy
28e4fb25f4 cri: add annotations for pod name and namespace 
cri-o has annotations for pod name, namespace and container name:
https://github.com/containers/podman/blob/master/pkg/annotations/annotations.go

But so far containerd had only the container name.

This patch will be useful for seccomp agents to have a different
behaviour depending on the pod (see runtime-spec PR 1074 and runc PR
2682). This should simplify the code in:
b2d423695d/pkg/kuberesolver/kuberesolver.go (L16-L27)

Signed-off-by: Alban Crequy <alban@kinvolk.io>
 2021-01-26 12:10:39 +01:00