Lantao Liu
5ce7057502
Serve streaming on localhost by default to match k8s 1.11 default.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:09 -07:00
Lantao Liu
b553fdaf31
Remove crictl on GCE for all cases.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:09 -07:00
Lantao Liu
d8ce08fd92
Set stream server to serve on localhost on GCE.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:09 -07:00
Lantao Liu
1629bab7f9
Make max container log line size configurable through cloud init.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:09 -07:00
Lantao Liu
042378dcf1
Disable TLS streaming to work with new kubelet streaming proxy.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:09 -07:00
Bingshen Wang
37f2ecad97
Update cni.template
Format the cni.template, use `space` instead of some `tab`. Avoid indent issue in text editor.
Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com>
2020-08-11 09:15:09 -07:00
Lantao Liu
b58b6fef86
Disable restart plugin on GCE.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
f938a166cd
Fix kube-container-runtime-monitor.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
91f8e61bd3
Use crictl installed in kube-up.sh
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
5161f663e4
Add unix:// prefix for socket addresses used by CRI remote client.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
1b995fcaf2
Add KUBE_CONTAINER_RUNTIME_NAME to fix fluentd support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
48457a254e
Try using preloaded containerd if no version is specified.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
c67a38b0b5
Add log level support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
4453aac005
Improve gce bootstrapping in various ways.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
1bd3cdc572
Add cni config template support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
d520fac508
Enable TLS streaming in all the setup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
cdb4aec93a
Use systemd service cgroup and oom score adj.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
af8bd80689
Fix for kube-up.sh and update several documents.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
005da4a9b9
Replace ctrcri with ctr cri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
0e2bd216ce
Update GCE cluster bootstrapping and e2e test
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
59e65e1f37
Enable container log rotation.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
85b4e69c9f
Do not block on stream server close.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
2ea6584ca7
Add initial wait for health-monitor and use pkill -x.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
56b7ef2c4d
The ENV is finalized as KUBE_KUBELET_EXTRA_ARGS.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Mike Brown
24a3a0a068
change crictl sandboxes to pods; other references to sandboxes
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
8bc30e7a2e
Update ocicni to main stream.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a010715584
Add a separate CLI for cri-containerd ctrcri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a843a30645
Use registry-1.docker.io as backup
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
ec649079a9
Put version into metadata so that version won't be changed across restart.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
7cbc1c8dc3
Set registry mirror.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
9f0816ac43
Configure container runtime cgroups for cgroup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
be72f47ec9
Add runtime cgroup and fix a cli panic.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
680e21c430
Update all glog flags to log-level.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
d50b9dd64c
Update containerd to 6c7abf7c76c1973d4fb4b0bad51691de84869a51.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
869ea6b0c8
Add document for kube-up.sh
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
30cbfb62ec
Add OS and arch in release tarball.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
0512d1e0b2
Add cluster directory and health-monitor.sh.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Sebastiaan van Stijn
55c9eade39
Bump Golang 1.13.15
full diff: https://github.com/golang/go/compare/go1.13.14...go1.13.15
go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.15+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-08 15:07:28 +02:00
Sebastiaan van Stijn
089672fff4
Bump Golang 1.13.14
full diff: https://github.com/golang/go/compare/go1.13.13...go1.13.14
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on
the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.14+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-17 15:37:52 +02:00
Akihiro Suda
c520f819a2
Bump Go 1.13.13
Includes security fixes to the `crypto/x509` and `net/http` packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.13+label%3ACherryPickApproved
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-15 14:24:48 +09:00
Florian Schmaus
e977564a8b
seccomp: allow 'rseq' syscall in default seccomp profile
Restartable Sequences (rseq) are a kernel-based mechanism for fast
update operations on per-core data in user-space. Some libraries, like
the newest version of Google's TCMalloc, depend on it [1].
This also makes docker's default seccomp profile on par with systemd's,
which enabled 'rseq' in early 2019 [2].
1: https://google.github.io/tcmalloc/design.html
2: systemd/systemd@6fee3be
Signed-off-by: Florian Schmaus <flo@geekplace.eu>
2020-06-26 17:10:05 +02:00
Wei Fu
e89500bcb0
Merge pull request #4333 from AkihiroSuda/golang-1.13.12
Bump Golang 1.13.12
2020-06-23 08:54:05 +08:00
Davanum Srinivas
2b0a994ccc
explicitly fail apparmor when !linux
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-06-22 12:54:09 -04:00
Akihiro Suda
1a83f9a638
Bump Golang 1.13.12
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-22 16:49:31 +09:00
Michael Crosby
0f831093ce
Update usage of whitelist in project
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-06-08 12:49:22 -05:00
Kenta Tada
03755821d2
seccomp: remove the unused query_module(2)
query_module(2) is only in kernels before Linux 2.6.
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-05-19 10:36:55 +09:00
Phil Estes
d7c4bda3b1
Merge pull request #4264 from thaJeztah/seccomp_allow_clock_adjtime
seccomp: Whitelist `clock_adjtime`
2020-05-18 09:36:08 -04:00
Stanislav Levin
5765991f2c
seccomp: Whitelist clock_adjtime
This only allows making the syscall. CAP_SYS_TIME is still required
for time adjustment (enforced by the kernel):
```
kernel/time/posix-timers.c:

1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113                 struct __kernel_timex __user *, utx)
...
1121         err = do_clock_adjtime(which_clock, &ktx);

1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109         return kc->clock_adj(which_clock, ktx);

1299 static const struct k_clock clock_realtime = {
...
1304         .clock_adj = posix_clock_realtime_adj,

188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189                                     struct __kernel_timex *t)
190 {
191         return do_adjtimex(t);

kernel/time/timekeeping.c:

2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321         /* Validate the data before disabling interrupts */
2322         ret = timekeeping_validate_timex(txc);

2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248         if (txc->modes & ADJ_ADJTIME) {
...
2252                 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253                     !capable(CAP_SYS_TIME))
2254                         return -EPERM;
2255         } else {
2256                 /* In order to modify anything, you gotta be super-user! */
2257                 if (txc->modes && !capable(CAP_SYS_TIME))
2258                         return -EPERM;
```
Fixes: moby/moby 40919
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-17 23:11:04 +02:00
Sebastiaan van Stijn
d07a71b97f
Bump Golang 1.13.11
full diff: https://github.com/golang/go/compare/go1.13.10...go1.13.11
go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.11+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 14:57:04 +02:00
Sebastiaan van Stijn
7da1e13b5d
Bump Golang 1.13.10
go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime,
os/exec, and time packages. See the Go 1.13.10 milestone on the issue tracker
for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.10+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.13.9...go1.13.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-09 22:03:48 +02:00