github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
13,424 Commits 3 Branches 4 Tags
66706958361fe41692c4b3bb770cd93ecb797b71
Commit Graph

98 Commits

Author SHA1 Message Date
Akihiro Suda
6670695836 Revert "cri: make read-only mounts recursively read-only" 
Revert PR 9713, as it appeared to break the compatibility too much
https://github.com/kubernetes/enhancements/pull/3858#issuecomment-1925441072

This reverts commit b2f254fff0.

> Conflicts:
>	internal/cri/opts/spec_linux_opts.go

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-02-04 01:17:14 +09:00
Samuel Karp
96bf529cbf Merge pull request #9742 from mxpv/envelope 
Move Message proto to types
 2024-02-03 06:32:01 +00:00
Derek McGowan
a896610da1 Merge pull request #9718 from jsturtevant/transfer-service-windows 
Add a default differ for Windows that matches the snapshotter when using transfer service
 2024-02-02 20:38:26 +00:00
Maksym Pavlenko
7f2d2c4f44 Move Message proto to types 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2024-02-02 10:35:23 -08:00
Maksym Pavlenko
bbac058cf3 Move CRI from pkg/ to internal/ 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2024-02-02 10:12:08 -08:00
Akihiro Suda
b2f254fff0 cri: make read-only mounts recursively read-only 
Prior to this commit, `readOnly` volumes were not recursively read-only and
could result in compromise of data;
e.g., even if `/mnt` was mounted as read-only, its submounts such as
`/mnt/usbstorage` were not read-only.

This commit utilizes runc's "rro" bind mount option to make read-only bind
mounts literally read-only. The "rro" bind mount options is implemented by
calling `mount_setattr(2)` with `MOUNT_ATTR_RDONLY` and `AT_RECURSIVE`.

The "rro" bind mount options requires kernel >= 5.12, with runc >= 1.1 or
a compatible runtime such as crun >= 1.4.

When the "rro" bind mount options is not available, containerd falls back
to the legacy non-recursive read-only mounts by default.

The behavior is configurable via `/etc/containerd/config.toml`:
```toml
version = 2
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  # treat_ro_mounts_as_rro ("Enabled"|"IfPossible"|"Disabled")
  # treats read-only mounts as recursive read-only mounts.
  # An empty string means "IfPossible".
  # "Enabled" requires Linux kernel v5.12 or later.
  # This configuration does not apply to non-volume mounts such as "/sys/fs/cgroup".
  treat_ro_mounts_as_rro = ""
```

Replaces:
- kubernetes/enhancements issue 3857
- kubernetes/enhancements PR 3858

Note: this change does not affect non-CRI clients such as ctr, nerdctl, and Docker/Moby.
RRO mounts have been supported since nerdctl v0.14 (containerd/nerdctl PR 511)
and Docker v25 (moby/moby PR 45278).

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-02-01 09:39:36 +09:00
James Sturtevant
81409e9373 Add a default differ that matches the snapshotter 
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
 2024-01-30 14:34:58 -08:00
Derek McGowan
64b4778fc2 Add deprecation warnings to CRI image server configuration 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-28 23:14:59 -08:00
Derek McGowan
65b3922df7 Split streaming config from runtime config 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-28 23:14:59 -08:00
Derek McGowan
58ff9d368d Move cri plugin to plugins subpackage 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-28 20:57:19 -08:00
Derek McGowan
9795677fe9 Move cri base plugin to CRI runtime service 
Create new plugin type for CRI runtime and image services.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-28 20:57:18 -08:00
Derek McGowan
fb9b59a843 Switch to new errdefs package 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-25 22:18:45 -08:00
Maksym Pavlenko
7516bb915c Merge pull request #9442 from AkihiroSuda/runtime-info2 
api/services/instrospection: add PluginInfo
 2024-01-25 17:50:42 +00:00
Akihiro Suda
22d586e515 api/services/instrospection: add PluginInfo 
The new `PlunginInfo()` call can be used for instrospecting the details
of the runtime plugin.

```console
$ ctr plugins inspect-runtime --runtime=io.containerd.runc.v2 --runc-binary=runc
{
    "Name": "io.containerd.runc.v2",
    "Version": {
        "Version": "v2.0.0-beta.0-XX-gXXXXXXXXX.m",
        "Revision": "v2.0.0-beta.0-XX-gXXXXXXXXX.m"
    },
    "Options": {
        "binary_name": "runc"
    },
    "Features": {
        "ociVersionMin": "1.0.0",
        "ociVersionMax": "1.1.0-rc.2",
        ...,
    },
    "Annotations": null
}
```

The shim binary has to support `-info` flag, see `runtime/v2/README.md`

Replaces PR 8509 (`api/services/task: add RuntimeInfo()`)

Co-authored-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-01-25 10:00:30 +09:00
Akihiro Suda
eb8981f352 mv contrib/seccomp/kernelversion pkg/kernelversion 
The package isn't really relevant to seccomp

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2024-01-24 19:03:53 +09:00
Derek McGowan
f2765617c5 Merge pull request #9662 from dmcgowan/replace-platform-package 
Use github.com/containerd/platforms package
 2024-01-23 19:50:25 +00:00
Derek McGowan
e79ec7a095 Remove deprecated platforms package 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-23 09:14:03 -08:00
Derek McGowan
cf6f439eb0 Fix transfer plugin unpack configuration 
Remove default unpack configuration to prevent duplication of
configuration from toml decoder appending to the default. When no unpack
configuration is provided, use the default.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-18 06:46:49 -08:00
Derek McGowan
dbc74db6a1 Move runtime to core/runtime 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:58:04 -08:00
Derek McGowan
764c907003 Move pkg/tomlext to internal/tomlext 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:57:37 -08:00
Derek McGowan
1c4be2d883 Move pkg/testutil to internal/testutil 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:57:28 -08:00
Derek McGowan
4ee6419fad Move pkg/randutil to internal/randutil 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:57:10 -08:00
Derek McGowan
e59f64792b Move oci to pkg/oci 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:55:48 -08:00
Derek McGowan
fa8cae99d1 Move namespaces to pkg/namespaces 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:55:39 -08:00
Derek McGowan
b76236bb45 Move labels to pkg/labels 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:55:30 -08:00
Derek McGowan
5e00f63ce7 Move gc to pkg/gc 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:55:12 -08:00
Derek McGowan
11114b0a9a Move gc/scheduler to plugins/gc 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:55:03 -08:00
Derek McGowan
c38f2ab724 Move filters to pkg/filters 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:54 -08:00
Derek McGowan
44a836c9b5 Move errdefs to pkg/errdefs 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:45 -08:00
Derek McGowan
70ed2696fa Move events to pkg/events 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:36 -08:00
Derek McGowan
b0c3d00e98 Move cio to pkg/cio 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:27 -08:00
Derek McGowan
8e14c39e80 Move archive to pkg/archive 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:18 -08:00
Derek McGowan
fcd39ccc53 Move snapshots to core/snapshots 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:09 -08:00
Derek McGowan
e0fe656daf Move snapshots/windows to plugins/snapshots/windows 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:54:00 -08:00
Derek McGowan
57bdbfba6a Move snapshots/overlay to plugins/snapshots/overlay 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:51 -08:00
Derek McGowan
9b8c558f9f Move snapshots/native to plugins/snapshots/native 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:42 -08:00
Derek McGowan
5c07d5d361 Move snapshots/lcow to plugins/snapshots/lcow 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:33 -08:00
Derek McGowan
8473322f0b Move snapshots/devmapper to plugins/snapshots/devmapper 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:24 -08:00
Derek McGowan
7dd96fe346 Move snapshots/btrfs to plugins/snapshots/btrfs 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:15 -08:00
Derek McGowan
2909f07f85 Move snapshots/blockfile to plugins/snapshots/blockfile 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:53:06 -08:00
Derek McGowan
92d2a5fc02 Move services to plugins/services 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:57 -08:00
Derek McGowan
ce41d1c90a Move services/server to cmd/containerd/server 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:48 -08:00
Derek McGowan
228ad5a5ca Move sandbox to core/sandbox 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:39 -08:00
Derek McGowan
d133019c9b Move runtime/restart/monitor to plugins/restart 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:30 -08:00
Derek McGowan
6e5408dcec Move mount to core/mount 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:12 -08:00
Derek McGowan
1a1e0e8c81 Move metadata to core/metadata 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:52:03 -08:00
Derek McGowan
18b3cbe4fa Move metadata/plugin to plugins/metadata 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:51:54 -08:00
Derek McGowan
f80760f9ff Move leases to core/leases 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:51:45 -08:00
Derek McGowan
cc6a5c9c69 Move leases/plugin to plugins/leases 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:51:35 -08:00
Derek McGowan
913edcd489 Move diff to core/diff 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2024-01-17 09:51:17 -08:00