Inclavare Containers is an innovation of container runtime with the
novel approach for launching protected containers in hardware-assisted
Trusted Execution Environment (TEE) technology, aka Enclave, which can
prevent the untrusted entity, such as Cloud Service Provider (CSP), from
accessing the sensitive and confidential assets in use.
Signed-off-by: Zhiguang Jia <jia_zhiguang@126.com>
When multiple clients are pulling the same image, we may have this
lock error. Short-lived locks are probably fine, but long-lived locks
may indicate that containerd has some issues.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
Specifically, all the functions above applyWindowsLayer are actually
used by the (generic) applyNaive code, while the functions below this
point are specific to applyWindowsLayer.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
applyFunc now takes an io.Reader instead of a tar.Reader because I'm
trying to mirror the API of the not-yet-exposed implementation of this
same behaviour in github.com/Microsoft/hcsshim/internal/ociwclayer,
with an eye to later moving to that implementation it is ever exposed.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
When a base runtime spec is being used, admins can configure defaults for the
spec so that default ulimits or other security related settings get applied for
all containers launched.
Signed-off-by: Michael Crosby <michael@thepasture.io>
If the shim has been killed and ttrpc connection has been
closed, the shimErr will not be nil. For this case, the event
subscriber, like moby/moby, might have received the exit or delete
events. Just in case, we should allow ttrpc-callback-on-close to
send the exit and delete events again. And the exit status will
depend on result of shimV2.Delete.
If not, the shim has been delivered the exit and delete events.
So we should remove the task record and prevent duplicate events from
ttrpc-callback-on-close.
Fix: #4769
Signed-off-by: Wei Fu <fuweid89@gmail.com>
For LCOW currently we copy (or create) the scratch.vhdx for every single snapshot
so there ends up being a sandbox.vhdx in every directory seemingly unnecessarily. With the default scratch
size of 20GB the size on disk is about 17MB so there's a 17MB overhead per layer plus the time to copy the
file with every snapshot. Only the final sandbox.vhdx is actually used so this would be a nice little
optimization.
For WCOW we essentially do the exact same except copy the blank vhdx from the base layer.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Go 1.14 introduced a change to os.OpenFile (and syscall.Open) on Windows
that uses the permissions passed to determine if the file should be
created read-only or not. If the user-write bit (0200) is not set, then
FILE_ATTRIBUTE_READONLY is set on the underlying CreateFile call.
This is a significant change for any Windows code which created new
files and set the permissions to 0 (previously the permissions had no
affect, so some code didn't set them at all).
This change fixes the issue for the Windows service panic file. It will
now properly be created as a non-read-only file on Go 1.14+.
I have looked over the rest of the containerd code and didn't see other
places where this seems like an issue.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
An image ref must be a scheme-less URI. A reference with scheme (such
as `http://`) must return ErrInvalid.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
When running tests on any modern distro, this assumption will work. If
we need to make it work with kernels where we don't append this option
it will require some more involved changes.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
