github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
1,778 Commits 3 Branches 2 Tags 112 MiB
8df431fc31
Commit Graph

161 Commits

Author SHA1 Message Date
Brandon Lum
8df431fc31 Defer multitenant key model to image auth discussion 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Brandon Lum
f0579c7b4d Implmented node key model for image encryption 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Lantao Liu
dc964de85f Add windows implmenetation 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-18 10:46:29 -07:00
Lantao Liu
50c73e6dc5 Move unix specific logic into _unix.go 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-03 16:23:42 -07:00
Lantao Liu
10acd8e769 Fix apparmor for privileged. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-19 16:28:45 -07:00
Alex Price
3353ab76d9 Add flag to overload default privileged host device behaviour 
This commit adds a flag to the runtime config that allows overloading of the default
privileged behaviour. When the flag is enabled on a runtime, host devices won't
be appended to the runtime spec if the container is run as privileged.

By default the flag is false to maintain the current behaviour of privileged.

Fixes #1213

Signed-off-by: Alex Price <aprice@atlassian.com>
 2019-08-08 12:16:42 +10:00
Lantao Liu
95bd02d28f
Merge pull request #1200 from jterry75/image_user 
Assign ImageSpec User if SecurityContext is not set
 2019-08-07 13:50:08 -07:00
Lantao Liu
8ea0cc90aa
Merge pull request #1221 from jterry75/log_g 
Switch to containerd/log package
 2019-08-07 13:49:33 -07:00
Justin Terry (VM)
bc2cff625b Assign ImageSpec User if SecurityContext is not set 
By default the SecurityContext for Container activation can contain a Username
UID, GID. The order of precedences is username, UID, GID. If none of these
options are specified as a last resort attempt to set the ImageSpec username.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-08-07 12:20:52 -07:00
Justin Terry (VM)
193918b702 Switch to containerd/log package 
Moves to the containerd/log package over logrus directly. This benefits the
traces because if using any log context such as OpenCensus on the entry gRPC
API all traces for that gRPC method will now contain the appropriate TraceID,
SpanID for easy correlation.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-08-07 12:18:18 -07:00
Lantao Liu
eae5fc360f Infer systemd cgroup based on path suffix. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-06 11:00:51 -07:00
Lantao Liu
f636fb0519
Merge pull request #1215 from Random-Liu/update-kubernetes 
Update kubernetes
 2019-08-01 10:28:25 -07:00
Lantao Liu
ba8788c6b9 Update kubernetes dependency to 1.15.0. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-31 23:52:03 -07:00
Lantao Liu
467f9e0e8a Fix proc mount support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-31 17:11:15 -07:00
Lantao Liu
fe0cb22026 Do not cache image handler. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-24 15:38:18 -07:00
Cong Liu
fda2902f30 Validate log paths in sandbox and container config. 
Only compose full container log path if neither of the paths is empty. Otherwise container won't start properly.

Signed-off-by: Cong Liu <conliu@google.com>
 2019-05-14 13:46:52 -04:00
Michael Crosby
5eddc1a2cc Use container'd oci opts for spec generation 
This bumps the containerd and sys packages in CRI

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Remove runtime-tools

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Update tests for oci opts package

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-03-27 16:57:04 -04:00
Lantao Liu
238658719f Cleanup pod annotation test and only support tailing wildcard. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-25 12:54:34 -07:00
Harshal Patil
effd82227c Add support for passing sandbox annotations to runtime 
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com>
 2019-03-21 14:38:14 +05:30
Mike Brown
bf4e7a885c test filtering of container create masks when privileged 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2019-03-14 08:17:56 -05:00
Lantao Liu
3691cb6550 Fix /etc/hostname backward compatibility issue for in-place upgrade. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-12 01:17:41 -07:00
Lantao Liu
0464298b1e Use clean path for map and comparison. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-03 21:19:50 -08:00
Lantao Liu
87dba924de Use the correct sandbox config. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-22 15:37:07 -08:00
Lantao Liu
b2cd840042
Merge pull request #1045 from Random-Liu/fix-env-performance-issue 
Fix env performance issue
 2019-02-12 11:03:33 -08:00
Lantao Liu
ec6dd37691 Add env cache. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 03:02:20 -08:00
Lantao Liu
89717d0b63 Don't log config at info level. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 02:07:53 -08:00
Lantao Liu
089d4fbfb8 Set /etc/hostname. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 00:18:00 -08:00
Lantao Liu
0fa8668aa4
Merge pull request #970 from AkihiroSuda/rootless 
support DisableCgroup, DisableApparmor, RestrictOOMScoreAdj
 2019-01-03 10:14:22 -08:00
Hui Zhu
3bfef01589 Fix the issue that pod or container config file without metadata will crash containerd 
Because RunPodSandbox and CreateContainer will access metadata
without check, pod or container config file without metadata will
crash containerd.

This patch add checks to handle the issue.

Fixes: #1009

Signed-off-by: Hui Zhu <teawater@hyper.sh>
 2019-01-03 11:02:10 +08:00
Akihiro Suda
cd8231ab2a support DisableCgroup, DisableApparmor, RestrictOOMScoreAdj 
Add following config for supporting "rootless" mode

* DisableCgroup: disable cgroup
* DisableApparmor: disable Apparmor
* RestrictOOMScoreAdj: restrict the lower bound of OOMScoreAdj

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2019-01-03 05:12:04 +09:00
Lantao Liu
515ef02473 Remove container lifecycle image ref dependency. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-12-07 10:40:21 -08:00
Lantao Liu
1442425f92 Support runtime specific configurations. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-08 17:17:29 -07:00
Lantao Liu
ca3b806b5c Fix addition group ids. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-13 16:31:32 -07:00
Lantao Liu
fe0cd3672b
Merge pull request #865 from Random-Liu/cache-image-reference 
Cache image reference
 2018-09-10 16:21:57 -07:00
Lantao Liu
953d67d250 Create image reference cache. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-10 11:30:52 -07:00
Lantao Liu
f08a90ff64 Fix hostname env. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-10 10:58:17 -07:00
Lantao Liu
eb3d3cfc5e Revert "Add HOSTNAME to env by default for pod containers" 
This reverts commit 4c3e195db3.

Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-06 15:30:53 -07:00
Lantao Liu
db8500d10c
Merge pull request #892 from Random-Liu/fix-volume-mount-order 
Sort volume mount.
 2018-09-06 14:44:45 -07:00
Lantao Liu
67c0b3e5e2
Merge pull request #894 from Random-Liu/support-masked-readonly-paths 
Support masked readonly paths
 2018-09-05 10:32:40 -07:00
Phil Estes
4c3e195db3
Add HOSTNAME to env by default for pod containers 
To match expectations of users coming from Docker engine runtime, add
the HOSTNAME to the environment of new containers in a pod.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
 2018-09-05 12:04:40 -04:00
Lantao Liu
3e4cec8739 Add MaskedPaths and ReadonlyPaths support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-04 23:49:16 -07:00
Lantao Liu
063f8158f8 Sort volume mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-04 22:43:37 -07:00
Filipe Brandenburger
01d77d44f5 Update github.com/opencontainers/runtime-tools to v0.6.0 
Also add new dependencies on github.com/xeipuuv/gojson* (brought up by
new runtime-tools) and adapt the containerd/cri code to replace the APIs
that were removed by runtime-tools.

In particular, add new helpers to handle the capabilities, since
runtime-tools now split them into separate sets of functions for each
capability set.

Replace g.Spec() with g.Config since g.Spec() has been deprecated in the
runtime-tools API.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
 2018-06-20 13:52:50 -07:00
Lantao Liu
53f1ab4145 Fix double /dev/shm mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-14 19:03:19 -07:00
Lantao Liu
b367f30097 Erase ambient capabilities. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-08 14:37:05 -07:00
Evan Hazlett
d7d2212324 vendor bump 
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

containerd: linux -> runtime/linux

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

fix utils to properly format vendor repo

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

test fixup

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
 2018-05-30 19:51:24 -04:00
Lantao Liu
a5d1332e8f Explicitly set rw for privileged container. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-07 15:13:14 -07:00
Lantao Liu
279fa853a6 Always mount sysfs as rw. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-26 18:58:26 -07:00
Lantao Liu
ed20174ce4 Add RunAsGroup support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-30 22:26:07 +00:00
Mike Brown
94df315de8 adds volatile state directory to the fs plan for cntrs/pods/fifo 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-03-24 00:05:52 +00:00