On newer COS M97 images, cgroupv2 is enabled out of the box. It is
enabled using default systemd configuration and does not have
`systemd.unified_cgroup_hierarchy` present `/proc/cmdline`. As a result, the
check for manual cgroupv2 enablement should be improved to not only check
`/proc/cmdline`, but also to see if it's enabled on the system using `stat
-fc %T /sys/fs/cgroup/`
Signed-off-by: David Porter <porterdavid@google.com>
This system call is only available on 32- and 64-bit PowerPC, it is used
by modern programming language implementations to implement coroutine
features through userspace context switches.
moby [1] and systemd nspawn [2] already whitelist this system call so it
makes sense to whitelist it in containerd as well.
[1]: https://github.com/moby/moby/pull/43092
[2]: https://github.com/systemd/systemd/pull/9487
Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
Enabling this option effectively causes RDT class of a container to be a
soft requirement. If RDT support has not been enabled the RDT class
setting will not have any effect.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Use goresctrl for parsing container and pod annotations related to RDT.
In practice, from the users' point of view, this patchs adds support for
a container annotation and two separate pod annotations for controlling
the RDT class of containers.
Container annotation can be used by a CRI client:
"io.kubernetes.cri.rdt-class"
Pod annotations for specifying the RDT class in the K8s pod spec level:
"rdt.resources.beta.kubernetes.io/pod"
(pod-wide default for all containers within)
"rdt.resources.beta.kubernetes.io/container.<container_name>"
(container-specific overrides)
Annotations are intended as an intermediate step before the CRI API
supports RDT.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Add support for configuring the Linux resctrl pseudo-filesystem with
goresctrl library. The functionality is integrated in the
"io.containerd.service.v1.tasks-service" plugin.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Use the syscall method instead of repeating the type conversions for
the syscall.Stat_t Atim/Atimespec members. This also allows to drop the
//nolint: unconvert comments.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Adds an equivalent TestSandboxRemoveWithoutIPLeakage for Windows, in which
we assert that the IPs are not leaked when a Pod's HNS namespace dissapears
and the Pod is deleted afterwards.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This patch makes the Windows Integration GitHub workflow conditionally
execute the CI artifact upload to GCP on successful runs iff the GitHub
secrets containing the GCP access info are defined.
Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
Seems $(PWD) if the shell is powershell may not be inherited properly
as it ends up being an empty string. The result of this is that using
mingw's make with powershell is that $(PWD)/bin ends up being /bin and the
windows shim will get placed there. make install afterwards will try to find
the shim at $pwd/bin and fail.
Changing to CURDIR https://www.gnu.org/software/make/manual/make.html#index-CURDIR
seems to be a solution here as it's not inherited by the environment and
is set by make itself so should work across any type of shell.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The "notready-sandbox" array will only have a CONTAINER_CREATED
and a CONTAINER_EXITED in the sandbox. So there will be no running
task to send a Kill() to. This means that on Windows, it will always
return an ErrorNotFound.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
