github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
11,901 Commits 3 Branches 4 Tags
a9cbddd65d3eb1c5caa47c9fbc2c34ecce7c7d26
Commit Graph

1406 Commits

Author SHA1 Message Date
Wei Fu
a9cbddd65d *: fix typo and skip exec-io-drain-testcase in win 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-02 21:57:43 +08:00
Wei Fu
04dfd6275e pkg/cri/sbserver: add timeout to drain exec io 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-02 13:06:45 +08:00
Wei Fu
82c0f4ff86 pkg/cri/server: add timeout to drain exec io 
By default, the child processes spawned by exec process will inherit standard
io file descriptors. The shim server creates a pipe as data channel. Both exec
process and its children write data into the write end of the pipe. And the
shim server will read data from the pipe. If the write end is still open, the
shim server will continue to wait for data from pipe.

So, if the exec command is like `bash -c "sleep 365d &"`, the exec process is
bash and quit after create `sleep 365d`. But the `sleep 365d` will hold the
write end of the pipe for a year! It doesn't make senses that CRI plugin
should wait for it.

For this case, we should use timeout to drain exec process's io instead of
waiting for it.

Fixes: #7802

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-03-02 13:06:45 +08:00
Akihiro Suda
e0a05b56e5 Merge pull request #8152 from bart0sh/PR007-upgrade-CDI-to-0.5.4 
update CDI version to v0.5.4
 2023-02-28 09:22:30 +09:00
Mike Brown
d5425c4c41 Merge pull request #8140 from klihub/devel/update-nri-config 
pkg/nri: pull in latest NRI, update NRI configuration.
 2023-02-27 10:41:03 -06:00
Krisztian Litkey
310be5ce6e pkg/nri: update NRI configuration. 
Update NRI plugin configuration to match that of NRI. Remove
option for the eliminated NRI configuration file. Add option
to disable connections from externally launched plugins. Add
options to override default plugin registration and request
timeouts.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
 2023-02-26 19:56:31 +02:00
Tony Fang
8a47c6910f Add a leading space after the comment sign 
Fix coding standards

Signed-off-by: Tony Fang <nhfang@amazon.com>
 2023-02-26 17:49:15 +00:00
Tony Fang
f53417921d Add unit test to getSupportedPlatform 
Signed-off-by: Tony Fang <nhfang@amazon.com>
 2023-02-26 17:49:02 +00:00
Fu Wei
a18709442b Merge pull request #8062 from fangn2/config-options 
Add configuration options to local transfer service
 2023-02-26 00:11:43 +08:00
Tony Fang
47305392c6 Add configuration options to local transfer service 
Signed-off-by: Tony Fang <nhfang@amazon.com>
 2023-02-25 03:40:06 +00:00
Changwei Ge
bd0a2a9273 CRI: remove duplicated snapshotters code 
The snapshotter annotation definitions and related functions have been
public in the new packge snapshotter

Also remove a test for container image layer's annotation.

Signed-off-by: Changwei Ge <gechangwei@bytedance.com>
 2023-02-23 11:46:14 +08:00
Ed Bartosh
49abbe4f2b fix failing TestCDIInjections 
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2023-02-22 20:07:34 +02:00
Fu Wei
8cb00f45c9 Merge pull request #8143 from mxpv/log 
Add Fields type alias to log package
 2023-02-21 10:22:23 +08:00
Maksym Pavlenko
06e085c8b5 Add Fields type alias to log package 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-20 17:29:08 -08:00
Daniel Lenar
a48dbefc15 Fix concurrent writes for UpdateContainerStats 
Signed-off-by: Daniel Lenar <dlenar@vailsys.com>
 2023-02-17 15:13:18 -06:00
Maksym Pavlenko
24cf85f5a3 Merge pull request #8103 from AkihiroSuda/go-1.20 
Go 1.20.1
 2023-02-15 20:09:28 -08:00
Derek McGowan
12a3162605 Merge pull request #8041 from yankay/fix-mistack-docs 
pkg/cri/config: fix Mirrors deprecation comment
 2023-02-15 15:25:04 -08:00
Derek McGowan
179f00c883 Merge pull request #8051 from yulng/goroutine 
fix: 'go routine' should be 'goroutine'
 2023-02-15 15:20:47 -08:00
Derek McGowan
aa6418fadd Merge pull request from GHSA-hmfx-3pcx-653p 
oci: fix additional GIDs
 2023-02-15 13:45:14 -08:00
Akihiro Suda
d8b68e3ccc Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20) 
From golangci-lint:

> SA1019: rand.Read has been deprecated since Go 1.20 because it
>shouldn't be used: For almost all use cases, crypto/rand.Read is more
>appropriate. (staticcheck)

> SA1019: rand.Seed has been deprecated since Go 1.20 and an alternative
>has been available since Go 1.0: Programs that call Seed and then expect
>a specific sequence of results from the global random source (using
>functions such as Int) can be broken when a dependency changes how
>much it consumes from the global random source. To avoid such breakages,
>programs that need a specific result sequence should use
>NewRand(NewSource(seed)) to obtain a random generator that other
>packages cannot access. (staticcheck)

See also:

- https://pkg.go.dev/math/rand@go1.20#Read
- https://pkg.go.dev/math/rand@go1.20#Seed

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-16 03:50:23 +09:00
Akihiro Suda
a9ac5f9cb5 lint: remove //nolint:dupword that are no longer needed 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-16 03:50:23 +09:00
Kazuyoshi Kato
fe5d1d3e7c Merge pull request #7954 from klihub/devel/sbserver-nri-integration 
pkg/cri/sbserver: experimental NRI integration for CRI.
 2023-02-15 10:42:25 -08:00
Zechun Chen
39bac0dbef error strings should not be capitalized 
Signed-off-by: Zechun Chen <zechun.chen@daocloud.io>
 2023-02-15 14:30:36 +08:00
Maksym Pavlenko
3548f59fd8 Merge pull request #8060 from dcantah/cri-annots-other 
CRI: Pass sandbox annotations to _other platforms
 2023-02-14 18:34:46 -08:00
Casey Callendrello
0166783c79 cni: pass in the cgroupPath capability argument 
There is a new CNI capability argument, cgroupPath, where runtimes can
pass cgroup paths to CNI plugins.

Implement that.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
 2023-02-14 16:49:29 +01:00
Akihiro Suda
4e2eb8ba4e Merge pull request #7964 from dmcgowan/transfer-image-store-references 
[transfer] update imagestore interface to support multiple references
 2023-02-14 11:22:27 +09:00
Derek McGowan
081601f521 Update imagestore interface to support multiple references 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-02-13 13:58:33 -08:00
Danny Canter
646bc3a94e CRI: Create DefaultCRIAnnotations helper 
All of the CRI sandbox and container specs all get assigned
almost the exact same default annotations (sandboxID, name, metadata,
container type etc.) so lets make a helper to return the right set for
a sandbox or regular workload container.

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-02-13 13:05:01 -08:00
Danny Canter
5aab634e14 CRI: Pass sandbox annotations to _other platforms 
!windows and !linux weren't getting passed the sandbox annotations.

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-02-13 13:03:51 -08:00
Maksym Pavlenko
2b24af8d13 Use options to pass PodSandboxConfig to shims 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-13 12:36:20 -08:00
Krisztian Litkey
ebbcb57a4c pkg/cri/sbserver: experimental NRI integration for CRI. 
Hook the NRI service plugin into CRI sbserver request
processing.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
 2023-02-13 22:08:18 +02:00
Krisztian Litkey
8a1dca0f4a pkg/cri: split out NRI API from pkg/cri/server. 
Split out the criService-agnostic bits of nri-api* from
pkg/cri/server to pkg/cri/nri to allow sharing a single
implementation betwen the server and sbserver versions.
Rework the interfaces to not require access to package
internals.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
 2023-02-13 22:05:45 +02:00
Derek McGowan
edb8ebaf07 Merge pull request #8047 from ruiwen-zhao/send_nil 
Send container events with nil PodSandboxStatus
 2023-02-13 11:38:14 -08:00
Derek McGowan
164ac924f8 Merge pull request #7984 from aitumik/aitumik/add-host-network-tests 
test: add hostNetwork tests for both windows and linux
 2023-02-13 11:37:20 -08:00
Fu Wei
2654ece1d0 Merge pull request #8066 from fuweid/cleanup-blockio-init 
*: introduce wrapper pkgs for blockio and rdt
 2023-02-13 14:05:32 +08:00
Derek McGowan
c6cf6b2522 Merge pull request #8093 from mxpv/instrument 
Extract CRI instrument into separate package
 2023-02-12 21:45:13 -08:00
Maksym Pavlenko
750d18aced Extract CRI instrument package 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-12 20:49:15 -08:00
Fu Wei
040fcf85f0 Merge pull request #8091 from dcantah/mirror-generic-toml-change 2023-02-12 11:23:34 +08:00
Wei Fu
60d04b0b0f pkg: rename {blockio,rdt}_default.go -> nonlinux.go 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2023-02-12 08:35:17 +08:00
Akihiro Suda
b61988670c go.mod: github.com/containerd/typeurl/v2 v2.1.0 
Changes: https://github.com/containerd/typeurl/compare/7f6e6d160d67...v2.1.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-11 23:39:52 +09:00
Danny Canter
74b371b98a CRI: Mirror generic toml runtime config under server 
In https://github.com/containerd/containerd/pull/7764 it was made
so that generic runtime options in the containerd toml config file
would get passed to shims regardless of if containerd knew of the
type beforehand and could supply the struct. However, this was only
added for the sandbox server fork here and not the regular ol' CRI
server. This change just mirrors the parts that need to be plopped in
pkg/cri/server

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-02-11 05:18:52 -08:00
ruiwen-zhao
51a8db233d Send container events with nil PodSandboxStatus 
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
 2023-02-11 01:34:39 +00:00
ruiwen-zhao
27c8f4085c Move PLEG event generation back to sbserver to avoid missing pod sandbox status 
Signed-off-by: ruiwen-zhao <ruiwen@google.com>
 2023-02-11 01:34:33 +00:00
Fu Wei
cf7b705dcd Merge pull request #8086 from neersighted/apparmor_parser_regression 
Revert `apparmor_parser` regression
 2023-02-11 09:27:53 +08:00
Fu Wei
362ba2c743 Merge pull request #7981 from dmcgowan/sandbox-controller-interface-refactor 
[sandbox] refactor controller interface
 2023-02-11 09:22:36 +08:00
Nathan
7cf5560754 test: add hostNetwork tests for both windows and linux 
Signed-off-by: Nathan <aitumik@protonmail.com>
 2023-02-11 00:15:48 +03:00
Bjorn Neergaard
d33a43cc23 pkg/apparmor: clarify Godoc 
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
 2023-02-10 10:23:59 -07:00
Bjorn Neergaard
a3265102d9 Revert "Don't check for apparmor_parser to be present" 
This reverts commit 1acca8bba3.

As stated in the Godoc, this function is intended to check for presence
of `apparmor_parser`. Changing this regressed the public API of
containerd, and directly contradicts the way that this function is
consumed inside of containerd itself:
* fdfdc9bfc0/pkg/apparmor/apparmor.go (L20)
* fdfdc9bfc0/pkg/cri/sbserver/helpers_linux.go (L85)
* fdfdc9bfc0/pkg/cri/server/helpers_linux.go (L144)

This has lead to a number of painful regressions and attempted fixes in
Moby:
* https://github.com/moby/moby/issues/44900
* https://github.com/moby/moby/pull/44902
* https://github.com/moby/moby/issues/44970

While reverting this late into the life of 1.6 and at the start of the
life of 1.7 is likely painful, I think this is ultimately the best path
to take, as containerd is subject to the same failure to start
containers with an AppArmor kernel when `apparmor_parser` is missing as
Moby.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
 2023-02-10 10:05:56 -07:00
Zechun Chen
b944b108df Clean up repeated package import 
Signed-off-by: Zechun Chen <zechun.chen@daocloud.io>
 2023-02-10 16:21:55 +08:00
Akihiro Suda
3eda46af12 oci: fix additional GIDs 
Test suite:
```yaml

---
apiVersion: v1
kind: Pod
metadata:
  name: test-no-option
  annotations:
    description: "Equivalent of `docker run` (no option)"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),10(wheel)" ]']
---
apiVersion: v1
kind: Pod
metadata:
  name: test-group-add-1-group-add-1234
  annotations:
    description: "Equivalent of `docker run --group-add 1 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=0(root) gid=0(root) groups=0(root),1(daemon),10(wheel),1234" ]']
  securityContext:
    supplementalGroups: [1, 1234]
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234
  annotations:
    description: "Equivalent of `docker run --user 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root)" ]']
  securityContext:
    runAsUser: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-1234
  annotations:
    description: "Equivalent of `docker run --user 1234:1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=1234 groups=1234" ]']
  securityContext:
    runAsUser: 1234
    runAsGroup: 1234
---
apiVersion: v1
kind: Pod
metadata:
  name: test-user-1234-group-add-1234
  annotations:
    description: "Equivalent of `docker run --user 1234 --group-add 1234`"
spec:
  restartPolicy: Never
  containers:
    - name: main
      image: ghcr.io/containerd/busybox:1.28
      args: ['sh', '-euxc',
             '[ "$(id)" = "uid=1234 gid=0(root) groups=0(root),1234" ]']
  securityContext:
    runAsUser: 1234
    supplementalGroups: [1234]
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-02-10 15:53:00 +09:00