Now that we have a security page on the website with the Cure53 security
audit downloadable from there, update the README to point there and remove
the PDF from our docs/ directory.
Signed-off-by: Phil Estes <estesp@amazon.com>
Update instructions for enabling NRI. Remove the now
unnecessary step of creating an NRI configuration file.
Add a note about the shared default NRI socket path
preventing two NRI-enabled runtimes from being run with the
default configuration on a single node.
Remove a leftover/half sentence that slipped through in
an earlier commit.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
`*` was left out and therefore the `/bin` directory is also copied over, while the following commands assume the files are copied to `containerd`
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
- Add Target to mount.Mount.
- Add UnmountMounts to unmount a list of mounts in reverse order.
- Add UnmountRecursive to unmount the deepest mount first for a given target, using
moby/sys/mountinfo.
Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
Signed-off-by: Swagat Bora <sbora@amazon.com>
Add spans around image unpack operations
Use image.ref to denote image name and image.id for the image config digest
Add top-level spans and record errors in the CRI instrumentation service
This PR updates the URL for the kata containers reference about
how to use kata containers and containerd for untrusted workloads.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Referencing the raw link to the containerd.service may enhance the developer experience by enabling those following the docs to use the raw link directly to `wget` or `curl` the file without additional navigation.
Signed-off-by: Kyle L Frisbie <KyleFrisbie@users.noreply.github.com>
Updated some documentation for devmapper snapshotter plugin.
Made consistent use of "thin-pool", "Device Mapper" when referring to
the volume management framework, and "devmapper" when referring to the
snapshotter plugin itself.
Also added some additional resources / reorg.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Since containerd no longer has a GenerateSpec method, the spec has to be generated with WithNewSpec.
Signed-off-by: Yakul Garg <2000yeshu@gmail.com>
This patch adds support for a container annotation and two separate
pod annotations for controlling the blockio class of containers.
The container annotation can be used by a CRI client:
"io.kubernetes.cri.blockio-class"
Pod annotations specify the blockio class in the K8s pod spec level:
"blockio.resources.beta.kubernetes.io/pod"
(pod-wide default for all containers within)
"blockio.resources.beta.kubernetes.io/container.<container_name>"
(container-specific overrides)
Correspondingly, this patch adds support for --blockio-class and
--blockio-config-file to ctr, too.
This implementation follows the resource class annotation pattern
introduced in RDT and merged in commit 893701220.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
To clarify that end users do not need to read these docs, and that these
docs do not need to be updated
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The previous documentation focused too much on the Go API and was not useful
for users who are not interested in implementing their own containerd client.
It was also recommending the deprecated way (cri-containerd-*.tar.gz) to install
containerd and its dependencies.
The new documentation recommends the current official way to install containerd,
and provides several links for end users.
This will replace the content of https://containerd.io/docs/getting-started/
after merging the containerd/containerd.io PR 120.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Enabling this option effectively causes the RDT class of a container to be a
soft requirement. If RDT support has not been enabled, the RDT class
setting will not have any effect.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
Add support for configuring the Linux resctrl pseudo-filesystem with
goresctrl library. The functionality is integrated in the
"io.containerd.service.v1.tasks-service" plugin.
Signed-off-by: Markus Lehtonen <markus.lehtonen@intel.com>
This commit adds a flag that enables whitelisting of all devices when
privileged_without_host_devices is already enabled.
Fixes #5679
Signed-off-by: Dat Nguyen <dnguyen7@atlassian.com>
This fixes the TODO of this function and also expands on how the primary pod IP
is selected. This change allows the operator to prefer IPv4, IPv6, or retain the
ordering provided by the return results of the CNI plugins.
This makes it much more flexible for ops to configure containerd and how IPs are
set on the pod.
Signed-off-by: Michael Crosby <michael@thepasture.io>
With the introduction of Windows Server 2022, some images have been updated
to support WS2022 in their manifest list. This commit updates the test images
accordingly.
Signed-off-by: Adelina Tuvenie <atuvenie@cloudbasesolutions.com>
Adds shared content labels to namespaces allowing content to be shared
between namespaces if that namespace is specifically tagged as being
sharable by adding the `containerd.io/namespace/sharable` label to the
namespace.
Signed-off-by: Cody Roseborough <cdr@amazon.com>
Adds support for mirrors which are non-compliant with the
OCI distribution specification but have previously mirrored
content with a namespace prefix after the API root `/v2`.
Signed-off-by: Derek McGowan <derek@mcg.dev>