github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
11,759 Commits 3 Branches 4 Tags
cf7b705dcdadf95891b4e25a833a505e1d0e7718
Commit Graph

1358 Commits

Author SHA1 Message Date
Fu Wei
cf7b705dcd Merge pull request #8086 from neersighted/apparmor_parser_regression 
Revert `apparmor_parser` regression
 2023-02-11 09:27:53 +08:00
Fu Wei
362ba2c743 Merge pull request #7981 from dmcgowan/sandbox-controller-interface-refactor 
[sandbox] refactor controller interface
 2023-02-11 09:22:36 +08:00
Bjorn Neergaard
d33a43cc23 pkg/apparmor: clarify Godoc 
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
 2023-02-10 10:23:59 -07:00
Bjorn Neergaard
a3265102d9 Revert "Don't check for apparmor_parser to be present" 
This reverts commit 1acca8bba3.

As stated in the Godoc, this function is intended to check for presence
of `apparmor_parser`. Changing this regressed the public API of
containerd, and directly contradicts the way that this function is
consumed inside of containerd itself:
* fdfdc9bfc0/pkg/apparmor/apparmor.go (L20)
* fdfdc9bfc0/pkg/cri/sbserver/helpers_linux.go (L85)
* fdfdc9bfc0/pkg/cri/server/helpers_linux.go (L144)

This has lead to a number of painful regressions and attempted fixes in
Moby:
* https://github.com/moby/moby/issues/44900
* https://github.com/moby/moby/pull/44902
* https://github.com/moby/moby/issues/44970

While reverting this late into the life of 1.6 and at the start of the
life of 1.7 is likely painful, I think this is ultimately the best path
to take, as containerd is subject to the same failure to start
containers with an AppArmor kernel when `apparmor_parser` is missing as
Moby.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
 2023-02-10 10:05:56 -07:00
Zechun Chen
b944b108df Clean up repeated package import 
Signed-off-by: Zechun Chen <zechun.chen@daocloud.io>
 2023-02-10 16:21:55 +08:00
Derek McGowan
b0e97c0f9b Use multierror for cleanup error 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-02-07 11:06:14 -08:00
Derek McGowan
a788f6c799 Move local sandbox controller under plugins package 
Add options to sandbox controller interface.
Update sandbox controller interface to fully utilize sandbox controller
interface.
Move grpc error conversion to service.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-02-06 22:04:45 -08:00
Derek McGowan
2717685dad Refactor sandbox controller interface 
Update the sandbox controller interface to use local types rather than
using the API types.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-02-06 21:39:30 -08:00
Maksym Pavlenko
1f35b03369 Fix sandbox exit monitor 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-02-02 14:02:52 -08:00
Phil Estes
6116820aeb Merge pull request #8036 from ktock/remotesnlabel 
Export remote snapshotter label handler
 2023-02-02 11:53:43 -05:00
Kohei Tokunaga
dbf384a5a8 Export remote snapshotter label handler 
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
 2023-02-01 23:03:23 +09:00
Phil Estes
0181b103ea Merge pull request #8037 from AkihiroSuda/epoch-drop-timezone 
pkg/epoch: drop timezone
 2023-01-31 17:04:50 -05:00
Akihiro Suda
e551d734fb pkg/epoch: drop timezone 
For determinism of human-readable string representation.
e.g., "2023-01-10T12:34:56Z" vs "2023-01-10T21:34:56+09:00"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-31 23:26:02 +09:00
Derek McGowan
287320d4de Merge pull request #7840 from hinshun/feature/mount-subdirectory 
Use mount.Target to specify subdirectory of rootfs mount
 2023-01-30 21:35:34 -08:00
Derek McGowan
ee0e22f01c Merge pull request #8020 from AkihiroSuda/mkdir-etc-cni-0755 
cri: mkdir /etc/cni with 0755, not 0700
 2023-01-30 10:21:30 -08:00
Akihiro Suda
b36b415526 cri: mkdir /etc/cni with 0755, not 0700 
/etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
This file was introduced in CNI plugins 1.2.0 (containernetworking/plugins PR 693), and its path is hard-coded.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2023-01-29 07:49:36 +09:00
Edgar Lee
34d5878185 Use mount.Target to specify subdirectory of rootfs mount 
- Add Target to mount.Mount.
- Add UnmountMounts to unmount a list of mounts in reverse order.
- Add UnmountRecursive to unmount deepest mount first for a given target, using
moby/sys/mountinfo.

Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
 2023-01-27 09:51:58 +08:00
Maksym Pavlenko
21fe0ceaad Move PLEG events for pause container to podsandbox 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-25 19:28:48 -08:00
Sebastiaan van Stijn
4f39b164f3 pkg/cri: optimize slice initialization 
Some of this code was originally added in b7b1200dd3,
which likely meant to initialize the slice with a length to reduce allocations,
however, instead of initializing with a zero-length and a capacity, it
initialized the slice with a fixed length, which was corrected in commit
0c63c42f81.

This patch initializes the slice with a zero-length and expected capacity.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-01-24 20:46:20 +01:00
Maksym Pavlenko
f9f8455332 Backport #7393 to sbserver 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-17 14:36:21 -08:00
Maksym Pavlenko
0cbfb3375f Backport #7661 to sbserver 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-17 14:31:47 -08:00
Maksym Pavlenko
41eabf134a Backport #7685 to sbserver 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-17 14:26:16 -08:00
Maksym Pavlenko
b0d7a96976 Backport unit test from #7882 to sbserver 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-17 14:26:16 -08:00
Maksym Pavlenko
1ade777c24 Add basic spec and mounts for Darwin 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-12 17:00:40 -08:00
Maksym Pavlenko
3c8469a782 Use Platform instead of generated API 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-12 10:30:42 -08:00
Maksym Pavlenko
40be96efa9 Have separate spec builder for each platform 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:12:25 -08:00
Maksym Pavlenko
fdfa3519a3 Remove unused params from platformSpec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
1c1d8fb057 Update OCI spec tests for generic platform 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
f43d8924e4 Move most of OCI spec options to common builder 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
21338d2777 Add stub to build common OCI spec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
f318e5630b Update sandbox API to return target platform 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
dd22a3a806 Move WithMounts to specs 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:59 -08:00
Maksym Pavlenko
0ae0399b16 Make OCI spec opts available on all platforms 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-11 13:03:58 -08:00
Qasim Sarfraz
9c8c4508ec cri: Fix TestUpdateOCILinuxResource for host w/o swap controller 
Tested on Ubuntu 20.04 w/o swap controller:
```
$ stat -fc %T /sys/fs/cgroup/
tmpfs
$ la -la /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
ls: cannot access '/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes': No such file or directory
$  go test -v ./pkg/cri/sbserver/ -run TestUpdateOCILinuxResource
=== RUN   TestUpdateOCILinuxResource
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_patch_the_unified_map
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_update_each_resource
=== RUN   TestUpdateOCILinuxResource/should_skip_empty_fields
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_fill_empty_fields
--- PASS: TestUpdateOCILinuxResource (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_patch_the_unified_map (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_update_each_resource (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_skip_empty_fields (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_fill_empty_fields (0.00s)
PASS
ok      github.com/containerd/containerd/pkg/cri/sbserver       (cached)
$ go test -v ./pkg/cri/server/ -run TestUpdateOCILinuxResource
=== RUN   TestUpdateOCILinuxResource
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_update_each_resource
=== RUN   TestUpdateOCILinuxResource/should_skip_empty_fields
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_fill_empty_fields
=== RUN   TestUpdateOCILinuxResource/should_be_able_to_patch_the_unified_map
--- PASS: TestUpdateOCILinuxResource (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_update_each_resource (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_skip_empty_fields (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_fill_empty_fields (0.00s)
    --- PASS: TestUpdateOCILinuxResource/should_be_able_to_patch_the_unified_map (0.00s)
PASS
ok      github.com/containerd/containerd/pkg/cri/server (cached)
```

Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
 2023-01-10 15:41:04 +01:00
Fu Wei
5fc727224e Merge pull request #7861 from dmcgowan/cleanup-context 
Add cleanup package for context management during cleanup
 2023-01-05 13:18:31 +08:00
Derek McGowan
b550526ccd Use cleanup.Background instead of context.Background for cleanup 
Use the cleanup context to re-use values from the original context

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-01-04 11:22:24 -08:00
Maksym Pavlenko
06bfcd658c Enable dupword linter 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2023-01-03 12:47:16 -08:00
Derek McGowan
f606c4eba7 Add cleanup package for context management during cleanup 
Provides a couple helper functions that provide a background context for
running cleanup jobs while preserving the original context values.
The new contexts will not inherit the errors or cancellations.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2023-01-03 12:30:26 -08:00
Akihiro Suda
4adf3fb3af Merge pull request #7906 from Iceber/use_label_uncompressed 
Use the const labels.LabelUncompressed
 2023-01-04 01:04:20 +09:00
Iceber Gu
778e8f2af4 Use the const labels.LabelUncompressed 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2023-01-03 18:29:21 +08:00
Danny Canter
3f0edb249b CRI: Comment cleanup/misc fixes 
Comments in initPlatform for Windows states that the options were
Linux specific. Additionally properly wrap an error after trying
to setup CDI on Linux.

Signed-off-by: Danny Canter <danny@dcantah.dev>
 2023-01-02 18:55:31 -08:00
xin.li
1753e5af7a Reused errdefs for error 
Signed-off-by: xin.li <xin.li@daocloud.io>
 2023-01-02 21:39:20 +08:00
Rodrigo Campos
72ef986222 cri: Simplify parseUsernsIDs() 
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-12-30 16:49:28 -03:00
Rodrigo Campos
4eed20fc31 cri: Verify userns container config is consisten with sandbox 
The sandbox and container both have the userns config. Lets make sure
they are the same, therefore consistent.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-12-30 15:07:54 -03:00
Rodrigo Campos
a44b356274 cri: Fix assert vs require in tests 
Currently we require that c.containerSpec() does not return an error
if test.err is not set.

However, if the require fails (i.e. it indeed returned an error) the
rest of the code is executed anyways. The rest of the code assumes it
did not return an error (so code assumes spec is not nil). This fails
miserably if it indeed returned an error, as spec is nil and go crashes
while running the unit tests.

Let's require it is not an error, so code does not continue to execute
if that fails and go doesn't crash.

In the test.err case is not harmful the bug of using assert, but let's
switch it to require too as that is what we really want.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-12-30 14:02:10 -03:00
Samuel Karp
b0b28f1d8e Merge pull request #7879 from fuweid/clean-build-tags 2022-12-30 00:22:03 -08:00
Rodrigo Campos
3b48fb5b59 cri: Shadow variables to avoid t.Parallel() issues 
This is a follow-up suggested by Fu Wei.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
 2022-12-29 18:16:20 -03:00
Mike Brown
66f186d42d Merge pull request #7679 from kinvolk/rata/userns-stateless-pods 
Add support for user namespaces in stateless pods (KEP-127)
 2022-12-29 14:08:24 -06:00
Wei Fu
6b7e237fc7 chore: use go fix to cleanup old +build buildtag 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2022-12-29 14:25:14 +08:00
Derek McGowan
27f43506b4 Merge pull request #7872 from yanggangtony/cri-sbserver 
CRI sbserver: Prevent server reuse after Shutdown
 2022-12-27 15:54:29 -08:00