We are separating out the encryption code and have designed a few new
interfaces and APIs for processing content streams. This keep the core
clean of encryption code but enables not only encryption but support of
multiple content types ( custom media types ).
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit adds a flag to the runtime config that allows overloading of the default
privileged behaviour. When the flag is enabled on a runtime, host devices won't
be appended to the runtime spec if the container is run as privileged.
By default the flag is false to maintain the current behaviour of privileged.
Fixes#1213
Signed-off-by: Alex Price <aprice@atlassian.com>
By default the SecurityContext for Container activation can contain a Username
UID, GID. The order of precedences is username, UID, GID. If none of these
options are specified as a last resort attempt to set the ImageSpec username.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
Moves to the containerd/log package over logrus directly. This benefits the
traces because if using any log context such as OpenCensus on the entry gRPC
API all traces for that gRPC method will now contain the appropriate TraceID,
SpanID for easy correlation.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
Use a Pipe() rather than a file to pass the passphrase to the command
line tool. Pass the file descriptor to read the passphrase from as fd '3'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rather than passing the passphrase via command line write it into
a temp. file and pass the name of the file using passphrase-file option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A call to ExecSync should only return if the client context was canceled or
exceeded. The Timeout parameter to ExecSyncRequest is now used to send SIGKILL
if the exec'd process does not exit within Timeout but all paths wait for the
exec to exit.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
A call to StopContainer should only return if the client context is canceled or
its deadline was exceeded. The Timeout parameter on StopContainerRequest is now
used as the time AFTER sending the stop signal before the SIGKILL is delivered.
The call will remain until the container has exited or the client context has
finished.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
A call to RunPodSandbox should only return timeout if the operation has timed
out because the clients context deadline was exceeded. On client cancelation
it should return gRPC Canceled otherwise it should block until the sandbox has
exited.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
