Brian Goff
b0b6d9aa03
Add support for using a host registry dir in cri
This will be used instead of the cri registry config in the main config
toml.
---
Also pulls in changes from containerd/cri@d0b4eecbb3
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-12 22:42:22 +00:00
Derek McGowan
8cf669ce34
Fix unsupported files exporting functions for apparmor and seccomp
Signed-off-by: Derek McGowan <derek@mcg.dev>
2021-03-12 08:47:05 -08:00
Derek McGowan
35eeb24a17
Fix exported comments enforcer in CI
Add comments where missing and fix incorrect comments
Signed-off-by: Derek McGowan <derek@mcg.dev>
2021-03-12 08:47:05 -08:00
Iceber Gu
f37ae8fc35
move to v3.4.1 for the pause image
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
2021-03-07 15:21:20 +08:00
Iceber Gu
92ab1a63b0
cri: fix container status
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
2021-03-05 00:00:10 +08:00
f00231050
591caece0c
cri: check fsnotify watcher when receiving cni conf dir events
carry: 612f5f9f44
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2021-03-03 16:46:41 +08:00
Phil Estes
8dbe53a2a9
Merge pull request #5070 from yoheiueda/empty-masked
cri: set default masked/readonly paths to empty paths
2021-02-25 15:38:45 -05:00
Akihiro Suda
7ee610edb5
drop dependency on github.com/syndtr/gocapability
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-25 15:17:28 +09:00
Akihiro Suda
9822173354
cap: rename FromUint64 to FromBitmap
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-25 15:02:10 +09:00
Yohei Ueda
07f1df4541
cri: set default masked/readonly paths to empty paths
Fixes #5029.
Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
2021-02-24 23:50:40 +09:00
Phil Estes
757be0a090
Merge pull request #5017 from AkihiroSuda/parse-cap
oci.WithPrivileged: set the current caps, not the known caps
2021-02-23 09:10:57 -05:00
Mike Brown
9173d3e929
Merge pull request #5021 from wzshiming/fix/signal_repeatedly
Fix repeated sending signal
2021-02-22 09:45:56 -06:00
Justin Terry (SF)
06e4e09567
cri: append envs from image config to empty slice to avoid env loss
Signed-off-by: Justin Terry (SF) <juterry@microsoft.com>
2021-02-18 16:39:28 -08:00
Phil Estes
c32ccdf8be
Merge pull request #5024 from yadzhang/deepcopy-imageconfig
cri: append envs from image config to empty slice to avoid env loss
2021-02-18 12:51:51 -05:00
Akihiro Suda
746cef0bc2
Merge pull request #5044 from wzshiming/fix/empty-error-warpping
Fix empty error wrapping
2021-02-18 13:47:13 +09:00
zhangyadong.0808
08318b1ab9
cri: append envs from image config to empty slice to avoid env loss
Signed-off-by: Yadong Zhang <yadzhang@gmail.com>
2021-02-18 11:37:41 +08:00
Shiming Zhang
59db8a10e0
Fix empty error wrapping
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-02-18 11:06:59 +08:00
Shiming Zhang
dc6f5ef3b9
Fix repeated sending signal
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-02-17 21:33:49 +08:00
Michael Crosby
41e3057cc6
Merge pull request #5025 from jeremyje/win20h2
Add references to Windows 20H2 test images.
2021-02-12 11:58:49 -05:00
Lorenz Brun
36d0bc1f2b
Allow moving netns directory into StateDir
Signed-off-by: Lorenz Brun <lorenz@nexantic.com>
2021-02-10 18:33:14 +01:00
Akihiro Suda
a2d1a8a865
oci.WithPrivileged: set the current caps, not the known caps
This change is needed for running the latest containerd inside Docker
that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE).
Without this change, containerd inside Docker fails to run containers with
"apply caps: operation not permitted" error.
See kubernetes-sigs/kind 2058
NOTE: The caller process of this function is now assumed to be as
privileged as possible.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-10 17:14:17 +09:00
Michael Crosby
e874e2597e
[cri] add pod annotations to CNI call
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-02-09 13:24:01 -05:00
Jeremy Edwards
1c81071d39
Add references to Windows 20H2 test images.
Signed-off-by: Jeremy Edwards <1312331+jeremyje@users.noreply.github.com>
2021-02-09 16:25:36 +00:00
Derek McGowan
b3f2402062
Merge pull request #5002 from crosbymichael/anno-image-name
[cri] add image-name annotation
2021-02-05 08:27:41 -08:00
Akihiro Suda
e908be5b58
Merge pull request #5001 from kzys/no-lint-upgrade
2021-02-06 00:40:38 +09:00
Kazuyoshi Kato
07db46ee23
lint: update nolint syntax for golangci-lint
Newer golangci-lint needs explicit `//` separator. Otherwise it treats
the entire line (`staticcheck deprecated ... yet`) as a name.
https://golangci-lint.run/usage/false-positives/#nolint
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
2021-02-04 11:59:55 -08:00
Sebastiaan van Stijn
04d061fa6a
update runc to v1.0.0-rc93
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93
also removes dependency on libcontainer/configs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 16:13:30 +01:00
Sebastiaan van Stijn
54cc3483ff
pkg/cri/server: don't import libcontainer/configs
Looks like this import was not needed for the test; simplified the test
by just using the device-path (a counter would work, but for debugging,
having the list of paths can be useful).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 16:08:39 +01:00
Michael Crosby
99cb62f233
[cri] add image-name annotation
For some tools having the actual image name in the annotations is helpful for
debugging and auditing the workload.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-02-04 07:05:11 -05:00
Lantao Liu
b5bf1fd5d8
Fix deprecated registry auth conversion.
Signed-off-by: Lantao Liu <lantaol@google.com>
2021-02-03 19:22:26 -08:00
Aditi Sharma
1423e9199d
Update gogo/protobuf to v1.3.2
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1; the CVE has been fixed in 1.3.2
Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
2021-01-28 12:57:50 +00:00
Michael Crosby
591d7e2fb1
remove exec sync debug contents from logs
This was dumping untrusted output to the debug logs from user containers.
We should not dump this type of information to reduce log sizes and any
information leaks from user containers.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-01-26 14:57:54 -05:00
Alban Crequy
28e4fb25f4
cri: add annotations for pod name and namespace
cri-o has annotations for pod name, namespace and container name:
https://github.com/containers/podman/blob/master/pkg/annotations/annotations.go
But so far containerd had only the container name.
This patch will be useful for seccomp agents to have a different
behaviour depending on the pod (see runtime-spec PR 1074 and runc PR
2682). This should simplify the code in:
b2d423695d/pkg/kuberesolver/kuberesolver.go (L16-L27)
Signed-off-by: Alban Crequy <alban@kinvolk.io>
2021-01-26 12:10:39 +01:00
Wei Fu
e56de63099
cri: handle sandbox/container exit event separately
The event monitor handles exit events one by one. If there is something
wrong about deleting task, it will slow down the terminating Pods. In
order to reduce the impact, the exit event watcher should handle exit
event separately. If it failed, the watcher should put it into backoff
queue and retry it.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2021-01-24 13:43:38 +08:00
Shengjing Zhu
2818fdebaa
Move runtimeoptions out of cri package
Since it's a standard set of runtime opts, and used in ctr as well,
it could be moved out of cri.
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2021-01-23 01:24:35 +08:00
Michael Crosby
a731039238
[cri] label etc files for selinux containers
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-01-19 13:42:09 -05:00
Mike Brown
550b4949cb
Merge pull request #4700 from mikebrow/cri-security-profile-update
CRI security profile update for CRI graduation
2021-01-12 12:21:56 -06:00
Sebastiaan van Stijn
2374178c9b
pkg/cri/server: optimizations in unmountRecursive()
Use a PrefixFilter() to get only the mounts we're interested in,
which removes the need to manually filter mounts from the mountinfo
results.
Additional optimizations can be made, as:
> ... there's a little known fact that `umount(MNT_DETACH)` is actually
> recursive in Linux, IOW this function can be replaced with
> `unix.Umount(target, unix.MNT_DETACH)` (or `mount.UnmountAll(target, unix.MNT_DETACH)`
> (provided that target itself is a mount point).
e8fb2c392f (r535450446)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 17:32:01 +01:00
Sebastiaan van Stijn
7572919201
mount: remove remaining uses of mount.Self()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 17:31:59 +01:00
Davanum Srinivas
1f5b84f27c
[CRI] Reduce clutter of log entries during process execution
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-01-06 13:09:03 -05:00
Shengjing Zhu
5988bfc1ef
docs: Various typos found by codespell
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2020-12-22 13:22:16 +08:00
Michael Crosby
2e442ea485
[cri] ensure log dir is created
containerd is responsible for creating the log but there is no code to ensure
that the log dir exists. While kubelet should have created this there can be
times where this is not the case and this can cause stuck tasks.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-12-17 15:04:39 -05:00
Akihiro Suda
7e6e4c466f
remove "selinux" build tag
The build tag was removed in go-selinux v1.8.0: opencontainers/selinux#132
Related: remove "apparmor" build tag: 0a9147f3aa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-15 20:05:25 +09:00
Akihiro Suda
0a9147f3aa
remove "apparmor" build tag
The "apparmor" build tag does not have any cgo dependency and can be removed safely.
Related: https://github.com/opencontainers/runc/issues/2704
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-08 19:22:39 +09:00
Mike Brown
6467c3374d
refactor based on comments
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-12-07 21:39:31 -06:00
Phil Estes
73a301c7a1
Merge pull request #4772 from gaurav1086/ValidatePluginConfig_fix_range_iterator_issue
[cri/config]: fix range iterator issue in ValidatePluginConfig
2020-12-07 12:42:07 -05:00
Phil Estes
efad13faaf
Merge pull request #4811 from AkihiroSuda/expose-apparmor
expose hostSupportsAppArmor()
2020-12-07 08:22:16 -05:00
Akihiro Suda
55eda46b22
expose hostSupportsAppArmor()
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-07 19:12:59 +09:00
Gaurav Singh
071a185506
cri/config: fix range iterator issue in ValidatePluginConfig
Go uses the same address variable while iterating in a range,
so use a copy when using its address.
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
2020-12-04 17:37:09 -05:00
Mike Brown
b4727eafbe
adding code to support seccomp apparmor securityprofile
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-12-04 15:15:32 -06:00