This makes diff archives to be reproducible.
The value is expected to be passed from CLI applications via the $SOUCE_DATE_EPOCH env var.
See https://reproducible-builds.org/docs/source-date-epoch/
for the $SOURCE_DATE_EPOCH specification.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Add a new ctr cli option, allowing the garbage collector to discard any
unpacked layers after importing an image. This new option is
incompatible with the no-unpack ctr import option.
Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
For Kata Containers, starting a privileged container will fail
if passing all host devices to container due to the permission
issue, like the `privileged_without_host_devices` for CRI service,
add a `privileged-without-host-devices` to `ctr run` command will
disable passing all host devices to containers.
Signed-off-by: bin liu <liubin0329@gmail.com>
Added new runc shim binary in integration testing.
The shim is named by io.containerd.runc-fp.v1, which allows us to use
additional OCI annotation `io.containerd.runtime.v2.shim.failpoint.*` to
setup shim task API's failpoint. Since the shim can be shared with
multiple container, like what kubernetes pod does, the failpoint will be
initialized during setup the shim server. So, the following the
container's OCI failpoint's annotation will not work.
This commit also updates the ctr tool that we can use `--annotation` to
specify annotations when run container. For example:
```bash
➜ ctr run -d --runtime runc-fp.v1 \
--annotation "io.containerd.runtime.v2.shim.failpoint.Kill=1*error(sorry)" \
docker.io/library/alpine:latest testing sleep 1d
➜ ctr t ls
TASK PID STATUS
testing 147304 RUNNING
➜ ctr t kill -s SIGKILL testing
ctr: sorry: unknown
➜ ctr t kill -s SIGKILL testing
➜ sudo ctr t ls
TASK PID STATUS
testing 147304 STOPPED
```
The runc-fp.v1 shim is based on core runc.v2. We can use it to inject
failpoint during testing complicated or big transcation API, like
kubernetes PodRunPodsandbox.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
"ctr s r" help suggests <pod-config.json> is taken as the first
parameter and the sandbox ID becomes next. However, only the latter
is read and used.
Add code that reads <pod-config.json> and passes it to Sanbox.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Currently, ctr import will use loose matching as defined by
platforms.Only(), meaning in the case of platform linux/amd64 as in
issue#6441, importing will also match linux/386 platform on the
image-to-be-imported's index. However, that image-to-be-imported may not
have both the linux/amd64 and linux/386 platform contents, resulting in
a failure to unpack the image. This change makes that check strict such
that the requested platform to import for is the only platform content
imported. Both ctr pull and ctr export will treat the platform option as
strict, so this change makes ctr import consistent with those.
resolves#6441
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Schema 1 has been substantially deprecated since circa. 2017 in favor of Schema 2 introduced in Docker 1.10 (Feb 2016)
and its successor OCI Image Spec v1, but we have not officially deprecated Schema 1.
One of the reasons was that Quay did not support Schema 2 so far, but it is reported that Quay has been
supporting Schema 2 since Feb 2020 (moby/buildkit issue 409).
This PR deprecates pulling Schema 1 images but the feature will not be removed before containerd 2.0.
Pushing Schema 1 images was never implemented in containerd (and its consumers such as BuildKit).
Docker/Moby already disabled pushing Schema 1 images in Docker 20.10 (moby/moby PR 41295),
but Docker/Moby has not yet disabled pulling Schema 1 as containerd has not yet deprecated Schema 1.
(See the comments in moby/moby PR 42300.)
Docker/Moby is expected to disable pulling Schema 1 images in future after this deprecation.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This patch adds support for a container annotation and two separate
pod annotations for controlling the blockio class of containers.
The container annotation can be used by a CRI client:
"io.kubernetes.cri.blockio-class"
Pod annotations specify the blockio class in the K8s pod spec level:
"blockio.resources.beta.kubernetes.io/pod"
(pod-wide default for all containers within)
"blockio.resources.beta.kubernetes.io/container.<container_name>"
(container-specific overrides)
Correspondingly, this patch adds support for --blockio-class and
--blockio-config-file to ctr, too.
This implementation follows the resource class annotation pattern
introduced in RDT and merged in commit 893701220.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>
This commit removes the following gogoproto extensions;
- gogoproto.nullable
- gogoproto.customename
- gogoproto.unmarshaller_all
- gogoproto.stringer_all
- gogoproto.sizer_all
- gogoproto.marshaler_all
- gogoproto.goproto_unregonized_all
- gogoproto.goproto_stringer_all
- gogoproto.goproto_getters_all
None of them are supported by Google's toolchain (see #6564).
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
This commit upgrades github.com/containerd/typeurl to use typeurl.Any.
The interface hides gogo/protobuf/types.Any from containerd's Go client.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
when user executes ctr run --cni to start a container,it will call cni plugin to create network .But when user kills it,the network won’t be removed. if we run a container with same namespace and name again will trigger a bug. we should remove the network when user kills task if it enables cni plugin.
Fix:#6604
Signed-off-by: SongJiang Han <songjiang.dark@gmail.com>
Also fixes the issue that `ctr run` on Windows offered help for the
non-Windows implementation, but was silently ignored.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
addresses https://github.com/containerd/containerd/issues/6464
Return an error if a runtime provided is relative.
Add context to the usage for `ctr run --runtime` indicating that
absolute path to runtime binary must be provided.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Adds the ability to override the default user
ContainerUser with a custom user if present in
the image or ContainerAdministrator if needed.
Signed-off-by: Justin Terry <jlterry@amazon.com>
This commit unifies the following sub commands alias for
deleting/removing.
- containers
- tasks
- contents
- leases
- images
- snapshots
Signed-off-by: Ning Li <lining2020x@163.com>
The command already contains logic for Windows container
metrics, we just need to enable the command.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This change ignore errors during container runtime due to large
image labels and instead outputs warning. This is necessary as certain
image building tools like buildpacks may have large labels in the images
which need not be passed to the container.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
It seems like the cwd flag isn't used anywhere for ctr tasks exec. This change
just sets the cwd field on the spec for the execed process if a new one was
asked for, otherwise it will continue using whatever was on the containers spec.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove build tags which are already implied by the name of the file.
Ensures build tags are used consistently
Signed-off-by: Derek McGowan <derek@mcg.dev>
systemd uses SIGRTMIN+n signals, but containerd didn't support the signals
since Go's sys/unix doesn't support them.
This change introduces SIGRTMIN+n handling by utilizing moby/sys/signal.
Fixes#5402.
https://www.freedesktop.org/software/systemd/man/systemd.html#Signals
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
add '--snapshotter-labels' in ctr run and ctr c create
which can pass labels to snappshotter on preparing new
snapshot.
Pass command label to snapshotter can help it determine
which kind of writable snapshots should be provide.
For some snapshotter, such as overlaybd:
( https://github.com/alibaba/accelerated-container-image ),
it can provide 2 kind of writable snapshot (overlayfs dir or
blockdevice) by command label values.
Signed-off-by: Yifan Yuan <tuji.yyf@alibaba-inc.com>
FreeBSD mount options may have embedded = characters. For example,
devfs(5) supports the `ruleset` option which can be passed as
`ruleset=4` to indicate that ruleset 4 should be used.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Handle initial pty resize after the exec process has started and the pty
is available, consistent with the behavior of ctr run.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Use cio.WithStreams with explicit console device when --tty is passed,
consistent with how ctr run behaves.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
set user in exec container
$ ctr t exec --exec-id e1 --user admin container id
uid=500(admin) gid=500(admin) groups=500(admin)
Signed-off-by: chuangxue <chenglong.lcl@alibaba-inc.com>
Signed-off-by: acetang <aceapril@126.com>
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.
Added this to `ctr` as well so I could test that the code at least
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The provides additional insight into how much time is being spent in
unpacking and is helpful in performance comparison for just this stage
without resorting to running under time command in linux for example.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
Go example:
```go
opts := []converter.Opt{
// convert Docker media types to OCI ones
converter.WithDocker2OCI(true),
// convert tar.gz layers to uncompressed tar layers
converter.WithLayerConvertFunc(uncompress.LayerConvertFunc),
}
srcRef := "example.com/foo:orig"
dstRef := "example.com/foo:converted"
dstImg, err = converter.Convert(ctx, client, dstRef, srcRef, opts...)
fmt.Println(dstImg.Target)
```
ctr example: `ctr images convert --oci --uncompress example.com/foo:orig example.com/foo:converted`
Go test: `go test -exec sudo -test.root -test.run TestConvert`
The implementation is from https://github.com/containerd/stargz-snapshotter/pull/224,
but eStargz-specific functions are not included in this PR.
eStargz converter can be specified by importing `estargz` package and using `WithLayerConvertFunc(estargz.LayerConvertFunc)` option.
This converter interface will be potentially useful for converting zstd and ocicrypt layers as well.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The additional []containerd.RemoteOpt is not used by ctr currently,
but planned to be used by nerdctl and also probably by stargz's ctr-remote.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This allows filesystem based ACLs for configuring access to the socket of a
shim.
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Michael Crosby <michael.crosby@apple.com>
This adds linux cni support to `ctr run` via a `--cni` flag. This uses the
default configuration for CNI on `ctr` to configure the network namespace for a
container.
Signed-off-by: Michael Crosby <michael@thepasture.io>
Starting with go1.14, the go runtime hijacks SIGURG but with no way to
not send to other signal handlers.
In practice, we get this signal frequently.
I found this while testing out go1.15 with ctr and multiple execs with
only `echo hello`. When the process exits quickly, if the previous
commit is not applied, you end up with an error message that it couldn't
forward SIGURG to the container (due to the process being gone).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Previously the signal loop can end up racing with the process exiting.
Intead of logging and continuing the loop, exit early.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The flag was being silently ignored, and so no network setup was done,
and no notice given.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
We should never return a nil context because of the way this function is
typically used... e.g.
```
ctx, done, err := containerd.WithLease(ctx)
```
If there is an error `ctx` will be nil and any error handling may cause
an NPE if it tries to use `ctx`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Moved registry host configuration to the config package
and allows support of loading configurations from a
directory when the hosts are being resolved.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Add `remotes/certutil` functions for loading `ca.crt`, `client.cert`, and `client.key` into `tls.Config` from a directory like `/etc/docker/certs.d/<hostname>.
See https://docs.docker.com/engine/security/certificates/ .
Client applications including CRI plugin are expected to configure the resolver using these functions.
As an example, the `ctr` tool is extended to support `ctr images pull --certs-dir=/etc/docker/certs.d example.com/foo/bar:baz`.
Tested with Harbor 1.8.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If runtime is not runc, it doesn't make sense to send runc Options
as container create options, which will confuse other runtimes and
it actually causes kata shimv2 to fail to unmarshal the requset.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
