The command already contains logic for Windows container
metrics, we just need to enable the command.
Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
This change ignore errors during container runtime due to large
image labels and instead outputs warning. This is necessary as certain
image building tools like buildpacks may have large labels in the images
which need not be passed to the container.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
In linux 5.14 and hopefully some backports, core scheduling allows processes to
be co scheduled within the same domain on SMT enabled systems.
The containerd impl sets the core sched domain when launching a shim. This
allows a clean way for each shim(container/pod) to be in its own domain and any
additional containers, (v2 pods) be be launched with the same domain as well as
any exec'd process added to the container.
kernel docs: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
Signed-off-by: Michael Crosby <michael@thepasture.io>
This adds valuable logging data to the open telemetry traces.
When the trace is not recording we don't bother doing anything as it is
relatively expensive to convert logrus data to otel just due to the
nature of how logrus works.
The way this works is that we now set a context on the logrus.Entry that
gets passed around which the hook then uses to determine if there is an
active span to forward the logs to.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Some cases can cause the server initialization to block (namely running
a 2nd containerd instance by accident against the same root dir). In
this case there is no way to quit the daemon except with `kill -9`.
This changes context things so that server init is done in a goroutine
and we wait on a channel for it to be ready while we also wait for a
ctx.Done(), which will be cancelled if there is a termination signal.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
It seems like the cwd flag isn't used anywhere for ctr tasks exec. This change
just sets the cwd field on the spec for the execed process if a new one was
asked for, otherwise it will continue using whatever was on the containers spec.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows. This issue also
affects Unix users who have “.” listed explicitly in their PATH and are running
“go get” outside of a module or with module mode disabled.
This issue is not limited to the go command itself, and can also affect binaries
that use `os.Command`, `os.LookPath`, etc.
From the related blogpost (ttps://blog.golang.org/path-security):
> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing
This patch replaces all uses of `os/exec` with `golang.org/x/sys/execabs`. While
some uses of `os/exec` should not be problematic (e.g. part of tests), it is
probably good to be consistent, in case code gets moved around.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove build tags which are already implied by the name of the file.
Ensures build tags are used consistently
Signed-off-by: Derek McGowan <derek@mcg.dev>
Add basic intiialization of opentelemetry including minimum support to
be able to read open telemetry config from config.toml and initialize
exporter. Tracer is initialized and ready to be be used for creating
spans, sub spans etc. With no opentelemetry configuration enabled in
config file, this patch is a no-op.
Basic config stub to be added to use opentelemetry is to add following
in config.toml. We use otlp exporter with default port 4317.
[otel]
exporter_name = "otlp"
exporter_endpoint = "0.0.0.1:4317"
otel-collector binary needs to run listening at the same port.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
systemd uses SIGRTMIN+n signals, but containerd didn't support the signals
since Go's sys/unix doesn't support them.
This change introduces SIGRTMIN+n handling by utilizing moby/sys/signal.
Fixes#5402.
https://www.freedesktop.org/software/systemd/man/systemd.html#Signals
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
add '--snapshotter-labels' in ctr run and ctr c create
which can pass labels to snappshotter on preparing new
snapshot.
Pass command label to snapshotter can help it determine
which kind of writable snapshots should be provide.
For some snapshotter, such as overlaybd:
( https://github.com/alibaba/accelerated-container-image ),
it can provide 2 kind of writable snapshot (overlayfs dir or
blockdevice) by command label values.
Signed-off-by: Yifan Yuan <tuji.yyf@alibaba-inc.com>
FreeBSD mount options may have embedded = characters. For example,
devfs(5) supports the `ruleset` option which can be passed as
`ruleset=4` to indicate that ruleset 4 should be used.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Handle initial pty resize after the exec process has started and the pty
is available, consistent with the behavior of ctr run.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Use cio.WithStreams with explicit console device when --tty is passed,
consistent with how ctr run behaves.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
According to the doc about `config.toml` of containerd:
```
If no version number is specified inside the config file then it is assumed to
be a version 1 config and parsed as such.
```
However, it's not true recently.
This will break the backward-compatibility in some environment.
This commit fixes this issue.
Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
containerd-stress utility needs to be able to run with snapshotter
passed by user in cli in order to be able to stress test snapshotters.
This adds a cli option --snapshotter="<snapshotter-name>"
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
set user in exec container
$ ctr t exec --exec-id e1 --user admin container id
uid=500(admin) gid=500(admin) groups=500(admin)
Signed-off-by: chuangxue <chenglong.lcl@alibaba-inc.com>
Signed-off-by: acetang <aceapril@126.com>
This fixes following warning message by changing the default runtime
to io.containerd.runc.v2 and does not require user to set the runtime
from command line anymore.
"WARN[2021-03-17T21:11:01.441207858Z] runtime v1 is deprecated since
containerd v1.4, consider using runtime v2"
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.
Added this to `ctr` as well so I could test that the code at least
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`config_linux.go` and `config_windows.go` are identical.
`config_unsupported.go` is also almost identical but enables debug logs by default.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The provides additional insight into how much time is being spent in
unpacking and is helpful in performance comparison for just this stage
without resorting to running under time command in linux for example.
Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
Previously we simply ignored any not found error when loading the
containerd config. This created unintuitive behavior:
- If the user specified a path that didn't exist via --config, we would
silently ignore the error.
- If a config specified an import that didn't exist, we would silently
ignore the error.
In either of these cases, it appears we would end up using a potentially
corrupted config, as it would contain any files that were merged into it
before the not found error was hit.
However, we can't just remove the check for !os.IsNotExist(err),
as we shouldn't throw an error when --config is not passed, but the
default config doesn't exist.
This change updates the logic to only attempt to load the config if
we know it exists, or the user passed --config.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
btrfs plugin needs CGO support. However on riscv64, cgo
is only support on go1.16 (not released yet).
Instead of setting no_btrfs manually, adding a cgo tag tells
the compiler to skip it automatically.
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
Go example:
```go
opts := []converter.Opt{
// convert Docker media types to OCI ones
converter.WithDocker2OCI(true),
// convert tar.gz layers to uncompressed tar layers
converter.WithLayerConvertFunc(uncompress.LayerConvertFunc),
}
srcRef := "example.com/foo:orig"
dstRef := "example.com/foo:converted"
dstImg, err = converter.Convert(ctx, client, dstRef, srcRef, opts...)
fmt.Println(dstImg.Target)
```
ctr example: `ctr images convert --oci --uncompress example.com/foo:orig example.com/foo:converted`
Go test: `go test -exec sudo -test.root -test.run TestConvert`
The implementation is from https://github.com/containerd/stargz-snapshotter/pull/224,
but eStargz-specific functions are not included in this PR.
eStargz converter can be specified by importing `estargz` package and using `WithLayerConvertFunc(estargz.LayerConvertFunc)` option.
This converter interface will be potentially useful for converting zstd and ocicrypt layers as well.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If we print message when SIG_PIPE occuers in signal handler.
There is a loop {print->SIG_PIPE->print->SIG_PIPE...}, which consume
a lot of cpu time. So do not print message in this situaiton.
Signed-off-by: Liu Hua <weldonliu@tencent.com>
The additional []containerd.RemoteOpt is not used by ctr currently,
but planned to be used by nerdctl and also probably by stargz's ctr-remote.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Go 1.14 introduced a change to os.OpenFile (and syscall.Open) on Windows
that uses the permissions passed to determine if the file should be
created read-only or not. If the user-write bit (0200) is not set, then
FILE_ATTRIBUTE_READONLY is set on the underlying CreateFile call.
This is a significant change for any Windows code which created new
files and set the permissions to 0 (previously the permissions had no
affect, so some code didn't set them at all).
This change fixes the issue for the Windows service panic file. It will
now properly be created as a non-read-only file on Go 1.14+.
I have looked over the rest of the containerd code and didn't see other
places where this seems like an issue.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
This allows filesystem-based ACLs for configuring access to the socket
of a shim.
Ported from Michael Crosby's similar patch for v2 shims.
Signed-off-by: Samuel Karp <skarp@amazon.com>
This allows filesystem based ACLs for configuring access to the socket of a
shim.
Co-authored-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Samuel Karp <skarp@amazon.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
Signed-off-by: Michael Crosby <michael.crosby@apple.com>
This adds linux cni support to `ctr run` via a `--cni` flag. This uses the
default configuration for CNI on `ctr` to configure the network namespace for a
container.
Signed-off-by: Michael Crosby <michael@thepasture.io>
Starting with go1.14, the go runtime hijacks SIGURG but with no way to
not send to other signal handlers.
In practice, we get this signal frequently.
I found this while testing out go1.15 with ctr and multiple execs with
only `echo hello`. When the process exits quickly, if the previous
commit is not applied, you end up with an error message that it couldn't
forward SIGURG to the container (due to the process being gone).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Previously the signal loop can end up racing with the process exiting.
Intead of logging and continuing the loop, exit early.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Put the overlay plugin in a separate package to allow the overlay package to be
used without needing to import and initialize the plugin.
Signed-off-by: Derek McGowan <derek@mcg.dev>
The flag was being silently ignored, and so no network setup was done,
and no notice given.
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
We should never return a nil context because of the way this function is
typically used... e.g.
```
ctx, done, err := containerd.WithLease(ctx)
```
If there is an error `ctx` will be nil and any error handling may cause
an NPE if it tries to use `ctx`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
I missed this in my previous change: the ctr man page is also
in Section 8, because it's considered an administrative tool,
and containerd-config is related to containerd so updating these
as well.
This commit also fixes naming of the generated files, which was
hard-coded to .1.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Moved registry host configuration to the config package
and allows support of loading configurations from a
directory when the hosts are being resolved.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Add `remotes/certutil` functions for loading `ca.crt`, `client.cert`, and `client.key` into `tls.Config` from a directory like `/etc/docker/certs.d/<hostname>.
See https://docs.docker.com/engine/security/certificates/ .
Client applications including CRI plugin are expected to configure the resolver using these functions.
As an example, the `ctr` tool is extended to support `ctr images pull --certs-dir=/etc/docker/certs.d example.com/foo/bar:baz`.
Tested with Harbor 1.8.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
If runtime is not runc, it doesn't make sense to send runc Options
as container create options, which will confuse other runtimes and
it actually causes kata shimv2 to fail to unmarshal the requset.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The builtins_cri_linux.go file only being included for _linux builds which
means that the builds for Windows do not contain the CRI plugin. This can
be disabled for either platform with the no_cri tag.
Signed-off-by: Justin Terry (SF) <juterry@microsoft.com>
Errors like `"type with url %s: not found"` are typical for non-builtin
event types, and should not resultin exiting `ctr`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* --uidmap support for one remapping
* --gidmap support for one remapping
* create IoUid and IoGid options for getNewTaskOpts
Signed-off-by: Jie Hao Liao <liaojh1998@gmail.com>
* only shim v2 runc v2 ("io.containerd.runc.v2") is supported
* only PID metrics is implemented. Others should be implemented in separate PRs.
* lots of code duplication in v1 metrics and v2 metrics. Dedupe should be separate PR.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This prepares us to be able to update docker/docker vendoring to a
recent commit.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Seems to be that docs/man/ctr.1.md and docs/man/containerd.1.md were
removed in #3637 and were not updated correctly in the Makefile, leading
to build failures like:
+ make man
make: *** No rule to make target `man/ctr.1', needed by `man'. Stop.
Changes the gen-manpages command to be specific on which manpages are to
be generated.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
This change includes a cri master bump and a cgroup bump for windows support
with cgroup stats and reusing the cgroup metric types.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The climan package has a command that can be registered with any urfav
cli app to generate man pages.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The cgroup dependency brings in quite a lot only for WithNamespaceCgroupDeletion,
which is a namespaces.DeleteOpt.
Signed-off-by: Tibor Vass <tibor@docker.com>
- Add `all-manifests` option to both `ctr content fetch` and `ctr
images pull`. By default it is false.
- This option ties to `AppendDistributionSourceLabel` in client.
Signed-off-by: Yu Yi <yiyu@google.com>
Previously the TTRPC address was generated as "<GRPC address>.ttrpc".
This change now allows explicit configuration of the TTRPC address, with
the default still being the old format if no value is specified.
As part of this change, a new configuration section is added for TTRPC
listener options.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
EventLog is very old and provides a poor experience. We have supported
ETW for logging for a while, which is much better. We have also
observed an issue where EventLog keeps containerd.exe open, preventing
containerd from being upgraded to a new version. Due to all of this,
it makes sense to remove the old EventLog hook in favor of using ETW
logging on Windows as the primary diagnostic experience.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
This adds a singleton `timeout` package that will allow services and user
to configure timeouts in the daemon. When a service wants to use a
timeout, it should declare a const and register it's default value
inside an `init()` function for that package. When the default config
is generated, we can use the `timeout` package to provide the available
timeout keys so that a user knows that they can configure.
These show up in the config as follows:
```toml
[timeouts]
"io.containerd.timeout.shim.cleanup" = 5
"io.containerd.timeout.shim.load" = 5
"io.containerd.timeout.shim.shutdown" = 3
"io.containerd.timeout.task.state" = 2
```
Timeouts in the config are specified in seconds.
Timeouts are very hard to get right and giving this power to the user to
configure things is a huge improvement. Machines can be faster and
slower and depending on the CPU or load of the machine, a timeout may
need to be adjusted.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
We are separating out the encryption code and have designed a few new
interfaces and APIs for processing content streams. This keep the core
clean of encryption code but enables not only encryption but support of
multiple content types ( custom media types ).
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Closes#1862
This adds a new rpc to the introspection service to provide server
information with a generated UUID that is done on demand and the os and
arch of the server.
ctr output:
```bash
> sudo ctr version
Client:
Version: v1.2.0-802-g57821695.m
Revision: 578216950de9c1c188708369e2a31ac6c494dfee.m
Server:
Version: v1.2.0-802-g57821695.m
Revision: 578216950de9c1c188708369e2a31ac6c494dfee.m
UUID: 92e982a9-f13e-4a2c-9032-e69b27fed454
OS: linux
ARCH: amd64
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Creating a console for containerd causes it to be inherited by any child
processes, which gives us performance and reliability improvements. See
comment in code for more information.
Another option considered here would be to invoke each child process
with the DETACHED_PROCESS flag. This would save us the containerd
console allocation. The difficulty of this approach would be ensuring
that all process invocation points have had this flag added, and that
any future invocations also use the flag.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
This change moves from specific, global errors to the errdefs errors.
This makes it easy to handle certain classes of errors while still
adding context to the failure.
Signed-off-by: Stephen Day <stephen.day@getcruise.com>
Adds a subcommand for tagging images managed by containerd.
Usage:
ctr images tag docker.io/library/alpine:latest docker.io/library/alpine:new
Comes with a --force flag to allow you to gracefully overwrite image references
that already exist.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
This also refactors the lcow and windows
snapshotters to use go-winio's utility functions for checking the
filesystem type.
Signed-off-by: Eric Hotinger <ehotinger@gmail.com>
Closes#3305
This adds an opt and a `--cgroup,-c` flag to `ctr namespaces rm` to
remove the cgroup that is commonly created with runtimes.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Previously we waited for 60 seconds after the service faults to restart
it. However, there isn't much benefit to waiting this long. We expect
15 seconds to be a more reasonable delay.
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
make ctr shim command easy to use for user, shim socket is generated
through sha256, and it can not get directly, change socket flag to id
command, generated socket in code.
It also avoid fail to connect shim v2, since shim v2 have multiple
containers, `ctr shim --socket state` should specify container id, or
get error `rpc error: code = NotFound desc = container not created: not
found`
Signed-off-by: Ace-Tang <aceapril@126.com>
