github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
12,912 Commits 3 Branches 2 Tags 112 MiB
dc7dba9c20
Commit Graph

1646 Commits

Author SHA1 Message Date
Derek McGowan
2755ead927
Merge pull request #4978 from cpuguy83/certs_dir 
Add support for using a host registry dir in cri
 2021-03-15 13:47:03 -07:00
Brian Goff
7776e5ef2a Support adding devices by dir 
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.

Added this to `ctr` as well so I could test that the code at least
works.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2021-03-15 16:42:23 +00:00
Akihiro Suda
ecb881e5e6
add imgcrypt stream processors to the default config 
Enable the following config by default:

```toml
version = 2

[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"

[stream_processors]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
```

Fix issue 5128

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-03-15 13:27:16 +09:00
Brian Goff
b0b6d9aa03 Add support for using a host registry dir in cri 
This will be used instead of the cri registry config in the main config
toml.

---

Also pulls in changes from containerd/cri@d0b4eecbb3

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2021-03-12 22:42:22 +00:00
Derek McGowan
8cf669ce34
Fix unsupported files exporting functions for apparmor and seccomp 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2021-03-12 08:47:05 -08:00
Derek McGowan
35eeb24a17
Fix exported comments enforcer in CI 
Add comments where missing and fix incorrect comments

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2021-03-12 08:47:05 -08:00
Iceber Gu
f37ae8fc35
move to v3.4.1 for the pause image 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2021-03-07 15:21:20 +08:00
Iceber Gu
92ab1a63b0 cri: fix container status 
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
 2021-03-05 00:00:10 +08:00
f00231050
591caece0c cri: check fsnotify watcher when receiving cni conf dir events 
carry: 612f5f9f44

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2021-03-03 16:46:41 +08:00
Phil Estes
8dbe53a2a9
Merge pull request #5070 from yoheiueda/empty-masked 
cri: set default masked/readonly paths to empty paths
 2021-02-25 15:38:45 -05:00
Akihiro Suda
7ee610edb5
drop dependency on github.com/syndtr/gocapability 
pkg/cap has the full list of the caps (for UT, originally),
so we can drop dependency on github.com/syndtr/gocapability

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-25 15:17:28 +09:00
Akihiro Suda
9822173354
cap: rename FromUint64 to FromBitmap 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-25 15:02:10 +09:00
Yohei Ueda
07f1df4541
cri: set default masked/readonly paths to empty paths 
Fixes #5029.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
 2021-02-24 23:50:40 +09:00
Phil Estes
757be0a090
Merge pull request #5017 from AkihiroSuda/parse-cap 
oci.WithPrivileged: set the current caps, not the known caps
 2021-02-23 09:10:57 -05:00
Mike Brown
9173d3e929
Merge pull request #5021 from wzshiming/fix/signal_repeatedly 
Fix repeated sending signal
 2021-02-22 09:45:56 -06:00
Justin Terry (SF)
06e4e09567 cri: append envs from image config to empty slice to avoid env lost 
Signed-off-by: Justin Terry (SF) <juterry@microsoft.com>
 2021-02-18 16:39:28 -08:00
Phil Estes
c32ccdf8be
Merge pull request #5024 from yadzhang/deepcopy-imageconfig 
cri: append envs from image config to empty slice to avoid env lost
 2021-02-18 12:51:51 -05:00
Akihiro Suda
746cef0bc2
Merge pull request #5044 from wzshiming/fix/empty-error-warpping 
Fix empty error warpping
 2021-02-18 13:47:13 +09:00
zhangyadong.0808
08318b1ab9 cri: append envs from image config to empty slice to avoid env lost 
Signed-off-by: Yadong Zhang <yadzhang@gmail.com>
 2021-02-18 11:37:41 +08:00
Shiming Zhang
59db8a10e0 Fix empty error warpping 
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
 2021-02-18 11:06:59 +08:00
Shiming Zhang
dc6f5ef3b9 Fix repeated sending signal 
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
 2021-02-17 21:33:49 +08:00
Michael Crosby
41e3057cc6
Merge pull request #5025 from jeremyje/win20h2 
Add references to Windows 20H2 test images.
 2021-02-12 11:58:49 -05:00
Lorenz Brun
36d0bc1f2b Allow moving netns directory into StateDir 
Signed-off-by: Lorenz Brun <lorenz@nexantic.com>
 2021-02-10 18:33:14 +01:00
Akihiro Suda
a2d1a8a865
oci.WithPrivileged: set the current caps, not the known caps 
This change is needed for running the latest containerd inside Docker
that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE).

Without this change, containerd inside Docker fails to run containers with
"apply caps: operation not permitted" error.

See kubernetes-sigs/kind 2058

NOTE: The caller process of this function is now assumed to be as
privileged as possible.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2021-02-10 17:14:17 +09:00
Michael Crosby
e874e2597e [cri] add pod annotations to CNI call 
Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-02-09 13:24:01 -05:00
Jeremy Edwards
1c81071d39 Add references to Windows 20H2 test images. 
Signed-off-by: Jeremy Edwards <1312331+jeremyje@users.noreply.github.com>
 2021-02-09 16:25:36 +00:00
Derek McGowan
b3f2402062
Merge pull request #5002 from crosbymichael/anno-image-name 
[cri] add image-name annotation
 2021-02-05 08:27:41 -08:00
Akihiro Suda
e908be5b58
Merge pull request #5001 from kzys/no-lint-upgrade 2021-02-06 00:40:38 +09:00
Kazuyoshi Kato
07db46ee23 lint: update nolint syntax for golangci-lint 
Newer golangci-lint needs explicit `//` separator. Otherwise it treats
the entire line (`staticcheck deprecated ... yet`) as a name.

https://golangci-lint.run/usage/false-positives/#nolint

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
 2021-02-04 11:59:55 -08:00
Sebastiaan van Stijn
04d061fa6a
update runc to v1.0.0-rc93 
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93

also removes dependency on libcontainer/configs

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-02-04 16:13:30 +01:00
Sebastiaan van Stijn
54cc3483ff
pkg/cri/server: don't import libcontainer/configs 
Looks like this import was not needed for the test; simplified the test
by just using the device-path (a counter would work, but for debugging,
having the list of paths can be useful).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-02-04 16:08:39 +01:00
Michael Crosby
99cb62f233 [cri] add image-name annotation 
For some tools having the actual image name in the annotations is helpful for
debugging and auditing the workload.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-02-04 07:05:11 -05:00
Lantao Liu
b5bf1fd5d8 Fix deprecated registry auth conversion. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2021-02-03 19:22:26 -08:00
Aditi Sharma
1423e9199d Update gogo/protobuf to v1.3.2 
bump version 1.3.2 for gogo/protobuf due to CVE-2021-3121 discovered
in gogo/protobuf version 1.3.1, CVE has been fixed in 1.3.2

Signed-off-by: Aditi Sharma <adi.sky17@gmail.com>
 2021-01-28 12:57:50 +00:00
Michael Crosby
591d7e2fb1 remove exec sync debug contents from logs 
This was dumping untrusted output to the debug logs from user containers.
We should not dump this type of information to reduce log sizes and any
information leaks from user containers.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-01-26 14:57:54 -05:00
Alban Crequy
28e4fb25f4 cri: add annotations for pod name and namespace 
cri-o has annotations for pod name, namespace and container name:
https://github.com/containers/podman/blob/master/pkg/annotations/annotations.go

But so far containerd had only the container name.

This patch will be useful for seccomp agents to have a different
behaviour depending on the pod (see runtime-spec PR 1074 and runc PR
2682). This should simplify the code in:
b2d423695d/pkg/kuberesolver/kuberesolver.go (L16-L27)

Signed-off-by: Alban Crequy <alban@kinvolk.io>
 2021-01-26 12:10:39 +01:00
Wei Fu
e56de63099 cri: handle sandbox/container exit event separately 
The event monitor handles exit events one by one. If there is something
wrong about deleting task, it will slow down the terminating Pods. In
order to reduce the impact, the exit event watcher should handle exit
event separately. If it failed, the watcher should put it into backoff
queue and retry it.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2021-01-24 13:43:38 +08:00
Shengjing Zhu
2818fdebaa Move runtimeoptions out of cri package 
Since it's a standard set of runtime opts, and used in ctr as well,
it could be moved out of cri.

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
 2021-01-23 01:24:35 +08:00
Michael Crosby
a731039238 [cri] label etc files for selinux containers 
Signed-off-by: Michael Crosby <michael@thepasture.io>
 2021-01-19 13:42:09 -05:00
Mike Brown
550b4949cb
Merge pull request #4700 from mikebrow/cri-security-profile-update 
CRI security profile update for CRI graduation
 2021-01-12 12:21:56 -06:00
Sebastiaan van Stijn
2374178c9b
pkg/cri/server: optimizations in unmountRecursive() 
Use a PrefixFilter() to get only the mounts we're interested in,
which removes the need to manually filter mounts from the mountinfo
results.

Additional optimizations can be made, as:

> ... there's a little known fact that `umount(MNT_DETACH)` is actually
> recursive in Linux, IOW this function can be replaced with
> `unix.Umount(target, unix.MNT_DETACH)` (or `mount.UnmountAll(target, unix.MNT_DETACH)`
>  (provided that target itself is a mount point).

e8fb2c392f (r535450446)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-01-08 17:32:01 +01:00
Sebastiaan van Stijn
7572919201
mount: remove remaining uses of mount.Self() 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2021-01-08 17:31:59 +01:00
Davanum Srinivas
1f5b84f27c
[CRI] Reduce clutter of log entries during process execution 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2021-01-06 13:09:03 -05:00
Shengjing Zhu
5988bfc1ef docs: Various typo found by codespell 
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
 2020-12-22 13:22:16 +08:00
Michael Crosby
2e442ea485 [cri] ensure log dir is created 
containerd is responsible for creating the log but there is no code to ensure
that the log dir exists.  While kubelet should have created this there can be
times where this is not the case and this can cause stuck tasks.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-12-17 15:04:39 -05:00
Akihiro Suda
7e6e4c466f
remove "selinux" build tag 
The build tag was removed in go-selinux v1.8.0: opencontainers/selinux#132

Related: remove "apparmor" build tag: 0a9147f3aa

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-12-15 20:05:25 +09:00
Akihiro Suda
0a9147f3aa
remove "apparmor" build tag 
The "apparmor" build tag does not have any cgo dependency and can be removed safely.

Related: https://github.com/opencontainers/runc/issues/2704

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-12-08 19:22:39 +09:00
Mike Brown
6467c3374d refactor based on comments 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-12-07 21:39:31 -06:00
Phil Estes
73a301c7a1
Merge pull request #4772 from gaurav1086/ValidatePluginConfig_fix_range_iterator_issue 
[cri/config] : fix range iterator issue in ValidatePluginConfig
 2020-12-07 12:42:07 -05:00
Phil Estes
efad13faaf
Merge pull request #4811 from AkihiroSuda/expose-apparmor 
expose hostSupportsAppArmor()
 2020-12-07 08:22:16 -05:00
Akihiro Suda
55eda46b22
expose hostSupportsAppArmor() 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-12-07 19:12:59 +09:00
Gaurav Singh
071a185506 cri/config: fix range iterator issue in ValidatePluginConfig 
Go uses the same address variable while iterating in a range,
so use a copy when using its address.

Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
 2020-12-04 17:37:09 -05:00
Mike Brown
b4727eafbe adding code to support seccomp apparmor securityprofile 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-12-04 15:15:32 -06:00
Michael Crosby
3d358c9df3 [cri] don't clear base security settings 
When a base runtime spec is being used, admins can configure defaults for the
spec so that default ulimits or other security related settings get applied for
all containers launched.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-12-02 06:51:37 -05:00
Shengjing Zhu
fe767f95c7 Fix package name in cri runtimeoptions protobuf 
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
 2020-11-22 16:15:34 +08:00
Maksym Pavlenko
2837fb35a7
Merge pull request #4715 from thaJeztah/remove_libcontainer_apparmor 
pkg/cri/server: remove dependency on libcontainer/apparmor, libcontainer/utils
 2020-11-18 14:34:48 -08:00
Sebastiaan van Stijn
eba94a15c8
pkg/cri/server: remove dependency on libcontainer/apparmor, libcontainer/utils 
recent versions of libcontainer/apparmor simplified the AppArmor
check to only check if the host supports AppArmor, but no longer
checks if apparmor_parser is installed, or if we're running
docker-in-docker;

bfb4ea1b1b

> The `apparmor_parser` binary is not really required for a system to run
> AppArmor from a runc perspective. How to apply the profile is more in
> the responsibility of higher level runtimes like Podman and Docker,
> which may do the binary check on their own.

This patch copies the logic from libcontainer/apparmor, and
restores the additional checks.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-11-12 15:42:25 +01:00
Jacob Blain Christen
a1e7dd939d cri: selinuxrelabel=false for /dev/shm w/ host ipc 
This is a followup to #4699 that addresses an oversight that could cause
the CRI to relabel the host /dev/shm, which should be a no-op in most
cases. Additionally, fixes unit tests to make correct assertions for
/dev/shm relabeling.

Discovered while applying the changes for #4699 to containerd/cri 1.4:
https://github.com/containerd/cri/pull/1605

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
 2020-11-11 15:22:17 -07:00
Jacob Blain Christen
e8d8ae3b97 cri: selinux relabel /dev/shm 
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, https://github.com/rancher/k3s/issues/2240

Even with updated container-selinux policy, container-local /dev/shm
will get mounted with container_runtime_tmpfs_t because it is a tmpfs
created by the runtime and not the container (thus, container_runtime_t
transition rules apply). The relabel mitigates such, allowing envoy
proxy to work correctly (and other programs that wish to write to their
/dev/shm) under selinux.

Tested locally with:
- SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration
- SELINUX=Enforcing CRITEST_ARGS=--ginkgo.skip='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri
- SELINUX=Permissive CRITEST_ARGS=--ginkgo.focus='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
 2020-11-06 12:05:17 -07:00
Sebastiaan van Stijn
1146098421
replace pkg/symlink with moby/sys/symlink 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-10-30 00:05:15 +01:00
Derek McGowan
5184bccea3
Merge pull request #4631 from dims/copy-a-few-packages-from-moby/moby 
Copy pkg/symlink and pkg/truncindex from moby/moby
 2020-10-29 09:13:30 -07:00
Wei Fu
f2e8fda82b
Merge pull request #4665 from dmcgowan/update-default-snapshot-annotations 
Update make snapshot annotations disabled by default
 2020-10-28 21:12:02 +08:00
Derek McGowan
b2642458f9
Update make snapshot annotations disabled by default 
This experimental feature should not be enabled by default as
it is not used by any default snapshotters.

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-27 21:32:25 -07:00
Akihiro Suda
8ff2707a3c
Merge pull request #4610 from shahzzzam/samashah/add-annotations 
Add manifest digest annotation for snapshotters
 2020-10-28 13:11:49 +09:00
zhuangqh
30c9addd6c fix: always set unknown to false when handling exit event 
Signed-off-by: jerryzhuang <zhuangqhc@gmail.com>
 2020-10-27 10:50:15 +08:00
Davanum Srinivas
a9cb22309a
Copy pkg/symlink and pkg/truncindex from moby/moby 
moby/moby SHA : 9c15e82f19b0ad3c5fe8617a8ec2dddc6639f40a

github.com/docker/docker/pkg/truncindex/truncindex.go -> pkg/cri/store/truncindex/truncindex.go
github.com/docker/docker/pkg/symlink/LICENSE.APACHE -> pkg/symlink/LICENSE.APACHE
github.com/docker/docker/pkg/symlink/LICENSE.BSD -> pkg/symlink/LICENSE.BSD
github.com/docker/docker/pkg/symlink/README.md -> pkg/symlink/README.md
github.com/docker/docker/pkg/symlink/fs.go -> pkg/symlink/fs.go
github.com/docker/docker/pkg/symlink/fs_unix.go -> pkg/symlink/fs_unix.go
github.com/docker/docker/pkg/symlink/fs_windows.go -> pkg/symlink/fs_windows.go

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-10-15 08:36:35 -04:00
Daniel Canter
cdb2f9c66f Filter snapshotter labels passed to WithNewSnapshot 
Made a change yesterday that passed through snapshotter labels into the wrapper of
WithNewSnapshot, but it passed the entirety of the annotations into the snapshotter.
This change just filters the set that we care about down to snapshotter specific
labels.

Will probably be future changes to add some more labels for LCOW/WCOW and the corresponding
behavior for these new labels.

Signed-off-by: Daniel Canter <dcanter@microsoft.com>
 2020-10-15 04:49:39 -07:00
Phil Estes
9b70de01d6
Merge pull request #4630 from dcantah/pass-snapshotter-opt 
Cri - Pass snapshotter labels into customopts.WithNewSnapshot
 2020-10-14 10:54:06 -04:00
Daniel Canter
9a1f6ea4dc Cri - Pass snapshotter labels into customopts.WithNewSnapshot 
Previously there wwasn't a way to pass any labels to snapshotters as the wrapper
around WithNewSnapshot didn't have a parm to pass them in.

Signed-off-by: Daniel Canter <dcanter@microsoft.com>
 2020-10-14 04:14:03 -07:00
Daniel Canter
d74225b588 Fix comment in RemovePodSandbox 
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
 2020-10-12 17:59:08 -07:00
zhangjianming
116902cd21 fix no-pivot not working in io.containerd.runtime.v1.linux 
Signed-off-by: zhangjianming <zhang.jianming7@zte.com.cn>
 2020-10-12 09:39:59 +08:00
Maksym Pavlenko
3d02441a79 Refactor pkg packages 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-10-08 17:30:17 -07:00
Akihiro Suda
915263f269
Merge pull request #4502 from akshat-kmr/master 
Add logging binary support when terminal is true
 2020-10-08 12:14:39 +09:00
Samarth Shah
5fc721370d Add manifest digest annotation for snapshotters 
Signed-off-by: Samarth Shah <samarthmshah@gmail.com>
 2020-10-07 23:12:01 +00:00
Maksym Pavlenko
3508ddd3dd Refactor CRI packages 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-10-07 14:45:57 -07:00
Derek McGowan
b22b627300
Move cri server packages under pkg/cri 
Organizes the cri related server packages under pkg/cri

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-07 13:09:37 -07:00
Derek McGowan
1c60ae7f87
Use local version of cri packages 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-07 10:59:40 -07:00
Derek McGowan
e7a350176a
Merge containerd/cri into containerd/containerd 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-07 10:58:39 -07:00
Derek McGowan
0820015314 Prepare cri for merge to containerd 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-07 10:58:39 -07:00
Michael Crosby
a0b3b4e4da
Merge pull request #1593 from moolen/fix/add-nri-labels 
Add missing sandbox labels when invoking nri
 2020-10-07 13:17:06 -04:00
Derek McGowan
07c98d0bf1 Fix lint in Unix environments 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-10-05 17:46:01 -07:00
Moritz Johner
f87302ab20 Add missing sandbox labels when invoking nri plugins 
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
 2020-10-03 23:30:09 +02:00
Derek McGowan
a3c0e8859c Align lint checks with containerd 
Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-09-30 23:17:46 -07:00
Derek McGowan
83e6efc6fc Use tabs in protofile indentation 
This is enforced as part of containerd's fmt checks

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-09-30 21:50:33 -07:00
Mike Brown
2e3bebb297
Merge pull request #1583 from thaJeztah/simplify_ensure_removeall_windows 
pkg/server: make ensureRemoveAll() an alias for os.RemoveAll() on Windows
 2020-09-28 14:26:18 -05:00
Mike Brown
b1ee4c0d7b
Merge pull request #1570 from yoheiueda/masked 
Set masked and readonly paths based on default Unix spec
 2020-09-24 15:45:58 -05:00
Sebastiaan van Stijn
e2928124d1
pkg/server: make ensureRemoveAll() an alias for os.RemoveAll() on Windows 
The tricks performed by ensureRemoveAll only make sense for Linux and
other Unices, so separate it out, and make ensureRemoveAll for Windows
just an alias of os.RemoveAll.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-09-22 10:11:46 +02:00
ktock
e571fd864f Limit value size of additional annotation for avoiding unpack failure 
In containerd, there is a size limit for label size (4096 chars).
Currently if an image has many layers (> (4096-39)/72 > 56),
`containerd.io/snapshot/cri.image-layers` will hit the limit of label size and
the unpack will fail.
This commit fixes this by limiting the size of the annotation.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
 2020-09-15 22:47:28 +09:00
Yohei Ueda
b582da4438
Set masked and readonly paths based on default Unix spec 
The default values of masked and readonly paths are defined
in populateDefaultUnixSpec, and are used when a sandbox is
created.  It is not, however, used for new containers.  If
a container definition does not contain a security context
specifying masked/readonly paths, a container created from
it does not have masked and readonly paths.

This patch applies the default values to masked and
readonly paths of a new container, when any specific values
are not specified.

Fixes #1569

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
 2020-09-09 23:13:05 +09:00
Michael Crosby
d715d00906 Handle KVM based runtimes with selinux 
Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-08-26 21:38:03 -04:00
Akshat Kumar
7a9fbec5fb Add logging binary support when terminal is true 
Currently the shims only support starting the logging binary process if the
io.Creator Config does not specify Terminal: true. This means that the program
using containerd will only be able to specify FIFO io when Terminal: true,
rather than allowing the shim to fork the logging binary process. Hence,
containerd consumers face an inconsistent behavior regarding logging binary
management depending on the Terminal option.

Allowing the shim to fork the logging binary process will introduce consistency
between the running container and the logging process. Otherwise, the logging
process may die if its parent process dies whereas the container will keep
running, resulting in the loss of container logs.

Signed-off-by: Akshat Kumar <kshtku@amazon.com>
 2020-08-25 17:28:29 -07:00
Derek McGowan
56a89cda34
Merge pull request #1552 from crosbymichael/nri 
Add experimental NRI injection points
 2020-08-24 13:58:11 -07:00
Antonio Ojea
1403a391c3 bump cni dependencies 
Signed-off-by: Antonio Ojea <aojea@redhat.com>
 2020-08-21 18:00:20 +02:00
Michael Crosby
63f89eb954 Update server with nri injection points 
This allows development with container to be done for NRI without the need for
custom builds.

This is an experimental feature and is not enabled unless a user has a global
`/etc/nri/conf.json` config setup with plugins on the system.  No NRI code will
be executed if this config file does not exist.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-08-20 08:10:09 -04:00
Akihiro Suda
7332e2ad2e
remove libseccomp cgo dependency 
The CRI plugin was depending on libseccomp cgo dependency via
libseccomp-golang via libcontainer.

https://github.com/seccomp/libseccomp-golang/blob/v0.9.1/seccomp_internal.go#L17

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-07-30 18:51:23 +09:00
Mike Brown
8a2d1cc802 adds support for pod id lookup for filter 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-07-29 15:23:22 -05:00
ktock
c80660b82b Allow GC to discard content after successful pull and unpack 
This commit adds a config flag for allowing GC to clean layer contents up after
unpacking these contents completed, which leads to deduplication of layer
contents between the snapshotter and the contnet store.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
 2020-07-28 09:05:47 +09:00
Michael Crosby
5f5d954b6a add selinux category range to config 
This allows an admin to set the upper bounds on the category range for selinux
labels.  This can be useful when handling allocation of PVs or other volume
types that need to be shared with selinux enabled on the hosts and volumes.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-07-20 16:02:07 -04:00
Akihiro Suda
707d2c49d1
allow disabling hugepages 
This helps with running rootless mode + cgroup v2 + systemd without hugetlb delegation.
Systemd does not (and will not, perhaps) support hugetlb delegation as of systemd v245. https://github.com/systemd/systemd/
issues/14662

From 502bc5427e/src/patches/containerd/0001-DIRTY-VENDOR-cri-allow-disabling-hugepages.patch

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-07-16 11:46:25 +09:00
James Sturtevant
2bb0b19c4b Update to latest pause image for windows 
Signed-off-by: James Sturtevant <jstur@microsoft.com>
 2020-07-15 11:45:21 -07:00
Mike Brown
4b3974c4e9 show runc options tag 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-07-10 16:33:36 -05:00
Abhishek Kulkarni
287c52d1c6 Forcibly stop running containers before removal 
Signed-off-by: Abhishek Kulkarni <abd.kulkarni@gmail.com>
 2020-07-04 15:49:00 -05:00
Akihiro Suda
fb208d015a
vendor runc v1.0.0-rc91 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-07-03 14:03:21 +09:00
Akihiro Suda
fe6833a9a4
config: TolerateMissingHugePagesCgroupController -> TolerateMissingHugetlbController 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-07-02 13:49:42 +09:00
Akihiro Suda
b69d7bdc5f
config: fix TOML tag for TolerateMissingHugePagesCgroupController 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-07-02 13:38:19 +09:00
Mike Brown
c2191fddd7
Merge pull request #1513 from brianpursley/state-name 
Change "failed to stop sandbox" error message to use state name instead of numeric value
 2020-06-27 16:08:27 -05:00
Brian Pursley
aa04fc9d53 Change "failed to stop sandbox" error message to use state name instead of numeric value 
Signed-off-by: Brian Pursley <bpursley@cinlogic.com>
 2020-06-27 16:45:08 -04:00
Kevin Parsons
210561a8e3 Support named pipe mounts for Windows containers 
Adds support to mount named pipes into Windows containers. This support
already exists in hcsshim, so this change just passes them through
correctly in cri. Named pipe mounts must start with "\\.\pipe\".

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
 2020-06-25 12:01:08 -07:00
Mike Brown
f5c7ac9272 fix for image pull linter change 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-06-24 18:10:31 -05:00
Davanum Srinivas
3ee62de2bf
remove unused method 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-22 15:03:47 -04:00
Davanum Srinivas
cbb7c28f19
Add copyright headers 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-22 14:49:13 -04:00
Davanum Srinivas
e2072b71cc
Copy kubernetes/pkg/util/bandwidth 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-22 14:48:25 -04:00
Davanum Srinivas
2909022a6e
Make local copy of kubelet/cri/streaming 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-22 13:54:34 -04:00
Davanum Srinivas
41f184f15b
Update vendor.conf to kubernetes 1.19.0-beta.2 
update streaming import path
switch remote package path

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-22 08:44:49 -04:00
Michael Crosby
6164822714
Merge pull request #1508 from janosi/sctp-hostport 
Remove the protocol filter from the HostPort management
 2020-06-15 14:48:37 -04:00
Mike Brown
b661ad711e
Merge pull request #1504 from lorenz/ignore-image-defined-volumes 
Add option for ignoring volumes defined in images
 2020-06-14 11:52:48 -05:00
Mike Brown
26dc5b9772
Merge pull request #1505 from dcantah/windows-cred-spec 
Add GMSA credential spec passing
 2020-06-14 11:52:33 -05:00
Laszlo Janosi
479dfbac45
Remove the protocol filter from the portMappings constructor. 
Reason: originally it was introduced to prevent the loading of the SCTP kernel module on the nodes. But iptables chain creation alone does not load the kernel module. The module would be loaded if an SCTP socket was created, but neither cri nor the portmap CNI plugin starts managing SCTP sockets if hostPort / portmappings are defined.
Signed-off-by: Laszlo Janosi <laszlo.janosi@ibm.com>
 2020-06-14 15:48:00 +00:00
Kenta Tada
730b7a932e Change the type of PdeathSignal 
Use x/sys as same as runtime/v1/linux/runtime.go

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
 2020-06-11 11:35:51 +09:00
Daniel Canter
9620b2e1da Add GMSA Credential Spec passing 
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
 2020-06-10 11:15:07 -07:00
Lorenz Brun
5a1d49b063 Add option for ignoring volumes defined in images 
Signed-off-by: Lorenz Brun <lorenz@brun.one>
 2020-06-09 21:02:47 +02:00
Brian Goff
c694c63176 Add config for registry http headers 
This adds a configuration knob for adding request headers to all
registry requests. It is not namespaced to a registry.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
 2020-06-08 18:56:15 -07:00
Gaurav Singh
7213cd89d6 Process I/O: Fix goroutine leak 
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
 2020-06-07 17:38:36 -04:00
Davanum Srinivas
d7ce093d63
Tolerate missing HugeTLB cgroups controller 
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
 2020-06-01 12:07:32 -04:00
Akihiro Suda
2f601013e6 cgroup2: implement containerd.events.TaskOOM event 
How to test (from https://github.com/opencontainers/runc/pull/2352#issuecomment-620834524):
  (host)$ sudo swapoff -a
  (host)$ sudo ctr run -t --rm --memory-limit $((1024*1024*32)) docker.io/library/alpine:latest foo
  (container)$ sh -c 'VAR=$(seq 1 100000000)'

An event `/tasks/oom {"container_id":"foo"}` will be displayed in `ctr events`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-06-01 14:00:13 +09:00
Maksym Pavlenko
17c61e36cb Fix cgroups path for base OCI spec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-05-29 11:40:12 -07:00
Maksym Pavlenko
8d54f39753 Allow specify base OCI runtime spec 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-05-28 13:39:31 -07:00
Michael Crosby
72edf3016d Use new SELinux APIs 
This moves most of the API calls off of the `labels` package onto the root
selinux package.  This is the newer API for most selinux operations.

Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-05-26 15:18:46 -04:00
Darren Shepherd
24209b91bf Add MCS label support 
Carry of #1246

Signed-off-by: Darren Shepherd <darren@rancher.com>
Signed-off-by: Michael Crosby <michael@thepasture.io>
 2020-05-20 13:59:51 -05:00
Sascha Grunert
e2cedb9469
Increase port-forward timeout to 1s to fix e2e test 
We encountered two failing end-to-end tests after the adoption of
https://github.com/containerd/cri/pull/1470 in
https://github.com/cri-o/cri-o/pull/3749:

```
Summarizing 2 Failures:
[Fail] [sig-cli] Kubectl Port forwarding With a server listening on 0.0.0.0 that expects a client request [It] should support a client that connects,
sends DATA, and disconnects
test/e2e/kubectl/portforward.go:343

[Fail] [sig-cli] Kubectl Port forwarding With a server listening on localhost that expects a client request [It] should support a client that connects
, sends DATA, and disconnects
test/e2e/kubectl/portforward.go:343
```

Increasing the timeout to 1s fixes the issue.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
 2020-05-12 12:43:14 +02:00
Derek McGowan
21ad9c4e21 Use digestset from go-digest 
Removes docker/distribution dependency

Signed-off-by: Derek McGowan <derek@mcg.dev>
 2020-05-11 14:17:34 -07:00
payall4u
b437938d2f
Transfer error to ErrNotFound when kill a not exist container, also add 
test case.

Signed-off-by: payall4u <404977848@qq.com>

Add integration test case

Signed-off-by: payall4u <404977848@qq.com>
 2020-05-11 21:53:43 +08:00
Wei Fu
8252e54f93
Merge pull request #1472 from mxpv/profile 
Add config flag to default empty seccomp profile
 2020-05-11 10:16:00 +08:00
Mike Brown
bd0a76565a
Merge pull request #1469 from thaJeztah/remove_libcontainer_system 
Remove dependency on libcontainer/system
 2020-05-10 19:33:17 -05:00
Derek McGowan
dbedcf8706
Merge pull request #1449 from mikebrow/make-http-with-tlsconfig-a-warning 
removes the error when tls is configured for https but http is tried first
 2020-05-10 16:09:41 -07:00
Sebastiaan van Stijn
0e1b7bdb59
Remove dependency on libcontainer/system 
This swaps the RunningInUserNS() function that we're using
from libcontainer/system with the one in containerd/sys.

This removes the dependency on libcontainer/system, given
these were the only functions we're using from that package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-05-10 21:58:16 +02:00
Maksym Pavlenko
674fe72aa8 Update docs for unset seccomp profile 
Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-05-10 10:46:58 -07:00
Sebastiaan van Stijn
c96373f6d5
newTransport(): remove deprecated DualStack option 
The `DualStack` option was deprecated in Go 1.12, and is now enabled by default
(through commit github.com/golang/go@efc185029bf770894defe63cec2c72a4c84b2ee9).

> The Dialer.DualStack field is now meaningless and documented as deprecated.
>
> To disable fallback, set FallbackDelay to a negative value.

The default `FallbackDelay` is 300ms; to make this more explicit, this patch
sets `FallbackDelay` to the default value.

Note that Docker Hub currently does not support IPv6 (DNS for registry-1.docker.io
has no AAAA records, so we should not hit the 300ms delay).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-05-10 12:39:10 +02:00
Antonio Ojea
11a78d9d0f
don't use socat for port forwarding 
use goroutines to copy the data from the stream to the TCP
connection, and viceversa, removing the socat dependency.

Quoting Lantao Liu, the logic is as follow:

When one side (either pod side or user side) of portforward
is closed, we should stop port forwarding.

When one side is closed, the io.Copy use that side as source will close,
but the io.Copy use that side as dest won't.

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
 2020-05-09 00:54:30 +02:00
Maksym Pavlenko
38f19f991e Add config flag to default empty seccomp profile 
This changes adds `default_seccomp_profile` config switch to apply default seccomp profile when not provided by k8s.a

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
 2020-05-08 13:24:38 -07:00
Wei Fu
48e797c77f RunPodSandbox: destroy network if fails or invalid 
Should destroy the pod network if fails to setup or return invalid
net interface, especially multiple CNI configurations.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2020-05-01 12:07:33 +08:00
ktock
ca661c8dc9 Pass chained layer digests to snapshotter for parallel snapshot preparation 
Currently, CRI plugin passes each layer digest to remote snapshotters
sequentially, which leads to sequential snapshots preparation. But it costs
extra time especially for remote snapshotters which need to connect to the
remote backend store (e.g. registries) for checking the snapshot existence on
each preparation.

This commit solves this problem by introducing new label
`containerd.io/snapshot/cri.chain` for passing all layer digests in an image to
snapshotters and by allowing them to prepare these snapshots in parallel, which
leads to speed up the preparation.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
 2020-04-28 15:03:08 +09:00
Mike Brown
4ea4ca99c7
Merge pull request #1455 from 6WIND/master 
fix incomplete host device for PrivilegedWithoutHostDevices
 2020-04-26 22:28:20 -05:00
Mike Brown
776c125e4f move up to latest critools; add apparmor profile check 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-04-26 16:16:48 -05:00
Mike Brown
1b60224e2e use containerd/project header test 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-04-22 19:35:37 -05:00
Thibaut Collet
98f8ec4995 fix incomplete host device for PrivilegedWithoutHostDevices 
For a privilege pods with PrivilegedWithoutHostDevices set to true
host device specified in the config are not provided (whereas it is done for
non privilege pods or privilege pods with PrivilegedWithoutHostDevices set
to false as all devices are included).

Add them in this case.

Fixes: 3353ab76d9 ("Add flag to overload default privileged host device behaviour")
Signed-off-by: Thibaut Collet <thibaut.collet@6wind.com>
 2020-04-22 18:20:36 +02:00
Mike Brown
9d37687a95
Merge pull request #1436 from chethanah/add-container-name-annot 
Support for additional OCI annotations: 'container-name'
 2020-04-19 13:19:47 -05:00
Maksym Pavlenko
917e7646ae Add binary IO tests 
Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2020-04-17 16:50:43 -07:00
Maksym Pavlenko
9175401b28 Cleanup binary IO resources on error 
Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2020-04-17 15:56:21 -07:00
Maksym Pavlenko
0dc7c85956 Don't use timeout package when stopping shim logger 
containerd loads timeout values from config.toml and populated those
values to `timeout` package at launch. So when using `timeout` package
from shim, there are default values and config file is ignored.
So use a hardcoded value for binary IO.

Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2020-04-17 15:06:18 -07:00
yang yang
d07f7f167a add default scheme if endpoint no scheme 
Signed-off-by: yang yang <yang8518296@163.com>
 2020-04-17 23:33:28 +08:00
Mike Brown
27f911d663 removes the error when tls is configured for https but http is tried first 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-04-16 13:23:56 -05:00
ktock
c1b7bcf395 Enable to pass additional handler on pull for stargz-based remote snapshots 
Throughout container lifecycle, pulling image is one of the time-consuming
steps. Recently, containerd community started to tackle this issue with
stargz-based remote snapshots, as a non-core
subproject(https://github.com/containerd/stargz-snapshotter).

This snapshotter is implemented as a standard proxy plugin but it requires the
client to pass some additional information (image ref and layer digest) for each
pull operation to query layer contents on the registry. Stargz snapshotter
project provides an image handler to do this and stargz snapshot users need to
pass this handler to containerd client.

This commit enables to use stargz-based remote snapshots through CRI by passing
the handler to containerd client on pull operation.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
 2020-04-16 20:53:52 +09:00
Chethan Suresh
7fc8652e32 Add OCI annotations for container name 
Along with type(Sandbox or Container) and Sandbox name annotations
provide support for additional annotation:
  - Container name

This will help us perform per container operation by comparing it
with pass through annotations (eg. pod metadata annotations from K8s)

Signed-off-by: Chethan Suresh <Chethan.Suresh@sony.com>
 2020-04-16 07:14:58 +05:30
Shengjing Zhu
4263229a7b Replace docker/distribution/reference with containerd/reference/docker 
Since https://github.com/containerd/containerd/pull/3728
The docker/distribution/reference package is copied into containerd core

Signed-off-by: Shengjing Zhu <i@zhsj.me>
 2020-04-16 03:29:58 +08:00
Mike Brown
d531dc492a
Merge pull request #1405 from fuweid/me-async-load-cnicnf 
reload cni network config if has fs change events
 2020-04-15 13:57:32 -05:00
Mike Brown
aa9b1885b5 fixes bad unit tests when selinux is enabled 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-04-15 12:28:11 -05:00
Maksym Pavlenko
0caa233158 Rework shim logger shutdown process 
Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2020-04-07 12:42:04 -07:00
Wei Fu
4ce334aa49 reload cni network config if has fs change events 
With go RWMutex design, no goroutine should expect to be able to
acquire a read lock until the read lock has been released, if one
goroutine call lock.

The original design is to reload cni network config on every single
Status CRI gRPC call. If one RunPodSandbox request holds read lock
to allocate IP for too long, all other RunPodSandbox/StopPodSandbox
requests will wait for the RunPodSandbox request to release read lock.
And the Status CRI call will fail and kubelet becomes NOTReady.

Reload cni network config at every single Status CRI call is not
necessary and also brings NOTReady situation. To lower the possibility
of NOTReady, CRI will reload cni network config if there is any valid fs
change events from the cni network config dir.

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2020-04-03 12:28:58 +08:00
Phil Estes
0c78dacbc5
Move isFifo from process/io to sys/ and make public 
Make "IsFifo" a public function for use by other parts of containerd
codebase.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
 2020-03-25 10:44:17 -04:00
Li Yuxuan
cb0140063e Fix goroutine leak when exec/attach 
The resize chan is never closed when doing exec/attach now. What's more,
`resize` is a recieved only chan so it can not be closed. Use ctx to
exit the goroutine in `handleResizing` properly.

Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
 2020-03-24 10:42:54 +08:00
Sebastiaan van Stijn
e093a0ee08
Use local "ensureRemoveAll" instead of docker/pkg/system 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-03-12 20:21:14 +01:00
lifubang
488d6194f2 fix dial error when clean up a dead shim 
Signed-off-by: lifubang <lifubang@acmcoder.com>
 2020-03-12 10:57:55 +08:00
Akihiro Suda
fa72e2f693 cgroup2: do not unshare cgroup namespace for privileged 
Conforms to the latest KEP:
0e409b4749/keps/sig-node/20191118-cgroups-v2.md (cgroup-namespace)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-03-09 01:49:04 +09:00
Sebastiaan van Stijn
f2edc6f164
vendor: update gotest.tools v3.0.2 
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2020-02-28 17:47:20 +01:00
Brandon Lum
8d5a8355d0 Updated docs and code for default nil behavior 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-27 23:42:03 +00:00
Kiril Vladimiroff
4dd75be2b9
Unify dialer implementations 
Instead of having several dialer implementations, leave only one in
`pkg/dialer` and call it from `pkg/ttrpcutil`, `runtime/v(1|2)/shim`
which had their own

Closes #3471.

Signed-off-by: Kiril Vladimiroff <kiril@vladimiroff.org>
 2020-02-26 23:29:04 +02:00
Brandon Lum
ffcef9dc32 Addressed nits 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Brandon Lum
8df431fc31 Defer multitenant key model to image auth discussion 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Brandon Lum
c43a7588f6 Refactor encrypted opts and added unit test 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Brandon Lum
f0579c7b4d Implmented node key model for image encryption 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2020-02-24 20:45:57 +00:00
Mike Brown
f4b3cdb892
Merge pull request #1399 from mikebrow/pause-image-update 
move to v3.2 for the pause image
 2020-02-20 10:45:16 -06:00
Mike Brown
c9ed98462d move to v3.2 for the pause image 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2020-02-14 12:55:52 -06:00
Mike Brown
cf0e0a1e2c
Merge pull request #1332 from bg-chun/update_cri_for_hugepages 
update cri-plugin to parse hugepages limit
 2020-02-12 10:05:01 -06:00
Byonggon Chun
c02c24847f update cri-plugin to parse hugepages limit from CRI message 
Signed-off-by: Byonggon Chun <bg.chun@samsung.com>
 2020-02-06 15:28:24 +09:00
Justin Terry (VM)
a8cc66b37a Fix store error serialization to gRPC status codes 
The pkg/store errors are duplicated errors of NotFound and AlreadyExist from
containerd's errdefs package and thus do not properly serialize when running
errdefs.ToGRPC on them. CRI runs this function on every return from a CRI
method so the conversion fails if there is a cache miss from the store caches
for containers or sandboxes. This change verifies that the errors are properly
converted to their gRPC values.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2020-02-05 18:32:45 -08:00
Akihiro Suda
2d28b60046 vendor kubernetes 1.17.1 
Corresponds to https://github.com/kubernetes/kubernetes/blob/v1.17.1/go.mod

note: `k8snet.ChooseBindAddress()` was renamed to `k8snet.ResolveBindAddress()` in afa0b808f8

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-01-22 02:06:50 +09:00
Akihiro Suda
5e5960f2bc
Merge pull request #1376 from Zyqsempai/add-cgroups-v2-metrics 
Cgroupv2: Added CPU, Memory metrics
 2020-01-21 23:21:09 +09:00
Boris Popovschi
6b8846cdf8 vendor updated + added cgroupv2 metrics 
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
 2020-01-17 11:55:06 +02:00
Akihiro Suda
71740399e0 cgroup2: unshare cgroup namespace for containers 
In cgroup v1 container implementations, cgroupns is not used by default because
it was not available in the kernel until kernel 4.6 (May 2016), and the default
behavior will not change on cgroup v1 environments, because changing the
default will break compatibility and surprise users.

For cgroup v2, implementations are going to unshare cgroupns by default
so as to hide /sys/fs/cgroup from containers.

* Discussion: https://github.com/containers/libpod/issues/4363
* Podman PR (merged): https://github.com/containers/libpod/pull/4374
* Moby PR: https://github.com/moby/moby/pull/40174

This PR enables cgroupns for containers, but pod sandboxes are untouched
because probably there is no need to do.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-01-09 14:58:30 +09:00
Akihiro Suda
aaddaa2732 bump up the default runtime to "io.containerd.runc.v2" 
The former default runtime "io.containerd.runc.v1" won't support new features
like support for cgroup v2: containerd/containerd#3726

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2019-12-16 11:53:58 +09:00
Lantao Liu
0c2d3b718d Fix privileged devices. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-12-09 17:43:06 -08:00
Lantao Liu
78708b20c7
Merge pull request #1351 from Random-Liu/better-unknown-state-handling 
Better handle unknown state.
 2019-12-09 10:34:57 -08:00
Lantao Liu
facbaa0e79 Better handle unknown state. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-12-06 10:56:27 -08:00
bpopovschi
5d7bd738e4 Use containerD WithHostDevices 
Signed-off-by: bpopovschi <zyqsempai@mail.ru>
 2019-12-04 11:34:46 +02:00
Lantao Liu
a6b6097c90 Fix container pid. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-12-02 01:02:22 -08:00
Lantao Liu
444f02a89e
Merge pull request #1344 from darfux/add-resolvconf-to-sandbox-container 
Provide resolvConf to sandbox container's mounts
 2019-12-01 21:25:19 -08:00
Li Yuxuan
dbc1fb37d0 Provide resolvConf to sandbox container's mounts 
As https://github.com/kata-containers/runtime/issues/1603 discussed,
kata relies on such mount spec to setup resolv.conf for pod VM properly.

Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
 2019-11-28 12:05:05 +08:00
Lantao Liu
ab6701bd11 Add insecure_skip_verify option. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-11-26 13:25:52 -08:00
Lantao Liu
5c2f33bd0d Cleanup path for windows mount 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-11-15 18:52:11 +00:00
Erik Wilson
7cc3938717 Set default scheme in registryEndpoints for host 
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
 2019-10-31 10:30:17 -07:00
Lantao Liu
65b9c31805 Use http for localhost, 127.0.0.1 and ::1 by default. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-10-28 19:07:43 -07:00
Lantao Liu
d95e21c89b Add container compute stats support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-10-25 14:32:02 -07:00
Michael Crosby
f8cca26f3c Handle large output in v2 shim with TTY 
Reized the I/O buffers to align with the size of the kernel buffers with fifos
and move the close aspect of the console to key off of the stdin closing.

Fixes #3738

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-10-11 15:42:05 -04:00
Lantao Liu
2ce0bb0926 Update code for latest containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-10-09 18:05:20 -07:00
Lantao Liu
18be6e3714 Use cached state instead of runc state. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-10-03 10:53:13 -07:00
Lantao Liu
358d672160 Add hostname CRI validation and unit test. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-25 16:11:27 -07:00
Lantao Liu
7fba77f238
Merge pull request #1298 from Random-Liu/set-sandbox-cpu-shares 
Set default sandbox container cpu shares on windows.
 2019-09-25 11:05:43 -07:00
Lantao Liu
2eba67a7ee
Merge pull request #1287 from crosbymichael/cgroups 
Use type alias from containerd for cgroup metric types
 2019-09-24 17:34:49 -07:00
Lantao Liu
f3ef10e9a2 Set default sandbox container cpu shares on windows. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-24 17:03:11 -07:00
Justin Terry (VM)
ed7873ef1e Forward SandboxConfig.Hostname to Workload container activation 
1. For Windows the Hostname property is not inherited from the sandbox and must
be passed for the Workload container activations as well.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-09-24 10:21:17 -07:00
Lantao Liu
bad68a8270
Merge pull request #1284 from liyanhui1228/win_portforward 
Add windows port forward support
 2019-09-23 22:17:08 -07:00
Angela Li
dc413bd6d6 Add windows portforward support 
Signed-off-by: Angela Li <yanhuil@google.com>
 2019-09-23 17:36:43 -07:00
Michael Crosby
0a21292225 Check for more kill error types 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-09-23 15:36:34 -04:00
Michael Crosby
c8c7c54a6e Use typealias for containerd metrics 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-09-20 16:01:48 -04:00
Lantao Liu
470776c903
Merge pull request #1274 from Random-Liu/dualstack 
Add DualStack support
 2019-09-19 21:32:26 -07:00
Lantao Liu
c1ece0c801 Address comment. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-19 14:05:28 -07:00
Lantao Liu
b431316edd
Merge pull request #1280 from estesp/add-default-path-env 
Add back default UNIX env to container config
 2019-09-19 11:41:03 -07:00
Phil Estes
161abf8f5b
Fix golangci-lint findings 
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
 2019-09-19 09:38:40 -04:00
Phil Estes
229eb19bd6
Add back default UNIX env to container config 
Due to changes to the defaults in containerd, the CRI path to creating a
container OCI config needs to add back in the default UNIX $PATH (and
any other defaults) as that is the expected behavior from other
runtimes.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
 2019-09-19 09:00:25 -04:00
Antonio Ojea
fcd6bf318b Report Additional POD IPs 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-18 17:21:37 -07:00
Lantao Liu
dc964de85f Add windows implmenetation 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-18 10:46:29 -07:00
Lantao Liu
bbcf564745 Add windows image platform comparer 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-18 10:46:28 -07:00
Lantao Liu
c6cb25c158 Open/create log file with FILE_SHARE_DELETE on windows 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-18 10:46:28 -07:00
Michael Crosby
5a656cacb4 Move manpage gen to separate binary 
This moves the man page generation to a separate binary

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-09-12 14:19:00 -04:00
Michael Crosby
f3a5b8c0a9 Add command to generate man pages 
The climan package has a command that can be registered with any urfav
cli app to generate man pages.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-09-11 15:31:02 -04:00
Mike Brown
738179542a add a test case for container_annotations 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2019-09-10 11:28:59 +03:00
Ed Bartosh
05a9028969 Use container annotations when creating containers 
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2019-09-10 11:28:59 +03:00
Ed Bartosh
e28689657a Add ContatinerAnnotations to the Runtime and config 
Signed-off-by: Ed Bartosh <eduard.bartosh@intel.com>
 2019-09-10 11:28:51 +03:00
Lantao Liu
115b7664d9 Clarify some exec behavior. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-03 16:52:23 -07:00
Lantao Liu
50c73e6dc5 Move unix specific logic into _unix.go 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-03 16:23:42 -07:00
Lantao Liu
c6203ec13b Fix panic for task in unknown state. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-09-03 14:56:15 -07:00
Lantao Liu
2d03ccf5dd FDQN is a typo, and we don't support trailing dot in FQDN. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-30 13:31:04 -07:00
Nishchay
f41675d234
fix: support empty auth config for anonymous registry 
- empty username means caller wants to use no credentials, typically for anonymous registry
- Fixes https://github.com/containerd/cri/issues/1249

Signed-off-by: Nishchay Kumar <mrawesomenix@gmail.com>
 2019-08-28 10:24:31 -07:00
Lantao Liu
28aef2fe38 Support CNI DNS capabilities. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-22 14:29:04 -07:00
Lantao Liu
10acd8e769 Fix apparmor for privileged. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-19 16:28:45 -07:00
Michael Crosby
3995efc7c1 Update cni and go-cni to the v0.7.1 release 
Closes #1236

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-08-14 16:19:37 +00:00
Lantao Liu
81ca274c6f Add wildcard mirror support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-13 12:02:57 -07:00
Michael Crosby
2e8ea9fd6b Allow timeouts to be configured in config 
This adds a singleton `timeout` package that will allow services and user
to configure timeouts in the daemon.  When a service wants to use a
timeout, it should declare a const and register it's default value
inside an `init()` function for that package.  When the default config
is generated, we can use the `timeout` package to provide the available
timeout keys so that a user knows that they can configure.

These show up in the config as follows:

```toml
[timeouts]
  "io.containerd.timeout.shim.cleanup" = 5
  "io.containerd.timeout.shim.load" = 5
  "io.containerd.timeout.shim.shutdown" = 3
  "io.containerd.timeout.task.state" = 2

```

Timeouts in the config are specified in seconds.

Timeouts are very hard to get right and giving this power to the user to
configure things is a huge improvement.  Machines can be faster and
slower and depending on the CPU or load of the machine, a timeout may
need to be adjusted.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-08-13 17:36:32 +00:00
Lantao Liu
8021850e91
Merge pull request #1233 from AkihiroSuda/allow-ca-without-client-certs 
allow non-mutual TLS
 2019-08-11 17:07:57 -07:00
Lantao Liu
fd6c732cd7
Merge pull request #1232 from Random-Liu/avoid-schema1-roundtrip 
Remove extra roundtrip for checking schema1.
 2019-08-10 10:25:46 -07:00
Akihiro Suda
28e492fce0 allow non-mutual TLS 
Previously, client keypair had needed to be specified even when unused.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2019-08-10 21:48:03 +09:00
Lantao Liu
d64fa3b6b8 Remove extra roundtrip for checking schema1. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-09 18:47:40 -07:00
Lantao Liu
005f9f7378 Consider endpoint path when checking default host. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-09 18:22:08 -07:00
Lantao Liu
2fd69f0b78 Move config validation into pkg/config and add unit test. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-09 14:39:30 -07:00
Lantao Liu
53e94c6753 Use containerd registry mirror library. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-09 14:39:30 -07:00
Michael Crosby
d085d9b464 Remove encryption code from containerd core 
We are separating out the encryption code and have designed a few new
interfaces and APIs for processing content streams.  This keep the core
clean of encryption code but enables not only encryption but support of
multiple content types ( custom media types ).

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-08-09 15:01:16 +00:00
Alex Price
3353ab76d9 Add flag to overload default privileged host device behaviour 
This commit adds a flag to the runtime config that allows overloading of the default
privileged behaviour. When the flag is enabled on a runtime, host devices won't
be appended to the runtime spec if the container is run as privileged.

By default the flag is false to maintain the current behaviour of privileged.

Fixes #1213

Signed-off-by: Alex Price <aprice@atlassian.com>
 2019-08-08 12:16:42 +10:00
Lantao Liu
95bd02d28f
Merge pull request #1200 from jterry75/image_user 
Assign ImageSpec User if SecurityContext is not set
 2019-08-07 13:50:08 -07:00
Lantao Liu
8ea0cc90aa
Merge pull request #1221 from jterry75/log_g 
Switch to containerd/log package
 2019-08-07 13:49:33 -07:00
Justin Terry (VM)
bc2cff625b Assign ImageSpec User if SecurityContext is not set 
By default the SecurityContext for Container activation can contain a Username
UID, GID. The order of precedences is username, UID, GID. If none of these
options are specified as a last resort attempt to set the ImageSpec username.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-08-07 12:20:52 -07:00
Justin Terry (VM)
193918b702 Switch to containerd/log package 
Moves to the containerd/log package over logrus directly. This benefits the
traces because if using any log context such as OpenCensus on the entry gRPC
API all traces for that gRPC method will now contain the appropriate TraceID,
SpanID for easy correlation.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-08-07 12:18:18 -07:00
Lantao Liu
eae5fc360f Infer systemd cgroup based on path suffix. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-06 11:00:51 -07:00
Lantao Liu
871a8b89c8 Do not deprecate no_pivot yet. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-05 15:12:50 -07:00
Lantao Liu
986d04aec1 Add test for disable_proc_mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-02 11:22:34 -07:00
Phil Estes
f0821348b4
Merge pull request #3475 from stefanberger/gpg2-passphrase-via-file 
ECI: gpg: Pass the passphrase to the gpg2 tool using a pipe
 2019-08-02 13:59:17 -04:00
Lantao Liu
b74653b821 Print warning message for deprecated options. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-08-02 01:10:11 -07:00
Lantao Liu
f636fb0519
Merge pull request #1215 from Random-Liu/update-kubernetes 
Update kubernetes
 2019-08-01 10:28:25 -07:00
Lantao Liu
ba8788c6b9 Update kubernetes dependency to 1.15.0. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-31 23:52:03 -07:00
Lantao Liu
467f9e0e8a Fix proc mount support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-31 17:11:15 -07:00
Stefan Berger
5cf79913e4 gpg: Use a Pipe() rather than a file 
Use a Pipe() rather than a file to pass the passphrase to the command
line tool. Pass the file descriptor to read the passphrase from as fd '3'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2019-07-31 16:07:25 -04:00
Stefan Berger
6a25128791 gpg: Pass the passphrase to the gpg2 tool using a file 
Rather than passing the passphrase via command line write it into
a temp. file and pass the name of the file using passphrase-file option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2019-07-31 16:07:25 -04:00
Kevin Parsons
b16e7c5de1 Update pkg/ttrpcutil with improved pipe dial logic 
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
 2019-07-30 18:46:36 -07:00
Mike Brown
b23e2cf9d1
Merge pull request #1212 from mrIncompetent/return-annotations-bandwith-error 
Return actual error when fetching the bandwidth info from annotation fails
 2019-07-29 13:39:51 -05:00
Henrik Schmidt
9aec38164d Return actual error when fetching the bandwidth info from annotation fails 
Signed-off-by: mrIncompetent <henrik@henrik-schmidt.de>
 2019-07-28 09:47:31 +02:00
Lantao Liu
c78caf902d Add max concurrent downloads support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-26 18:15:17 -07:00
Lantao Liu
d3cacff8e1 Move context cancel into defer. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-25 15:00:43 -07:00
Lantao Liu
74d2b6947c
Merge pull request #1152 from jterry75/deadline_exceeded 
Return gRPC codes.DeadlineExceeded for all timeout operations
 2019-07-25 14:58:29 -07:00
Mike Brown
d2986eb5aa
Merge pull request #1187 from alculquicondor/feature/tcp 
Add option to register on TCP server
 2019-07-25 16:36:05 -05:00
Aldo Culquicondor
4b43303203 Add option to register on TCP server 
Signed-off-by: Aldo Culquicondor <acondor@google.com>
 2019-07-25 09:42:49 -04:00
Brandon Lum
3d1fa69694 Implemented constructors for both encryption and decryption 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2019-07-24 22:19:39 -04:00
Brandon Lum
05a2b63e84 Create CryptoConfig constructors in place of dcparameters 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
 2019-07-24 21:51:47 -04:00
Lantao Liu
fe0cb22026 Do not cache image handler. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-07-24 15:38:18 -07:00
Stefan Berger
364de4c35d Wrap creation of CryptoConfig in constructors 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 2019-07-23 19:53:23 -04:00
Derek McGowan
dde436e65b Crypto library movement and changes to content helper interfaces 
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
 2019-07-17 15:21:29 -04:00
Justin Terry (VM)
7b0c78bacd ExecSync should block unless client context is canceled 
A call to ExecSync should only return if the client context was canceled or
exceeded. The Timeout parameter to ExecSyncRequest is now used to send SIGKILL
if the exec'd process does not exit within Timeout but all paths wait for the
exec to exit.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-07-16 09:47:55 -07:00
Justin Terry (VM)
71cecedc44 StopContainer should block unless client context is canceled 
A call to StopContainer should only return if the client context is canceled or
its deadline was exceeded. The Timeout parameter on StopContainerRequest is now
used as the time AFTER sending the stop signal before the SIGKILL is delivered.
The call will remain until the container has exited or the client context has
finished.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-07-16 09:44:23 -07:00
Justin Terry (VM)
d7c3ecd0fb RunPodSandbox should block unless client context is canceled 
A call to RunPodSandbox should only return timeout if the operation has timed
out because the clients context deadline was exceeded. On client cancelation
it should return gRPC Canceled otherwise it should block until the sandbox has
exited.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-07-16 09:35:56 -07:00
Maksym Pavlenko
ef7f46eb7b Fix linter errors 
Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2019-07-14 20:49:40 -07:00
Michael Crosby
6601b406b7 Refactor runtime code for code sharing 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-07-08 11:47:53 -04:00
Justin Terry (VM)
cfeb2fed81 Return gRPC errors from instrumetedService 
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-06-19 10:11:18 -07:00
Lantao Liu
bb020275cb
Merge pull request #1170 from Random-Liu/remove-ctr-cri-load 
Remove ctr cri load
 2019-06-12 14:41:49 -07:00
Lantao Liu
4a417fb083
Merge pull request #1171 from Random-Liu/add-http-proxy-support 
Fix http proxy ENV when TLS is enabled.
 2019-06-12 14:40:58 -07:00
Lantao Liu
322cd48965 Remove load image support 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-06-12 11:14:11 -07:00
Lantao Liu
55e5ce0e95 Fix http client when TLS is enabled. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-06-12 11:09:53 -07:00
Lantao Liu
78b4a39f5b
Merge pull request #1163 from Random-Liu/config-v2 
Use the new v2 config
 2019-06-12 10:29:11 -07:00
Lantao Liu
b3f733f0ad
Merge pull request #1166 from mikebrow/doc-cni-maxnum 
doc update for cni max num
 2019-06-11 10:55:28 -07:00
Mike Brown
3ba04c01cc doc update for cni max num 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2019-06-11 08:35:22 -05:00
Lantao Liu
150232325e Use v2 config. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-06-10 20:51:18 -07:00
Lantao Liu
66d1870d25 Add cri managed image label when pulling the image. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-06-10 15:13:38 -07:00
Lantao Liu
53c71e2b10
Merge pull request #1155 from kuramal/cni_plugin_conf_file_max_num 
add cni plugin config file max num config
 2019-06-10 10:14:35 -07:00
Mike Brown
bc3b49efdf
Merge pull request #1160 from Random-Liu/remove-unused-todo 
Remove an unused TODO.
 2019-06-10 16:21:42 +02:00
kuramal
b022de5f37 add cni plugin config file max num config, set go-cni to commit 22460c0 
Signed-off-by: kuramal <linxxnil@126.com>
 2019-06-10 12:14:35 +08:00
Lantao Liu
770621fe7a
Merge pull request #1158 from mikebrow/cni-debug-update 
adds cni config data to the cri status/info
 2019-06-07 16:46:04 -07:00
Lantao Liu
09f83a337f Remove an unused TODO. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-06-07 15:42:04 -07:00
Vlad Ungureanu
60a58af376 Add TLS auth registry support 
Signed-off-by: Vlad Ungureanu <ungureanuvladvictor@gmail.com>
 2019-06-06 14:55:53 -07:00
Mike Brown
b87c0d74a5 adds cni config data to the cri status/info 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2019-06-05 16:39:45 -05:00
Justin Terry (VM)
b8ea1fa177 Minor typo in toCNIBandWidth 
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-05-30 11:51:10 -07:00
Lantao Liu
35e9f39991
Merge pull request #1151 from johscheuer/add-bandwidth-capability 
Initial support for traffic shaping
 2019-05-30 10:28:06 -07:00
Johannes M. Scheuermann
5e2e7c6f7d Correct Egress limits and remove unnecessary check 
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
 2019-05-30 11:44:05 +02:00
Johannes M. Scheuermann
4f0948eed5 Remove capitalized letter in error message 
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
 2019-05-29 08:20:21 +02:00
Lantao Liu
d257c16dbc Make sure exec process is killed when context is canceled. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-05-28 12:25:03 -07:00
Justin Terry (VM)
f544955e4a Update parseDNSOptions maxDNSSearches in error message 
Minor correctness. We should use the value of the const in the error message
instead of hard coding it in the string so if maxDNSSearches ever changes so
does the error.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-05-24 14:42:56 -07:00
Johannes M. Scheuermann
0d439c3474 Implement bandwidth capabilties 
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
 2019-05-24 10:29:52 +02:00
Johannes M. Scheuermann
42eb3c49af Initial support for traffic shaping 
Signed-off-by: Johannes M. Scheuermann <joh.scheuer@gmail.com>
 2019-05-24 09:01:02 +02:00
Derek McGowan
25daa7355c
Merge pull request #3192 from thaJeztah/bump_grpc_1.19.1 
bump google.golang.org/grpc v1.20.1
 2019-05-22 11:58:52 -07:00
Maksym Pavlenko
7f79fbb245 Move ttrpc client to pkg/ttrpcutil 
Signed-off-by: Maksym Pavlenko <makpav@amazon.com>
 2019-05-20 16:44:49 -07:00
Lantao Liu
6e14e01307
Merge pull request #1148 from congliu01/log 
Override container log path to empty if either of sandbox log directory or container log path is empty.
 2019-05-14 15:50:20 -07:00
Cong Liu
fda2902f30 Validate log paths in sandbox and container config. 
Only compose full container log path if neither of the paths is empty. Otherwise container won't start properly.

Signed-off-by: Cong Liu <conliu@google.com>
 2019-05-14 13:46:52 -04:00
Lantao Liu
ebce49f0ea
Merge pull request #1145 from jterry75/fix_typo 
Fix typo in WithoutRunMount
 2019-05-12 23:55:06 -07:00
Justin Terry (VM)
8ba5c02f8f Fix typo in WithoutRunMount 
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-05-10 13:30:22 -07:00
Lantao Liu
179ca59478
Merge pull request #1147 from jterry75/unix_to_syscall_signal 
Move from unix to syscall package for SIG* signals
 2019-05-10 13:14:10 -07:00
Justin Terry (VM)
c1468cdeec Move from unix to syscall package for SIG* signals 
To support cross compilation for SIG* signals perfer the syscall package over
the unix package.

Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-05-10 11:50:45 -07:00
Justin Terry (VM)
bc445d7595 Forward sandbox config to PullImage request 
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
 2019-05-10 11:35:09 -07:00
Lantao Liu
4037806184 Log failed registry mirror attempt in debug. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-05-08 23:56:29 -07:00
Sebastiaan van Stijn
2ed8e60fa1
bump google.golang.org/grpc v1.20.1 
full diff: https://github.com/grpc/grpc-go/compare/v1.12.2...v1.20.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2019-05-05 12:39:23 -07:00
Lantao Liu
ba4a04ae70 Add DefaultRuntimeName option. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-04-18 11:18:25 -07:00
Lantao Liu
a5c5d55c90
Merge pull request #1133 from Random-Liu/use-wait 
Use wait instead of `TaskExit`.
 2019-04-18 11:10:21 -07:00
Lantao Liu
d1f9611cb0 Use wait instead of TaskExit. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-04-18 00:18:26 -07:00
Lantao Liu
e425bd019a Update go-cni to 891c2a41e18144b2d7921f971d6c9789a68046b2. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-04-10 12:07:59 -07:00
Lantao Liu
fae4f79060 Enable runc.v2 as the default runtime in test. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-04-03 18:47:25 -07:00
Lantao Liu
b23b406fed
Merge pull request #1102 from Random-Liu/uts-namespace-and-fix-array 
Uts namespace and fix array
 2019-04-01 09:22:37 -07:00
Sebastiaan van Stijn
7b397f0322
bump opencontainers/selinux to v1.2 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2019-03-29 01:33:35 +01:00
Lantao Liu
4b4182cf59 Do not assume there is no duplicated elements in arrays. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-28 13:05:55 -07:00
Lantao Liu
9bd49c98c6 No UTS namespace for hostnetwork. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-27 15:07:36 -07:00
Lantao Liu
8777224600
Merge pull request #1099 from Random-Liu/do-not-kill-if-cancelled 
Do not SIGKILL container if container stop is cancelled.
 2019-03-27 14:55:18 -07:00
Michael Crosby
5eddc1a2cc Use container'd oci opts for spec generation 
This bumps the containerd and sys packages in CRI

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Remove runtime-tools

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Update tests for oci opts package

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2019-03-27 16:57:04 -04:00
Lantao Liu
1a0228d520 Do not SIGKILL container if container stop is cancelled. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-27 00:49:41 -07:00
Lantao Liu
238658719f Cleanup pod annotation test and only support tailing wildcard. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-25 12:54:34 -07:00
Harshal Patil
effd82227c Add support for passing sandbox annotations to runtime 
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com>
 2019-03-21 14:38:14 +05:30
Mike Brown
bf4e7a885c test filtering of container create masks when privileged 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2019-03-14 08:17:56 -05:00
Lantao Liu
3691cb6550 Fix /etc/hostname backward compatibility issue for in-place upgrade. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-12 01:17:41 -07:00
Lantao Liu
25442a865c
Merge pull request #1080 from zhsj/rm-partial-docker 
Use ParseSignal and AtomicWriteFile functions from containerd
 2019-03-08 10:53:05 -08:00
Lantao Liu
8a0bd84b9a
Merge pull request #1056 from Random-Liu/add-sandbox-log-dir-annotation 
Add an OCI annotation for sandbox log directory.
 2019-03-08 01:32:38 -08:00
Shengjing Zhu
c6729fe0c4 Use ParseSignal and AtomicWriteFile functions from containerd 
Containerd has its own ParseSignal and AtomicWriteFile implementation.
So there's no need to use these function from github.com/docker/docker.

Signed-off-by: Shengjing Zhu <i@zhsj.me>
 2019-03-08 00:51:04 +08:00
Lantao Liu
9eabcf525e Add an OCI annotation for sandbox log directory. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-06 16:43:36 -08:00
Lantao Liu
0464298b1e Use clean path for map and comparison. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-03-03 21:19:50 -08:00
Lantao Liu
210e80289b
Merge pull request #1055 from Random-Liu/use-right-sandbox-config 
Use the correct sandbox config.
 2019-02-28 13:02:39 -08:00
Lantao Liu
f2f90f6b00
Merge pull request #1060 from Random-Liu/support-stream-idle-timeout 
Support stream idle timeout.
 2019-02-28 10:28:27 -08:00
Lantao Liu
8222da7768 Support stream idle timeout. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-28 01:30:01 -08:00
haiyanmeng
9dea9d39f5
Add RuntimeHandler into PodSandbox and PodSandboxStatus 
The upstream CRI change: https://github.com/kubernetes/kubernetes/pull/73833

Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
 2019-02-27 16:49:35 -08:00
Lantao Liu
87dba924de Use the correct sandbox config. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-22 15:37:07 -08:00
Lantao Liu
b2cd840042
Merge pull request #1045 from Random-Liu/fix-env-performance-issue 
Fix env performance issue
 2019-02-12 11:03:33 -08:00
Lantao Liu
877c1cadc1 Include default envs from containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 10:29:45 -08:00
Lantao Liu
9e2ce3494d
Merge pull request #1042 from Random-Liu/etc-hostname 
Set /etc/hostname.
 2019-02-12 10:15:11 -08:00
Lantao Liu
ec6dd37691 Add env cache. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 03:02:20 -08:00
Lantao Liu
89717d0b63 Don't log config at info level. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 02:07:53 -08:00
Lantao Liu
089d4fbfb8 Set /etc/hostname. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-12 00:18:00 -08:00
Sebastiaan van Stijn
51affb8839
Replace util.NormalizeImageRef with reference.ParseDockerRef 
Using the utility caused other project to have containerd/cri
as a dependency, only for this utility. The new `reference.ParseDockerRef`
function does the same (it's a copy of this function).

Tests were kept for now, but could be removed in future.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2019-02-07 13:22:58 +01:00
Lantao Liu
83af4dad87 Support unknown state for sandbox and container 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-05 11:56:24 -08:00
Lantao Liu
4dc6f6d0b5 Add state machine for sandbox and container 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-05 11:56:24 -08:00
Lantao Liu
bfd25c80b4 Change StateUnknown to StateInit 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-02-04 11:24:49 -08:00
Iskander (Alex) Sharipov
dfebb404cb
remove excessive []byte(s) conversion 
`copy` permits using to mix `[]byte` and `string` arguments without
explicit conversion. I removed explicit conversion to make the code simpler.

Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
 2019-01-28 19:50:28 +03:00
Lantao Liu
4dd6735020
Merge pull request #1029 from Random-Liu/add-runtime-config-api 
Add a generic runtime options api.
 2019-01-24 17:36:20 -08:00
Lantao Liu
bf00de33a5
Merge pull request #1025 from JoeWrightss/patch-4 
Fix some typos in comment
 2019-01-24 11:17:33 -08:00
Lantao Liu
d9914c8dbd Always fallback to the new runtime options. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-01-24 00:59:02 -08:00
Lantao Liu
42aba00a31 Add runtime config api. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-01-24 00:59:02 -08:00
Lantao Liu
556b219450 Fix lint error. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-01-23 18:14:34 -08:00
Lantao Liu
50ac40097e Fix the log ending newline handling. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-01-23 17:23:13 -08:00
Wei Fu
132ee9b826 fix: linter issue 
megacheck, gosimple and unused has been deprecated and subsumed by
staticcheck. And staticcheck also has been upgraded. we need to update
code for the linter issue.

close: #2945

Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2019-01-23 22:54:51 +08:00
zhoulin xie
ae1b7ac4fd Fix some typos in comment 
Signed-off-by: zhoulin xie <zhoulin.xie@daocloud.io>
 2019-01-17 15:50:46 +08:00
Lantao Liu
b1ad4ee9b6 Add unit test for DisableCgroup, RestrictOOMScoreAdj. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2019-01-03 10:47:34 -08:00
Lantao Liu
0fa8668aa4
Merge pull request #970 from AkihiroSuda/rootless 
support DisableCgroup, DisableApparmor, RestrictOOMScoreAdj
 2019-01-03 10:14:22 -08:00
Lantao Liu
1fbd06479e
Merge pull request #1010 from teawater/fix_crash 
Fix the issue that pod or container config file without metadata will…
 2019-01-03 10:10:26 -08:00
Hui Zhu
3bfef01589 Fix the issue that pod or container config file without metadata will crash containerd 
Because RunPodSandbox and CreateContainer will access metadata
without check, pod or container config file without metadata will
crash containerd.

This patch add checks to handle the issue.

Fixes: #1009

Signed-off-by: Hui Zhu <teawater@hyper.sh>
 2019-01-03 11:02:10 +08:00
Akihiro Suda
cd8231ab2a support DisableCgroup, DisableApparmor, RestrictOOMScoreAdj 
Add following config for supporting "rootless" mode

* DisableCgroup: disable cgroup
* DisableApparmor: disable Apparmor
* RestrictOOMScoreAdj: restrict the lower bound of OOMScoreAdj

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2019-01-03 05:12:04 +09:00
Lantao Liu
4b4b2abb2e
Merge pull request #1000 from Random-Liu/teardown-network-after-stop 
Teardown sandbox network after stop.
 2019-01-02 10:04:56 -08:00
JoeWrightss
55fb3b9fce Fix return error message 
Signed-off-by: JoeWrightss <zhoulin.xie@daocloud.io>
 2018-12-30 18:08:04 +08:00
Lantao Liu
fbab182e5e Teardown sandbox network after stop. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-12-14 15:52:17 -08:00
Mike Brown
cd3d5c7992
Merge pull request #993 from JoeWrightss/patch-2 
Fix some typo errors
 2018-12-11 07:49:27 -08:00
JoeWrightss
d53bcba991 Fix some typo errors 
Signed-off-by: JoeWrightss <zhoulin.xie@daocloud.io>
 2018-12-11 22:13:03 +08:00
Lantao Liu
ec6a1eab11
Merge pull request #991 from Random-Liu/remove-container-lifecycle-image-dependency 
Remove container lifecycle image dependency
 2018-12-07 17:03:57 -08:00
Lantao Liu
515ef02473 Remove container lifecycle image ref dependency. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-12-07 10:40:21 -08:00
JoeWrightss
37085692e2 fix spelling error: contaner -> container 
Signed-off-by: JoeWrightss <zhoulin.xie@daocloud.io>
 2018-12-07 22:56:09 +08:00
Lantao Liu
db0c4dea24
Merge pull request #984 from mikebrow/ignore-exits-with-no-id 
filter events for non k8s.io namespaces
 2018-12-05 00:10:41 -08:00
Mike Brown
b59dd55966 filter namespace 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-12-04 16:51:24 -06:00
Lantao Liu
de967051d4 Fix kill when shared pid namespace. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-12-04 01:53:09 -08:00
Mike Brown
f8e89f71a9 adds cni results to verbose pod info 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-11-26 15:57:00 -06:00
Lantao Liu
80554f4a85
Merge pull request #973 from Random-Liu/use-event-id 
Use the `ID` field of `TaskExit` event.
 2018-11-12 17:02:34 -08:00
Lantao Liu
7f1f4e7a14 Remove invalid TODO comment. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-11-12 14:34:36 -08:00
Lantao Liu
d4c825f905 Use the ID field of TaskExit event. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-11-12 14:30:27 -08:00
Lantao Liu
459e481808 Update code for golang 1.11 gofmt. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-11-07 16:08:58 -08:00
Mike Brown
1b3ff7462e removes authconfit from info log 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-10-29 21:17:15 -05:00
Lantao Liu
c1740d8291 Manage mount lifecycle and remove cached state 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-24 11:00:25 -07:00
Starnop
22a8777a9e refactor: setup network after get Sandbox runtime 
Signed-off-by: Starnop <starnop@163.com>
 2018-10-17 16:35:45 +08:00
Lantao Liu
84775d2c10 Add integration test. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-11 10:32:19 -07:00
Lantao Liu
c39f63eaf4 Teardown pod network even if the network namespace is closed 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-10 13:10:18 -07:00
Lantao Liu
70da14e4b3
Merge pull request #943 from Random-Liu/support-per-runtime-config 
Support runtime specific configurations.
 2018-10-09 08:09:12 -07:00
Lantao Liu
1442425f92 Support runtime specific configurations. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-08 17:17:29 -07:00
Lantao Liu
3e4cf68a3f Use Authorizer. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-10-08 15:16:15 -07:00
JulienBalestra
27f33cd4d6
cni result: add a debug message 
Signed-off-by: JulienBalestra <julien.balestra@datadoghq.com>
 2018-10-03 17:19:51 +02:00
Akihiro Suda
5349fa31df remove pkg/testutil/loopback_linux.go and use continuity/testutil/loopback 
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2018-10-02 13:12:25 +09:00
Lantao Liu
db68300a5a Manage unmanaged images in k8s.io namespace 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-27 11:19:11 -07:00
Lantao Liu
963a01735b Add timeout for container/sandbox recover and event monitor. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-26 15:23:15 -07:00
Lantao Liu
4b45e16a4b Show runtime handler in sandbox debug info. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-16 21:27:51 -07:00
Lantao Liu
ca3b806b5c Fix addition group ids. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-13 16:31:32 -07:00
Lantao Liu
f540c2a74d Skip sctp protocol hostport mapping. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-11 16:32:15 -07:00
Lantao Liu
fe0cd3672b
Merge pull request #865 from Random-Liu/cache-image-reference 
Cache image reference
 2018-09-10 16:21:57 -07:00
Lantao Liu
953d67d250 Create image reference cache. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-10 11:30:52 -07:00
Lantao Liu
f08a90ff64 Fix hostname env. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-10 10:58:17 -07:00
Lantao Liu
cfdf872493
Merge pull request #891 from tallclair/runtimehandler 
Add RuntimeHandler support
 2018-09-10 10:09:57 -07:00
Lantao Liu
eb3d3cfc5e Revert "Add HOSTNAME to env by default for pod containers" 
This reverts commit 4c3e195db3.

Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-06 15:30:53 -07:00
Lantao Liu
db8500d10c
Merge pull request #892 from Random-Liu/fix-volume-mount-order 
Sort volume mount.
 2018-09-06 14:44:45 -07:00
Tim Allclair
e7189a25c3
Add RuntimeHandler support 
Signed-off-by: Tim Allclair <tallclair@google.com>
 2018-09-05 17:27:35 -07:00
Lantao Liu
67c0b3e5e2
Merge pull request #894 from Random-Liu/support-masked-readonly-paths 
Support masked readonly paths
 2018-09-05 10:32:40 -07:00
Phil Estes
4c3e195db3
Add HOSTNAME to env by default for pod containers 
To match expectations of users coming from Docker engine runtime, add
the HOSTNAME to the environment of new containers in a pod.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
 2018-09-05 12:04:40 -04:00
Lantao Liu
3e4cec8739 Add MaskedPaths and ReadonlyPaths support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-04 23:49:16 -07:00
Lantao Liu
063f8158f8 Sort volume mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-09-04 22:43:37 -07:00
Lantao Liu
49877571e9
Merge pull request #886 from DataDog/JulienBalestra/tls-stream 
stream: can use user certificates
 2018-09-03 23:35:18 -07:00
JulienBalestra
dffd0dfa0e
streaming: tls conf validation to func with tests 
Signed-off-by: JulienBalestra <julien.balestra@datadoghq.com>
 2018-08-30 15:10:48 +02:00
JulienBalestra
859003a940
stream: struct for x509 key pair, update the docs, error management 
Signed-off-by: JulienBalestra <julien.balestra@datadoghq.com>
 2018-08-28 17:22:11 +02:00
JulienBalestra
b82b524260
stream: can use user certificates 
Signed-off-by: JulienBalestra <julien.balestra@datadoghq.com>
 2018-08-27 19:26:14 +02:00
Lantao Liu
bca304ff3e Fix an issue that container/sandbox can't be stopped. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-08-24 18:54:08 -07:00
Lantao Liu
58eb04550d
Merge pull request #873 from miaoyq/verify-selinux-level 
Verify selinux level format
 2018-08-13 18:57:01 -07:00
Yanqiang Miao
a87bda08c0 update selinux to b6fa367 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2018-08-14 08:33:43 +08:00
Yanqiang Miao
415727cd9f verify selinux level format 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2018-08-14 08:33:34 +08:00
Lantao Liu
6379fd0346 Update containerd to b9eeaa1ce8. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-08-09 01:53:44 -07:00
Lantao Liu
e1a37e8797 Unpack image during import. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-07-26 07:48:41 +00:00
Lantao Liu
a0cfc8c1d2
Merge pull request #857 from egernst/untrusted-priv 
sandbox: separate host accessing workload and privileged
 2018-07-24 12:11:41 -07:00
Eric Ernst
9a01272dc2 sandbox: separate host accessing workload and privileged 
VM isolated runtimes can support privileged workloads. In this
scenario, access to the guest VM is provided instead of the host.
Based on this, allow untrusted runtimes to run privileged workloads.

If the workload is specifically asking for node PID/IPC/network, etc.,
then continue to require the trusted runtime.

This commit repurposes the hostPrivilegedSandbox utility function to
only check for node namespace checking.

Fixes: #855

Signed-off-by: Eric Ernst <eric.ernst@intel.com>
 2018-07-22 16:51:22 -07:00
Lantao Liu
b3d6f16383 Serve streaming on localhost by default to match k8s 1.11 default. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-07-21 01:10:45 +00:00
yanxuean
7065dd81f9 support no_pivot option for runc 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2018-07-20 08:46:50 +08:00
Lantao Liu
7beac6fcc1
Merge pull request #849 from dmcgowan/remove-stringid 
Replace stringid call with simple random reader
 2018-07-12 18:32:28 -07:00
Derek McGowan
cce0a46c8a
Seed random on ctr and containerd startup 
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
 2018-07-12 17:51:55 -07:00
Derek McGowan
1984e451d5 Replace stringid with simple rand reader 
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
 2018-07-12 16:40:45 -07:00
Lantao Liu
e4ad68098e Remove pkg/containerd/resolver package. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-07-09 19:08:48 -07:00
Lantao Liu
952e53bf58 Add registry auth config, and use docker resolver in containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-07-09 19:08:48 -07:00
Lantao Liu
4eb4a29577
Merge pull request #825 from abhi/cni_config 
Change to keep in sync with latest cni config
 2018-06-21 16:14:31 -07:00
Abhinandan Prativadi
263b0b99d0 Change to keep in sync with latest cni config 
This commit contains change to pick the latest cni config
from the configured CNIConfDir.
With this change any changes made to the cni config file will
be picked up on the kubelet's runtime status check call.
Ofcourse this would lead to undefined behavior when the cni config
change is made in parallel during pod creation. However its
reasonable to assume that the operator is aware of the need to
drain the nodes of pods before making cni configuration change.
The behavior is currently not defined in kubernetes. However
I see that similar approach being adopted in the upstream kubernetes
with dockershim. Keeping the behavior consistent for now.

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2018-06-21 20:43:38 +00:00
Filipe Brandenburger
01d77d44f5 Update github.com/opencontainers/runtime-tools to v0.6.0 
Also add new dependencies on github.com/xeipuuv/gojson* (brought up by
new runtime-tools) and adapt the containerd/cri code to replace the APIs
that were removed by runtime-tools.

In particular, add new helpers to handle the capabilities, since
runtime-tools now split them into separate sets of functions for each
capability set.

Replace g.Spec() with g.Config since g.Spec() has been deprecated in the
runtime-tools API.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
 2018-06-20 13:52:50 -07:00
Lantao Liu
b60e456bd9 Fix snapshotter nil panic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-20 00:43:44 +00:00
Lantao Liu
e3d57d240f
Merge pull request #761 from Random-Liu/add-log-max-size 
Add log max size
 2018-06-15 15:56:04 -07:00
Lantao Liu
53f1ab4145 Fix double /dev/shm mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-14 19:03:19 -07:00
Lantao Liu
405f57f8e0 Add max_container_log_size 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-14 14:24:17 -07:00
Lantao Liu
46d621e4ac Support Cmd for sandbox container. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-12 14:38:55 -07:00
Lantao Liu
b7aac6396d
Merge pull request #811 from Random-Liu/fix-volume-ownership 
Fix empty volume ownership.
 2018-06-11 10:42:04 -07:00
Lantao Liu
c55776377f Fix empty volume ownership. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-11 08:40:35 +00:00
Lantao Liu
c9216531ce Revert "Use pod ip instead of localhost in pod netns for portforward." 
This reverts commit dd886bc281.

Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-11 07:35:32 +00:00
Lantao Liu
d7abb5b489
Merge pull request #807 from Random-Liu/log-task-exit-event 
Log task exit event.
 2018-06-08 20:07:04 -07:00
Lantao Liu
5a1105c614
Merge pull request #808 from Random-Liu/erase-ambient-caps 
Erase ambient capabilities.
 2018-06-08 20:06:34 -07:00
Lantao Liu
dd886bc281 Use pod ip instead of localhost in pod netns for portforward. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-08 18:26:06 -07:00
Lantao Liu
b367f30097 Erase ambient capabilities. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-08 14:37:05 -07:00
Vincent Demeester
832b05ae67
Update tests to use gotest.tools angel 
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
 2018-06-08 21:02:01 +02:00
Lantao Liu
e4e2585431 Log task exit event. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-08 08:33:12 +00:00
Lantao Liu
83e6b65566 Select ipv4 first if there is one. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-05 18:25:03 +00:00
Lantao Liu
0faff1c22f Fix ctr cri timeout. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-06-05 01:24:28 +00:00
Akihiro Suda
097249054d vendor containerd (#2135) 
For containerd/containerd#2135

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2018-06-02 23:10:59 +09:00
Lantao Liu
578b34f112
Merge pull request #794 from Random-Liu/panic-for-cri-start-failure 
Generate fatal error when cri plugin fail to start.
 2018-05-31 13:21:16 -07:00
Lantao Liu
b870ee7942 Generate fatal error when cri plugin fail to start. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-31 10:49:11 -07:00
Lantao Liu
b68fb075d4
Merge pull request #793 from Random-Liu/port-containerd-fix-#2364 
Port docker resolver fix #2364.
 2018-05-31 01:03:00 -07:00
Lantao Liu
0fae42b9b8 Port docker resolver fix #2364. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-30 17:25:46 -07:00
Evan Hazlett
d7d2212324 vendor bump 
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

containerd: linux -> runtime/linux

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

fix utils to properly format vendor repo

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

test fixup

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
 2018-05-30 19:51:24 -04:00
Wei Fu
e28b77c08c Remove useless error-check in createImageReference 
Signed-off-by: Wei Fu <fhfuwei@163.com>
 2018-05-25 10:23:13 +08:00
Lantao Liu
60b0d08a6f Use containerd.WithPullUnpack. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-23 12:39:14 -07:00
Michael Crosby
009ba4d797 Move testutils to pkg 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2018-05-22 17:08:38 -04:00
Michael Crosby
927517de36 Move dialer to pkg 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2018-05-22 13:32:25 -04:00
Michael Crosby
ae4b78d1cc Move progress into pkg 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2018-05-22 13:32:25 -04:00
Ricardo Aravena
f79e0171ca
Minor typo 
Signed-off-by: Ricardo Aravena <raravena80@gmail.com>
 2018-05-15 09:11:48 -07:00
Lantao Liu
5d29598a6d Fix workingset memory calculation. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-11 15:17:16 -07:00
Lantao Liu
a5d1332e8f Explicitly set rw for privileged container. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-05-07 15:13:14 -07:00
Lantao Liu
5f4035ae2f
Merge pull request #754 from kolyshkin/mount 
os.Unmount: do not consult mountinfo
 2018-04-30 14:41:57 -07:00
Kir Kolyshkin
daeab40b45 os.Unmount: do not consult mountinfo, drop flags 
1. Currently, Unmount() call takes a burden to parse the whole nine yards
of /proc/self/mountinfo to figure out whether the given mount point is
mounted or not (and returns an error in case parsing fails somehow).

Instead, let's just call umount() and ignore EINVAL, which results
in the same behavior, but much better performance.

This also introduces a slight change: in case target does not exist,
the appropriate error (ENOENT) is returned -- document that.

2. As Unmount() is always used with MNT_DETACH flag, let's drop the
flags argument. This way, the only reason of EINVAL returned from
umount(2) can only be "target is not mounted".

3. While at it, remove the 'containerdmount' alias from the package.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
 2018-04-30 12:54:10 -07:00
Lantao Liu
279fa853a6 Always mount sysfs as rw. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-26 18:58:26 -07:00
Lantao Liu
daa9f6008c
Merge pull request #743 from Random-Liu/fix-sandbox-stop-race 
Fix sandbox stop race condition.
 2018-04-18 13:28:54 -07:00
Lantao Liu
856534c846 Fix sandbox stop race condition. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-18 10:12:33 -07:00
Lantao Liu
5cb4744f27 Fix portforward for host network. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-17 08:24:44 +00:00
Lantao Liu
69b3f3aeac Add socat back. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-11 01:53:24 +00:00
Lantao Liu
b09489de96
Merge pull request #727 from Random-Liu/fix-symlink-layer 
Support symlink layer in image import.
 2018-04-10 18:32:29 -07:00
Lantao Liu
9f85c48e4c Support symlink layer in image import. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-10 22:08:45 +00:00
Lantao Liu
3d0706c4e5
Merge pull request #691 from abhi/socat 
Getting rid of nsenter and socat
 2018-04-09 15:34:44 -07:00
abhi
02b952ec17 Getting rid of socat 
Signed-off-by: abhi <abhi@docker.com>
 2018-04-09 14:31:44 -07:00
Lantao Liu
304045491c
Merge pull request #725 from Random-Liu/fix-resolver-race 
Fix resolver race
 2018-04-09 13:10:44 -07:00
Lantao Liu
a68530c1e8 Port containerd fix #2276 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-09 18:36:06 +00:00
Lantao Liu
d8a3c5f254 Address comments. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-09 18:15:09 +00:00
Lantao Liu
b2099c2061 Add cni config template support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-04-07 06:34:45 +00:00
abhi
aeef99a76e Using netns to perform socat 
This commit removes the usage of nsenter and uses netns
to perform socat operation.

Signed-off-by: abhi <abhi@docker.com>
 2018-04-05 13:28:00 -07:00
Mike Brown
c7793564fc switches from not CA signed to self CA signed for streaming TLS 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-04-02 17:50:12 -05:00
Mike Brown
2f9f721b63 adds a new flag to enable TLS support insecure for now 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-04-02 12:27:55 -05:00
Lantao Liu
ed20174ce4 Add RunAsGroup support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-30 22:26:07 +00:00
Lantao Liu
be43ad09da Fix a log output. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-28 21:31:44 +00:00
Lantao Liu
277edb2d3b Fix event monitor panic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-27 01:41:35 +00:00
Lantao Liu
f0655ecfe0 Use pause image from new source. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-26 07:11:41 +00:00
Lantao Liu
356a41c424
Merge pull request #697 from Random-Liu/fs-layout-change 
adds volatile state directory to the fs plan for cntrs/pods/fifo
 2018-03-23 19:24:19 -07:00
Lantao Liu
f4c9ef2647 Add symlink follow into unmount util. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-24 01:25:31 +00:00
Mike Brown
94df315de8 adds volatile state directory to the fs plan for cntrs/pods/fifo 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-03-24 00:05:52 +00:00
Lantao Liu
aa83a7a0aa Change for new containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-23 23:03:16 +00:00
Lantao Liu
c6fecb2115
Merge pull request #688 from Random-Liu/cleanup-kata-code 
Address comments for privileged runtime code.
 2018-03-22 23:01:31 -07:00
Lantao Liu
ca67f94ee0 Address comments for privileged runtime code. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-23 02:17:46 +00:00
Lantao Liu
55d512b98c Make const private. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-23 00:48:50 +00:00
Lantao Liu
5ae4de1cc2
Merge pull request #681 from mikebrow/tls-config 
adds tls certificate to tls config
 2018-03-22 17:34:04 -07:00
Mike Brown
89adb74414 adds tls certificate to tls config 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-03-22 09:42:31 -05:00
Nitesh Konkar
6a542c596b Bump pause container to multi-arch gcr.io/google-containers/pause:3.1 
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
 2018-03-22 05:44:12 +00:00
Lantao Liu
9177cb16bc Remove omitempty from config json. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-21 07:28:25 +00:00
Jose Carlos Venegas Munoz
bdc5eee544 test: Add unit tests for privileged runtime functions 
- Add unit test for privilegedSandbox

- Add unit test  for getRuntime

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
 2018-03-20 18:04:23 -06:00
Jose Carlos Venegas Munoz
ca16bd601a runtime: Add trusted runtime option 
Some CRI compatible runtimes may not support provileged operations.
Specifically hypervisor based runtimes (like kata-containers, cc-runtime
and runv) do not support privileged operations like:

- Provide access to the host namespaces
- Create fully privileged containers with access to host devices

Hypervisor based runtimes create container workloads within virtual machines.
When a running host privileged containers using them,
they wont provide support to requested the privileged opertations.

This commits add the new options to define two runtimes:

Trusted runtime : Used when a privileged container is requested.
Default runtime : for non-privileged workloads.

A container that belongs to a privileged pod will inherent this property
an will be created with the trusted runtime.

- Add options to define trusted runtime
- Add logic to decide if a sanbox is trusted
- Export annotation containers below to a trusted sandbox

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
 2018-03-20 13:56:49 -06:00
Lantao Liu
387da59ee5 Rename all variables to remove "cricontainerd". 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-19 21:59:32 +00:00
Lantao Liu
e1fe1abff0 Use github.com/pkg/errors 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-17 02:24:38 +00:00
abhi
2bdf428eb7 Removing DAD config and updating plugins to v0.7.0 
Signed-off-by: abhi <abhi@docker.com>
 2018-03-16 14:46:46 -07:00
Lantao Liu
1dcbf4f742
Merge pull request #663 from abhi/cni 
Moving to use go-cni library from containerd
 2018-03-15 17:53:50 -07:00
Lantao Liu
5e5a5f50d1
Merge pull request #671 from Random-Liu/ctrcri-to-ctr-cri 
Ctrcri to ctr cri
 2018-03-15 17:14:59 -07:00
abhi
003bbd4292 Modifying fake cni plugin 
Signed-off-by: abhi <abhi@docker.com>
 2018-03-15 17:05:33 -07:00
Lantao Liu
7e67d96b9b Replace ctrcri with ctr cri. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-15 23:22:00 +00:00
Lantao Liu
d389af83a9 Cleanup event backoff. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-15 18:49:36 +00:00
yanxuean
c751847350 Handle containerd event reliably 
fix #434

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2018-03-15 17:14:02 +08:00
yanxuean
7583bce4ab some comments 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2018-03-15 15:55:54 +08:00
abhi
92110e1d74 Moving to use go-cni library from containerd 
This fix aims to use the cni library form containerd.
The library avoid usage of nsenter.

Signed-off-by: abhi <abhi@docker.com>
 2018-03-14 19:25:54 -07:00
Mike Brown
d4e7154625 move links for cri-containerd to cri 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-03-13 17:06:26 -05:00
Lantao Liu
f0a500a390 Use direct function call. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-13 04:51:19 +00:00
Lantao Liu
80b2f751d3
Merge pull request #654 from stevvooe/simplify-stopch 
pkg/store: use a sync.Once to synchronize channel close
 2018-03-09 15:29:32 -08:00
Lantao Liu
e20c6eb8a8
Merge pull request #558 from Random-Liu/report-containerd-version 
Report containerd version instead of cri-containerd version.
 2018-03-09 15:25:32 -08:00
Stephen J Day
4ed26f3116
pkg/store: use a sync.Once to synchronize channel close 
Signed-off-by: Stephen J Day <stephen.day@docker.com>
 2018-03-09 14:43:16 -08:00
Abhinandan Prativadi
1f28f8d2fe
Merge pull request #650 from Random-Liu/fix-resolver 
Handles 401 in resolver.
 2018-03-07 10:59:43 -08:00
Lantao Liu
40c8372f0e Handles 401 in resolver. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-07 07:35:02 +00:00
Lantao Liu
f01c6d73a6 Fix cleanup context. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-07 07:05:27 +00:00
Lantao Liu
d3b112a989
Merge pull request #639 from Random-Liu/remove-standalone-mode 
Remove standalone mode
 2018-03-05 17:23:06 -08:00
Lantao Liu
ceb540d823 Fix potential panic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-05 22:09:58 +00:00
Lantao Liu
d1e9960180 Remove standalone mode 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-05 21:45:20 +00:00
Lantao Liu
36b4c05354 Report containerd version instead of cri-containerd version. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-03-01 01:26:37 +00:00
Lantao Liu
f5390d01d6 Fix a potential panic 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-22 03:17:16 +00:00
Lantao Liu
6d538ccbf6 Do not block on stream server close. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-14 08:41:29 +00:00
Lantao Liu
a8264ec035 Support reopening container log. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-13 17:57:45 +00:00
Lantao Liu
6900cbdada Use mountpoint as image fs identifier. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-09 07:46:49 +00:00
Mike Brown
6e1c57ec01 update runc vendor and containerd 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-02-08 19:01:48 -06:00
Lantao Liu
46fc92f65f Use new namespace mode and support shared pid namespace. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-08 03:10:57 +00:00
Lantao Liu
605b4a7b6a Update imports 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-08 02:45:44 +00:00
Lantao Liu
047df7aca6
Merge pull request #602 from mikebrow/critools-install-minor-update 
update critools
 2018-02-07 18:44:37 -08:00
Mike Brown
edb2b2379d change crictl sandboxes to pods; other references to sandboxes 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2018-02-07 17:23:59 -06:00
Lantao Liu
8925ef90be Use trace support in containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-07 19:17:26 +00:00
Lantao Liu
2b8800df2b
Merge pull request #592 from Random-Liu/fix-registry-mirror 
Fix registry mirror.
 2018-02-02 15:37:29 -08:00
Lantao Liu
92995e29e5 Fix registry mirror. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-02 22:52:36 +00:00
Lantao Liu
d113c16802 Update ocicni to my fork. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-02 19:45:26 +00:00
Lantao Liu
7ddd9255b6 Add golang version in Status info. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-02-01 20:10:39 +00:00
Abhinandan Prativadi
8094fe69d4
Merge pull request #531 from abhi/registry-mirror 
Adding Registry Mirror support
 2018-01-31 13:01:25 -08:00
abhi
f3ccd85891 Adding Registry Mirror support 
This commit aims to add registy mirror support similar to
docker. The UI is similar to docker where user can
provide mirror urls and the image resolves against the provided
mirrors before fetching from default docker regitry mirror url.

Signed-off-by: abhi <abhi@docker.com>
 2018-01-31 10:47:34 -08:00
yason
6931a69881 add filter for containerd event 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2018-01-30 14:13:22 +08:00
Lantao Liu
4dfd8250fd Fix a privileged check. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-27 02:25:52 +00:00
Yanqiang Miao
61c1fdb098 Use channel to propagate the stop info of sandbox 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2018-01-26 16:58:13 +08:00
Lantao Liu
f401662123
Merge pull request #571 from Random-Liu/do-not-list-task 
Avoid containerd access as much as possible.
 2018-01-25 16:13:43 -08:00
Lantao Liu
df58d6825d Avoid containerd access as much as possible. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-25 23:36:00 +00:00
Lantao Liu
e7f2a74a84 Add runtime cgroup and fix a cli panic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-25 22:32:57 +00:00
Yanqiang Miao
c663d2423e Use channel to pass the stop info instead of polling for container stop 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2018-01-25 11:07:54 +08:00
Lantao Liu
635e5747c0 Update containerd and leverage plugin graceful stop. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-23 22:46:46 +00:00
Lantao Liu
2b6f084f36 Disable IPv6 dad by default. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-22 23:54:16 +00:00
Lantao Liu
4e9ca399e1 Use containerd plugin config. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-19 02:25:03 +00:00
Lantao Liu
7d18d61674 Move cgroup and oom score setting to cmd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-19 01:35:36 +00:00
Lantao Liu
74d8880032
Merge pull request #552 from Random-Liu/use-containerd-grpc-server 
Use containerd grpc server
 2018-01-18 12:36:05 -08:00
Lantao Liu
62e6921145 Use containerd grpc server 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-18 18:51:18 +00:00
Lantao Liu
6fadb7f5e9 Minor code cleanup. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-18 07:31:16 +00:00
Lantao Liu
3d68005c04 Replace glog with logrus 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-17 21:57:31 +00:00
Lantao Liu
383a89b948 Add flags and utils for logrus 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-17 21:57:31 +00:00
Jose Carlos Venegas Munoz
b383b0261a Annotations: Provide container metadata for VM based runtimes 
For hypervisor-based container runtimes (like Kata Containers, Clear Containers
or runv) a pod will be created in a VM and then create containers within the VM.

When a runtime is requested for container commands like create and start, both
the instal "pause" container and next containers need to be added to the pod
namespace (same VM).

A runtime does not know if it needs to create/start a VM or if it needs to add a
container to an already running VM pod.

This patch adds a way to provide this information through container annotations.
When starting a container or a sandbox, 2 annotations are added:

- type (Container or Sandbox)
- sandbox name

This allow to a VM based runtime to decide if they need to create a pod VM or
container within the VM pod.

Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
 2018-01-17 09:57:20 -06:00
Lantao Liu
cdb1bf0946 Use new cio package. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-12 22:35:24 +00:00
Lantao Liu
8782f18d50 Add integration test for volume copy up. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-11 19:10:52 +00:00
Lantao Liu
54b3b4e0b0 Use graphdriver/copy instead of chrootarchive 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-11 19:10:11 +00:00
Lantao Liu
025ffe551f Rename kubernetes-incubator/cri-containerd to containerd/cri-containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-10 22:35:33 +00:00
Lantao Liu
5bfa5e451a
Merge pull request #528 from cpuguy83/skip_selinux_test 
Minor cleanup on selinux test
 2018-01-09 16:30:41 -08:00
Brian Goff
2a07847d67 Use t.Run() instead of t.Log() for subtest log 
Signed-off-by: Brian Goff <brian.goff@docker.com>
 2018-01-09 15:45:13 -05:00
Brian Goff
96484eb3e7 Use t.Skip() when selinux is not enabled 
Signed-off-by: Brian Goff <brian.goff@docker.com>
 2018-01-09 15:43:56 -05:00
Lantao Liu
dca05358dc Add flag to skip imagefs uuid related logic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-08 18:41:13 +00:00
Lantao Liu
aee7a366f3
Merge pull request #525 from abhi/cniip 
Caching IP allocated by CNI plugin
 2018-01-05 00:27:48 -08:00
abhi
f1dbc0b375 Caching IP allocated by CNI plugin 
Signed-off-by: abhi <abhi@docker.com>
 2018-01-04 20:00:55 -08:00
Lantao Liu
31bc964195 Enable HostSpecific option in runtime-tools generator. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-03 19:04:47 +00:00
Lantao Liu
cebe1b39f7 Remove default rlimits. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2018-01-02 18:53:01 +00:00
Lantao Liu
b701b0e496 Add our own DeepCopy. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-16 00:23:14 +00:00
Lantao Liu
737efe70a7
Merge pull request #493 from Random-Liu/minor-cleanup 
Minor cleanup.
 2017-12-12 23:30:47 -08:00
Lantao Liu
e4753edf0a Minor cleanup. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-13 03:15:01 +00:00
yason
6c9a837b7a cleanup some comment for removeImage 
Signed-off-by: yason <yan.xuean@zte.com.cn>
 2017-12-13 10:07:52 +08:00
Lantao Liu
a9c7237e67
Merge pull request #470 from mikebrow/debug-image 
adding info map for verbose image status
 2017-12-12 15:09:57 -08:00
Mike Brown
31223fd5b1 adds oci image spec to image info placed into imagestore 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-12-12 15:58:07 -06:00
Lantao Liu
cbda4256cd
Merge pull request #487 from yanxuean/image-improve 
improve image
 2017-12-12 11:58:43 -08:00
Mike Brown
03ac989644 adding info map for verbose image status 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-12-12 13:44:08 -06:00
Lantao Liu
c9b279bb79
Merge pull request #479 from Random-Liu/improve-container-sandbox-status 
Improve container sandbox status
 2017-12-12 11:42:51 -08:00
yason
5f6d9a5fcc reliably remove image when content missing 
Signed-off-by: yason <yan.xuean@zte.com.cn>
 2017-12-12 18:44:59 +08:00
yason
4762b3e273 remove taskService and imageStoreService 
Signed-off-by: yason <yan.xuean@zte.com.cn>
 2017-12-12 16:51:22 +08:00
Lantao Liu
f4c572fba7 Add restart test for sandbox recovery. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-11 21:21:08 +00:00
Lantao Liu
dd017e6e6c Move less important function to the end. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-11 18:45:57 +00:00
Lantao Liu
b25b06577e Improve container and sandbox status. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-11 18:45:56 +00:00
yason
41c8763e2b improve calling for content 
Signed-off-by: yason <yan.xuean@zte.com.cn>
 2017-12-11 15:28:10 +08:00
Mike Brown
220411b73b adding info map for verbose pod status 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-12-05 19:40:39 -06:00
Lantao Liu
11eb24c26f
Merge pull request #475 from Random-Liu/order-container-status-fields 
Use one big info struct before we change info to an array.
 2017-12-05 14:37:36 -08:00
Lantao Liu
85b943eb47 Use one big info struct before we change info to an array. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-05 21:37:12 +00:00
Lantao Liu
266e49a3bf
Merge pull request #471 from yanxuean/improve-unmount 
Improve unmount for snapshot
 2017-12-05 09:54:05 -08:00
yason
2a25cf7c1f sync Unmount for snapshot 
best effort to remove temp dir for snapshot

Signed-off-by: yason <yan.xuean@zte.com.cn>
 2017-12-05 19:05:32 +08:00
Lantao Liu
572e354a2d Revert debug code. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-05 07:40:11 +00:00
Lantao Liu
562eb725c7
Merge pull request #458 from mikebrow/boilerplate-update 
fixes for boilerplate
 2017-12-04 10:03:41 -08:00
Mike Brown
bd6d530290
Merge pull request #463 from Random-Liu/dump-rootfs 
Check and dump rootfs.
 2017-12-03 09:23:04 -06:00
Lantao Liu
a23bdf25d8 Check and dump rootfs. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-03 11:39:54 +00:00
abhi
43c05efb22 Revert: Setting containerd shim cgroup same as pod cgroup 
Signed-off-by: abhi <abhi@docker.com>
 2017-12-01 16:03:38 -08:00
Mike Brown
009e40f280 correct some boilerplates 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-12-01 16:56:25 -06:00
Lantao Liu
181d7d5076 Move shim cgroup opts to pkg/containerd/opts. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-12-01 19:18:26 +00:00
abhi
0d6774f4af Setting containerd shim cgroup same as pod cgroup 
Signed-off-by: abhi <abhi@docker.com>
 2017-12-01 08:33:50 -08:00
Lantao Liu
0db6e04ba1
Merge pull request #447 from Random-Liu/update-containerd 
Update containerd to fix long exec issue.
 2017-11-30 12:58:24 -08:00
Lantao Liu
5ed43ea1a3 Update containerd to fix long exec issue. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-30 19:24:14 +00:00
Lantao Liu
dc7066d23f
Merge pull request #445 from mikebrow/debug-container 
adding some verbose debug
 2017-11-30 11:15:34 -08:00
Mike Brown
33b93fb1d0 adding some verbose debug 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-11-30 09:51:03 -06:00
Lantao Liu
200ba370a3
Merge pull request #438 from yanxuean/import-lease 
add lease for importer
 2017-11-29 10:18:37 -08:00
yanxuean
089df25492 add lease for importer 
fix #389

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-29 14:02:54 +08:00
Lantao Liu
5f0fba4204 Update containerd and add synchronous image deletion. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-28 22:44:25 +00:00
Mike Brown
4934098e27
Merge pull request #440 from dnephin/use-oci-package 
Use containerd.oci package
 2017-11-28 16:41:26 -06:00
Daniel Nephin
85d3bf0660 Use SpecOpts from new oci package 
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
 2017-11-28 15:30:11 -05:00
Brian Goff
f6fe36d17a Remove explicit unpack on all container creates 
This only performs an unpack if there is an error when creating the
container snapshot (and only if it's a "not found' error) since it should
already be unpacked.

Signed-off-by: Brian Goff <brian.goff@docker.com>
 2017-11-28 14:28:20 -05:00
Lantao Liu
4b4714eaca
Merge pull request #432 from mikebrow/vet-fixes 
fixing vet errors
 2017-11-27 12:03:30 -08:00
Lantao Liu
80c7d18703
Merge pull request #431 from Random-Liu/update-containerd 
Update containerd
 2017-11-27 12:03:18 -08:00
Lantao Liu
1b05f088b5
Merge pull request #375 from yanxuean/image-trunc 
support get image by truncindex
 2017-11-27 11:36:58 -08:00
yanxuean
50cb8a0571 update containerd for refactor 
fix #423

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-27 19:24:14 +00:00
Mike Brown
983994dc87 fixing vet errors 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-11-27 13:13:21 -06:00
yanxuean
b4ebf2d7a7 improve localResolve 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-23 10:56:12 +08:00
yanxuean
cbe7f0dd5a use docker.digestSet store image truncid 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-23 10:55:59 +08:00
Lantao Liu
6104fcba3c
Merge pull request #421 from Random-Liu/add-new-cri-log-support 
Add new cri log support
 2017-11-21 13:09:57 -08:00
Lantao Liu
48726ecd27 Add support for CRI partial log. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-21 19:24:12 +00:00
Lantao Liu
76268ea242 Do not remove sandbox when netns is not closed. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-21 01:22:19 +00:00
Lantao Liu
3f80fe06ef Add simple unit test. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-16 23:04:33 +00:00
Lantao Liu
03aca5e82b Fix data race. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-14 05:35:44 +00:00
Lantao Liu
57f37ca66e Print full container spec for debugging. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-13 23:36:12 +00:00
Lantao Liu
01493463db Fix streaming deadlock. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-13 05:51:14 +00:00
Lantao Liu
3557cffbbb Fix container exec 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-10 21:03:29 +00:00
Lantao Liu
e41b6d3c24 Refactor container io code 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-10 21:03:29 +00:00
Lantao Liu
c4931c8409 Keep stdin open instead of opening when use it. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-09 09:28:30 +00:00
Lantao Liu
2433ae7539
Merge pull request #393 from abhi/labels 
Adding kube pod and container labels to containerd
 2017-11-07 23:39:20 -08:00
abhi
cd5886d647 Adding kube pod and container labels to containerd 
Currently we have the pod and container labels part of
containerd metadata extensions. However for third party users
like cadvisor that depend on standard kube labels will need
to be aware of the way metadata is stored in containerd to
fetch the labels.

Signed-off-by: abhi <abhi@docker.com>
 2017-11-07 22:19:19 -08:00
Lantao Liu
affc6e93a8
Merge pull request #397 from yanxuean/trunc-for-list 
Add truncindex for filter in List and Stat
 2017-11-07 00:41:03 -08:00
yanxuean
12bbbc0edc add unit test for listcontainer and listpodsandbox 
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-07 15:57:29 +08:00
Lantao Liu
75e97dd168 Reverse the wrong logic for tty. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-07 02:03:44 +00:00
Lantao Liu
b9d4eda403
Merge pull request #401 from Random-Liu/add-comment 
Add comment for #398.
 2017-11-06 14:09:50 -08:00
Lantao Liu
68e74dc16a
Merge pull request #394 from Random-Liu/fix-container-streaming 
Various fixes for container streaming.
 2017-11-06 14:09:30 -08:00
Lantao Liu
6f97764171 Add comment for #398. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-06 20:54:50 +00:00
Lantao Liu
eec818e6ab Various fixes for container streaming. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-06 20:50:50 +00:00
Lantao Liu
e363c218d6
Merge pull request #395 from Random-Liu/fix-image-in-container-status 
Return image tag as image spec.
 2017-11-06 10:55:37 -08:00
Justin Cormack
913836474b Remove comment about whether other paths should be read only with ro root 
Since https://github.com/moby/moby/pull/35344 we clarified that this behaviour
was a mistake, and the read only flag should just apply to the actual rootfs,
so it corresponds to the OCI read-only option. Other mounts may be able to be
adjusted by re-specifying them or other means but this is unrelated.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
 2017-11-06 14:21:16 +00:00
yanxuean
6234337459 Add truncindex for filter in List and Stat 
fix #344
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-06 16:47:43 +08:00
Lantao Liu
050ee1de95 Return image tag as image spec. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-06 06:05:49 +00:00
Lantao Liu
74abfe349d Add crictl config. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-06 05:28:58 +00:00
Lantao Liu
9f2de2cd02
Merge pull request #382 from miaoyq/return-config 
"Status" function return cri-containerd config in json format
 2017-11-02 20:41:31 -07:00
Lantao Liu
e19e043a4c
Merge pull request #386 from Random-Liu/fix-spammy-cni-log 
Get rid of spammy CNI log.
 2017-11-02 20:40:50 -07:00
Yanqiang Miao
9b71208be9 "Status" function return cri-containerd config in json format 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-11-03 09:23:05 +08:00
Lantao Liu
73c2cb5632 Fix spammy CNI log. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-03 01:08:07 +00:00
Mike Brown
df6f4a3655 adds help for load command (#383) 
* adds help for load command

Signed-off-by: Mike Brown <brownwm@us.ibm.com>

* vendor restrom/dedent

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-11-02 15:38:24 -07:00
Lantao Liu
8679d10733
Merge pull request #380 from Random-Liu/fix-deadlock 
Do not call `Usage` inside `Walk`.
 2017-11-01 22:04:10 +01:00
Lantao Liu
2453c03daa Do not call Usage inside Walk. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-11-01 18:11:11 +00:00
Lantao Liu
2cb1572667
Merge pull request #379 from yanxuean/unpack 
Use image.IsUnpacked
 2017-11-01 07:50:12 +01:00
yanxuean
9027a02e8e Use image.IsUnpacked 
fix #361
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-11-01 13:51:25 +08:00
Lantao Liu
4eaaee380f Fix removing state recover. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-31 20:03:58 +00:00
Lantao Liu
4e6e1cab0d Add the missing container log path in container status. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-30 06:03:52 +00:00
Lantao Liu
1d14c11dcb
Merge pull request #368 from Random-Liu/not-log-output 
Do not log container output in error log.
 2017-10-28 05:50:14 +02:00
Lantao Liu
f2fa351a1f Do not log container output in error log. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-28 02:16:43 +00:00
Lantao Liu
6cded68bac
Merge pull request #360 from Random-Liu/add-image-load 
Add image load
 2017-10-28 00:43:20 +02:00
Lantao Liu
25fdf72692 Add image load. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-27 21:51:04 +00:00
Lantao Liu
32806fa375 Fix a log line and also set containerd log level to debug in node e2e. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-27 07:21:37 +00:00
Lantao Liu
f10cc58362 Revert "Put containerd-shim into pod cgroup" 
This reverts commit e9cf1d5909.

Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-27 05:33:55 +00:00
Lantao Liu
5e74cba0f0 Add log of generated id for debugging. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-27 00:11:16 +00:00
Lantao Liu
6c6b337e87 Merge pull request #358 from Random-Liu/unpack-when-creation 
Also unpack image during creation.
 2017-10-26 22:44:07 +02:00
Lantao Liu
acc3f74d5c Also unpack image during creation. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-26 17:57:53 +00:00
Yanqiang Miao
e9cf1d5909 Put containerd-shim into pod cgroup 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-10-26 10:17:12 +08:00
Lantao Liu
698f0ea2ae Merge pull request #345 from yanxuean/imagereadiness 
check image readiness when recover
 2017-10-23 16:09:14 +02:00
yanxuean
9d06ac0e2b check image readiness when recover 
fix #303

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-10-23 19:21:39 +08:00
Ian Campbell
d75e0882c4 typo: subtract not substract. 
Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-10-13 09:50:17 +01:00
yanxuean
3887b0a1a0 Add a flag to set OOMScore 
fix #337
Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-10-12 16:43:35 +08:00
Lantao Liu
885024f987 Merge pull request #295 from miaoyq/use-mount-lookup 
Get the mountInfo by 'LookupMount' in containerd
 2017-10-11 21:05:39 -07:00
Lantao Liu
61d598d00f Merge pull request #235 from yanxuean/truncindex 
Add Truncindex for container, sandbox and image
 2017-10-11 21:03:16 -07:00
Yanqiang Miao
c65921b16a Get the mountInfo by 'LookupMount' in containerd 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-10-12 11:09:24 +08:00
yanxuean
5ee3423820 add truncindex 
fix #222

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-10-12 10:32:20 +08:00
Lantao Liu
e4b818ff41 Merge pull request #342 from Random-Liu/update-kubernetes-containerd 
Update kubernetes and containerd.
 2017-10-11 00:23:24 -07:00
Lantao Liu
bde8b0517e Update kubernetes and containerd. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-11 06:16:19 +00:00
Lantao Liu
6cb3d27ed3 Use device number to find uuid 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-09 06:10:43 +00:00
Lantao Liu
09d7d652e6 Change Version to return cri-containerd version instead. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-07 00:47:51 +00:00
Lantao Liu
e78c85f76b Use new container update function 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-06 17:57:26 +00:00
Lantao Liu
3a5ec1cf6e Merge pull request #328 from Random-Liu/fix-container-stats-panic 
Fix container stats panic.
 2017-10-04 21:45:19 -07:00
Lantao Liu
94b68ae662 Fix container stats panic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-05 02:18:19 +00:00
Lantao Liu
0bcc95e4a1 Skip not exist image volume directory. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-04 22:43:24 +00:00
Lantao Liu
23b8330b44 Merge pull request #322 from miaoyq/fix-314 
Update kubernetes version to the PR#52395 and support `unconfined` apparmor
 2017-10-04 10:49:56 -07:00
Yanqiang Miao
9f656cdda4 Support unconfined apparmor 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-10-04 09:50:27 +08:00
Lantao Liu
a81a47bf9b Fix update container resources 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-10-03 06:03:39 +00:00
Lantao Liu
a7b78d7622 Merge pull request #297 from ijc/use-stat-for-device-uuid-comparison 
Use stat_t.st_rdev to compare block devices
 2017-09-28 11:30:34 -07:00
Abhinandan Prativadi
1784b073bc Merge pull request #301 from Random-Liu/fix-container-stats 
Fix container stats.
 2017-09-28 06:02:42 -07:00
Lantao Liu
de6287d626 Fix container stats. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-28 05:49:44 +00:00
Lantao Liu
d6e04d871e Merge pull request #300 from Random-Liu/improve-some-error-message 
Better format several errors
 2017-09-27 22:47:15 -07:00
Lantao Liu
517f697f62 Better format several errors 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-28 01:15:06 +00:00
Lantao Liu
e723a5018b Merge pull request #293 from Random-Liu/cleanup-container-metrics 
Fix and cleanup container metrics
 2017-09-27 17:17:46 -07:00
Lantao Liu
97b6e82d98 Fix and cleanup container metrics 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-27 23:43:00 +00:00
Ian Campbell
11714fb6a3 Use stat_t.st_rdev to compare block devices 
I implemented /dev/disk/by-uuid on my platform but using absolute links (where
udev typically uses relative) which broke the code in `os.DeviceUUID`.

Rather than just patch that up directly instead stat both the target and
candidate devices and pick one with matching major:minor in st_rdev. This saves
manually building paths to resolve symlinks and I think should be more robust
overall.

I also removed the initial stat of /dev/disk/by-uuid, I believe
`ioutil.Readdir` will correctly return an error if the path does not exist.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-27 16:17:57 +01:00
Abhinandan Prativadi
66693196ac Setting timestamp for cpu and memory stats in nano seconds 
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-09-27 07:06:25 -07:00
Lantao Liu
0e6e593481 Merge pull request #275 from mikebrow/config-for-containerd 
Adds support for configuring the containerd runtime engine
 2017-09-26 20:04:13 -07:00
Mike Brown
d8a3c6b018 adds support for configuring the containerd runtime engine 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-09-26 20:22:51 -05:00
Lantao Liu
e7a5001c3e Merge pull request #265 from abhinandanpb/metrics 
Adding container metrics support
 2017-09-26 13:57:17 -07:00
Abhinandan Prativadi
d0298944eb Adding container metrics 
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-09-26 12:03:08 -07:00
Lantao Liu
cd57d063c5 Add systemd cgroup support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-26 06:44:30 +00:00
Lantao Liu
4231473df3 Address comments 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-25 23:09:44 +00:00
Lantao Liu
21233b22be Check seccomp enable and add unit test for seccomp/apparmor. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-25 23:09:26 +00:00
Lantao Liu
491400c892 Add ImageFsInfo support 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-25 21:02:29 +00:00
Lantao Liu
6363207315 Merge pull request #272 from Random-Liu/improve-selinux-apparmor-support 
Improve apparmor and selinux support.
 2017-09-22 15:09:59 -07:00
Lantao Liu
dd967cde8c Improve apparmor and selinux support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-22 20:46:31 +00:00
Lantao Liu
1fd8c2ffc3 Merge pull request #270 from Random-Liu/fix-checkpoint-recovery 
Fix checkpoint recovery.
 2017-09-22 00:48:00 -07:00
Lantao Liu
10df5f71a7 Merge pull request #212 from miaoyq/related-selinux 
Add build tags and Improve the test case of selinux
 2017-09-21 21:07:53 -07:00
Yanqiang Miao
7096027d21 Add build tags and Improve the test case of selinux 
- Add build tags
- Fixes a bug because of my negligence
- Improve the test case of selinux

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>

test
 2017-09-22 11:39:32 +08:00
Mike Brown
78a925f57b vendor for new seccomp helpers 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-09-21 17:37:50 -05:00
Mike Brown
c0a2d152d9 adds seccomp support 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-09-21 17:22:11 -05:00
Lantao Liu
ce9d27bd94 Fix checkpoint recovery. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-21 21:10:38 +00:00
Lantao Liu
e132f9c1ea Should register container/sandbox name after restart. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-21 21:06:24 +00:00
Lantao Liu
9015b6ec68 Merge pull request #209 from Random-Liu/checkpoint-recovery 
Checkpoint recovery
 2017-09-21 11:32:49 -07:00
Lantao Liu
cc1b0b6709 Add restart recovery logic. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-21 17:59:46 +00:00
Lantao Liu
90d6e44c22 Merge pull request #267 from Random-Liu/fix-apparmor 
Fix apparmor empty case.
 2017-09-20 21:53:28 -07:00
Lantao Liu
dd3421c3c7 Fix apparmor empty case. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-21 04:07:39 +00:00
Lantao Liu
5dbba596e6 Merge pull request #260 from yanxuean/use-containerd-extension 
Switch to containerd extension
 2017-09-20 10:36:57 -07:00
yanxuean
e1a7a0ea76 Switch to containerd extension 
fix #251

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-09-21 00:15:10 +08:00
Lantao Liu
a2dbc6ec1c Merge pull request #261 from ijc/volume-copyup 
Implement volume copy up.
 2017-09-20 02:30:36 -07:00
Lantao Liu
9c533dca14 Merge pull request #262 from ijc/sandbox-getip-improvements 
Do not attempt to retrieve IP from host network namespace
 2017-09-20 02:22:07 -07:00
Ian Campbell
9c3c38d9ab Do not attempt to retrieve IP from host network namespace 
Since sandboxes which use the host network have no network namespace path this
would result in an invalid invocation of nsenter.

Rework the fetching of the sandbox to take this into account and also avoid
trying to get an IP when the network plugin is not yet ready.

Fixes #245.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-20 09:53:56 +01:00
Ian Campbell
8c6ba35038 Implement volume copy up. 
This pulls in and uses github.com/docker/docker/pkg/chrootarchive for the
actual copy up which is some battle hardened code to unpack avoiding things
like symlink traversal security issues.

However it does pull in a pretty huge pile of vendoring, including
github.com/docker/docker/pkg/reexec which we must then call at startup. It's
not immediately clear that this tradeoff is the correct one.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-20 09:52:27 +01:00
Lantao Liu
45f98a0b39 Fix one line of log, we are writing not reading. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-19 18:53:45 +00:00
Lantao Liu
437131299b Merge pull request #230 from miaoyq/ensure-mount-shared-slave 
Ensure the mount point is propagated
 2017-09-19 00:56:27 -07:00
Yanqiang Miao
49eb38a5d4 Ensure the mount point is propagated 
mount with `rshared`, the host path should be shared.
mount with `rslave`, the host pash should be shared or slave.

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-09-19 14:21:21 +08:00
Lantao Liu
06a305d7ea Merge pull request #255 from Random-Liu/use-config-in-service 
Use config in service.
 2017-09-17 22:37:06 -07:00
Lantao Liu
8a03d551da Merge pull request #252 from abhinandanpb/rshared 
Setting rootfs mount propagation if the mount type is rshared/shared
 2017-09-17 12:23:39 -07:00
Abhinandan Prativadi
abba4e22f6 Setting rootfspropagation if the mount type shared or slave 
This is needed by runc to mount volume for containers that expect
biderectional file updates or host to container updates.

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-09-17 09:59:45 -07:00
Lantao Liu
71b0d0a043 Use config in service. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-17 06:46:40 +00:00
Lantao Liu
cd27050425 Add image volume support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-15 11:25:55 +01:00
Ian Campbell
e0079125d2 Move resolveSymbolicLink to OS package and stub out for tests 
Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-15 11:25:45 +01:00
Ian Campbell
56539bd3a4 Require generateContainerSpec passes during tests and abort if not 
This is achieved by switching `assert.NoError` to `require.NoError` in several
places.

Otherwise the test code will continue and dereference a nil spec, leading to a
panic which obscures the real failure.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-15 11:06:25 +01:00
Lantao Liu
1fadb5e573 Follow symlink for mount host path. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-12 07:12:03 +00:00
Lantao Liu
6cd0f77c4e Create host path is mount source does not exist. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-12 00:58:34 +00:00
Lantao Liu
9558ff2001 Merge pull request #233 from Random-Liu/remove-run-mount 
Remove `/run` mount for backward compatibility with docker.
 2017-09-09 13:55:33 -07:00
Lantao Liu
0bfcdd39ab Remove /run mount for backward compatibility with docker. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-09 07:34:00 +00:00
Lantao Liu
b074388460 Update containerd to v1.0.0-beta.0 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-09 04:46:02 +00:00
Lantao Liu
c4846745d6 Use WithNewSnapshot for sandbox container. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-09 03:59:58 +00:00
Lantao Liu
7a75a91578 Merge pull request #225 from Random-Liu/update-ocicni 
Update ocicni to 73f1309d6bc5c3eac78c1382408921cd771ff22e
 2017-09-06 21:04:45 -07:00
Lantao Liu
3e4b4234c6 Merge pull request #218 from miaoyq/fixes-185 
Update kubernetes version and support mount propagation
 2017-09-06 21:03:56 -07:00
Yanqiang Miao
9da460ec0a Support mount propagation 
fixex #185

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-09-07 08:58:20 +08:00
Lantao Liu
f36ef46b35 Use new ocicni. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-07 00:14:12 +00:00
Lantao Liu
2b6302d91d Remove an addressed TODO. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-06 23:29:27 +00:00
Lantao Liu
34319e025f Merge pull request #221 from ijc/writeable-rootfs-snapshot 
Always use a writeable snapshot as the rootfs.
 2017-09-06 15:10:28 -07:00
Ian Campbell
0161764ef5 Always use a writeable snapshot as the rootfs. 
This will be made readonly by runc based on spec.Root.Readonly (which we
already set correctly) but defering until then gives runc the chance to make
any missing mount points as it processes the spec.Mount array.

This is necessary because many container images lack mount points for things
like the /etc/hosts which we want to overbind. This is not noticed with e.g.
Docker because it automatically creates an additional layer containing those.
This is something we may want to do here as well eventually but for now using a
writeable snapshot is both necessary and sufficient.

The same does not apply to the sandbox since we never modify its rootfs or want
to mount anything in it etc, add a comment to clarify.

Fixes #220.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-06 22:20:14 +01:00
Lantao Liu
e06c2c59e0 Merge pull request #179 from Random-Liu/checkpoint-container-status 
Checkpoint container status onto disk.
 2017-09-06 13:51:38 -07:00
Lantao Liu
8569fa366e Merge pull request #215 from Random-Liu/add-capability-all 
Add "ALL" capabilities support.
 2017-09-05 18:14:36 -07:00
Lantao Liu
d02ecc4673 Add "ALL" capabilities support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-06 00:05:08 +00:00
Mike Brown
8a21e3f3c8 Merge pull request #206 from Random-Liu/ensure-remove-all 
Use EnsureRemoveAll
 2017-09-05 18:43:45 -05:00
Ian Campbell
1dea8fdfc4 Handle environment variables which containe spaces 
This avoids errors such as:

    spec: invalid environment variable "JAVA_OPTS=-Djava.security.egd=file:/dev/urandom"

use SplitN(2) to get the envvar name and value while allowing the value to
contain `=`.

Add some variables to the test data which have one or more `=` in the value.
Since this makes the resulting list of variables to check rather long split the
check in two and check the container config and image config derived values
independently.

Signed-off-by: Ian Campbell <ijc@docker.com>
 2017-09-05 23:06:07 +01:00
Lantao Liu
adfabdaa35 Use EnsureRemoveAll 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-05 20:29:18 +00:00
Jamie Zhuang
915f5b0aea Make sandbox container image configurable 
Signed-off-by: Jamie Zhuang <lanchongyizu@gmail.com>
 2017-09-03 02:53:17 -04:00
Lantao Liu
c3cb1cfde8 Revert "Setting containerd shim cgroup same as pod cgroup" 
This reverts commit 59008c608e.

Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-02 04:20:55 +00:00
Lantao Liu
aa3635c75a Merge pull request #183 from Random-Liu/cri-containerd-exit-with-containerd 
Cri containerd exits with containerd
 2017-09-01 16:39:38 -07:00
Lantao Liu
c3e8c69aff Let cri-containerd exit with containerd 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-01 23:14:04 +00:00
Mike Brown
4f442de959 adds support for AppArmor 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-09-01 18:08:34 -05:00
Lantao Liu
4f449cec5f Merge pull request #202 from Random-Liu/fix-image-repo-digest 
Fix repo digest for schema 1 image.
 2017-09-01 16:01:05 -07:00
Lantao Liu
7121d251b0 Return image repo digest in container status. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-01 20:58:15 +00:00
Lantao Liu
5057c2d4fb Merge pull request #197 from Random-Liu/not-remove-out-dated-tag 
Do not remove out dated image tag.
 2017-09-01 00:48:37 -07:00
Lantao Liu
cfb5513a54 Fix repo digest for schema 1 image. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-01 07:18:02 +00:00
Lantao Liu
73bb6e3283 Do not remove out dated image tag. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-01 07:09:13 +00:00
Lantao Liu
9c49624174 Merge pull request #157 from miaoyq/apply-selinux-opt 
Support selinux options/label
 2017-08-31 16:30:30 -07:00
Abhinandan Prativadi
59008c608e Setting containerd shim cgroup same as pod cgroup 
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-08-31 15:16:51 -07:00
Yanqiang Miao
0c3304e006 Support selinux options/label 
Support selinux optios/label

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-08-31 19:20:12 +08:00
Lantao Liu
ac4f238f48 Cleanup image operations. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-31 00:52:09 +00:00
Lantao Liu
130aa5ac0d Checkpoint container status onto disk. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-31 00:41:52 +00:00
Abhinandan Prativadi
e1edeae4c9 Adding option to configure cgroup to start cri-containerd 
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-08-30 14:37:40 -07:00
Lantao Liu
c4d95aa2c4 Fix sandbox container snapshotter. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-30 18:33:59 +00:00
Lantao Liu
3f4978b77b Use rbind and rprivate in bind mount. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-30 01:40:03 +00:00
Lantao Liu
55ee423224 Merge pull request #175 from Random-Liu/disable-pid-ns-sharing 
Disable pid namespace sharing
 2017-08-29 13:14:18 -07:00
Lantao Liu
b73161627d Fix fifo files leakage. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-28 21:14:35 +00:00
Lantao Liu
3b2d29be46 Merge pull request #177 from miaoyq/related-to-173 
Exclude the event of sandbox containers from event stream
 2017-08-28 10:00:21 -07:00
Yanqiang Miao
b18542c586 Excloude the event of sandbox containers from event stream 
We should exclude the event of sandbox containers from event
stream in order to avoid outputting unexpected error print.

related #173

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-08-28 14:21:03 +08:00
Lantao Liu
f46cd1a71a Disable pid namespace sharing 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-28 05:44:46 +00:00
Lantao Liu
fda30c3ad2 Do not teardown when network namespace is removed already. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-28 05:10:30 +00:00
Lantao Liu
270e09ab26 Use containerd WithUserID. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-25 21:11:56 +00:00
Lantao Liu
980e8e8007 Merge pull request #168 from Random-Liu/add-run-as-user 
Add RunAsUser support
 2017-08-25 13:45:47 -07:00
Lantao Liu
60d8430ac1 Do not checkpoint sandbox pid. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-25 01:38:05 +00:00
Lantao Liu
a80df151d1 Add RunAsUsername support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-25 00:47:35 +00:00
Lantao Liu
e1f74f00a5 Various security related fixes 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-24 21:52:30 +00:00
Lantao Liu
a795927c5a Get CreatedAt from containerd instead of maintaining it ourselves. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-24 18:38:00 +00:00
Lantao Liu
73bb9696e8 Merge pull request #151 from Random-Liu/add-instrumented-service 
Add instrumented service.
 2017-08-24 11:26:39 -07:00
Lantao Liu
36da027c20 Merge pull request #138 from abhinandanpb/p_netns 
Creating sandbox namespace
 2017-08-24 11:26:21 -07:00
Lantao Liu
c6191122f2 Merge pull request #163 from abhinandanpb/containerd-alpha6 
Updating to container1.0-alpha
 2017-08-24 10:43:43 -07:00
Abhinandan Prativadi
5a119200b8 Creating permanent sandbox namespace 
This commit contains changes to create/delete permanent namespace
for a sandbox container.

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-08-24 10:43:42 -07:00
zhangzhenhao
331e542c09 add the user id support of runAsUser 
Signed-off-by: zhangzhenhao <zhangzhenhao@outlook.com>
 2017-08-24 23:29:45 +08:00
Abhinandan Prativadi
728dced6a1 Updating to container1.0-alpha 
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-08-23 23:17:21 -07:00
Lantao Liu
2faa665eb2 Merge pull request #155 from miaoyq/support-nonewprivileges 
Support NoNewPrivileges
 2017-08-23 20:58:38 -07:00
Yanqiang Miao
1aec120d5f Support NoNewPrivileges 
fixes #117

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-08-24 08:37:40 +08:00
Lantao Liu
45ee2e554a Add container attach support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-23 23:48:31 +00:00
Lantao Liu
77b703f1e7 Move generateID to util. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-23 23:46:55 +00:00
Lantao Liu
dd6e9fb88d Merge pull request #156 from yanxuean/metalabel 
Checkpoint and restart recovery
 2017-08-23 15:36:19 -07:00
yanxuean
d2757cb8f9 Checkpoint and restart recovery 
fix part of #120

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-08-23 17:01:13 +08:00
Lantao Liu
195b52500f Add instrumented service. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-23 07:02:12 +00:00
Lantao Liu
7901f56367 Merge pull request #150 from Random-Liu/support-update-container-resources 
Support update container resources
 2017-08-22 23:28:48 -07:00
Lantao Liu
f6d99abcf4 Add hostport support 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-23 01:33:02 +00:00
Lantao Liu
8f898cb3b8 Import ocicni update from https://github.com/Random-Liu/ocicni 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-23 01:25:12 +00:00
Lantao Liu
a0589d37dd Implement container resources update 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-22 18:40:30 +00:00
Lantao Liu
d41c23e31d Update code to make it build 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-22 05:38:51 +00:00
Lantao Liu
50b01812ce Merge pull request #147 from miaoyq/group-all-privileged-logic 
Group all privileged logic together
 2017-08-21 18:43:06 -07:00
Yanqiang Miao
8adad23015 Group all privileged logic together 
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-08-22 09:16:37 +08:00
Lantao Liu
c05a7e74ee Add node e2e test CI. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-21 21:21:41 +00:00
Lantao Liu
dcc3cb2a05 Merge pull request #137 from Random-Liu/cleanup-with-new-client 
Some cleanup after switching to new client.
 2017-08-18 15:04:24 -07:00
Lantao Liu
ed640d3972 Some cleanup after switching to new client. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-18 21:04:38 +00:00
Lantao Liu
8e9a251f72 Merge pull request #135 from yanxuean/myfeature 
The parameters of InitCNI should be filled in reverse order
 2017-08-16 19:50:22 -07:00
yanxuean
8cc0347b0a The parameters of InitCNI should be filled in reverse order. 
fix  #131

Signed-off-by: yanxuean <yan.xuean@zte.com.cn>
 2017-08-17 10:18:40 +08:00
Lantao Liu
f555bb1242 Add portforward support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-17 00:13:31 +00:00
Abhinandan Prativadi
32e0313418 Containerd client integration 
This commit:
1) Replaces the usage of containerd GRPC APIs with the containerd client for all operations related to containerd.
2) Updated containerd to v1.0alpha4+
3) Updated runc to v1.0.0

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
 2017-08-16 14:43:22 -07:00
Lantao Liu
2427d332f0 Add TERM=xterm when tty=true. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-11 16:53:40 +00:00
Lantao Liu
86a0f6a59b Merge pull request #126 from miaoyq/change-defaut-spec 
Replace the original default spec with containerd default spec
 2017-08-10 14:25:23 -07:00
Yanqiang Miao
9cc93886ea Replace the original default spec with containerd default spec 
The original default spec contain `seccomp` configuration,
but some OS do not support this feature, such as ubuntu14.04,
and `make test-cri` always fail. The containerd default spec dosen't
contain `seccomp`, so I think we could replace the default spec
with containerd default spec.

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
 2017-08-10 20:31:03 +08:00
Mike Brown
8d37d97d01 sets sysctls from pod config annotations 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-08-09 18:42:04 -05:00
Lantao Liu
4c5cea9258 Handle device symlink. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-08 00:53:15 +00:00
Lantao Liu
54286313ce Add container Exec support. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-07 22:49:06 +00:00
Lantao Liu
8b56c91ec5 Extract execInContainer 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-07 22:35:50 +00:00
Lantao Liu
bf270fae1c Use containerd client for container execsync. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-08-04 18:32:39 +00:00
Mike Brown
73748840da Swicth to 1.0.0-alpha2 containerd api. 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
 2017-08-02 23:21:37 +00:00
Lantao Liu
ffb69423ec Temporarily remove unit test relying on fake containerd services. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-07-31 22:42:10 +00:00
Lantao Liu
f4df66eaaf Remove old metadata store. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-07-28 23:35:31 +00:00
Lantao Liu
7b16a35287 Use new metadata store. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-07-28 23:35:31 +00:00
Lantao Liu
4317e6119a Remove sandbox truncindex. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-07-28 23:35:31 +00:00
Lantao Liu
a393f3a084 Add new metadata store. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-07-28 23:35:31 +00:00
Random-Liu
b398a161de Get runtime spec from container metadata. 
Signed-off-by: Random-Liu <lantaol@google.com>
 2017-07-28 16:26:20 +00:00
Lantao Liu
faf592069b Remove out-of-date TODOs. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-06-30 01:19:51 +00:00