Sebastiaan van Stijn
708299ca40
Move RunningInUserNS() to its own package
This allows using the utility without bringing the whole of "sys" with it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-23 11:29:53 +01:00
Michael Crosby
3f98a6d2d3
Merge pull request #5211 from pacoxu/pause/3.5
upgrade pause image to 3.5 for non-root
2021-03-18 11:43:59 -04:00
Phil Estes
32a08f1a6a
Merge pull request #4847 from cpuguy83/devices_by_dir
Support adding devices by dir
2021-03-17 09:41:02 -04:00
pacoxu
ffff688663
upgrade pause image to 3.5 for non-root
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2021-03-16 23:20:35 +08:00
Derek McGowan
2755ead927
Merge pull request #4978 from cpuguy83/certs_dir
Add support for using a host registry dir in cri
2021-03-15 13:47:03 -07:00
Brian Goff
7776e5ef2a
Support adding devices by dir
This enables cases where devices exist in a subdirectory of /dev,
particularly where those device names are not portable across machines,
which makes it problematic to specify from a runtime such as cri.
Added this to `ctr` as well so I could test that the code at least
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-15 16:42:23 +00:00
Brian Goff
b0b6d9aa03
Add support for using a host registry dir in cri
This will be used instead of the cri registry config in the main config
toml.
---
Also pulls in changes from containerd/cri@d0b4eecbb3
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-12 22:42:22 +00:00
Derek McGowan
35eeb24a17
Fix exported comments enforcer in CI
Add comments where missing and fix incorrect comments
Signed-off-by: Derek McGowan <derek@mcg.dev>
2021-03-12 08:47:05 -08:00
Iceber Gu
f37ae8fc35
move to v3.4.1 for the pause image
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
2021-03-07 15:21:20 +08:00
Iceber Gu
92ab1a63b0
cri: fix container status
Signed-off-by: Iceber Gu <wei.cai-nat@daocloud.io>
2021-03-05 00:00:10 +08:00
f00231050
591caece0c
cri: check fsnotify watcher when receiving cni conf dir events
carry: 612f5f9f44
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2021-03-03 16:46:41 +08:00
Yohei Ueda
07f1df4541
cri: set default masked/readonly paths to empty paths
Fixes #5029.
Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
2021-02-24 23:50:40 +09:00
Phil Estes
757be0a090
Merge pull request #5017 from AkihiroSuda/parse-cap
oci.WithPrivileged: set the current caps, not the known caps
2021-02-23 09:10:57 -05:00
Mike Brown
9173d3e929
Merge pull request #5021 from wzshiming/fix/signal_repeatedly
Fix repeated sending signal
2021-02-22 09:45:56 -06:00
Justin Terry (SF)
06e4e09567
cri: append envs from image config to empty slice to avoid env lost
Signed-off-by: Justin Terry (SF) <juterry@microsoft.com>
2021-02-18 16:39:28 -08:00
Phil Estes
c32ccdf8be
Merge pull request #5024 from yadzhang/deepcopy-imageconfig
cri: append envs from image config to empty slice to avoid env lost
2021-02-18 12:51:51 -05:00
Akihiro Suda
746cef0bc2
Merge pull request #5044 from wzshiming/fix/empty-error-warpping
Fix empty error wrapping
2021-02-18 13:47:13 +09:00
zhangyadong.0808
08318b1ab9
cri: append envs from image config to empty slice to avoid env lost
Signed-off-by: Yadong Zhang <yadzhang@gmail.com>
2021-02-18 11:37:41 +08:00
Shiming Zhang
59db8a10e0
Fix empty error wrapping
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-02-18 11:06:59 +08:00
Shiming Zhang
dc6f5ef3b9
Fix repeated sending signal
Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
2021-02-17 21:33:49 +08:00
Michael Crosby
41e3057cc6
Merge pull request #5025 from jeremyje/win20h2
Add references to Windows 20H2 test images.
2021-02-12 11:58:49 -05:00
Lorenz Brun
36d0bc1f2b
Allow moving netns directory into StateDir
Signed-off-by: Lorenz Brun <lorenz@nexantic.com>
2021-02-10 18:33:14 +01:00
Akihiro Suda
a2d1a8a865
oci.WithPrivileged: set the current caps, not the known caps
This change is needed for running the latest containerd inside Docker
that is not aware of the recently added caps (BPF, PERFMON, CHECKPOINT_RESTORE).
Without this change, containerd inside Docker fails to run containers with
"apply caps: operation not permitted" error.
See kubernetes-sigs/kind 2058
NOTE: The caller process of this function is now assumed to be as
privileged as possible.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-10 17:14:17 +09:00
Michael Crosby
e874e2597e
[cri] add pod annotations to CNI call
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-02-09 13:24:01 -05:00
Jeremy Edwards
1c81071d39
Add references to Windows 20H2 test images.
Signed-off-by: Jeremy Edwards <1312331+jeremyje@users.noreply.github.com>
2021-02-09 16:25:36 +00:00
Derek McGowan
b3f2402062
Merge pull request #5002 from crosbymichael/anno-image-name
[cri] add image-name annotation
2021-02-05 08:27:41 -08:00
Akihiro Suda
e908be5b58
Merge pull request #5001 from kzys/no-lint-upgrade
2021-02-06 00:40:38 +09:00
Kazuyoshi Kato
07db46ee23
lint: update nolint syntax for golangci-lint
Newer golangci-lint needs explicit `//` separator. Otherwise it treats
the entire line (`staticcheck deprecated ... yet`) as a name.
https://golangci-lint.run/usage/false-positives/#nolint
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
2021-02-04 11:59:55 -08:00
Sebastiaan van Stijn
04d061fa6a
update runc to v1.0.0-rc93
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93
also removes dependency on libcontainer/configs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 16:13:30 +01:00
Sebastiaan van Stijn
54cc3483ff
pkg/cri/server: don't import libcontainer/configs
Looks like this import was not needed for the test; simplified the test
by just using the device-path (a counter would work, but for debugging,
having the list of paths can be useful).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 16:08:39 +01:00
Michael Crosby
99cb62f233
[cri] add image-name annotation
For some tools having the actual image name in the annotations is helpful for
debugging and auditing the workload.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-02-04 07:05:11 -05:00
Lantao Liu
b5bf1fd5d8
Fix deprecated registry auth conversion.
Signed-off-by: Lantao Liu <lantaol@google.com>
2021-02-03 19:22:26 -08:00
Michael Crosby
591d7e2fb1
remove exec sync debug contents from logs
This was dumping untrusted output to the debug logs from user containers.
We should not dump this type of information to reduce log sizes and any
information leaks from user containers.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-01-26 14:57:54 -05:00
Alban Crequy
28e4fb25f4
cri: add annotations for pod name and namespace
cri-o has annotations for pod name, namespace and container name:
https://github.com/containers/podman/blob/master/pkg/annotations/annotations.go
But so far containerd had only the container name.
This patch will be useful for seccomp agents to have a different
behaviour depending on the pod (see runtime-spec PR 1074 and runc PR
2682). This should simplify the code in:
b2d423695d/pkg/kuberesolver/kuberesolver.go (L16-L27)
Signed-off-by: Alban Crequy <alban@kinvolk.io>
2021-01-26 12:10:39 +01:00
Wei Fu
e56de63099
cri: handle sandbox/container exit event separately
The event monitor handles exit events one by one. If there is something
wrong about deleting task, it will slow down the terminating Pods. In
order to reduce the impact, the exit event watcher should handle exit
event separately. If it failed, the watcher should put it into backoff
queue and retry it.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
2021-01-24 13:43:38 +08:00
Shengjing Zhu
2818fdebaa
Move runtimeoptions out of cri package
Since it's a standard set of runtime opts, and used in ctr as well,
it could be moved out of cri.
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2021-01-23 01:24:35 +08:00
Michael Crosby
a731039238
[cri] label etc files for selinux containers
Signed-off-by: Michael Crosby <michael@thepasture.io>
2021-01-19 13:42:09 -05:00
Mike Brown
550b4949cb
Merge pull request #4700 from mikebrow/cri-security-profile-update
CRI security profile update for CRI graduation
2021-01-12 12:21:56 -06:00
Sebastiaan van Stijn
2374178c9b
pkg/cri/server: optimizations in unmountRecursive()
Use a PrefixFilter() to get only the mounts we're interested in,
which removes the need to manually filter mounts from the mountinfo
results.
Additional optimizations can be made, as:
> ... there's a little known fact that `umount(MNT_DETACH)` is actually
> recursive in Linux, IOW this function can be replaced with
> `unix.Umount(target, unix.MNT_DETACH)` (or `mount.UnmountAll(target, unix.MNT_DETACH)`
> (provided that target itself is a mount point).
e8fb2c392f (r535450446)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 17:32:01 +01:00
Sebastiaan van Stijn
7572919201
mount: remove remaining uses of mount.Self()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 17:31:59 +01:00
Davanum Srinivas
1f5b84f27c
[CRI] Reduce clutter of log entries during process execution
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-01-06 13:09:03 -05:00
Shengjing Zhu
5988bfc1ef
docs: Various typos found by codespell
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2020-12-22 13:22:16 +08:00
Michael Crosby
2e442ea485
[cri] ensure log dir is created
containerd is responsible for creating the log but there is no code to ensure
that the log dir exists. While kubelet should have created this there can be
times where this is not the case and this can cause stuck tasks.
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-12-17 15:04:39 -05:00
Akihiro Suda
7e6e4c466f
remove "selinux" build tag
The build tag was removed in go-selinux v1.8.0: opencontainers/selinux#132
Related: remove "apparmor" build tag: 0a9147f3aa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-15 20:05:25 +09:00
Mike Brown
6467c3374d
refactor based on comments
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-12-07 21:39:31 -06:00
Phil Estes
73a301c7a1
Merge pull request #4772 from gaurav1086/ValidatePluginConfig_fix_range_iterator_issue
[cri/config] : fix range iterator issue in ValidatePluginConfig
2020-12-07 12:42:07 -05:00
Phil Estes
efad13faaf
Merge pull request #4811 from AkihiroSuda/expose-apparmor
expose hostSupportsAppArmor()
2020-12-07 08:22:16 -05:00
Akihiro Suda
55eda46b22
expose hostSupportsAppArmor()
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-07 19:12:59 +09:00
Gaurav Singh
071a185506
cri/config: fix range iterator issue in ValidatePluginConfig
Go uses the same address variable while iterating in a range,
so use a copy when using its address.
Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
2020-12-04 17:37:09 -05:00
Mike Brown
b4727eafbe
adding code to support seccomp apparmor securityprofile
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-12-04 15:15:32 -06:00