Use the syscall method instead of repeating the type conversions for
the syscall.Stat_t Atim/Atimespec members. This also allows to drop the
//nolint: unconvert comments.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This patch makes the Windows Integration GitHub workflow conditionally
execute the CI artifact upload to GCP on successful runs iff the GitHub
secrets containing the GCP access info are defined.
Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
Seems $(PWD) if the shell is powershell may not be inherited properly
as it ends up being an empty string. The result of this is that using
mingw's make with powershell is that $(PWD)/bin ends up being /bin and the
windows shim will get placed there. make install afterwards will try to find
the shim at $pwd/bin and fail.
Changing to CURDIR https://www.gnu.org/software/make/manual/make.html#index-CURDIR
seems to be a solution here as it's not inherited by the environment and
is set by make itself so should work across any type of shell.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The "notready-sandbox" array will only have a CONTAINER_CREATED
and a CONTAINER_EXITED in the sandbox. So there will be no running
task to send a Kill() to. This means that on Windows, it will always
return an ErrorNotFound.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This offers a more reliable way of killing a process. The /IM flag
allows us to specify the "image name" of the process we're killing.
This means we can use wildcards, foce kill a process and all the child
processes it may have spawned.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This change fixes flakiness on Windows for TestContainerListStatsWithSandboxIdFilter
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
The global &daemon{} object only gets an address assigned if you call
start() on it, which only gets called if you don't pass no-daemon. The
aftermath of this is that running the integration tests with no-daemon
just has them fail trying to create a client for containerd.
This change just assigns whatever address is passed to the binary even in
the no-daemon case so you can run the integration tests against an already
running containerd instance.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
A recent change altered the default target that would get run for the makefile.
This ended up making a standalone 'make' invocation only build the Windows
shim and nothing else. This was affecting the CI of some other projects that
relied on 'make' building containerd, ctr, and friends.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
This change adds the following:
* Default paths to REPORT_DIR, CONTAINERD_STATE and
CONTAINERD_ROOT for Windows
* Removes the need for nssm on Windows. The nssm service
has issues dealing with paths that contain spaces. Also, the
containerd binary is perfectly capable of registering itself
as a service in Windows, and Windows itself can take care of
any failure handling of the service. NSSM is useful for binaries
that do not have any kind of Windows service logic built into
them. That is not the case of containerd.
* Use wrapper functions that run containerd, ctr and criclt
with properly quoted paths to pipes, sockets, state and root dirs.
Currently, if the state and root dirs contain spaces in them, the
command line flags on both Windows and Linux are not properly set.
The wrapper functions will allow us to use the readiness_check
and keepalive functions to retry the commands, while properly
quoting the paths and avoiding eval.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
OCI hooks aren't implemented on Windows. The test will, and has been,
actuallyrunning fine on Windows because the Github runners seem to have
a 'ps' binary in the users PATH, but there's not any actual hook
functionality being tested as any of the OCI fields are ignored for
Windows containers.
Signed-off-by: Daniel Canter <dcanter@microsoft.com>
The ability to handle KVM based runtimes with SELinux has been added as
part of d715d00906.
However, that commit introduced some logic to check whether the
"container_kvm_t" label would or not be present in the system, and while
the intentions were good, there's two major issues with the approach:
1. Inspecting "/etc/selinux/targeted/contexts/customizable_types" is not
the way to go, as it doesn't list the "container_kvm_t" at all.
2. There's no need to check for the label, as if the label is invalid an
"Invalid Label" error will be returned and that's it.
With those two in mind, let's simplify the logic behind setting the
"container_kvm_t" label, removing all the unnecessary code.
Here's an output of VMM process running, considering:
* The state before this patch:
```
$ containerd --version
containerd github.com/containerd/containerd v1.6.0-beta.3-88-g7fa44fc98 7fa44fc98f
$ kubectl apply -f ~/simple-pod.yaml
pod/nginx created
$ ps -auxZ | grep cloud-hypervisor
system_u:system_r:container_runtime_t:s0 root 609717 4.0 0.5 2987512 83588 ? Sl 08:32 0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/be9d5cbabf440510d58d89fc8a8e77c27e96ddc99709ecaf5ab94c6b6b0d4c89/clh-api.sock
```
* The state after this patch:
```
$ containerd --version
containerd github.com/containerd/containerd v1.6.0-beta.3-89-ga5f2113c9 a5f2113c9fc15b19b2c364caaedb99c22de4eb32
$ kubectl apply -f ~/simple-pod.yaml
pod/nginx created
$ ps -auxZ | grep cloud-hypervisor
system_u:system_r:container_kvm_t:s0:c638,c999 root 614842 14.0 0.5 2987512 83228 ? Sl 08:40 0:00 /usr/bin/cloud-hypervisor --api-socket /run/vc/vm/f8ff838afdbe0a546f6995fe9b08e0956d0d0cdfe749705d7ce4618695baa68c/clh-api.sock
```
Note, the tests were performed using the following configuration snippet:
```
[plugins]
[plugins.cri]
enable_selinux = true
[plugins.cri.containerd]
[plugins.cri.containerd.runtimes]
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
privileged_without_host_devices = true
```
And using the following pod yaml:
```
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
runtimeClassName: kata
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
Fixes: #6371
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
