github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
9478c4b01f5c6324e3e850586a64f843a7b51f57
kubernetes/pkg/kubelet/dockershim
History
Kubernetes Submit Queue b600533794 Merge pull request #36423 from Random-Liu/support-root-nobody 
Automatic merge from submit-queue

CRI: Support string user name.

https://github.com/kubernetes/kubernetes/pull/33239 and https://github.com/kubernetes/kubernetes/pull/34811 combined together broke the cri e2e test. https://k8s-testgrid.appspot.com/google-gce#gci-gce-cri

The reason is that:
1) In dockershim and dockertools, we assume that `Image.Config.User` should be an integer. However, sometimes when user build the image with `USER nobody:nobody` or `USER root:root`, the field will become `nobody:nobody` and `root:root`. This makes dockershim to always return error.
2) The new kube-dns-autoscaler image is using `USER nobody:nobody`. (See https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/blob/master/Dockerfile.in#L21)

This doesn't break the normal e2e test, because in dockertools [we only inspect image uid if `RunAsNonRoot` is set](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockertools/docker_manager.go#L2333-L2338), which is just a coincidence. However, in kuberuntime, [we always inspect image uid first](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/kuberuntime_container.go#L141).

This PR adds literal `root` and `nobody` support. One problem is that `nobody` is not quite the same in different OS distros. Usually it should be `65534`, but some os distro doesn't follow that. For example, Fedora is using `99`. (See https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date)

Possible solution:
* Option 1: ~~Just use `65534`. This is fine because currently we only need to know whether the user is root or not.~~ Actually, we need to pass the user id to runtime when creating a container.
* Option 2: Return the uid as string in CRI, and let kuberuntime handle the string directly.

This PR is using option 1.

@yujuhong @feiskyer 
/cc @kubernetes/sig-node
/cc @MrHohn
2016-11-08 20:24:31 -08:00
..
cm
Fix build break on non-Linux OS introduced in 87aaf4c0
2016-11-02 12:27:11 +02:00
remote
Add Status implementation.
2016-11-05 00:02:05 -07:00
BUILD
run hack/update-bazel.sh
2016-11-07 11:07:56 +08:00
convert_test.go
CRI: Rename container/sandbox states
2016-11-01 13:18:21 -07:00
convert.go
Add non-numeric user name support.
2016-11-08 16:07:29 -08:00
doc.go
Add a dockershim package
2016-07-27 18:30:25 -07:00
docker_container_test.go
CRI: Rename container/sandbox states
2016-11-01 13:18:21 -07:00
docker_container.go
Add security context support in dockershim
2016-11-07 11:07:56 +08:00
docker_image_test.go
* Add docker pullable support.
2016-10-12 09:21:10 -07:00
docker_image.go
* Add docker pullable support.
2016-10-12 09:21:10 -07:00
docker_sandbox_test.go
Add security context support in dockershim
2016-11-07 11:07:56 +08:00
docker_sandbox.go
Add security context support in dockershim
2016-11-07 11:07:56 +08:00
docker_service_test.go
Populate NetworkReady Status.
2016-11-05 00:02:05 -07:00
docker_service.go
Populate NetworkReady Status.
2016-11-05 00:02:05 -07:00
docker_streaming.go
Add timeout argument to ExecInContainer
2016-11-07 13:00:59 +01:00
helpers_test.go
Add sysctls for dockershim
2016-10-25 11:24:31 +08:00
helpers.go
cleanup TODOs in dockershim
2016-11-07 11:41:06 +08:00
legacy.go
dockershim: remove unused GetContainerLogs method
2016-11-03 17:27:18 -07:00
naming_test.go
dockershim: utilize the Metadata in container names
2016-09-12 10:58:21 -07:00
naming.go
* Add docker pullable support.
2016-10-12 09:21:10 -07:00
security_context_test.go
Add non-numeric user name support.
2016-11-08 16:07:29 -08:00
security_context.go
Add non-numeric user name support.
2016-11-08 16:07:29 -08:00