kubernetes/pkg/kubelet/kuberuntime
Kubernetes Submit Queue b600533794 Merge pull request #36423 from Random-Liu/support-root-nobody
Automatic merge from submit-queue

CRI: Support string user name.

https://github.com/kubernetes/kubernetes/pull/33239 and https://github.com/kubernetes/kubernetes/pull/34811 combined together broke the cri e2e test. https://k8s-testgrid.appspot.com/google-gce#gci-gce-cri

The reason is that:
1) In dockershim and dockertools, we assume that `Image.Config.User` should be an integer. However, sometimes when a user builds the image with `USER nobody:nobody` or `USER root:root`, the field will become `nobody:nobody` and `root:root`. This makes dockershim always return an error.
2) The new kube-dns-autoscaler image is using `USER nobody:nobody`. (See https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/blob/master/Dockerfile.in#L21)

This doesn't break the normal e2e test, because in dockertools [we only inspect image uid if `RunAsNonRoot` is set](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockertools/docker_manager.go#L2333-L2338), which is just a coincidence. However, in kuberuntime, [we always inspect image uid first](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/kuberuntime_container.go#L141).

This PR adds literal `root` and `nobody` support. One problem is that `nobody` is not quite the same in different OS distros. Usually it should be `65534`, but some OS distros don't follow that. For example, Fedora is using `99`. (See https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date)

Possible solutions:
* Option 1: ~~Just use `65534`. This is fine because currently we only need to know whether the user is root or not.~~ Actually, we need to pass the user id to runtime when creating a container.
* Option 2: Return the uid as string in CRI, and let kuberuntime handle the string directly.

This PR is using option 1.

@yujuhong @feiskyer 
/cc @kubernetes/sig-node
/cc @MrHohn
2016-11-08 20:24:31 -08:00
BUILD Add non-numeric user name support. 2016-11-08 16:07:29 -08:00
doc.go Kubelet: add garbage collection for new runtime API 2016-09-14 09:09:45 +08:00
fake_kuberuntime_manager.go Add oom score adj in new CRI implementation. 2016-09-26 11:39:02 -07:00
helpers_test.go kuberuntime: include container hash in backoff keys 2016-09-23 14:52:30 -07:00
helpers.go Add non-numeric user name support. 2016-11-08 16:07:29 -08:00
instrumented_services.go Add Status implementation. 2016-11-05 00:02:05 -07:00
kuberuntime_container_test.go * Refactor kuberuntime unit test 2016-10-24 00:03:34 -07:00
kuberuntime_container.go Merge pull request #36423 from Random-Liu/support-root-nobody 2016-11-08 20:24:31 -08:00
kuberuntime_gc_test.go CRI: Rename container/sandbox states 2016-11-01 13:18:21 -07:00
kuberuntime_gc.go CRI: stop sandbox before removing it 2016-11-03 14:11:19 -07:00
kuberuntime_image_test.go Implement temporary ImageStats in kuberuntime_manager, and 2016-10-03 22:56:25 -07:00
kuberuntime_image.go * Add docker pullable support. 2016-10-12 09:21:10 -07:00
kuberuntime_logs_test.go Add unit test for kuberuntime container logs. 2016-10-26 17:37:09 -07:00
kuberuntime_logs.go Add kuberuntime container logs support. 2016-10-26 17:37:09 -07:00
kuberuntime_manager_test.go CRI: Rename container/sandbox states 2016-11-01 13:18:21 -07:00
kuberuntime_manager.go kuberuntime: remove unused GetNs code 2016-11-07 11:45:39 -08:00
kuberuntime_sandbox_test.go Symlink docker logs to CRI defined log path. 2016-10-23 19:08:47 -07:00
kuberuntime_sandbox.go Add non-numeric user name support. 2016-11-08 16:07:29 -08:00
labels_test.go Kubelet: implement labels for kuberuntime 2016-08-09 10:01:45 +08:00
labels.go Kubelet: implement GetPods for kuberuntime 2016-08-22 10:59:05 +08:00
legacy.go Add legacy container log location support. 2016-10-23 19:08:47 -07:00
security_context.go Add non-numeric user name support. 2016-11-08 16:07:29 -08:00