kubernetes/pkg/kubelet/dockertools
Kubernetes Submit Queue b600533794 Merge pull request #36423 from Random-Liu/support-root-nobody
Automatic merge from submit-queue

CRI: Support string user name.

https://github.com/kubernetes/kubernetes/pull/33239 and https://github.com/kubernetes/kubernetes/pull/34811 combined together broke the cri e2e test. https://k8s-testgrid.appspot.com/google-gce#gci-gce-cri

The reason is that:
1) In dockershim and dockertools, we assume that `Image.Config.User` should be an integer. However, sometimes when a user builds the image with `USER nobody:nobody` or `USER root:root`, the field will become `nobody:nobody` and `root:root`. This makes dockershim always return an error.
2) The new kube-dns-autoscaler image is using `USER nobody:nobody`. (See https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/blob/master/Dockerfile.in#L21)

This doesn't break the normal e2e test, because in dockertools [we only inspect image uid if `RunAsNonRoot` is set](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/dockertools/docker_manager.go#L2333-L2338), which is just a coincidence. However, in kuberuntime, [we always inspect image uid first](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/kuberuntime_container.go#L141).

This PR adds literal `root` and `nobody` support. One problem is that `nobody` is not quite the same in different OS distros. Usually it should be `65534`, but some OS distros don't follow that. For example, Fedora is using `99`. (See https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Q5GCKZ7Q7PAUQW66EV7IBJGSRJWYXBBH/?sort=date)

Possible solutions:
* Option 1: ~~Just use `65534`. This is fine because currently we only need to know whether the user is root or not.~~ Actually, we need to pass the user id to runtime when creating a container.
* Option 2: Return the uid as string in CRI, and let kuberuntime handle the string directly.

This PR is using option 1.

@yujuhong @feiskyer 
/cc @kubernetes/sig-node
/cc @MrHohn
2016-11-08 20:24:31 -08:00

| Name | Last commit | Date |
| --- | --- | --- |
| fixtures/seccomp | Add profile unit tests | 2016-06-13 14:39:09 +02:00 |
| BUILD | Merge pull request #31707 from apprenda/windows_infra_container | 2016-11-06 01:30:11 -07:00 |
| container_gc_test.go | * Refactor kuberuntime unit test | 2016-10-24 00:03:34 -07:00 |
| container_gc.go | dockershim: implement ContainerStatus() | 2016-07-28 18:24:29 -07:00 |
| convert_test.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| convert.go | Avoiding trying to gc images with no tags which are still in use | 2016-07-27 10:31:47 -07:00 |
| docker_manager_linux.go | Fixed kubelet build. | 2016-11-01 16:34:47 -04:00 |
| docker_manager_test.go | Add non-numeric user name support. | 2016-11-08 16:07:29 -08:00 |
| docker_manager_unsupported.go | Fixed kubelet build. | 2016-11-01 16:34:47 -04:00 |
| docker_manager_windows.go | Fixed kubelet build. | 2016-11-01 16:34:47 -04:00 |
| docker_manager.go | Merge pull request #36423 from Random-Liu/support-root-nobody | 2016-11-08 20:24:31 -08:00 |
| docker_test.go | pod and qos level cgroup support | 2016-11-02 08:07:04 -04:00 |
| docker.go | pod and qos level cgroup support | 2016-11-02 08:07:04 -04:00 |
| exec.go | Add timeout argument to ExecInContainer | 2016-11-07 13:00:59 +01:00 |
| fake_docker_client.go | * Add docker pullable support. | 2016-10-12 09:21:10 -07:00 |
| fake_manager.go | Revert "Remove pod mutation for PVs with supplemental GIDs" | 2016-07-14 17:47:46 -07:00 |
| images_test.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| images.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| instrumented_docker.go | Add method to inspect Docker images by ID | 2016-10-10 15:16:58 -04:00 |
| kube_docker_client.go | * Add docker pullable support. | 2016-10-12 09:21:10 -07:00 |
| labels_test.go | Add container ports label. | 2016-08-08 18:40:18 -07:00 |
| labels.go | Add container ports label. | 2016-08-08 18:40:18 -07:00 |