Commit graph

152 commits

Author SHA1 Message Date
Michael Crosby
71e8d765df set +x on overlay fs dirs
We need to set +x on the overlay dirs or after dropping from root to a
non-root user an eperm will happen on exec or other file access

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-24 12:55:35 -07:00
Michael Crosby
597815af7e Generate spec based on image config
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-23 15:40:09 -07:00
Stephen J Day
e1a361bff2
cmd/dist, remotes: break out docker resolver
Allow usage of the experimental docker resolver as a package. There are
very few changes to the consuming code, demonstrating the effectiveness
of the abstraction. This move will allow future contributions to a more
featured resolver implementation.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-22 14:14:01 -07:00
Stephen J Day
1f21fb7f8b
cmd/dist: show real image size in list
As a demonstration of the power of the visitor implementation, we now
report the image size in the `dist images` command. This is the size of
the packed resources as would be pushed into a remote. A similar method
could be added to calculate the unpacked size.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-22 13:53:58 -07:00
Michael Crosby
5e5479718c Merge pull request #619 from crosbymichael/no-shim
Add `no_shim` config for not running with a shim
2017-03-22 13:49:03 -07:00
Michael Crosby
f36feb2ed4 Add prometheus container level metrics
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-22 11:44:25 -07:00
Michael Crosby
977939850b Update runtime spec to 035da1dca3dfbb00d752eb58b0b
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-22 11:44:25 -07:00
Michael Crosby
ddbeb9f936 Add monitor plugin loading
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-22 11:44:05 -07:00
Derek McGowan
65e2c02ee1 Merge pull request #650 from stevvooe/move-image-to-images
images: move image package to images
2017-03-21 23:39:23 -07:00
Stephen J Day
39da6ff879
images: move image package to images
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-21 17:36:37 -07:00
Derek McGowan
26fe49a7bc Merge pull request #647 from otsneh/spec-values-fix
Update shim exec rpc to take fewer args
2017-03-21 17:03:04 -07:00
Ophir Sneh
87f94bf79b Update shim exec rpc to take fewer args
Signed-off-by: Ophir Sneh <otsneh@gmail.com>
2017-03-21 15:34:02 -07:00
Stephen J Day
e53539c58f
cmd/dist, cmd/ctr: end to end image pull
With this changeset, we now have a proof of concept of end to end pull.
Up to this point, the relationship between subsystems has been somewhat
theoretical. We now leverage fetching, the snapshot drivers, the rootfs
service, image metadata and the execution service, validating the proposed
model for containerd. There are a few caveats, including the need to move some
of the access into GRPC services, but the basic components are there.

The first command we will cover here is `dist pull`. This is the analog
of `docker pull` and `git pull`. It performs a full resource fetch for
an image and unpacks the root filesystem into the snapshot drivers. An
example follows:

``` console
$ sudo ./bin/dist pull docker.io/library/redis:latest
docker.io/library/redis:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:4c8fb09e8d634ab823b1c125e64f0e1ceaf216025aa38283ea1b42997f1e8059: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3b281f2bcae3b25c701d53a219924fffe79bdb74385340b73a539ed4020999c4:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:e4a35914679d05d25e2fccfd310fde1aa59ffbbf1b0b9d36f7b03db5ca0311b0:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4b7726832aec75f0a742266c7190c4d2217492722dfd603406208eaa902648d8:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:338a7133395941c85087522582af182d2f6477dbf54ba769cb24ec4fd91d728f:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:83f12ff60ff1132d1e59845e26c41968406b4176c1a85a50506c954696b21570:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:693502eb7dfbc6b94964ae66ebc72d3e32facd981c72995b09794f1e87bac184:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:622732cddc347afc9360b4b04b46c6f758191a1dc73d007f95548658847ee67e:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:19a7e34366a6f558336c364693df538c38307484b729a36fede76432789f084f:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.6 s                                                                    total:   0.0 B (0.0 B/s)
INFO[0001] unpacking rootfs
```

Note that we haven't integrated rootfs unpacking into the status output, but we
pretty much have what is in docker today (:P). We can see the result of our pull
with the following:

```console
$ sudo ./bin/dist images
REF                            TYPE                                                 DIGEST                                                                  SIZE
docker.io/library/redis:latest application/vnd.docker.distribution.manifest.v2+json sha256:4c8fb09e8d634ab823b1c125e64f0e1ceaf216025aa38283ea1b42997f1e8059 1.8 kB
```

The above shows that we have an image called "docker.io/library/redis:latest"
mapped to the given digest marked with a specific format. We get the size of
the manifest right now, not the full image, but we can add more as we need it.
For the most part, this is all that is needed, but a few tweaks to the model
for naming may need to be added. Specifically, we may want to index under a few
different names, including those qualified by hash or matched by tag versions.
We can do more work in this area as we develop the metadata store.

The name shown above can then be used to run the actual container image. We can
do this with the following command:

```console
$ sudo ./bin/ctr run --id foo docker.io/library/redis:latest /usr/local/bin/redis-server
1:C 17 Mar 17:20:25.316 # Warning: no config file specified, using the default config. In order to specify a config file use /usr/local/bin/redis-server /path/to/redis.conf
1:M 17 Mar 17:20:25.317 * Increased maximum number of open files to 10032 (it was originally set to 1024).
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 3.2.8 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 1
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           http://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'

1:M 17 Mar 17:20:25.326 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:M 17 Mar 17:20:25.326 # Server started, Redis version 3.2.8
1:M 17 Mar 17:20:25.326 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1:M 17 Mar 17:20:25.326 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
1:M 17 Mar 17:20:25.326 * The server is now ready to accept connections on port 6379
```

Wow! So, now we are running `redis`!

There are still a few things to work out. Notice that we have to specify the
command as part of the arguments to `ctr run`. This is because are not yet
reading the image config and converting it to an OCI runtime config. With the
base laid in this PR, adding such functionality should be straightforward.

While this is a _little_ messy, this is great progress. It should be easy
sailing from here.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-21 13:08:23 -07:00
Stephen J Day
5a3151eefc
cmd/dist, image, remotes: introduce image handlers
With this PR, we introduce the concept of image handlers. They support
walking a tree of image resource descriptors for doing various tasks
related to processing them. Handlers can be dispatched sequentially or
in parallel and can be stacked for various effects.

The main functionality we introduce here is parameterized fetch without
coupling format resolution to the process itself. Two important
handlers, `remotes.FetchHandler` and `image.ChildrenHandler` can be
composed to implement recursive fetch with full status reporting. The
approach can also be modified to filter based on platform or other
constraints, unlocking a lot of possibilities.

This also includes some light refactoring in the fetch command, in
preparation for submission of end to end pull.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-17 15:47:50 -07:00
Stephen Day
bb3fbded9c Merge pull request #632 from dmcgowan/rootfs-fixes
Fix rootfs digest computation
2017-03-16 12:04:49 -07:00
Akihiro Suda
6089c1525b new package: compression (ported from docker/pkg/archive)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-03-16 05:29:27 +00:00
Derek McGowan
4492a2cee3
Fix rootfs digest computation
Compute digest from uncompressed archive.
Properly propagate error on unpack.
Rename dist cmd commands to match command name.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 17:17:25 -07:00
Derek McGowan
212efa578a
Remove get function from rootfs
The service can use the snapshotter directly to get the rootfs.
Removed debug line for mount response.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 16:32:21 -07:00
Derek McGowan
b1bc82726f
Rename prepare to unpack and init to prepare
Unpack and prepare better map to the actions done by rootfs.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 16:32:21 -07:00
Derek McGowan
3a20dd41d5
Add init subcommand to rootfs
Init command gets the mounts for a given chain id and
outputs a mount command.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 16:32:21 -07:00
Derek McGowan
38a6f90f2b
Add rootfs command to dist
Commands allows preparing a rootfs from a manifest hash

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 16:32:21 -07:00
Derek McGowan
ead425f426
Add rootfs service
Add rootfs service to allow creation of rootfs from layer array

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-15 16:32:21 -07:00
Michael Crosby
f9212348e4 Add grpc prometheus metrics
This provideds generic grpc metrics via prometheus

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-14 16:16:49 -07:00
Qiang Huang
e663cbddf5 Add grpc health check service
Fixes: #615

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2017-03-14 15:39:29 +08:00
Michael Crosby
1d7fa45403 Add no_shim config for not running with a shim
This reuses the exiting shim code and services to let containerd run as
the reaper for all container processes without the use of a shim.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-10 15:28:21 -08:00
Phil Estes
7b06baa1f2 Merge pull request #616 from crosbymichael/runtime-opts
Runtime configs and global reaper
2017-03-10 14:25:19 -05:00
Michael Crosby
61263bd77e Set containerd as subreaper
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-09 16:26:14 -08:00
Michael Crosby
6d3a70eb58 Make ctr --rootfs an absolute path
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-09 16:13:23 -08:00
Michael Crosby
9f3240364f Implement reaper with runc support in shim
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-09 16:11:57 -08:00
Michael Crosby
df48983fe7 Add reaper code for daemon
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-09 16:07:35 -08:00
Stephen J Day
831f68fd71
cmd/dist, remotes: simplify resolution flow
After receiving feedback during containerd summit walk through of the
pull POC, we found that the resolution flow for names was out of place.
We could see this present in awkward places where we were trying to
re-resolve whether something was a digest or a tag and extra retries to
various endpoints.

By centering this problem around, "what do we write in the metadata
store?", the following interface comes about:

```
Resolve(ctx context.Context, ref string) (name string, desc ocispec.Descriptor, fetcher Fetcher, err error)
```

The above takes an "opaque" reference (we'll get to this later) and
returns the canonical name for the object, a content description of the
object and a `Fetcher` that can be used to retrieve the object and its
child resources. We can write `name` into the metadata store, pointing
at the descriptor. Descisions about discovery, trust, provenance,
distribution are completely abstracted away from the pulling code.

A first response to such a monstrosity is "that is a lot of return
arguments". When we look at the actual, we can see that in practice, the
usage pattern works well, albeit we don't quite demonstrate the utility
of `name`, which will be more apparent later. Designs that allowed
separate resolution of the `Fetcher` and the return of a collected
object were considered. Let's give this a chance before we go
refactoring this further.

With this change, we introduce a reference package with helps for
remotes to decompose "docker-esque" references into consituent
components, without arbitrarily enforcing those opinions on the backend.
Utlimately, the name and the reference used to qualify that name are
completely opaque to containerd. Obviously, implementors will need to
show some candor in following some conventions, but the possibilities
are fairly wide. Structurally, we still maintain the concept of the
locator and object but the interpretation is up to the resolver.

For the most part, the `dist` tool operates exactly the same, except
objects can be fetched with a reference:

```
dist fetch docker.io/library/redis:latest
```

The above should work well with a running containerd instance. I
recommend giving this a try with `fetch-object`, as well. With
`fetch-object`, it is easy for one to better understand the intricacies
of the OCI/Docker image formats.

Ultimately, this serves the main purpose of the elusive "metadata
store".

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-08 16:46:13 -08:00
Michael Crosby
fc45d9c119 Chown grpc socket based on config
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-03-08 11:42:36 -08:00
Derek McGowan
a4247e2aa9 Add snapshot plugin type
Update existing snapshot drivers to register as plugins.
Load snapshot driver at containerd startup.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-07 14:55:36 -08:00
Phil Estes
f06db40baf Merge pull request #608 from dmcgowan/move-plugins
Move plugin registration to separate package
2017-03-07 11:10:24 -05:00
Derek McGowan
0b44e24c07 Move plugin registration to separate package
Only compile in plugin support on non-windows 1.8.
Re-enable go 1.7.x tests.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-03-06 17:23:00 -08:00
Derek McGowan
7359fd0f25 Merge pull request #597 from stevvooe/pull-prototype
cmd/dist: implement fetch prototype
2017-03-06 16:39:26 -08:00
Volodymyr Burenin
72034dad40 Do not read all IO if container is not started.
Signed-off-by: Volodymyr Burenin <vburenin@gmail.com>
2017-03-06 13:47:45 -06:00
Volodymyr Burenin
2972f2728f Added new flag for 'ctr run' to specify user defined runtime.
Signed-off-by: Volodymyr Burenin <vburenin@gmail.com>
2017-03-06 13:11:31 -06:00
Stephen J Day
55a1b4eff8 cmd/dist: implement fetch prototype
With the rename of fetch to fetch-object, we now introduce the `fetch`
command. It will fetch all of the resources required for an image into
the content store. We'll still need to follow this up with metadata
registration but this is a good start.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-02 17:36:01 -08:00
Stephen J Day
ea9389d4c5
cmd/dist: default mediatypes to oci and docker
To make using the `fetch-object` for demonstrations much easier, the
mediatypes are defaulted when a non-digest object identifier is
provided. We also add support for OCI mediatypes, although they are
mostly unavailable.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-02 16:50:32 -08:00
Stephen J Day
6ab6cdce71
cmd/dist: change fetch to fetch-object command
To allow us to differentiate from fetching an image, fetch a part of an
image and pulling an image, we now call the `fetch` command the
`fetch-object` command. We can now introduce a command that does the
complete image fetch without creating snapshots, allowing `pull` to
perform the entire process.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-03-02 13:50:09 -08:00
Stephen J Day
5da4e1d0d2 services/content: move service client into package
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-28 17:12:24 -08:00
Stephen Day
4793f968e5 Merge pull request #586 from stevvooe/dist-grpc-connect
cmd/dist: add global connect-timeout for GRPC
2017-02-28 17:12:00 -08:00
Stephen J Day
0c00d4a64c
cmd/containerd: set correct module on interceptor for content
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-28 16:47:41 -08:00
Stephen J Day
d61d0b5aef
cmd/dist: add global connect-timeout for GRPC
Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-28 16:43:08 -08:00
Stephen J Day
706c629354
api/services/content: define delete method
Allow deletion of content over the GRPC interface. For now, we are going
with a model that conducts reference management outside of the content
store, in the metadata store but this design is valid either way.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-27 20:06:29 -08:00
Michael Crosby
f4715533da Merge pull request #569 from crosbymichael/linux-builtin
Change linux runtime(w shim) to builtin
2017-02-27 09:51:47 -08:00
Stephen J Day
2e0c92b168
cmd/dist/fetch: address subtle concurrency bug
When using the fetcher concurrently, the loop modifying the closed
`base` parameter was causing urls from different digests to be returned
randomly. We copy the the value and then modify it to make it work
correctly.

Luckily, we are using content addressable storage or this would have
been undetectable.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-24 18:31:26 -08:00
Michael Crosby
e04df4e3e5 Merge pull request #571 from stevvooe/use-init-func
cmd/dist: consistently replace version string
2017-02-24 16:33:13 -08:00
Stephen J Day
1cdf9dc834
cmd/dist: consistently replace version string
A previous PR placed the version string replacement in the `init`
function in the other commands. This makes this same change consistently
in the `dist` tool.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
2017-02-24 16:09:19 -08:00