add basic config struct to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
This commit is contained in:
parent
f8a822e900
commit
0c8f106ee8
8 changed files with 351 additions and 208 deletions
|
@ -12,6 +12,7 @@ import (
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
"github.com/containers/storage/pkg/reexec"
|
"github.com/containers/storage/pkg/reexec"
|
||||||
|
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||||
"github.com/kubernetes-incubator/cri-o/server"
|
"github.com/kubernetes-incubator/cri-o/server"
|
||||||
"github.com/opencontainers/selinux/go-selinux"
|
"github.com/opencontainers/selinux/go-selinux"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
|
@ -24,9 +25,9 @@ const crioConfigPath = "/etc/crio/crio.conf"
|
||||||
|
|
||||||
func validateConfig(config *server.Config) error {
|
func validateConfig(config *server.Config) error {
|
||||||
switch config.ImageVolumes {
|
switch config.ImageVolumes {
|
||||||
case server.ImageVolumesMkdir:
|
case libkpod.ImageVolumesMkdir:
|
||||||
case server.ImageVolumesIgnore:
|
case libkpod.ImageVolumesIgnore:
|
||||||
case server.ImageVolumesBind:
|
case libkpod.ImageVolumesBind:
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("Unrecognized image volume type specified")
|
return fmt.Errorf("Unrecognized image volume type specified")
|
||||||
|
|
||||||
|
@ -114,7 +115,7 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
||||||
config.PluginDir = ctx.GlobalString("cni-plugin-dir")
|
config.PluginDir = ctx.GlobalString("cni-plugin-dir")
|
||||||
}
|
}
|
||||||
if ctx.GlobalIsSet("image-volumes") {
|
if ctx.GlobalIsSet("image-volumes") {
|
||||||
config.ImageVolumes = server.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
config.ImageVolumes = libkpod.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -245,7 +246,7 @@ func main() {
|
||||||
},
|
},
|
||||||
cli.Int64Flag{
|
cli.Int64Flag{
|
||||||
Name: "pids-limit",
|
Name: "pids-limit",
|
||||||
Value: server.DefaultPidsLimit,
|
Value: libkpod.DefaultPidsLimit,
|
||||||
Usage: "maximum number of processes allowed in a container",
|
Usage: "maximum number of processes allowed in a container",
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
|
@ -258,7 +259,7 @@ func main() {
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "image-volumes",
|
Name: "image-volumes",
|
||||||
Value: string(server.ImageVolumesMkdir),
|
Value: string(libkpod.ImageVolumesMkdir),
|
||||||
Usage: "image volume handling ('mkdir' or 'ignore')",
|
Usage: "image volume handling ('mkdir' or 'ignore')",
|
||||||
},
|
},
|
||||||
cli.BoolFlag{
|
cli.BoolFlag{
|
||||||
|
|
|
@ -3,6 +3,7 @@ package main
|
||||||
import (
|
import (
|
||||||
is "github.com/containers/image/storage"
|
is "github.com/containers/image/storage"
|
||||||
"github.com/containers/storage"
|
"github.com/containers/storage"
|
||||||
|
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -31,3 +32,30 @@ func getStore(c *cli.Context) (storage.Store, error) {
|
||||||
is.Transport.SetStore(store)
|
is.Transport.SetStore(store)
|
||||||
return store, nil
|
return store, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getConfig(c *cli.Context) (*libkpod.Config, error) {
|
||||||
|
config := libkpod.DefaultConfig()
|
||||||
|
if c.GlobalIsSet("config") {
|
||||||
|
err := config.FromFile(c.String("config"))
|
||||||
|
if err != nil {
|
||||||
|
return config, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if c.GlobalIsSet("root") {
|
||||||
|
config.Root = c.GlobalString("root")
|
||||||
|
}
|
||||||
|
if c.GlobalIsSet("runroot") {
|
||||||
|
config.RunRoot = c.GlobalString("runroot")
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.GlobalIsSet("storage-driver") {
|
||||||
|
config.Storage = c.GlobalString("storage-driver")
|
||||||
|
}
|
||||||
|
if c.GlobalIsSet("storage-opt") {
|
||||||
|
opts := c.GlobalStringSlice("storage-opt")
|
||||||
|
if len(opts) > 0 {
|
||||||
|
config.StorageOptions = opts
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return config, nil
|
||||||
|
}
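Review bot: `getConfig` tests `c.GlobalIsSet("config")` but reads the value with `c.String("config")`, so the check and the lookup target different flag sets; every other flag in this function is read with `GlobalString`, and with urfave/cli a non-global lookup of a global flag can come back empty depending on the library version, which would make `FromFile("")` fail with a confusing open error — use `config.FromFile(c.GlobalString("config"))`. On a parse failure the function also returns the half-populated config together with the error; return `nil, err` so a caller cannot keep running on a partially loaded config, and attach the path to the error, e.g. `return nil, fmt.Errorf("loading config %q: %v", path, err)` (that needs `fmt` in this file's imports). The `config` flag itself is declared in another file of this commit, so the flag name cannot be cross-checked from this hunk.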
|
||||||
|
|
|
@ -49,6 +49,10 @@ func main() {
|
||||||
Name: "storage-opt",
|
Name: "storage-opt",
|
||||||
Usage: "used to pass an option to the storage driver",
|
Usage: "used to pass an option to the storage driver",
|
||||||
},
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "config, c",
|
||||||
|
Usage: "path of a config file detailing container server configuration options",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
if err := app.Run(os.Args); err != nil {
|
if err := app.Run(os.Args); err != nil {
|
||||||
logrus.Fatal(err)
|
logrus.Fatal(err)
|
||||||
|
|
267
libkpod/config.go
Normal file
267
libkpod/config.go
Normal file
|
@ -0,0 +1,267 @@
|
||||||
|
package libkpod
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"io/ioutil"
|
||||||
|
|
||||||
|
"github.com/BurntSushi/toml"
|
||||||
|
"github.com/opencontainers/selinux/go-selinux"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Default paths if none are specified
|
||||||
|
const (
|
||||||
|
crioRoot = "/var/lib/containers/storage"
|
||||||
|
crioRunRoot = "/var/run/containers/storage"
|
||||||
|
conmonPath = "/usr/local/libexec/crio/conmon"
|
||||||
|
pauseImage = "kubernetes/pause"
|
||||||
|
pauseCommand = "/pause"
|
||||||
|
defaultTransport = "docker://"
|
||||||
|
seccompProfilePath = "/etc/crio/seccomp.json"
|
||||||
|
apparmorProfileName = "crio-default"
|
||||||
|
cniConfigDir = "/etc/cni/net.d/"
|
||||||
|
cniBinDir = "/opt/cni/bin/"
|
||||||
|
cgroupManager = "cgroupfs"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Config represents the entire set of configuration values that can be set for
|
||||||
|
// the server. This is intended to be loaded from a toml-encoded config file.
|
||||||
|
type Config struct {
|
||||||
|
RootConfig
|
||||||
|
RuntimeConfig
|
||||||
|
ImageConfig
|
||||||
|
NetworkConfig
|
||||||
|
}
|
||||||
|
|
||||||
|
// ImageVolumesType describes image volume handling strategies
|
||||||
|
type ImageVolumesType string
|
||||||
|
|
||||||
|
const (
|
||||||
|
// ImageVolumesMkdir option is for using mkdir to handle image volumes
|
||||||
|
ImageVolumesMkdir ImageVolumesType = "mkdir"
|
||||||
|
// ImageVolumesIgnore option is for ignoring image volumes altogether
|
||||||
|
ImageVolumesIgnore ImageVolumesType = "ignore"
|
||||||
|
// ImageVolumesBind option is for using bind mounted volumes
|
||||||
|
ImageVolumesBind ImageVolumesType = "bind"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// DefaultPidsLimit is the default value for maximum number of processes
|
||||||
|
// allowed inside a container
|
||||||
|
DefaultPidsLimit = 1024
|
||||||
|
)
|
||||||
|
|
||||||
|
// This structure is necessary to fake the TOML tables when parsing,
|
||||||
|
// while also not requiring a bunch of layered structs for no good
|
||||||
|
// reason.
|
||||||
|
|
||||||
|
// RootConfig represents the root of the "crio" TOML config table.
|
||||||
|
type RootConfig struct {
|
||||||
|
// Root is a path to the "root directory" where data not
|
||||||
|
// explicitly handled by other options will be stored.
|
||||||
|
Root string `toml:"root"`
|
||||||
|
|
||||||
|
// RunRoot is a path to the "run directory" where state information not
|
||||||
|
// explicitly handled by other options will be stored.
|
||||||
|
RunRoot string `toml:"runroot"`
|
||||||
|
|
||||||
|
// Storage is the name of the storage driver which handles actually
|
||||||
|
// storing the contents of containers.
|
||||||
|
Storage string `toml:"storage_driver"`
|
||||||
|
|
||||||
|
// StorageOption is a list of storage driver specific options.
|
||||||
|
StorageOptions []string `toml:"storage_option"`
|
||||||
|
|
||||||
|
// LogDir is the default log directory were all logs will go unless kubelet
|
||||||
|
// tells us to put them somewhere else.
|
||||||
|
LogDir string `toml:"log_dir"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// RuntimeConfig represents the "crio.runtime" TOML config table.
|
||||||
|
type RuntimeConfig struct {
|
||||||
|
// Runtime is the OCI compatible runtime used for trusted container workloads.
|
||||||
|
// This is a mandatory setting as this runtime will be the default one and
|
||||||
|
// will also be used for untrusted container workloads if
|
||||||
|
// RuntimeUntrustedWorkload is not set.
|
||||||
|
Runtime string `toml:"runtime"`
|
||||||
|
|
||||||
|
// RuntimeUntrustedWorkload is the OCI compatible runtime used for untrusted
|
||||||
|
// container workloads. This is an optional setting, except if
|
||||||
|
// DefaultWorkloadTrust is set to "untrusted".
|
||||||
|
RuntimeUntrustedWorkload string `toml:"runtime_untrusted_workload"`
|
||||||
|
|
||||||
|
// DefaultWorkloadTrust is the default level of trust crio puts in container
|
||||||
|
// workloads. This can either be "trusted" or "untrusted" and the default
|
||||||
|
// is "trusted"
|
||||||
|
// Containers can be run through different container runtimes, depending on
|
||||||
|
// the trust hints we receive from kubelet:
|
||||||
|
// - If kubelet tags a container workload as untrusted, crio will try first
|
||||||
|
// to run it through the untrusted container workload runtime. If it is not
|
||||||
|
// set, crio will use the trusted runtime.
|
||||||
|
// - If kubelet does not provide any information about the container workload trust
|
||||||
|
// level, the selected runtime will depend on the DefaultWorkloadTrust setting.
|
||||||
|
// If it is set to "untrusted", then all containers except for the host privileged
|
||||||
|
// ones, will be run by the RuntimeUntrustedWorkload runtime. Host privileged
|
||||||
|
// containers are by definition trusted and will always use the trusted container
|
||||||
|
// runtime. If DefaultWorkloadTrust is set to "trusted", crio will use the trusted
|
||||||
|
// container runtime for all containers.
|
||||||
|
DefaultWorkloadTrust string `toml:"default_workload_trust"`
|
||||||
|
|
||||||
|
// Conmon is the path to conmon binary, used for managing the runtime.
|
||||||
|
Conmon string `toml:"conmon"`
|
||||||
|
|
||||||
|
// ConmonEnv is the environment variable list for conmon process.
|
||||||
|
ConmonEnv []string `toml:"conmon_env"`
|
||||||
|
|
||||||
|
// SELinux determines whether or not SELinux is used for pod separation.
|
||||||
|
SELinux bool `toml:"selinux"`
|
||||||
|
|
||||||
|
// SeccompProfile is the seccomp json profile path which is used as the
|
||||||
|
// default for the runtime.
|
||||||
|
SeccompProfile string `toml:"seccomp_profile"`
|
||||||
|
|
||||||
|
// ApparmorProfile is the apparmor profile name which is used as the
|
||||||
|
// default for the runtime.
|
||||||
|
ApparmorProfile string `toml:"apparmor_profile"`
|
||||||
|
|
||||||
|
// CgroupManager is the manager implementation name which is used to
|
||||||
|
// handle cgroups for containers.
|
||||||
|
CgroupManager string `toml:"cgroup_manager"`
|
||||||
|
|
||||||
|
// PidsLimit is the number of processes each container is restricted to
|
||||||
|
// by the cgroup process number controller.
|
||||||
|
PidsLimit int64 `toml:"pids_limit"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// ImageConfig represents the "crio.image" TOML config table.
|
||||||
|
type ImageConfig struct {
|
||||||
|
// DefaultTransport is a value we prefix to image names that fail to
|
||||||
|
// validate source references.
|
||||||
|
DefaultTransport string `toml:"default_transport"`
|
||||||
|
// PauseImage is the name of an image which we use to instantiate infra
|
||||||
|
// containers.
|
||||||
|
PauseImage string `toml:"pause_image"`
|
||||||
|
// PauseCommand is the path of the binary we run in an infra
|
||||||
|
// container that's been instantiated using PauseImage.
|
||||||
|
PauseCommand string `toml:"pause_command"`
|
||||||
|
// SignaturePolicyPath is the name of the file which decides what sort
|
||||||
|
// of policy we use when deciding whether or not to trust an image that
|
||||||
|
// we've pulled. Outside of testing situations, it is strongly advised
|
||||||
|
// that this be left unspecified so that the default system-wide policy
|
||||||
|
// will be used.
|
||||||
|
SignaturePolicyPath string `toml:"signature_policy"`
|
||||||
|
// InsecureRegistries is a list of registries that must be contacted w/o
|
||||||
|
// TLS verification.
|
||||||
|
InsecureRegistries []string `toml:"insecure_registries"`
|
||||||
|
// ImageVolumes controls how volumes specified in image config are handled
|
||||||
|
ImageVolumes ImageVolumesType `toml:"image_volumes"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// NetworkConfig represents the "crio.network" TOML config table
|
||||||
|
type NetworkConfig struct {
|
||||||
|
// NetworkDir is where CNI network configuration files are stored.
|
||||||
|
NetworkDir string `toml:"network_dir"`
|
||||||
|
|
||||||
|
// PluginDir is where CNI plugin binaries are stored.
|
||||||
|
PluginDir string `toml:"plugin_dir"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// tomlConfig is another way of looking at a Config, which is
|
||||||
|
// TOML-friendly (it has all of the explicit tables). It's just used for
|
||||||
|
// conversions.
|
||||||
|
type tomlConfig struct {
|
||||||
|
Crio struct {
|
||||||
|
RootConfig
|
||||||
|
Runtime struct{ RuntimeConfig } `toml:"runtime"`
|
||||||
|
Image struct{ ImageConfig } `toml:"image"`
|
||||||
|
Network struct{ NetworkConfig } `toml:"network"`
|
||||||
|
} `toml:"crio"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *tomlConfig) toConfig(c *Config) {
|
||||||
|
c.RootConfig = t.Crio.RootConfig
|
||||||
|
c.RuntimeConfig = t.Crio.Runtime.RuntimeConfig
|
||||||
|
c.ImageConfig = t.Crio.Image.ImageConfig
|
||||||
|
c.NetworkConfig = t.Crio.Network.NetworkConfig
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *tomlConfig) fromConfig(c *Config) {
|
||||||
|
t.Crio.RootConfig = c.RootConfig
|
||||||
|
t.Crio.Runtime.RuntimeConfig = c.RuntimeConfig
|
||||||
|
t.Crio.Image.ImageConfig = c.ImageConfig
|
||||||
|
t.Crio.Network.NetworkConfig = c.NetworkConfig
|
||||||
|
}
|
||||||
|
|
||||||
|
// FromFile populates the Config from the TOML-encoded file at the given path.
|
||||||
|
// Returns errors encountered when reading or parsing the files, or nil
|
||||||
|
// otherwise.
|
||||||
|
func (c *Config) FromFile(path string) error {
|
||||||
|
data, err := ioutil.ReadFile(path)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
t := new(tomlConfig)
|
||||||
|
t.fromConfig(c)
|
||||||
|
|
||||||
|
_, err = toml.Decode(string(data), t)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
t.toConfig(c)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ToFile outputs the given Config as a TOML-encoded file at the given path.
|
||||||
|
// Returns errors encountered when generating or writing the file, or nil
|
||||||
|
// otherwise.
|
||||||
|
func (c *Config) ToFile(path string) error {
|
||||||
|
var w bytes.Buffer
|
||||||
|
e := toml.NewEncoder(&w)
|
||||||
|
|
||||||
|
t := new(tomlConfig)
|
||||||
|
t.fromConfig(c)
|
||||||
|
|
||||||
|
if err := e.Encode(*t); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ioutil.WriteFile(path, w.Bytes(), 0644)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DefaultConfig returns the default configuration for crio.
|
||||||
|
func DefaultConfig() *Config {
|
||||||
|
return &Config{
|
||||||
|
RootConfig: RootConfig{
|
||||||
|
Root: crioRoot,
|
||||||
|
RunRoot: crioRunRoot,
|
||||||
|
LogDir: "/var/log/crio/pods",
|
||||||
|
},
|
||||||
|
RuntimeConfig: RuntimeConfig{
|
||||||
|
Runtime: "/usr/bin/runc",
|
||||||
|
RuntimeUntrustedWorkload: "",
|
||||||
|
DefaultWorkloadTrust: "trusted",
|
||||||
|
|
||||||
|
Conmon: conmonPath,
|
||||||
|
ConmonEnv: []string{
|
||||||
|
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
||||||
|
},
|
||||||
|
SELinux: selinux.GetEnabled(),
|
||||||
|
SeccompProfile: seccompProfilePath,
|
||||||
|
ApparmorProfile: apparmorProfileName,
|
||||||
|
CgroupManager: cgroupManager,
|
||||||
|
PidsLimit: DefaultPidsLimit,
|
||||||
|
},
|
||||||
|
ImageConfig: ImageConfig{
|
||||||
|
DefaultTransport: defaultTransport,
|
||||||
|
PauseImage: pauseImage,
|
||||||
|
PauseCommand: pauseCommand,
|
||||||
|
SignaturePolicyPath: "",
|
||||||
|
ImageVolumes: ImageVolumesMkdir,
|
||||||
|
},
|
||||||
|
NetworkConfig: NetworkConfig{
|
||||||
|
NetworkDir: cniConfigDir,
|
||||||
|
PluginDir: cniBinDir,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
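Review bot: `FromFile` discards the `toml.MetaData` returned by `toml.Decode`, so a mistyped key in the config file — `seccomp_profil`, or `insecure_registries` placed under the wrong table — is silently ignored and the daemon runs with the built-in default for that setting instead of what the operator wrote; for a file that carries the seccomp profile, AppArmor profile, signature policy and insecure-registry list that is a security-relevant failure mode. Keep the metadata and reject, or at the very least log, `md.Undecoded()`; the rewrite below needs `fmt` added to this file's imports. `ToFile` writes with mode `0644`, which is fine for a config that holds no secrets, but a one-line comment saying so would stop the next reader from tightening it on reflex.
```go
	md, err := toml.Decode(string(data), t)
	if err != nil {
		return err
	}
	// Reject keys the config structs do not know about: a typo would
	// otherwise silently leave the default in place for that setting.
	if undecoded := md.Undecoded(); len(undecoded) > 0 {
		return fmt.Errorf("unrecognized keys in config file %s: %v", path, undecoded)
	}
	// … unchanged: t.toConfig(c); return nil …
```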
|
|
@ -29,6 +29,7 @@ type ContainerServer struct {
|
||||||
imageContext *types.SystemContext
|
imageContext *types.SystemContext
|
||||||
stateLock sync.Locker
|
stateLock sync.Locker
|
||||||
state *containerServerState
|
state *containerServerState
|
||||||
|
config *Config
|
||||||
}
|
}
|
||||||
|
|
||||||
// Runtime returns the oci runtime for the ContainerServer
|
// Runtime returns the oci runtime for the ContainerServer
|
||||||
|
@ -71,8 +72,32 @@ func (c *ContainerServer) ImageContext() *types.SystemContext {
|
||||||
return c.imageContext
|
return c.imageContext
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Config gets the configuration for the ContainerServer
|
||||||
|
func (c *ContainerServer) Config() *Config {
|
||||||
|
return c.config
|
||||||
|
}
|
||||||
|
|
||||||
// New creates a new ContainerServer with options provided
|
// New creates a new ContainerServer with options provided
|
||||||
func New(runtime *oci.Runtime, store cstorage.Store, imageService storage.ImageServer, signaturePolicyPath string) *ContainerServer {
|
func New(config *Config) (*ContainerServer, error) {
|
||||||
|
store, err := cstorage.GetStore(cstorage.StoreOptions{
|
||||||
|
RunRoot: config.RunRoot,
|
||||||
|
GraphRoot: config.Root,
|
||||||
|
GraphDriverName: config.Storage,
|
||||||
|
GraphDriverOptions: config.StorageOptions,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
imageService, err := storage.GetImageService(store, config.DefaultTransport, config.InsecureRegistries)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
runtime, err := oci.New(config.Runtime, config.RuntimeUntrustedWorkload, config.DefaultWorkloadTrust, config.Conmon, config.ConmonEnv, config.CgroupManager)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
return &ContainerServer{
|
return &ContainerServer{
|
||||||
runtime: runtime,
|
runtime: runtime,
|
||||||
store: store,
|
store: store,
|
||||||
|
@ -81,13 +106,14 @@ func New(runtime *oci.Runtime, store cstorage.Store, imageService storage.ImageS
|
||||||
ctrIDIndex: truncindex.NewTruncIndex([]string{}),
|
ctrIDIndex: truncindex.NewTruncIndex([]string{}),
|
||||||
podNameIndex: registrar.NewRegistrar(),
|
podNameIndex: registrar.NewRegistrar(),
|
||||||
podIDIndex: truncindex.NewTruncIndex([]string{}),
|
podIDIndex: truncindex.NewTruncIndex([]string{}),
|
||||||
imageContext: &types.SystemContext{SignaturePolicyPath: signaturePolicyPath},
|
imageContext: &types.SystemContext{SignaturePolicyPath: config.SignaturePolicyPath},
|
||||||
stateLock: new(sync.Mutex),
|
stateLock: new(sync.Mutex),
|
||||||
state: &containerServerState{
|
state: &containerServerState{
|
||||||
containers: oci.NewMemoryStore(),
|
containers: oci.NewMemoryStore(),
|
||||||
sandboxes: make(map[string]*sandbox.Sandbox),
|
sandboxes: make(map[string]*sandbox.Sandbox),
|
||||||
},
|
},
|
||||||
}
|
config: config,
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// ContainerStateFromDisk retrieves information on the state of a running container
|
// ContainerStateFromDisk retrieves information on the state of a running container
|
||||||
|
|
197
server/config.go
197
server/config.go
|
@ -5,76 +5,14 @@ import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
|
||||||
"github.com/BurntSushi/toml"
|
"github.com/BurntSushi/toml"
|
||||||
"github.com/opencontainers/selinux/go-selinux"
|
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||||
)
|
|
||||||
|
|
||||||
// Default paths if none are specified
|
|
||||||
const (
|
|
||||||
crioRoot = "/var/lib/containers/storage"
|
|
||||||
crioRunRoot = "/var/run/containers/storage"
|
|
||||||
conmonPath = "/usr/local/libexec/crio/conmon"
|
|
||||||
pauseImage = "kubernetes/pause"
|
|
||||||
pauseCommand = "/pause"
|
|
||||||
defaultTransport = "docker://"
|
|
||||||
seccompProfilePath = "/etc/crio/seccomp.json"
|
|
||||||
apparmorProfileName = "crio-default"
|
|
||||||
cniConfigDir = "/etc/cni/net.d/"
|
|
||||||
cniBinDir = "/opt/cni/bin/"
|
|
||||||
cgroupManager = "cgroupfs"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// Config represents the entire set of configuration values that can be set for
|
// Config represents the entire set of configuration values that can be set for
|
||||||
// the server. This is intended to be loaded from a toml-encoded config file.
|
// the server. This is intended to be loaded from a toml-encoded config file.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
RootConfig
|
libkpod.Config
|
||||||
APIConfig
|
APIConfig
|
||||||
RuntimeConfig
|
|
||||||
ImageConfig
|
|
||||||
NetworkConfig
|
|
||||||
}
|
|
||||||
|
|
||||||
// ImageVolumesType describes image volume handling strategies
|
|
||||||
type ImageVolumesType string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// ImageVolumesMkdir option is for using mkdir to handle image volumes
|
|
||||||
ImageVolumesMkdir ImageVolumesType = "mkdir"
|
|
||||||
// ImageVolumesIgnore option is for ignoring image volumes altogether
|
|
||||||
ImageVolumesIgnore ImageVolumesType = "ignore"
|
|
||||||
// ImageVolumesBind option is for using bind mounted volumes
|
|
||||||
ImageVolumesBind ImageVolumesType = "bind"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
// DefaultPidsLimit is the default value for maximum number of processes
|
|
||||||
// allowed inside a container
|
|
||||||
DefaultPidsLimit = 1024
|
|
||||||
)
|
|
||||||
|
|
||||||
// This structure is necessary to fake the TOML tables when parsing,
|
|
||||||
// while also not requiring a bunch of layered structs for no good
|
|
||||||
// reason.
|
|
||||||
|
|
||||||
// RootConfig represents the root of the "crio" TOML config table.
|
|
||||||
type RootConfig struct {
|
|
||||||
// Root is a path to the "root directory" where data not
|
|
||||||
// explicitly handled by other options will be stored.
|
|
||||||
Root string `toml:"root"`
|
|
||||||
|
|
||||||
// RunRoot is a path to the "run directory" where state information not
|
|
||||||
// explicitly handled by other options will be stored.
|
|
||||||
RunRoot string `toml:"runroot"`
|
|
||||||
|
|
||||||
// Storage is the name of the storage driver which handles actually
|
|
||||||
// storing the contents of containers.
|
|
||||||
Storage string `toml:"storage_driver"`
|
|
||||||
|
|
||||||
// StorageOption is a list of storage driver specific options.
|
|
||||||
StorageOptions []string `toml:"storage_option"`
|
|
||||||
|
|
||||||
// LogDir is the default log directory were all logs will go unless kubelet
|
|
||||||
// tells us to put them somewhere else.
|
|
||||||
LogDir string `toml:"log_dir"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// APIConfig represents the "crio.api" TOML config table.
|
// APIConfig represents the "crio.api" TOML config table.
|
||||||
|
@ -91,105 +29,16 @@ type APIConfig struct {
|
||||||
StreamPort string `toml:"stream_port"`
|
StreamPort string `toml:"stream_port"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// RuntimeConfig represents the "crio.runtime" TOML config table.
|
|
||||||
type RuntimeConfig struct {
|
|
||||||
// Runtime is the OCI compatible runtime used for trusted container workloads.
|
|
||||||
// This is a mandatory setting as this runtime will be the default one and
|
|
||||||
// will also be used for untrusted container workloads if
|
|
||||||
// RuntimeUntrustedWorkload is not set.
|
|
||||||
Runtime string `toml:"runtime"`
|
|
||||||
|
|
||||||
// RuntimeUntrustedWorkload is the OCI compatible runtime used for untrusted
|
|
||||||
// container workloads. This is an optional setting, except if
|
|
||||||
// DefaultWorkloadTrust is set to "untrusted".
|
|
||||||
RuntimeUntrustedWorkload string `toml:"runtime_untrusted_workload"`
|
|
||||||
|
|
||||||
// DefaultWorkloadTrust is the default level of trust crio puts in container
|
|
||||||
// workloads. This can either be "trusted" or "untrusted" and the default
|
|
||||||
// is "trusted"
|
|
||||||
// Containers can be run through different container runtimes, depending on
|
|
||||||
// the trust hints we receive from kubelet:
|
|
||||||
// - If kubelet tags a container workload as untrusted, crio will try first
|
|
||||||
// to run it through the untrusted container workload runtime. If it is not
|
|
||||||
// set, crio will use the trusted runtime.
|
|
||||||
// - If kubelet does not provide any information about the container workload trust
|
|
||||||
// level, the selected runtime will depend on the DefaultWorkloadTrust setting.
|
|
||||||
// If it is set to "untrusted", then all containers except for the host privileged
|
|
||||||
// ones, will be run by the RuntimeUntrustedWorkload runtime. Host privileged
|
|
||||||
// containers are by definition trusted and will always use the trusted container
|
|
||||||
// runtime. If DefaultWorkloadTrust is set to "trusted", crio will use the trusted
|
|
||||||
// container runtime for all containers.
|
|
||||||
DefaultWorkloadTrust string `toml:"default_workload_trust"`
|
|
||||||
|
|
||||||
// Conmon is the path to conmon binary, used for managing the runtime.
|
|
||||||
Conmon string `toml:"conmon"`
|
|
||||||
|
|
||||||
// ConmonEnv is the environment variable list for conmon process.
|
|
||||||
ConmonEnv []string `toml:"conmon_env"`
|
|
||||||
|
|
||||||
// SELinux determines whether or not SELinux is used for pod separation.
|
|
||||||
SELinux bool `toml:"selinux"`
|
|
||||||
|
|
||||||
// SeccompProfile is the seccomp json profile path which is used as the
|
|
||||||
// default for the runtime.
|
|
||||||
SeccompProfile string `toml:"seccomp_profile"`
|
|
||||||
|
|
||||||
// ApparmorProfile is the apparmor profile name which is used as the
|
|
||||||
// default for the runtime.
|
|
||||||
ApparmorProfile string `toml:"apparmor_profile"`
|
|
||||||
|
|
||||||
// CgroupManager is the manager implementation name which is used to
|
|
||||||
// handle cgroups for containers.
|
|
||||||
CgroupManager string `toml:"cgroup_manager"`
|
|
||||||
|
|
||||||
// PidsLimit is the number of processes each container is restricted to
|
|
||||||
// by the cgroup process number controller.
|
|
||||||
PidsLimit int64 `toml:"pids_limit"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// ImageConfig represents the "crio.image" TOML config table.
|
|
||||||
type ImageConfig struct {
|
|
||||||
// DefaultTransport is a value we prefix to image names that fail to
|
|
||||||
// validate source references.
|
|
||||||
DefaultTransport string `toml:"default_transport"`
|
|
||||||
// PauseImage is the name of an image which we use to instantiate infra
|
|
||||||
// containers.
|
|
||||||
PauseImage string `toml:"pause_image"`
|
|
||||||
// PauseCommand is the path of the binary we run in an infra
|
|
||||||
// container that's been instantiated using PauseImage.
|
|
||||||
PauseCommand string `toml:"pause_command"`
|
|
||||||
// SignaturePolicyPath is the name of the file which decides what sort
|
|
||||||
// of policy we use when deciding whether or not to trust an image that
|
|
||||||
// we've pulled. Outside of testing situations, it is strongly advised
|
|
||||||
// that this be left unspecified so that the default system-wide policy
|
|
||||||
// will be used.
|
|
||||||
SignaturePolicyPath string `toml:"signature_policy"`
|
|
||||||
// InsecureRegistries is a list of registries that must be contacted w/o
|
|
||||||
// TLS verification.
|
|
||||||
InsecureRegistries []string `toml:"insecure_registries"`
|
|
||||||
// ImageVolumes controls how volumes specified in image config are handled
|
|
||||||
ImageVolumes ImageVolumesType `toml:"image_volumes"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// NetworkConfig represents the "crio.network" TOML config table
|
|
||||||
type NetworkConfig struct {
|
|
||||||
// NetworkDir is where CNI network configuration files are stored.
|
|
||||||
NetworkDir string `toml:"network_dir"`
|
|
||||||
|
|
||||||
// PluginDir is where CNI plugin binaries are stored.
|
|
||||||
PluginDir string `toml:"plugin_dir"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// tomlConfig is another way of looking at a Config, which is
|
// tomlConfig is another way of looking at a Config, which is
|
||||||
// TOML-friendly (it has all of the explicit tables). It's just used for
|
// TOML-friendly (it has all of the explicit tables). It's just used for
|
||||||
// conversions.
|
// conversions.
|
||||||
type tomlConfig struct {
|
type tomlConfig struct {
|
||||||
Crio struct {
|
Crio struct {
|
||||||
RootConfig
|
libkpod.RootConfig
|
||||||
API struct{ APIConfig } `toml:"api"`
|
API struct{ APIConfig } `toml:"api"`
|
||||||
Runtime struct{ RuntimeConfig } `toml:"runtime"`
|
Runtime struct{ libkpod.RuntimeConfig } `toml:"runtime"`
|
||||||
Image struct{ ImageConfig } `toml:"image"`
|
Image struct{ libkpod.ImageConfig } `toml:"image"`
|
||||||
Network struct{ NetworkConfig } `toml:"network"`
|
Network struct{ libkpod.NetworkConfig } `toml:"network"`
|
||||||
} `toml:"crio"`
|
} `toml:"crio"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -250,41 +99,11 @@ func (c *Config) ToFile(path string) error {
|
||||||
// DefaultConfig returns the default configuration for crio.
|
// DefaultConfig returns the default configuration for crio.
|
||||||
func DefaultConfig() *Config {
|
func DefaultConfig() *Config {
|
||||||
return &Config{
|
return &Config{
|
||||||
RootConfig: RootConfig{
|
Config: *libkpod.DefaultConfig(),
|
||||||
Root: crioRoot,
|
|
||||||
RunRoot: crioRunRoot,
|
|
||||||
LogDir: "/var/log/crio/pods",
|
|
||||||
},
|
|
||||||
APIConfig: APIConfig{
|
APIConfig: APIConfig{
|
||||||
Listen: "/var/run/crio.sock",
|
Listen: "/var/run/crio.sock",
|
||||||
StreamAddress: "",
|
StreamAddress: "",
|
||||||
StreamPort: "10010",
|
StreamPort: "10010",
|
||||||
},
|
},
|
||||||
RuntimeConfig: RuntimeConfig{
|
|
||||||
Runtime: "/usr/bin/runc",
|
|
||||||
RuntimeUntrustedWorkload: "",
|
|
||||||
DefaultWorkloadTrust: "trusted",
|
|
||||||
|
|
||||||
Conmon: conmonPath,
|
|
||||||
ConmonEnv: []string{
|
|
||||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
|
|
||||||
},
|
|
||||||
SELinux: selinux.GetEnabled(),
|
|
||||||
SeccompProfile: seccompProfilePath,
|
|
||||||
ApparmorProfile: apparmorProfileName,
|
|
||||||
CgroupManager: cgroupManager,
|
|
||||||
PidsLimit: DefaultPidsLimit,
|
|
||||||
},
|
|
||||||
ImageConfig: ImageConfig{
|
|
||||||
DefaultTransport: defaultTransport,
|
|
||||||
PauseImage: pauseImage,
|
|
||||||
PauseCommand: pauseCommand,
|
|
||||||
SignaturePolicyPath: "",
|
|
||||||
ImageVolumes: ImageVolumesMkdir,
|
|
||||||
},
|
|
||||||
NetworkConfig: NetworkConfig{
|
|
||||||
NetworkDir: cniConfigDir,
|
|
||||||
PluginDir: cniBinDir,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
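Review bot: `Config` now embeds `libkpod.Config`, which carries its own `FromFile`/`ToFile`, while this type keeps its own `ToFile` (visible in the last hunk header) and presumably `FromFile`; the outer methods shadow the promoted ones, so a caller holding `&config.Config` — exactly what `server.New` now hands to `libkpod.New` — gets a loader that knows nothing about the `crio.api` table. That is valid Go but easy to trip over, so add a comment on the embedding, e.g. `// libkpod.Config is embedded for its fields; the FromFile/ToFile defined on this type shadow its loaders and must stay in sync with them.` The `toConfig`/`fromConfig` helpers that have to assign every table through the embedded struct are outside the shown hunks, so whether they still cover all four tables cannot be checked here.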
|
||||||
|
|
|
@ -14,6 +14,7 @@ import (
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
"github.com/docker/docker/pkg/stringid"
|
"github.com/docker/docker/pkg/stringid"
|
||||||
"github.com/docker/docker/pkg/symlink"
|
"github.com/docker/docker/pkg/symlink"
|
||||||
|
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||||
"github.com/kubernetes-incubator/cri-o/oci"
|
"github.com/kubernetes-incubator/cri-o/oci"
|
||||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||||
|
@ -82,11 +83,11 @@ func addImageVolumes(rootfs string, s *Server, containerInfo *storage.ContainerI
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
switch s.config.ImageVolumes {
|
switch s.config.ImageVolumes {
|
||||||
case ImageVolumesMkdir:
|
case libkpod.ImageVolumesMkdir:
|
||||||
if err1 := os.MkdirAll(fp, 0644); err1 != nil {
|
if err1 := os.MkdirAll(fp, 0644); err1 != nil {
|
||||||
return err1
|
return err1
|
||||||
}
|
}
|
||||||
case ImageVolumesBind:
|
case libkpod.ImageVolumesBind:
|
||||||
volumeDirName := stringid.GenerateNonCryptoID()
|
volumeDirName := stringid.GenerateNonCryptoID()
|
||||||
src := filepath.Join(containerInfo.RunDir, "mounts", volumeDirName)
|
src := filepath.Join(containerInfo.RunDir, "mounts", volumeDirName)
|
||||||
if err1 := os.MkdirAll(src, 0644); err1 != nil {
|
if err1 := os.MkdirAll(src, 0644); err1 != nil {
|
||||||
|
@ -101,7 +102,7 @@ func addImageVolumes(rootfs string, s *Server, containerInfo *storage.ContainerI
|
||||||
|
|
||||||
logrus.Debugf("Adding bind mounted volume: %s to %s", src, dest)
|
logrus.Debugf("Adding bind mounted volume: %s to %s", src, dest)
|
||||||
specgen.AddBindMount(src, dest, []string{"rw"})
|
specgen.AddBindMount(src, dest, []string{"rw"})
|
||||||
case ImageVolumesIgnore:
|
case libkpod.ImageVolumesIgnore:
|
||||||
logrus.Debugf("Ignoring volume %v", dest)
|
logrus.Debugf("Ignoring volume %v", dest)
|
||||||
default:
|
default:
|
||||||
logrus.Fatalf("Unrecognized image volumes setting")
|
logrus.Fatalf("Unrecognized image volumes setting")
|
||||||
|
|
|
@ -471,11 +471,6 @@ func New(config *Config) (*Server, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
r, err := oci.New(config.Runtime, config.RuntimeUntrustedWorkload, config.DefaultWorkloadTrust, config.Conmon, config.ConmonEnv, config.CgroupManager)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
storageRuntimeService := storage.GetRuntimeService(imageService, config.PauseImage)
|
storageRuntimeService := storage.GetRuntimeService(imageService, config.PauseImage)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -484,8 +479,10 @@ func New(config *Config) (*Server, error) {
|
||||||
if err := os.MkdirAll("/var/run/crio", 0755); err != nil {
|
if err := os.MkdirAll("/var/run/crio", 0755); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
containerServer, err := libkpod.New(&config.Config)
|
||||||
containerServer := libkpod.New(r, store, imageService, config.SignaturePolicyPath)
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
netPlugin, err := ocicni.InitCNI(config.NetworkDir, config.PluginDir)
|
netPlugin, err := ocicni.InitCNI(config.NetworkDir, config.PluginDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|