From 7a7403ae0e38a56cca9069ea56a2933137b86829 Mon Sep 17 00:00:00 2001 From: Gianni Salinetti Date: Tue, 2 May 2017 23:03:31 +0200 Subject: [PATCH 01/24] Updated paths on tutorial.md to reflect the Makefile install configuration Signed-off-by: Gianni Salinetti --- tutorial.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tutorial.md b/tutorial.md index 584e084f..74011534 100644 --- a/tutorial.md +++ b/tutorial.md @@ -129,15 +129,15 @@ sudo make install Output: ``` -install -D -m 755 kpod /usr/bin/kpod -install -D -m 755 ocid /usr/bin/ocid -install -D -m 755 ocic /usr/bin/ocic +install -D -m 755 kpod /usr/local/bin/kpod +install -D -m 755 ocid /usr/local/bin/ocid +install -D -m 755 ocic /usr/local/bin/ocic install -D -m 755 conmon/conmon /usr/local/libexec/ocid/conmon -install -D -m 755 pause/pause /usr/libexec/ocid/pause -install -d -m 755 /usr/share/man/man{1,5,8} -install -m 644 docs/kpod.1 docs/kpod-launch.1 -t /usr/share/man/man1 -install -m 644 docs/ocid.conf.5 -t /usr/share/man/man5 -install -m 644 docs/ocid.8 -t /usr/share/man/man8 +install -D -m 755 pause/pause /usr/local/libexec/ocid/pause +install -d -m 755 /usr/local/share/man/man{1,5,8} +install -m 644 docs/kpod.1 docs/kpod-launch.1 -t /usr/local/share/man/man1 +install -m 644 docs/ocid.conf.5 -t /usr/local/share/man/man5 +install -m 644 docs/ocid.8 -t /usr/local/share/man/man8 install -D -m 644 ocid.conf /etc/ocid/ocid.conf install -D -m 644 seccomp.json /etc/ocid/seccomp.json ``` @@ -163,7 +163,7 @@ Description=OCI-based implementation of Kubernetes Container Runtime Interface Documentation=https://github.com/kubernetes-incubator/cri-o [Service] -ExecStart=/usr/bin/ocid --debug +ExecStart=/usr/local/bin/ocid --debug Restart=on-failure RestartSec=5 From a73f39acf2d48c8a0bda2230e546423b938a1cd5 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Wed, 3 May 2017 23:25:12 +0200 Subject: [PATCH 02/24] contrib: systemd: fix ocid path 
Signed-off-by: Antonio Murdaca --- contrib/systemd/ocid.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/systemd/ocid.service b/contrib/systemd/ocid.service index 62f78f28..b275d966 100644 --- a/contrib/systemd/ocid.service +++ b/contrib/systemd/ocid.service @@ -8,7 +8,7 @@ Type=notify EnvironmentFile=-/etc/sysconfig/ocid-storage EnvironmentFile=-/etc/sysconfig/ocid-network Environment=GOTRACEBACK=crash -ExecStart=/usr/bin/ocid \ +ExecStart=/usr/local/bin/ocid \ $OCID_STORAGE_OPTIONS \ $OCID_NETWORK_OPTIONS \ ExecReload=/bin/kill -s HUP $MAINPID From 715785950c3388d54b4a9b81e71d311883be2c5a Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Fri, 5 May 2017 14:49:02 +0200 Subject: [PATCH 03/24] test: use redis:alpine Signed-off-by: Antonio Murdaca --- test/helpers.bash | 10 +++++----- test/testdata/container_config.json | 2 +- test/testdata/container_config_by_imageid.json | 4 +--- test/testdata/container_config_seccomp.json | 2 +- test/testdata/container_redis.json | 2 +- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/test/helpers.bash b/test/helpers.bash index 722e1dee..7844916b 100644 --- a/test/helpers.bash +++ b/test/helpers.bash @@ -68,7 +68,7 @@ PATH=$PATH:$TESTDIR # Make sure we have a copy of the redis:latest image. if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then mkdir -p "$ARTIFACTS_PATH"/redis-image - if ! "$COPYIMG_BINARY" --import-from=docker://redis --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then + if ! "$COPYIMG_BINARY" --import-from=docker://redis:alpine --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then echo "Error pulling docker://redis" rm -fr "$ARTIFACTS_PATH"/redis-image exit 1 
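Review bot: The comment `# Make sure we have a copy of the redis:latest image.` and the message `echo "Error pulling docker://redis"` in this hunk still describe the old image, while the new `--import-from=docker://redis:alpine` pulls redis:alpine, so a pull failure will be reported under the wrong name. Update both to match what is actually pulled: `# Make sure we have a copy of the redis:alpine image.` and `echo "Error pulling docker://redis:alpine"`. The remaining image references changed in the later helpers.bash hunks are consistent; only this text is stale.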
@@ -145,7 +145,7 @@ function start_ocid() { if ! [ "$3" = "--no-pause-image" ] ; then "$BIN2IMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --source-binary "$PAUSE_BINARY" fi - "$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:latest --signature-policy="$INTEGRATION_ROOT"/policy.json + "$COPYIMG_BINARY" --root "$TESTDIR/ocid" $STORAGE_OPTS --runroot "$TESTDIR/ocid-run" --image-name=redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker://docker.io/library/redis:alpine --signature-policy="$INTEGRATION_ROOT"/policy.json "$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$OCID_CONFIG # Prepare the CNI configuration files, we're running with non host networking by default @@ -154,11 +154,11 @@ function start_ocid() { "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$! wait_until_reachable - run ocic image status --id=redis + run ocic image status --id=redis:alpine if [ "$status" -ne 0 ] ; then - ocic image pull redis:latest + ocic image pull redis:alpine fi - REDIS_IMAGEID=$(ocic image status --id=redis | head -1 | sed -e "s/ID: //g") + REDIS_IMAGEID=$(ocic image status --id=redis:alpine | head -1 | sed -e "s/ID: //g") run ocic image status --id=busybox if [ "$status" -ne 0 ] ; then ocic image pull busybox:latest diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json index 3ab8fb8d..9b09a0d5 100644 --- a/test/testdata/container_config.json +++ b/test/testdata/container_config.json 
@@ -4,7 +4,7 @@ "attempt": 1 }, "image": { - "image": "docker://redis:latest" + "image": "redis:alpine" }, "command": [ "/bin/ls" diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json index 5c87e7a5..1062c7e2 100644 --- a/test/testdata/container_config_by_imageid.json +++ b/test/testdata/container_config_by_imageid.json @@ -7,11 +7,9 @@ "image": "%VALUE%" }, "command": [ - "/bin/bash" - ], - "args": [ "/bin/ls" ], + "args": [], "working_dir": "/", "envs": [ { diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json index 027c25e1..948944b0 100644 --- a/test/testdata/container_config_seccomp.json +++ b/test/testdata/container_config_seccomp.json @@ -4,7 +4,7 @@ "attempt": 1 }, "image": { - "image": "docker://redis:latest" + "image": "redis:alpine" }, "command": [ "/bin/bash" diff --git a/test/testdata/container_redis.json b/test/testdata/container_redis.json index 839ca746..96a22ac9 100644 --- a/test/testdata/container_redis.json +++ b/test/testdata/container_redis.json @@ -3,7 +3,7 @@ "name": "podsandbox1-redis" }, "image": { - "image": "docker://redis:latest" + "image": "redis:alpine" }, "args": [ "docker-entrypoint.sh", From 139b16bac2eff3942b3f5295bf1966d5bfda6f79 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Fri, 5 May 2017 12:14:34 +0200 Subject: [PATCH 04/24] server: fix set caps on container create Signed-off-by: Antonio Murdaca --- server/container_create.go | 10 ++++- test/testdata/container_config.json | 40 +++++++----------- .../testdata/container_config_by_imageid.json | 40 +++++++----------- test/testdata/container_config_logging.json | 42 ++++++++----------- test/testdata/container_config_seccomp.json | 40 +++++++----------- test/testdata/container_exit_test.json | 8 +--- test/testdata/container_redis.json | 14 +++---- 7 files changed, 80 insertions(+), 114 deletions(-) 
diff --git a/server/container_create.go b/server/container_create.go index a25c8c83..38fc3c6f 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, } capabilities := linux.GetSecurityContext().GetCapabilities() + toCAPPrefixed := func(cap string) string { + if !strings.HasPrefix(strings.ToLower(cap), "cap_") { + return "CAP_" + cap + } + return cap + } if capabilities != nil { addCaps := capabilities.AddCapabilities if addCaps != nil { for _, cap := range addCaps { - if err := specgen.AddProcessCapability(cap); err != nil { + if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil { return nil, err } } @@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, dropCaps := capabilities.DropCapabilities if dropCaps != nil { for _, cap := range dropCaps { - if err := specgen.DropProcessCapability(cap); err != nil { + if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil { return nil, err } } diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json index 9b09a0d5..fecc72eb 100644 --- a/test/testdata/container_config.json +++ b/test/testdata/container_config.json @@ -51,30 +51,22 @@ "memory_limit_in_bytes": 88000000, "oom_score_adj": 30 }, - "capabilities": { - "add_capabilities": [ - "setuid", - "setgid" - ], - "drop_capabilities": [ - "audit_write", - "audit_read" - ] - }, - "selinux_options": { - "user": "system_u", - "role": "system_r", - "type": "container_t", - "level": "s0:c4,c5" - }, - "user": { - "uid": 5, - "gid": 300, - "additional_gids": [ - 400, - 401, - 402 - ] + "security_context": { + "capabilities": { + "add_capabilities": [ + "setuid", + "setgid" + ], + "drop_capabilities": [ + "audit_read" + ] + }, + "selinux_options": { + "user": "system_u", + "role": "system_r", + "type": "container_t", + "level": "s0:c4,c5" + } } } } 
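Review bot: `toCAPPrefixed` in the @@ -400 hunk normalizes inconsistently: `setuid` becomes `CAP_setuid`, while an input that already starts with `cap_` in any case is returned untouched, so the value handed to `AddProcessCapability`/`DropProcessCapability` depends on how the caller spelled the prefix. Unless the generator is known to upper-case its argument, normalize the whole string: `c := strings.ToUpper(cap); if !strings.HasPrefix(c, "CAP_") { c = "CAP_" + c }; return c`. The parameter name `cap` also shadows the builtin; `name` reads better. The same helper is used by the @@ -413 hunk, and createSandboxContainer begins and ends outside both hunks.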
diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json index 1062c7e2..7bed4b4f 100644 --- a/test/testdata/container_config_by_imageid.json +++ b/test/testdata/container_config_by_imageid.json @@ -51,30 +51,22 @@ "memory_limit_in_bytes": 88000000, "oom_score_adj": 30 }, - "capabilities": { - "add_capabilities": [ - "setuid", - "setgid" - ], - "drop_capabilities": [ - "audit_write", - "audit_read" - ] - }, - "selinux_options": { - "user": "system_u", - "role": "system_r", - "type": "container_t", - "level": "s0:c4,c5" - }, - "user": { - "uid": 5, - "gid": 300, - "additional_gids": [ - 400, - 401, - 402 - ] + "security_context": { + "capabilities": { + "add_capabilities": [ + "setuid", + "setgid" + ], + "drop_capabilities": [ + "audit_read" + ] + }, + "selinux_options": { + "user": "system_u", + "role": "system_r", + "type": "container_t", + "level": "s0:c4,c5" + } } } } diff --git a/test/testdata/container_config_logging.json b/test/testdata/container_config_logging.json index 2d48747c..018f9539 100644 --- a/test/testdata/container_config_logging.json +++ b/test/testdata/container_config_logging.json @@ -4,7 +4,7 @@ "attempt": 1 }, "image": { - "image": "docker://busybox:latest" + "image": "busybox:latest" }, "command": [ "/bin/sh", "-c" @@ -53,30 +53,22 @@ "memory_limit_in_bytes": 88000000, "oom_score_adj": 30 }, - "capabilities": { - "add_capabilities": [ - "setuid", - "setgid" - ], - "drop_capabilities": [ - "audit_write", - "audit_read" - ] - }, - "selinux_options": { - "user": "system_u", - "role": "system_r", - "type": "container_t", - "level": "s0:c4,c5" - }, - "user": { - "uid": 5, - "gid": 300, - "additional_gids": [ - 400, - 401, - 402 - ] + "security_context": { + "capabilities": { + "add_capabilities": [ + "setuid", + "setgid" + ], + "drop_capabilities": [ + "audit_read" + ] + }, + "selinux_options": { + "user": "system_u", + "role": "system_r", + "type": "container_t", + "level": "s0:c4,c5" + } } } } 
diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json index 948944b0..e62be3c1 100644 --- a/test/testdata/container_config_seccomp.json +++ b/test/testdata/container_config_seccomp.json @@ -53,30 +53,22 @@ "memory_limit_in_bytes": 88000000, "oom_score_adj": 30 }, - "capabilities": { - "add_capabilities": [ - "setuid", - "setgid" - ], - "drop_capabilities": [ - "audit_write", - "audit_read" - ] - }, - "selinux_options": { - "user": "system_u", - "role": "system_r", - "type": "svirt_lxc_net_t", - "level": "s0:c4-c5" - }, - "user": { - "uid": 5, - "gid": 300, - "additional_gids": [ - 400, - 401, - 402 - ] + "security_context": { + "capabilities": { + "add_capabilities": [ + "setuid", + "setgid" + ], + "drop_capabilities": [ + "audit_read" + ] + }, + "selinux_options": { + "user": "system_u", + "role": "system_r", + "type": "svirt_lxc_net_t", + "level": "s0:c4-c5" + } } } } diff --git a/test/testdata/container_exit_test.json b/test/testdata/container_exit_test.json index bca99fb7..6ead905a 100644 --- a/test/testdata/container_exit_test.json +++ b/test/testdata/container_exit_test.json @@ -18,11 +18,5 @@ "log_path": "", "stdin": false, "stdin_once": false, - "tty": false, - "linux": { - "user": { - "uid": 0, - "gid": 0 - } - } + "tty": false } diff --git a/test/testdata/container_redis.json b/test/testdata/container_redis.json index 96a22ac9..7c63a3c3 100644 --- a/test/testdata/container_redis.json +++ b/test/testdata/container_redis.json @@ -51,14 +51,12 @@ "memory_limit_in_bytes": 88000000, "oom_score_adj": 30 }, - "capabilities": { - "add_capabilities": [ - "sys_admin" - ] - }, - "user": { - "uid": 0, - "gid": 0 + "security_context": { + "capabilities": { + "add_capabilities": [ + "sys_admin" + ] + } } } } From b71bcd65afeb5ff2ef85effb675a93f31ccff81b Mon Sep 17 00:00:00 2001 
From: Mrunal Patel Date: Fri, 5 May 2017 15:01:37 -0700 Subject: [PATCH 05/24] makefile: Look for go-md2man in system path first In build environments such as koji, there is no access to download and install go packages so we should look for go-md2man in system path first. Signed-off-by: Mrunal Patel --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 4f1d1dcf..9e211a3c 100644 --- a/Makefile +++ b/Makefile @@ -116,13 +116,13 @@ MANPAGES_MD := $(wildcard docs/*.md) MANPAGES := $(MANPAGES_MD:%.md=%) docs/%.1: docs/%.1.md .gopathok - $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ + go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ || $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ docs/%.5: docs/%.5.md .gopathok - $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ + go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ || $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ docs/%.8: docs/%.8.md .gopathok - $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ + go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ || $(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@ docs: $(MANPAGES) From 13f6e956855304816fdb79568ae7633307d65a58 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 4 May 2017 11:41:15 -0500 Subject: [PATCH 06/24] sandbox: pass correct pod Namespace/Name to network plugins and fix id/name ordering Two issues: 1) pod Namespace was always set to "", which prevents plugins from figuring out what the actual pod is, and from getting more info about that pod from the runtime via out-of-band mechanisms 2) the pod Name and ID arguments were switched, further preventing #1 
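Review bot: The fallback in the three rewritten recipes (`docs/%.1`, `docs/%.5`, `docs/%.8`) is broken by shell precedence: `a && b && c || d && e && f` groups as `(((a && b && c) || d) && e) && f`, so when the system `go-md2man` succeeds the trailing `touch $@.tmp && mv $@.tmp $@` runs a second time and replaces the just-built man page with an empty file. Group each alternative explicitly, e.g. `(go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@) || ($(GOPATH)/bin/go-md2man -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@)`, in all three recipes. Alternatively select the binary once with `GO_MD2MAN ?= $(shell command -v go-md2man || echo $(GOPATH)/bin/go-md2man)` and use `$(GO_MD2MAN)` in the recipes, which keeps them short and avoids the precedence trap entirely.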
Signed-off-by: Dan Williams --- Dockerfile | 2 ++ server/sandbox.go | 17 ++++++++++------- server/sandbox_run.go | 11 ++++++----- server/sandbox_status.go | 3 +-- server/sandbox_stop.go | 5 ++--- test/helpers.bash | 20 +++++++++++++++++++- test/network.bats | 16 ++++++++++++++++ test/plugin_test_args.bash | 37 +++++++++++++++++++++++++++++++++++++ 8 files changed, 93 insertions(+), 18 deletions(-) create mode 100755 test/plugin_test_args.bash diff --git a/Dockerfile b/Dockerfile index d24b4040..b93728c1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -66,6 +66,8 @@ RUN set -x \ && cp bin/* /opt/cni/bin/ \ && rm -rf "$GOPATH" +COPY test/plugin_test_args.bash /opt/cni/bin/plugin_test_args.bash + # Make sure we have some policy for pulling images RUN mkdir -p /etc/containers COPY test/policy.json /etc/containers/policy.json diff --git a/server/sandbox.go b/server/sandbox.go index 4fdf7491..0f57f557 100644 --- a/server/sandbox.go +++ b/server/sandbox.go @@ -125,8 +125,12 @@ func hostNetNsPath() (string, error) { } type sandbox struct { - id string - name string + id string + namespace string + // OCI pod name (eg "--") + name string + // Kubernetes pod name (eg, "") + kubeName string logDir string labels fields.Set annotations map[string]string @@ -144,10 +148,9 @@ type sandbox struct { } const ( - podDefaultNamespace = "default" - defaultShmSize = 64 * 1024 * 1024 - nsRunDir = "/var/run/netns" - podInfraCommand = "/pause" + defaultShmSize = 64 * 1024 * 1024 + nsRunDir = "/var/run/netns" + podInfraCommand = "/pause" ) var ( @@ -254,7 +257,7 @@ func (s *Server) generatePodIDandName(name string, namespace string, attempt uin id = stringid.GenerateNonCryptoID() ) if namespace == "" { - namespace = podDefaultNamespace + return "", "", fmt.Errorf("cannot generate pod ID without namespace") } if name, err = s.reservePodName(id, fmt.Sprintf("%s-%s-%v", namespace, name, attempt)); err != nil { 
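Review bot: The new field comments in the `sandbox` struct hunk, `// OCI pod name (eg "--")` and `// Kubernetes pod name (eg, "")`, have lost their examples — they look like placeholders whose angle-bracketed text was stripped, and as written the quoted values are meaningless to a reader. State the formats in words instead, e.g. `// name is the OCI pod name built by generatePodIDandName (namespace-name-attempt).` and `// kubeName is the pod name from the Kubernetes PodSandboxConfig metadata.`; the new `namespace` field deserves a comment too. The namespace-name-attempt format is visible in the generatePodIDandName hunk below (`fmt.Sprintf("%s-%s-%v", namespace, name, attempt)`).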
diff --git a/server/sandbox_run.go b/server/sandbox_run.go index d8dbff12..88797343 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -71,15 +71,15 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest logrus.Debugf("RunPodSandboxRequest %+v", req) var processLabel, mountLabel, netNsPath, resolvPath string // process req.Name - name := req.GetConfig().GetMetadata().Name - if name == "" { + kubeName := req.GetConfig().GetMetadata().Name + if kubeName == "" { return nil, fmt.Errorf("PodSandboxConfig.Name should not be empty") } namespace := req.GetConfig().GetMetadata().Namespace attempt := req.GetConfig().GetMetadata().Attempt - id, name, err := s.generatePodIDandName(name, namespace, attempt) + id, name, err := s.generatePodIDandName(kubeName, namespace, attempt) if err != nil { return nil, err } @@ -268,7 +268,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest sb := &sandbox{ id: id, + namespace: namespace, name: name, + kubeName: kubeName, logDir: logDir, labels: labels, annotations: annotations, @@ -405,8 +407,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest // setup the network if !hostNetwork { - podNamespace := "" - if err = s.netPlugin.SetUpPod(netNsPath, podNamespace, id, containerName); err != nil { + if err = s.netPlugin.SetUpPod(netNsPath, namespace, kubeName, id); err != nil { return nil, fmt.Errorf("failed to create network for container %s in sandbox %s: %v", containerName, id, err) } } diff --git a/server/sandbox_status.go b/server/sandbox_status.go index 7f8b241f..15d35260 100644 --- a/server/sandbox_status.go +++ b/server/sandbox_status.go 
@@ -27,8 +27,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR if err != nil { return nil, err } - podNamespace := "" - ip, err := s.netPlugin.GetContainerNetworkStatus(netNsPath, podNamespace, sb.id, podInfraContainer.Name()) + ip, err := s.netPlugin.GetContainerNetworkStatus(netNsPath, sb.namespace, sb.kubeName, sb.id) if err != nil { // ignore the error on network status ip = "" diff --git a/server/sandbox_stop.go b/server/sandbox_stop.go index 002dbb24..a6f8d32b 100644 --- a/server/sandbox_stop.go +++ b/server/sandbox_stop.go @@ -19,20 +19,19 @@ func (s *Server) StopPodSandbox(ctx context.Context, req *pb.StopPodSandboxReque return nil, err } - podNamespace := "" podInfraContainer := sb.infraContainer netnsPath, err := podInfraContainer.NetNsPath() if err != nil { return nil, err } if _, err := os.Stat(netnsPath); err == nil { - if err2 := s.netPlugin.TearDownPod(netnsPath, podNamespace, sb.id, podInfraContainer.Name()); err2 != nil { + if err2 := s.netPlugin.TearDownPod(netnsPath, sb.namespace, sb.kubeName, sb.id); err2 != nil { return nil, fmt.Errorf("failed to destroy network for container %s in sandbox %s: %v", podInfraContainer.Name(), sb.id, err2) } } else if !os.IsNotExist(err) { // it's ok for netnsPath to *not* exist return nil, fmt.Errorf("failed to stat netns path for container %s in sandbox %s before tearing down the network: %v", - podInfraContainer.Name(), sb.id, err) + sb.name, sb.id, err) } // Close the sandbox networking namespace. diff --git a/test/helpers.bash b/test/helpers.bash index 7844916b..4a244c16 100644 --- a/test/helpers.bash +++ b/test/helpers.bash 
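Review bot: In the sandbox_stop.go hunk the stat failure message keeps the wording `failed to stat netns path for container %s in sandbox %s` but now receives `sb.name` as the first argument, so the log calls the sandbox a container and names it twice, while the TearDownPod message a few lines up still passes `podInfraContainer.Name()`. Either keep the argument as it was or change the format to match, e.g. `"failed to stat netns path for sandbox %s (%s) before tearing down the network: %v", sb.name, sb.id, err`. Note also that `sb.namespace` and `sb.kubeName` are only set in RunPodSandbox in this patch; sandboxes restored from disk after a daemon restart would hand empty strings to TearDownPod and GetContainerNetworkStatus unless loadSandbox (outside this hunk) fills them. StopPodSandbox begins outside the hunk.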
@@ -149,7 +149,12 @@ function start_ocid() { "$OCID_BINARY" --conmon "$CONMON_BINARY" --listen "$OCID_SOCKET" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/ocid" --runroot "$TESTDIR/ocid-run" $STORAGE_OPTS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$OCID_CNI_CONFIG" --signature-policy "$INTEGRATION_ROOT"/policy.json --config /dev/null config >$OCID_CONFIG # Prepare the CNI configuration files, we're running with non host networking by default - prepare_network_conf $POD_CIDR + if [[ -n "$4" ]]; then + netfunc="$4" + else + netfunc="prepare_network_conf" + fi + ${netfunc} $POD_CIDR "$OCID_BINARY" --debug --config "$OCID_CONFIG" & OCID_PID=$! wait_until_reachable @@ -288,6 +293,19 @@ EOF echo 0 } +function prepare_plugin_test_args_network_conf() { + mkdir -p $OCID_CNI_CONFIG + cat >$OCID_CNI_CONFIG/10-plugin-test-args.conf <<-EOF +{ + "cniVersion": "0.2.0", + "name": "ocidnet", + "type": "plugin_test_args.bash" +} +EOF + + echo 0 +} + function check_pod_cidr() { fullnetns=`ocic pod status --id $1 | grep namespace | cut -d ' ' -f 3` netns=`basename $fullnetns` diff --git a/test/network.bats b/test/network.bats index a044b6fb..39480d40 100644 --- a/test/network.bats +++ b/test/network.bats @@ -51,3 +51,19 @@ load helpers cleanup_pods stop_ocid } + +@test "Ensure correct CNI plugin namespace/name/container-id arguments" { + start_ocid "" "" "" "prepare_plugin_test_args_network_conf" + run ocic pod run --config "$TESTDATA"/sandbox_config.json + [ "$status" -eq 0 ] + + . /tmp/plugin_test_args.out + + [ "$FOUND_CNI_CONTAINERID" != "redhat.test.ocid" ] + [ "$FOUND_CNI_CONTAINERID" != "podsandbox1" ] + [ "$FOUND_K8S_POD_NAMESPACE" = "redhat.test.ocid" ] + [ "$FOUND_K8S_POD_NAME" = "podsandbox1" ] + + cleanup_pods + stop_ocid +} diff --git a/test/plugin_test_args.bash b/test/plugin_test_args.bash new file mode 100755 index 00000000..fad0d943 --- /dev/null +++ b/test/plugin_test_args.bash 
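Review bot: The new test in network.bats sources `/tmp/plugin_test_args.out`, a fixed path that the plugin script only ever appends to and that nothing removes, so a run in which the plugin was never invoked can still pass on values left by an earlier run, and two test runs on one host would interleave their output. Delete it before the pod is created, `rm -f /tmp/plugin_test_args.out`, and consider routing the path through `$TESTDIR` so each run gets its own file. In the helpers.bash hunk, the new `if [[ -n "$4" ]]` block collapses to `netfunc="${4:-prepare_network_conf}"`, and `$POD_CIDR` should be quoted like the other arguments on that line.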
@@ -0,0 +1,37 @@ +#!/bin/bash + +if [[ -z "${CNI_ARGS}" ]]; then + exit 1 +fi + +IFS=';' read -ra array <<< "${CNI_ARGS}" +for arg in "${array[@]}"; do + IFS='=' read -ra item <<< "${arg}" + if [[ "${item[0]}" = "K8S_POD_NAMESPACE" ]]; then + K8S_POD_NAMESPACE="${item[1]}" + elif [[ "${item[0]}" = "K8S_POD_NAME" ]]; then + K8S_POD_NAME="${item[1]}" + fi +done + +if [[ -z "${CNI_CONTAINERID}" ]]; then + exit 1 +elif [[ -z "${K8S_POD_NAMESPACE}" ]]; then + exit 1 +elif [[ -z "${K8S_POD_NAME}" ]]; then + exit 1 +fi + +echo "FOUND_CNI_CONTAINERID=${CNI_CONTAINERID}" >> /tmp/plugin_test_args.out +echo "FOUND_K8S_POD_NAMESPACE=${K8S_POD_NAMESPACE}" >> /tmp/plugin_test_args.out +echo "FOUND_K8S_POD_NAME=${K8S_POD_NAME}" >> /tmp/plugin_test_args.out + +cat <<-EOF +{ + "cniVersion": "0.2.0", + "ip4": { + "ip": "1.1.1.1/24" + } +} +EOF + From b7ba9d058beae76dfbbab82bcfa79f435b59d1f6 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Mon, 8 May 2017 09:15:00 +0200 Subject: [PATCH 07/24] server: store kubeName in annotations Signed-off-by: Antonio Murdaca --- server/sandbox_run.go | 1 + server/server.go | 1 + 2 files changed, 2 insertions(+) diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 88797343..a43bd55f 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -265,6 +265,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest g.AddAnnotation("ocid/privileged_runtime", fmt.Sprintf("%v", privileged)) g.AddAnnotation("ocid/resolv_path", resolvPath) g.AddAnnotation("ocid/hostname", hostname) + g.AddAnnotation("ocid/kube_name", kubeName) sb := &sandbox{ id: id, diff --git a/server/server.go b/server/server.go index ff265197..2fe7e3ee 100644 --- a/server/server.go +++ b/server/server.go 
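Review bot: The three `exit 1` branches in plugin_test_args.bash give no diagnostic, so a failing network test shows only the CNI error from ocid with no hint which variable was missing; print the reason first, e.g. `echo "plugin_test_args: CNI_ARGS not set" >&2` before each exit. The `IFS='=' read -ra item` split also truncates any value containing `=`; `key="${arg%%=*}"` and `val="${arg#*=}"` keep the whole value. The script ignores `CNI_COMMAND` and answers every invocation, including DEL, with a result document, which is fine for a fixture but worth a one-line comment at the top so nobody reuses it as a real plugin.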
@@ -203,6 +203,7 @@ func (s *Server) loadSandbox(id string) error { sb := &sandbox{ id: id, name: name, + kubeName: m.Annotations["ocid/kube_name"], logDir: filepath.Dir(m.Annotations["ocid/log_path"]), labels: labels, containers: oci.NewMemoryStore(), From f7e5e24a051fe2650e04c002849b1029f7294671 Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Mon, 8 May 2017 15:10:09 -0700 Subject: [PATCH 08/24] Add helper for adding devices to OCI spec Signed-off-by: Mrunal Patel --- server/container_create.go | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/server/container_create.go b/server/container_create.go index 38fc3c6f..e240c7ef 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -18,7 +18,9 @@ import ( "github.com/kubernetes-incubator/cri-o/server/apparmor" "github.com/kubernetes-incubator/cri-o/server/seccomp" "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/opencontainers/runc/libcontainer/devices" "github.com/opencontainers/runc/libcontainer/user" + rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/selinux/go-selinux/label" "golang.org/x/net/context" 
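Review bot: The loadSandbox hunk restores `kubeName` from the `ocid/kube_name` annotation, but nothing visible here restores `namespace`, and sandboxes written before this annotation existed yield an empty `kubeName`; in both cases the CNI plugin receives empty `K8S_POD_NAMESPACE`/`K8S_POD_NAME` values on teardown after a daemon restart. If `namespace` is not set elsewhere in this literal (it begins outside the hunk), add a matching annotation in RunPodSandbox next to `ocid/kube_name` and read it back here (key name to be chosen to match the existing `ocid/...` annotations). A short comment on these keys, noting they must stay in sync with sandbox_run.go, would help the next reader.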
@@ -62,6 +64,34 @@ func addOciBindMounts(sb *sandbox, containerConfig *pb.ContainerConfig, specgen return nil } +func addDevices(sb *sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) error { + sp := specgen.Spec() + for _, device := range containerConfig.GetDevices() { + dev, err := devices.DeviceFromPath(device.HostPath, device.Permissions) + if err != nil { + return fmt.Errorf("failed to add device: %v", err) + } + rd := rspec.LinuxDevice{ + Path: device.ContainerPath, + Type: string(dev.Type), + Major: dev.Major, + Minor: dev.Minor, + UID: &dev.Uid, + GID: &dev.Gid, + } + specgen.AddDevice(rd) + sp.Linux.Resources.Devices = append(sp.Linux.Resources.Devices, rspec.LinuxDeviceCgroup{ + Allow: true, + Type: string(dev.Type), + Major: &dev.Major, + Minor: &dev.Minor, + Access: dev.Permissions, + }) + + } + return nil +} + // buildOCIProcessArgs build an OCI compatible process arguments slice. func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig *v1.Image) ([]string, error) { processArgs := []string{} From 23cf1a6fdbb1ab24908b9e19995d1be363f80ae2 Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Mon, 8 May 2017 15:11:36 -0700 Subject: [PATCH 09/24] Add devices to OCI config Signed-off-by: Mrunal Patel --- server/container_create.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/server/container_create.go b/server/container_create.go index e240c7ef..3b7ce7e8 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -87,7 +87,6 @@ func addDevices(sb *sandbox, containerConfig *pb.ContainerConfig, specgen *gener Minor: &dev.Minor, Access: dev.Permissions, }) - } return nil } @@ -333,6 +332,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, return nil, err } + if err := addDevices(sb, containerConfig, &specgen); err != nil { + return nil, err + } + labels := containerConfig.GetLabels() metadata := containerConfig.GetMetadata() 
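Review bot: `addDevices` appends to `sp.Linux.Resources.Devices` without checking that `sp.Linux` and `sp.Linux.Resources` are non-nil; if the generator passed in was not built by a constructor that initializes them, this panics on the first device, so either guard with `if sp.Linux == nil || sp.Linux.Resources == nil { return fmt.Errorf("spec has no linux resources section") }` or state the guarantee in a comment. The `sb` parameter is unused in the body. Since `device.HostPath` comes from the CRI request, include it in the error for diagnosability: `return fmt.Errorf("failed to add device %q: %v", device.HostPath, err)`. A doc comment is missing; suggest `// addDevices maps each requested host device into the container and allows it in the device cgroup with the requested permissions.`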
From 4a02418c826273bf47af6c7c02413d08ee6f9772 Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Wed, 10 May 2017 13:36:33 -0700 Subject: [PATCH 10/24] Add a test config for device Signed-off-by: Mrunal Patel --- test/testdata/container_redis_device.json | 69 +++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 test/testdata/container_redis_device.json diff --git a/test/testdata/container_redis_device.json b/test/testdata/container_redis_device.json new file mode 100644 index 00000000..abeaadee --- /dev/null +++ b/test/testdata/container_redis_device.json @@ -0,0 +1,69 @@ +{ + "metadata": { + "name": "podsandbox1-redis" + }, + "image": { + "image": "redis:alpine" + }, + "args": [ + "docker-entrypoint.sh", + "redis-server" + ], + "working_dir": "/data", + "envs": [ + { + "key": "PATH", + "value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + }, + { + "key": "TERM", + "value": "xterm" + }, + { + "key": "REDIS_VERSION", + "value": "3.2.3" + }, + { + "key": "REDIS_DOWNLOAD_URL", + "value": "http://download.redis.io/releases/redis-3.2.3.tar.gz" + }, + { + "key": "REDIS_DOWNLOAD_SHA1", + "value": "92d6d93ef2efc91e595c8bf578bf72baff397507" + } + ], + "devices": [ + { + "host_path": "/dev/null", + "container_path": "/dev/mynull", + "permissions": "rwm" + } + ], + "labels": { + "tier": "backend" + }, + "annotations": { + "pod": "podsandbox1" + }, + "readonly_rootfs": false, + "log_path": "", + "stdin": false, + "stdin_once": false, + "tty": false, + "linux": { + "resources": { + "cpu_period": 10000, + "cpu_quota": 20000, + "cpu_shares": 512, + "memory_limit_in_bytes": 88000000, + "oom_score_adj": 30 + }, + "security_context": { + "capabilities": { + "add_capabilities": [ + "sys_admin" + ] + } + } + } +} From d3c7a24896eb57121ad65722e725479df487daec Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Wed, 10 May 2017 13:36:51 -0700 Subject: [PATCH 11/24] bats: Add a test for adding device to a container 
Signed-off-by: Mrunal Patel --- test/ctr.bats | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/test/ctr.bats b/test/ctr.bats index 2c936add..375fc8bf 100644 --- a/test/ctr.bats +++ b/test/ctr.bats @@ -429,6 +429,31 @@ function teardown() { stop_ocid } +@test "ctr device add" { + start_ocid + run ocic pod run --config "$TESTDATA"/sandbox_config.json + echo "$output" + [ "$status" -eq 0 ] + pod_id="$output" + run ocic ctr create --config "$TESTDATA"/container_redis_device.json --pod "$pod_id" + echo "$output" + [ "$status" -eq 0 ] + ctr_id="$output" + run ocic ctr start --id "$ctr_id" + echo "$output" + [ "$status" -eq 0 ] + run ocic ctr execsync --id "$ctr_id" ls /dev/mynull + echo "$output" + [ "$status" -eq 0 ] + [[ "$output" =~ "/dev/mynull" ]] + run ocic pod remove --id "$pod_id" + echo "$output" + [ "$status" -eq 0 ] + cleanup_ctrs + cleanup_pods + stop_ocid +} + @test "ctr execsync failure" { start_ocid run ocic pod run --config "$TESTDATA"/sandbox_config.json From fb90eccb426941b94d32eb775fc378ebb122020d Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 10:43:50 +0200 Subject: [PATCH 12/24] server: store sandbox creation time Signed-off-by: Antonio Murdaca --- server/sandbox.go | 2 ++ server/sandbox_run.go | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/server/sandbox.go b/server/sandbox.go index 0f57f557..ffcef13f 100644 --- a/server/sandbox.go +++ b/server/sandbox.go @@ -7,6 +7,7 @@ import ( "os" "path/filepath" "sync" + "time" "github.com/Sirupsen/logrus" "github.com/containernetworking/cni/pkg/ns" @@ -145,6 +146,7 @@ type sandbox struct { privileged bool resolvPath string hostname string + created time.Time } const ( diff --git a/server/sandbox_run.go b/server/sandbox_run.go index a43bd55f..713b4581 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -7,6 +7,7 @@ import ( "path/filepath" "strconv" "syscall" + "time" "github.com/Sirupsen/logrus" "github.com/containers/storage/storage" 
@@ -267,6 +268,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest g.AddAnnotation("ocid/hostname", hostname) g.AddAnnotation("ocid/kube_name", kubeName) + created := time.Now() + g.AddAnnotation("ocid/created", created.Format(time.RFC3339Nano)) + sb := &sandbox{ id: id, namespace: namespace, @@ -283,6 +287,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest privileged: privileged, resolvPath: resolvPath, hostname: hostname, + created: created, } defer func() { From a680b845ae1e83037537c8dcff89188507698139 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:00:55 +0200 Subject: [PATCH 13/24] server: return sandbox's own created time Signed-off-by: Antonio Murdaca --- server/sandbox_status.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/server/sandbox_status.go b/server/sandbox_status.go index 15d35260..6be2ebb0 100644 --- a/server/sandbox_status.go +++ b/server/sandbox_status.go @@ -21,7 +21,6 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR } cState := s.runtime.ContainerStatus(podInfraContainer) - created := cState.Created.UnixNano() netNsPath, err := podInfraContainer.NetNsPath() if err != nil { @@ -42,7 +41,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR resp := &pb.PodSandboxStatusResponse{ Status: &pb.PodSandboxStatus{ Id: sandboxID, - CreatedAt: created, + CreatedAt: sb.created.UnixNano(), Linux: &pb.LinuxPodSandboxStatus{ Namespaces: &pb.Namespace{ Network: netNsPath, From 1094ffa2045c4e35e7129f5824d2a1029b8a9f4e Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:04:43 +0200 Subject: [PATCH 14/24] server: restore sandbox created time from disk Signed-off-by: Antonio Murdaca --- server/server.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/server/server.go b/server/server.go index 2fe7e3ee..d6a01f55 100644 --- a/server/server.go 
+++ b/server/server.go @@ -7,6 +7,7 @@ import ( "os" "path/filepath" "sync" + "time" "github.com/Sirupsen/logrus" "github.com/containers/image/types" @@ -199,6 +200,10 @@ func (s *Server) loadSandbox(id string) error { } privileged := m.Annotations["ocid/privileged_runtime"] == "true" + created, err := time.Parse(time.RFC3339Nano, m.Annotations["ocid/created"]) + if err != nil { + return err + } sb := &sandbox{ id: id, @@ -214,6 +219,7 @@ func (s *Server) loadSandbox(id string) error { shmPath: m.Annotations["ocid/shm_path"], privileged: privileged, resolvPath: m.Annotations["ocid/resolv_path"], + created: created, } // We add a netNS only if we can load a permanent one. From 399045858864a9036897a43971385019ea68df5c Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:12:37 +0200 Subject: [PATCH 15/24] oci: add container directory to Container struct Signed-off-by: Antonio Murdaca --- oci/container.go | 8 ++++++-- server/container_create.go | 2 +- server/sandbox_run.go | 2 +- server/server.go | 14 ++++++++++++-- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/oci/container.go b/oci/container.go index 9ac624e4..ea8856c0 100644 --- a/oci/container.go +++ b/oci/container.go @@ -15,7 +15,6 @@ import ( type Container struct { id string name string - bundlePath string logPath string labels fields.Set annotations fields.Set @@ -27,6 +26,10 @@ type Container struct { state *ContainerState metadata *pb.ContainerMetadata opLock sync.Mutex + // this is the /var/run/storage/... directory, erased on reboot + bundlePath string + // this is the /var/lib/storage/... directory + dir string } // ContainerState represents the status of a container. 
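Review bot: `time.Parse(time.RFC3339Nano, m.Annotations["ocid/created"])` fails for every sandbox created before this commit, because the `ocid/created` annotation is absent and the empty string does not parse, and the following `return err` aborts `loadSandbox`, so all pre-existing sandboxes vanish from the server after an upgrade and restart. Treating a missing annotation as recoverable keeps the restore path backward compatible, e.g. `if v, ok := m.Annotations["ocid/created"]; ok { if created, err = time.Parse(time.RFC3339Nano, v); err != nil { return err } }` with `created` left zero (or taken from the infra container's runtime-reported creation time) otherwise. The same pattern is introduced again in patch 16's server.go hunks for `loadContainer` and `loadSandbox`. `loadSandbox` starts outside the hunk.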
@@ -39,7 +42,7 @@ type ContainerState struct { } // NewContainer creates a container object. -func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool) (*Container, error) { +func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool, dir string) (*Container, error) { c := &Container{ id: id, name: name, @@ -53,6 +56,7 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net metadata: metadata, annotations: annotations, image: image, + dir: dir, } return c, nil } diff --git a/server/container_create.go b/server/container_create.go index 3b7ce7e8..6babb63b 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -627,7 +627,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, return nil, err } - container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged) + container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged, containerInfo.Dir) if err != nil { return nil, err } diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 713b4581..68a404b1 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go 
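Review bot: `NewContainer` now takes thirteen positional parameters, with four `string`s in a row at the front and the new `dir string` appended after `privileged bool`, so the three call sites updated in this patch can pass `RunDir` and `Dir` in the wrong order without any compile error. An options struct, or at least placing `dir` next to `bundlePath` so the two directory arguments sit together, would make the signature self-checking. The comments added to the struct fields (`/var/run/storage/...` erased on reboot vs `/var/lib/storage/...`) are useful; repeating that distinction in the function's doc comment would help readers at the call sites.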
@@ -404,7 +404,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest return nil, fmt.Errorf("failed to write runtime configuration for pod sandbox %s(%s): %v", sb.name, id, err) } - container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged) + container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged, podContainer.Dir) if err != nil { return nil, err } diff --git a/server/server.go b/server/server.go index d6a01f55..d6e9ce9d 100644 --- a/server/server.go +++ b/server/server.go @@ -121,6 +121,11 @@ func (s *Server) loadContainer(id string) error { return err } + containerDir, err := s.store.GetContainerDirectory(id) + if err != nil { + return err + } + var img *pb.ImageSpec image, ok := m.Annotations["ocid/image"] if ok { @@ -134,7 +139,7 @@ func (s *Server) loadContainer(id string) error { return err } - ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged) + ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged, containerDir) if err != nil { return err } @@ -250,6 +255,11 @@ func (s *Server) loadSandbox(id string) error { return err } + sandboxDir, err := s.store.GetContainerDirectory(id) + if err != nil { + return err + } + cname, err := s.reserveContainerName(m.Annotations["ocid/container_id"], m.Annotations["ocid/container_name"]) if err != nil { return err 
@@ -260,7 +270,7 @@ func (s *Server) loadSandbox(id string) error { } }() - scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, nil, nil, id, false, privileged) + scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, nil, nil, id, false, privileged, sandboxDir) if err != nil { return err } From e0a6764866adb362be8e9a3a8481ee95f479a3b6 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:22:47 +0200 Subject: [PATCH 16/24] server: store creation in containers Signed-off-by: Antonio Murdaca --- oci/container.go | 10 +++++++++- server/container_create.go | 6 +++++- server/sandbox.go | 2 -- server/sandbox_run.go | 3 +-- server/sandbox_status.go | 2 +- server/server.go | 19 ++++++++++++------- 6 files changed, 28 insertions(+), 14 deletions(-) diff --git a/oci/container.go b/oci/container.go index ea8856c0..cd020fcb 100644 --- a/oci/container.go +++ b/oci/container.go @@ -42,7 +42,9 @@ type ContainerState struct { } // NewContainer creates a container object. -func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool, dir string) (*Container, error) { +func NewContainer(id string, name string, bundlePath string, logPath string, netns ns.NetNS, labels map[string]string, annotations map[string]string, image *pb.ImageSpec, metadata *pb.ContainerMetadata, sandbox string, terminal bool, privileged bool, dir string, created time.Time) (*Container, error) { + state := &ContainerState{} + state.Created = created c := &Container{ id: id, name: name, 
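Review bot: `state := &ContainerState{}` followed by `state.Created = created` spends two statements on what is a literal; `state: &ContainerState{Created: created}` inline in the `Container` literal reads more directly and removes the extra local. Minor, but the constructor is long enough now that fewer moving parts help. The `c := &Container{` literal continues outside the hunk.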
@@ -57,10 +59,16 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net annotations: annotations, image: image, dir: dir, + state: state, } return c, nil } +// CreatedAt returns the container creation time +func (c *Container) CreatedAt() time.Time { + return c.state.Created +} + // Name returns the name of the container. func (c *Container) Name() string { return c.name diff --git a/server/container_create.go b/server/container_create.go index 6babb63b..6c5c3679 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -10,6 +10,7 @@ import ( "strconv" "strings" "syscall" + "time" "github.com/Sirupsen/logrus" "github.com/docker/docker/pkg/stringid" @@ -519,6 +520,9 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, specgen.AddAnnotation("ocid/tty", fmt.Sprintf("%v", containerConfig.Tty)) specgen.AddAnnotation("ocid/image", image) + created := time.Now() + specgen.AddAnnotation("ocid/created", created.Format(time.RFC3339Nano)) + metadataJSON, err := json.Marshal(metadata) if err != nil { return nil, err @@ -627,7 +631,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string, return nil, err } - container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged, containerInfo.Dir) + container, err := oci.NewContainer(containerID, containerName, containerInfo.RunDir, logPath, sb.netNs(), labels, annotations, imageSpec, metadata, sb.id, containerConfig.Tty, sb.privileged, containerInfo.Dir, created) if err != nil { return nil, err } diff --git a/server/sandbox.go b/server/sandbox.go index ffcef13f..0f57f557 100644 --- a/server/sandbox.go +++ b/server/sandbox.go @@ -7,7 +7,6 @@ import ( "os" "path/filepath" "sync" - "time" "github.com/Sirupsen/logrus" "github.com/containernetworking/cni/pkg/ns" 
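Review bot: `CreatedAt` reads `c.state.Created` without taking `c.opLock`, while `Runtime.UpdateStatus` (oci/oci.go hunk in patch 24) decodes runc output into `c.state` under that lock, so a status request racing a concurrent `UpdateStatus` is a data race that `go test -race` will report. Hold the lock in the accessor: `c.opLock.Lock(); defer c.opLock.Unlock(); return c.state.Created`. The doc comment should also end with a period to match `// Name returns the name of the container.` two lines below.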
@@ -146,7 +145,6 @@ type sandbox struct { privileged bool resolvPath string hostname string - created time.Time } const ( diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 68a404b1..72bc8ee7 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -287,7 +287,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest privileged: privileged, resolvPath: resolvPath, hostname: hostname, - created: created, } defer func() { @@ -404,7 +403,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest return nil, fmt.Errorf("failed to write runtime configuration for pod sandbox %s(%s): %v", sb.name, id, err) } - container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged, podContainer.Dir) + container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.netNs(), labels, annotations, nil, nil, id, false, sb.privileged, podContainer.Dir, created) if err != nil { return nil, err } diff --git a/server/sandbox_status.go b/server/sandbox_status.go index 6be2ebb0..9a8c864f 100644 --- a/server/sandbox_status.go +++ b/server/sandbox_status.go @@ -41,7 +41,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR resp := &pb.PodSandboxStatusResponse{ Status: &pb.PodSandboxStatus{ Id: sandboxID, - CreatedAt: sb.created.UnixNano(), + CreatedAt: podInfraContainer.CreatedAt().UnixNano(), Linux: &pb.LinuxPodSandboxStatus{ Namespaces: &pb.Namespace{ Network: netNsPath, diff --git a/server/server.go b/server/server.go index d6e9ce9d..1e51ae1d 100644 --- a/server/server.go +++ b/server/server.go 
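Review bot: `podInfraContainer.CreatedAt().UnixNano()` returns `c.state.Created`, but `UpdateStatus` decodes runc's `state` output into `c.state` (oci/oci.go hunk later in the series), so if runc's JSON carries a `created` field the value seeded by `NewContainer` is overwritten by runc's timestamp after the first refresh — which is what patch 13 set out to avoid. If the intent is to report ocid's own creation time consistently, keep it where `Decode` cannot touch it, e.g. a separate `created time.Time` field on `Container` or a `json:"-"` tag on the state field; worth confirming against runc's state schema before relying on it.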
@@ -139,7 +139,12 @@ func (s *Server) loadContainer(id string) error { return err } - ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged, containerDir) + created, err := time.Parse(time.RFC3339Nano, m.Annotations["ocid/created"]) + if err != nil { + return err + } + + ctr, err := oci.NewContainer(id, name, containerPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, img, &metadata, sb.id, tty, sb.privileged, containerDir, created) if err != nil { return err } @@ -205,10 +210,6 @@ func (s *Server) loadSandbox(id string) error { } privileged := m.Annotations["ocid/privileged_runtime"] == "true" - created, err := time.Parse(time.RFC3339Nano, m.Annotations["ocid/created"]) - if err != nil { - return err - } sb := &sandbox{ id: id, @@ -224,7 +225,6 @@ func (s *Server) loadSandbox(id string) error { shmPath: m.Annotations["ocid/shm_path"], privileged: privileged, resolvPath: m.Annotations["ocid/resolv_path"], - created: created, } // We add a netNS only if we can load a permanent one. @@ -270,7 +270,12 @@ func (s *Server) loadSandbox(id string) error { } }() - scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, nil, nil, id, false, privileged, sandboxDir) + created, err := time.Parse(time.RFC3339Nano, m.Annotations["ocid/created"]) + if err != nil { + return err + } + + scontainer, err := oci.NewContainer(m.Annotations["ocid/container_id"], cname, sandboxPath, m.Annotations["ocid/log_path"], sb.netNs(), labels, annotations, nil, nil, id, false, privileged, sandboxDir, created) if err != nil { return err } From 8ba28d7c1282f639f6e4ede1ad342d7caa73d1b9 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:35:31 +0200 Subject: [PATCH 17/24] oci: save container's finished time 
Signed-off-by: Antonio Murdaca --- oci/oci.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/oci/oci.go b/oci/oci.go index 1f927102..e318ba3d 100644 --- a/oci/oci.go +++ b/oci/oci.go @@ -460,6 +460,8 @@ func (r *Runtime) StopContainer(c *Container) error { i++ } + c.state.Finished = time.Now() + return nil } From 437948a86bde60e11b18d1f9d11197d9a97d95ae Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:41:53 +0200 Subject: [PATCH 18/24] oci: do not stop containers not running Signed-off-by: Antonio Murdaca --- oci/oci.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/oci/oci.go b/oci/oci.go index e318ba3d..33e7d18f 100644 --- a/oci/oci.go +++ b/oci/oci.go @@ -439,6 +439,11 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp func (r *Runtime) StopContainer(c *Container) error { c.opLock.Lock() defer c.opLock.Unlock() + + if c.state.Status != ContainerStateRunning { + return nil + } + if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.Path(c), "kill", c.name, "TERM"); err != nil { return err } From 3c0db0beced160916c8d2dcfd7c734ee783d1dc1 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:45:31 +0200 Subject: [PATCH 19/24] oci: ignore non existing containers on delete Signed-off-by: Antonio Murdaca --- oci/oci.go | 5 ++++- utils/utils.go | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/oci/oci.go b/oci/oci.go index 33e7d18f..96cbc909 100644 --- a/oci/oci.go +++ b/oci/oci.go 
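Review bot: `c.state.Finished = time.Now()` is assigned unconditionally after the kill loop, so a finish time is recorded even when the loop exhausted its attempts and the container is still alive (only the loop's `i++` is visible here; `StopContainer` starts outside the hunk), and `c.state.Status` is not updated alongside it. Setting `Finished` only on the path where the container has been observed stopped, or after a successful `UpdateStatus`, keeps the two fields consistent. The early `return nil` added in the following hunk for non-running containers means a `Created` container never reaches this assignment, which is probably intended but deserves a one-line comment.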
@@ -474,7 +474,10 @@ func (r *Runtime) StopContainer(c *Container) error { func (r *Runtime) DeleteContainer(c *Container) error { c.opLock.Lock() defer c.opLock.Unlock() - return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.Path(c), "delete", c.name) + if _, err := utils.ExecCmd(r.Path(c), "delete", c.name); err != nil && !strings.Contains(err.Error(), "does not exist") { + return err + } + return nil } // UpdateStatus refreshes the status of the container. diff --git a/utils/utils.go b/utils/utils.go index 340e1ba9..a46a7c24 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -23,7 +23,7 @@ func ExecCmd(name string, args ...string) (string, error) { err := cmd.Run() if err != nil { - return "", fmt.Errorf("`%v %v` failed: %v (%v)", name, strings.Join(args, " "), stderr.String(), err) + return "", fmt.Errorf("`%v %v` failed: %v (%v)", name, strings.Join(args, " "), stderr.String(), stdout.String(), err) } return stdout.String(), nil From 87d7296ea81fc266c558ad0e118d7b657bd6cbc6 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 11:50:19 +0200 Subject: [PATCH 20/24] server: do not guard runtime.StopContainer Signed-off-by: Antonio Murdaca --- server/container_remove.go | 8 ++------ server/container_stop.go | 8 ++------ server/sandbox_remove.go | 9 ++------- server/sandbox_stop.go | 8 ++------ 4 files changed, 8 insertions(+), 25 deletions(-) diff --git a/server/container_remove.go b/server/container_remove.go index 028ffed8..3f36b3d6 100644 --- a/server/container_remove.go +++ b/server/container_remove.go @@ -4,7 +4,6 @@ import ( "fmt" "github.com/Sirupsen/logrus" - "github.com/kubernetes-incubator/cri-o/oci" "golang.org/x/net/context" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" ) 
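Review bot: `strings.Contains(err.Error(), "does not exist")` couples `DeleteContainer` to the wording of runc's stderr, which is not a stable interface, and patch 24 adds the same literal to `UpdateStatus`; a wording change in runc silently reintroduces hard failures on already-deleted containers. Matching stderr is probably the only option this runtime has, so centralise it in one helper (`func isNotExist(err error) bool`) with a comment naming the runc message it matches. Switching from `ExecCmdWithStdStreams` to `ExecCmd` also drops runc's output entirely; logging the captured error at debug level on the ignored path keeps an unexpected "does not exist" during normal operation visible.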
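Review bot: The new `fmt.Errorf` in `ExecCmd` has four verbs (`%v %v` failed: %v (%v)) but five arguments once `stdout.String()` is inserted, so the message ends with a `%!(EXTRA ...)` suffix and `go vet` rejects the file. It needs a fifth verb, e.g. `return "", fmt.Errorf("`%v %v` failed: %v %v (%v)", name, strings.Join(args, " "), stderr.String(), stdout.String(), err)`. Since `DeleteContainer` in the same patch now matches on `err.Error()`, the exact wording of this error is load-bearing.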
@@ -22,11 +21,8 @@ func (s *Server) RemoveContainer(ctx context.Context, req *pb.RemoveContainerReq return nil, fmt.Errorf("failed to update container state: %v", err) } - cState := s.runtime.ContainerStatus(c) - if cState.Status == oci.ContainerStateCreated || cState.Status == oci.ContainerStateRunning { - if err := s.runtime.StopContainer(c); err != nil { - return nil, fmt.Errorf("failed to stop container %s: %v", c.ID(), err) - } + if err := s.runtime.StopContainer(c); err != nil { + return nil, fmt.Errorf("failed to stop container %s: %v", c.ID(), err) } if err := s.runtime.DeleteContainer(c); err != nil { diff --git a/server/container_stop.go b/server/container_stop.go index 58865edf..fd255cf5 100644 --- a/server/container_stop.go +++ b/server/container_stop.go @@ -4,7 +4,6 @@ import ( "fmt" "github.com/Sirupsen/logrus" - "github.com/kubernetes-incubator/cri-o/oci" "golang.org/x/net/context" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" ) @@ -20,11 +19,8 @@ func (s *Server) StopContainer(ctx context.Context, req *pb.StopContainerRequest if err := s.runtime.UpdateStatus(c); err != nil { return nil, err } - cStatus := s.runtime.ContainerStatus(c) - if cStatus.Status != oci.ContainerStateStopped { - if err := s.runtime.StopContainer(c); err != nil { - return nil, fmt.Errorf("failed to stop container %s: %v", c.ID(), err) - } + if err := s.runtime.StopContainer(c); err != nil { + return nil, fmt.Errorf("failed to stop container %s: %v", c.ID(), err) } resp := &pb.StopContainerResponse{} diff --git a/server/sandbox_remove.go b/server/sandbox_remove.go index 9628c6b5..862739eb 100644 --- a/server/sandbox_remove.go +++ b/server/sandbox_remove.go @@ -5,7 +5,6 @@ import ( "syscall" "github.com/Sirupsen/logrus" - "github.com/kubernetes-incubator/cri-o/oci" "github.com/opencontainers/selinux/go-selinux/label" "golang.org/x/net/context" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" 
@@ -36,12 +35,8 @@ func (s *Server) RemovePodSandbox(ctx context.Context, req *pb.RemovePodSandboxR return nil, fmt.Errorf("failed to update container state: %v", err) } - cState := s.runtime.ContainerStatus(c) - if cState.Status == oci.ContainerStateCreated || cState.Status == oci.ContainerStateRunning { - if err := s.runtime.StopContainer(c); err != nil { - // Assume container is already stopped - logrus.Warnf("failed to stop container %s: %v", c.Name(), err) - } + if err := s.runtime.StopContainer(c); err != nil { + return fmt.Errorf("failed to stop container %s: %v", c.Name(), err) } if err := s.runtime.DeleteContainer(c); err != nil { diff --git a/server/sandbox_stop.go b/server/sandbox_stop.go index a6f8d32b..755410da 100644 --- a/server/sandbox_stop.go +++ b/server/sandbox_stop.go @@ -5,7 +5,6 @@ import ( "os" "github.com/Sirupsen/logrus" - "github.com/kubernetes-incubator/cri-o/oci" "golang.org/x/net/context" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" ) @@ -46,11 +45,8 @@ func (s *Server) StopPodSandbox(ctx context.Context, req *pb.StopPodSandboxReque if err := s.runtime.UpdateStatus(c); err != nil { return nil, err } - cStatus := s.runtime.ContainerStatus(c) - if cStatus.Status != oci.ContainerStateStopped { - if err := s.runtime.StopContainer(c); err != nil { - return nil, fmt.Errorf("failed to stop container %s in pod sandbox %s: %v", c.Name(), sb.id, err) - } + if err := s.runtime.StopContainer(c); err != nil { + return nil, fmt.Errorf("failed to stop container %s in pod sandbox %s: %v", c.Name(), sb.id, err) } } From 603f0d7ed4c48ec7528af1e1ef90492a810d4797 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 12:03:59 +0200 Subject: [PATCH 21/24] server: store containers state on disk 
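Review bot: The replacement turns a stop failure in `RemovePodSandbox` from a logged warning into a hard error, so a pod whose infra container cannot be stopped (runc state lost, process gone with an unexpected message) can never be removed and leaks; the deleted comment `// Assume container is already stopped` shows the old tolerance was deliberate. Keeping `logrus.Warnf` and proceeding to `DeleteContainer` preserves that, particularly now that `DeleteContainer` ignores "does not exist". As written, `return fmt.Errorf(...)` also does not compile in this two-value-returning function; patch 21 corrects it to `return nil, fmt.Errorf(...)`, but this commit on its own breaks the build and bisection.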
Signed-off-by: Antonio Murdaca --- oci/container.go | 6 ++++++ server/container_create.go | 2 ++ server/container_start.go | 2 ++ server/container_stop.go | 2 ++ server/sandbox_remove.go | 2 +- server/sandbox_run.go | 2 ++ server/sandbox_stop.go | 1 + server/server.go | 15 +++++++++++++++ 8 files changed, 31 insertions(+), 1 deletion(-) diff --git a/oci/container.go b/oci/container.go index cd020fcb..7a5ba81e 100644 --- a/oci/container.go +++ b/oci/container.go @@ -2,6 +2,7 @@ package oci import ( "fmt" + "path/filepath" "sync" "time" @@ -64,6 +65,11 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net return c, nil } +// StatePath returns the containers state.json path +func (c *Container) StatePath() string { + return filepath.Join(c.dir, "state.json") +} + // CreatedAt returns the container creation time func (c *Container) CreatedAt() time.Time { return c.state.Created diff --git a/server/container_create.go b/server/container_create.go index 6c5c3679..81a0c55c 100644 --- a/server/container_create.go +++ b/server/container_create.go @@ -310,6 +310,8 @@ func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerReq return nil, err } + s.containerStateToDisk(container) + resp := &pb.CreateContainerResponse{ ContainerId: containerID, } diff --git a/server/container_start.go b/server/container_start.go index 128cc5fc..a426def9 100644 --- a/server/container_start.go +++ b/server/container_start.go @@ -20,6 +20,8 @@ func (s *Server) StartContainer(ctx context.Context, req *pb.StartContainerReque return nil, fmt.Errorf("failed to start container %s: %v", c.ID(), err) } + s.containerStateToDisk(c) + resp := &pb.StartContainerResponse{} logrus.Debugf("StartContainerResponse %+v", resp) return resp, nil diff --git a/server/container_stop.go b/server/container_stop.go index fd255cf5..d77f320e 100644 --- a/server/container_stop.go +++ b/server/container_stop.go 
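Review bot: `s.containerStateToDisk(container)` returns an error that this call site drops, as do the identical calls added in `StartContainer` here, in `StopContainer`, `RunPodSandbox` and `StopPodSandbox` on the following line, and later in `ContainerStatus`/`PodSandboxStatus` (patch 24), so a failed write — full disk, unwritable directory — leaves `state.json` stale and the next restart restores the wrong status with nothing in the logs. Persisting is best effort here, so failing the request is arguably wrong, but the error should at least be logged: `if err := s.containerStateToDisk(container); err != nil { logrus.Warnf("failed to persist state for container %s: %v", container.ID(), err) }`. `CreateContainer` starts outside the hunk.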
@@ -23,6 +23,8 @@ func (s *Server) StopContainer(ctx context.Context, req *pb.StopContainerRequest return nil, fmt.Errorf("failed to stop container %s: %v", c.ID(), err) } + s.containerStateToDisk(c) + resp := &pb.StopContainerResponse{} logrus.Debugf("StopContainerResponse: %+v", resp) return resp, nil diff --git a/server/sandbox_remove.go b/server/sandbox_remove.go index 862739eb..24ac62b1 100644 --- a/server/sandbox_remove.go +++ b/server/sandbox_remove.go @@ -36,7 +36,7 @@ func (s *Server) RemovePodSandbox(ctx context.Context, req *pb.RemovePodSandboxR } if err := s.runtime.StopContainer(c); err != nil { - return fmt.Errorf("failed to stop container %s: %v", c.Name(), err) + return nil, fmt.Errorf("failed to stop container %s: %v", c.Name(), err) } if err := s.runtime.DeleteContainer(c); err != nil { diff --git a/server/sandbox_run.go b/server/sandbox_run.go index 72bc8ee7..d4d25065 100644 --- a/server/sandbox_run.go +++ b/server/sandbox_run.go @@ -421,6 +421,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest return nil, err } + s.containerStateToDisk(container) + resp = &pb.RunPodSandboxResponse{PodSandboxId: id} logrus.Debugf("RunPodSandboxResponse: %+v", resp) return resp, nil diff --git a/server/sandbox_stop.go b/server/sandbox_stop.go index 755410da..3d7e168d 100644 --- a/server/sandbox_stop.go +++ b/server/sandbox_stop.go @@ -48,6 +48,7 @@ func (s *Server) StopPodSandbox(ctx context.Context, req *pb.StopPodSandboxReque if err := s.runtime.StopContainer(c); err != nil { return nil, fmt.Errorf("failed to stop container %s in pod sandbox %s: %v", c.Name(), sb.id, err) } + s.containerStateToDisk(c) } resp := &pb.StopPodSandboxResponse{} diff --git a/server/server.go b/server/server.go index 1e51ae1d..889fc603 100644 --- a/server/server.go +++ b/server/server.go 
@@ -19,6 +19,7 @@ import ( "github.com/kubernetes-incubator/cri-o/pkg/storage" "github.com/kubernetes-incubator/cri-o/server/apparmor" "github.com/kubernetes-incubator/cri-o/server/seccomp" + "github.com/moby/moby/pkg/ioutils" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" @@ -155,6 +156,20 @@ func (s *Server) loadContainer(id string) error { return s.ctrIDIndex.Add(id) } +func (s *Server) containerStateToDisk(c *oci.Container) error { + // ignore errors, this is a best effort to have up-to-date info about + // a given container before its state gets stored + s.runtime.UpdateStatus(c) + + jsonSource, err := ioutils.NewAtomicFileWriter(c.StatePath(), 0644) + if err != nil { + return err + } + defer jsonSource.Close() + enc := json.NewEncoder(jsonSource) + return enc.Encode(s.runtime.ContainerStatus(c)) +} + func configNetNsPath(spec rspec.Spec) (string, error) { for _, ns := range spec.Linux.Namespaces { if ns.Type != rspec.NetworkNamespace { From ea98e2a2955a4e10a137c20c65f26593e6289638 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 12:10:18 +0200 Subject: [PATCH 22/24] server: restore containers state from disk on startup Signed-off-by: Antonio Murdaca --- oci/container.go | 14 ++++++++++++++ server/server.go | 25 ++++++++++++++++++------- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/oci/container.go b/oci/container.go index 7a5ba81e..4717b9ea 100644 --- a/oci/container.go +++ b/oci/container.go @@ -1,7 +1,9 @@ package oci import ( + "encoding/json" "fmt" + "os" "path/filepath" "sync" "time" 
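Review bot: `defer jsonSource.Close()` discards the `Close` error, yet for an atomic file writer `Close` is the step that renames the temporary file over `state.json`, so a failed commit is reported as success while stale state stays on disk. Call it explicitly and return its error, e.g. `if err := enc.Encode(s.runtime.ContainerStatus(c)); err != nil { jsonSource.Close(); return err }` followed by `return jsonSource.Close()`, and confirm against the ioutils implementation whether `Close` after a failed `Encode` discards the temp file or renames a truncated one. The file is created `0644` and holds the runc state (pid, bundle path, annotations) that only ocid reads back; `0600` is the tighter default unless another consumer needs it.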
@@ -65,6 +67,18 @@ func NewContainer(id string, name string, bundlePath string, logPath string, net return c, nil } +// FromDisk restores container's state from disk +func (c *Container) FromDisk() error { + jsonSource, err := os.Open(c.StatePath()) + if err != nil { + return err + } + defer jsonSource.Close() + + dec := json.NewDecoder(jsonSource) + return dec.Decode(c.state) +} + // StatePath returns the containers state.json path func (c *Container) StatePath() string { return filepath.Join(c.dir, "state.json") diff --git a/server/server.go b/server/server.go index 889fc603..5e290464 100644 --- a/server/server.go +++ b/server/server.go @@ -12,6 +12,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/containers/image/types" sstorage "github.com/containers/storage/storage" + "github.com/docker/docker/pkg/ioutils" "github.com/docker/docker/pkg/registrar" "github.com/docker/docker/pkg/truncindex" "github.com/kubernetes-incubator/cri-o/oci" @@ -19,7 +20,6 @@ import ( "github.com/kubernetes-incubator/cri-o/pkg/storage" "github.com/kubernetes-incubator/cri-o/server/apparmor" "github.com/kubernetes-incubator/cri-o/server/seccomp" - "github.com/moby/moby/pkg/ioutils" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" 
@@ -149,13 +149,24 @@ func (s *Server) loadContainer(id string) error { if err != nil { return err } - if err = s.runtime.UpdateStatus(ctr); err != nil { - return fmt.Errorf("error updating status for container %s: %v", ctr.ID(), err) - } + + s.containerStateFromDisk(ctr) + s.addContainer(ctr) return s.ctrIDIndex.Add(id) } +func (s *Server) containerStateFromDisk(c *oci.Container) error { + if err := c.FromDisk(); err != nil { + return err + } + // ignore errors, this is a best effort to have up-to-date info about + // a given container before its state gets stored + s.runtime.UpdateStatus(c) + + return nil +} + func (s *Server) containerStateToDisk(c *oci.Container) error { // ignore errors, this is a best effort to have up-to-date info about // a given container before its state gets stored @@ -294,9 +305,9 @@ func (s *Server) loadSandbox(id string) error { if err != nil { return err } - if err = s.runtime.UpdateStatus(scontainer); err != nil { - return fmt.Errorf("error updating status for pod sandbox infra container %s: %v", scontainer.ID(), err) - } + + s.containerStateFromDisk(scontainer) + if err = label.ReserveLabel(processLabel); err != nil { return err } From 03da0fe03e9fdcf843aca3f180f53c9f7dd72fa1 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 12:16:32 +0200 Subject: [PATCH 23/24] server: *_status: do not fail on updating containers status Signed-off-by: Antonio Murdaca --- server/container_status.go | 5 ++--- server/sandbox_status.go | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/server/container_status.go b/server/container_status.go index 82a51877..1879e244 100644 --- a/server/container_status.go +++ b/server/container_status.go 
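Review bot: `s.containerStateFromDisk(ctr)` and `s.containerStateFromDisk(scontainer)` both drop the returned error, so a missing or corrupt `state.json` leaves the container with only the seeded `Created` value plus whatever the best-effort `UpdateStatus` yields, with nothing logged — whereas the removed code aborted the load with a message. A missing file is expected for containers created before this change, so `os.IsNotExist` can stay quiet, but other errors should surface: `if err := s.containerStateFromDisk(ctr); err != nil && !os.IsNotExist(err) { logrus.Warnf("failed to restore state for container %s: %v", ctr.ID(), err) }`. The comment inside `containerStateFromDisk` ("before its state gets stored") was copied from `containerStateToDisk` and does not describe the restore path; `// refresh from runc after restoring the persisted snapshot; best effort` fits.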
@@ -18,9 +18,8 @@ func (s *Server) ContainerStatus(ctx context.Context, req *pb.ContainerStatusReq return nil, err } - if err = s.runtime.UpdateStatus(c); err != nil { - return nil, err - } + // best effort if container is still in runc store... + s.runtime.UpdateStatus(c) containerID := c.ID() image := c.Image() diff --git a/server/sandbox_status.go b/server/sandbox_status.go index 9a8c864f..e2d0286c 100644 --- a/server/sandbox_status.go +++ b/server/sandbox_status.go @@ -16,9 +16,8 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR } podInfraContainer := sb.infraContainer - if err = s.runtime.UpdateStatus(podInfraContainer); err != nil { - return nil, err - } + // best effort if container is still in runc store... + s.runtime.UpdateStatus(podInfraContainer) cState := s.runtime.ContainerStatus(podInfraContainer) From e4200d331329f4e1e630530ad1f6ffde9cb56d05 Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Thu, 11 May 2017 12:41:08 +0200 Subject: [PATCH 24/24] server: ignore runc not exist errors Signed-off-by: Antonio Murdaca --- oci/oci.go | 3 +++ server/container_list.go | 4 +--- server/container_status.go | 1 + server/sandbox_list.go | 5 ++--- server/sandbox_status.go | 2 ++ 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/oci/oci.go b/oci/oci.go index 96cbc909..b407c827 100644 --- a/oci/oci.go +++ b/oci/oci.go @@ -486,6 +486,9 @@ func (r *Runtime) UpdateStatus(c *Container) error { defer c.opLock.Unlock() out, err := exec.Command(r.Path(c), "state", c.name).CombinedOutput() if err != nil { + if strings.Contains(string(out), "does not exist") { + return nil + } return fmt.Errorf("error getting container state for %s: %s: %q", c.name, err, out) } if err := json.NewDecoder(bytes.NewBuffer(out)).Decode(&c.state); err != nil { diff --git a/server/container_list.go b/server/container_list.go index 9e372a5f..908145f2 100644 --- a/server/container_list.go +++ b/server/container_list.go 
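Review bot: `s.runtime.UpdateStatus(c)` now has every error discarded, not only the "container does not exist" case the comment describes, so a runc invocation failure or malformed state JSON makes `ContainerStatus` silently report the last cached status as current; `PodSandboxStatus` in the next hunk and `ListContainers`/`ListPodSandbox` in patch 24 get the same treatment. Patch 24 already makes `UpdateStatus` return nil for the not-exist case, which makes this blanket swallow unnecessary — keep the tolerance inside `UpdateStatus` and restore error handling here, or at least `logrus.Debugf` the dropped error. The trailing `...` reads as unfinished; `// best effort: the container may already be gone from the runc store` states the intent.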
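Review bot: When runc reports that the container `does not exist`, the new branch returns nil and leaves `c.state` untouched, so a container whose persisted status was running (for example after a host reboot cleared runc's state directory) keeps being reported as running by every status and list path until something else rewrites the state. The not-exist reply is itself evidence the process is gone; setting `c.state.Status = ContainerStateStopped` (and `Finished` if unset) in that branch, or otherwise marking the cached state as unverified, keeps the view honest. This also repeats the stderr string match from `DeleteContainer`; one shared helper keeps the two in step. `UpdateStatus` starts outside the hunk.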
@@ -66,9 +66,7 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
 }
 for _, ctr := range ctrList {
- if err := s.runtime.UpdateStatus(ctr); err != nil {
- return nil, err
- }
+ s.runtime.UpdateStatus(ctr)
 podSandboxID := ctr.Sandbox()
 cState := s.runtime.ContainerStatus(ctr)
diff --git a/server/container_status.go b/server/container_status.go
index 1879e244..f28d21b2 100644
--- a/server/container_status.go
+++ b/server/container_status.go
@@ -20,6 +20,7 @@ func (s *Server) ContainerStatus(ctx context.Context, req *pb.ContainerStatusReq
 // best effort if container is still in runc store...
 s.runtime.UpdateStatus(c)
+ s.containerStateToDisk(c)
 containerID := c.ID()
 image := c.Image()
diff --git a/server/sandbox_list.go b/server/sandbox_list.go
index 9e4b3562..447db7ca 100644
--- a/server/sandbox_list.go
+++ b/server/sandbox_list.go
@@ -59,9 +59,8 @@ func (s *Server) ListPodSandbox(ctx context.Context, req *pb.ListPodSandboxReque
 // it's better not to panic
 continue
 }
- if err := s.runtime.UpdateStatus(podInfraContainer); err != nil {
- return nil, err
- }
+ s.runtime.UpdateStatus(podInfraContainer)
+
 cState := s.runtime.ContainerStatus(podInfraContainer)
 created := cState.Created.UnixNano()
 rStatus := pb.PodSandboxState_SANDBOX_NOTREADY
diff --git a/server/sandbox_status.go b/server/sandbox_status.go
index e2d0286c..65e51a84 100644
--- a/server/sandbox_status.go
+++ b/server/sandbox_status.go
@@ -18,6 +18,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 podInfraContainer := sb.infraContainer
 // best effort if container is still in runc store...
 s.runtime.UpdateStatus(podInfraContainer)
+ s.containerStateToDisk(podInfraContainer)
 cState := s.runtime.ContainerStatus(podInfraContainer)
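Review bot: `s.containerStateToDisk(c)` returns an error that is dropped in the container_status.go hunk of this patch, and the same happens for the infra container in the sandbox_status.go hunk below; a failed write means the on-disk copy that loadContainer presumably restores from later silently falls behind the live state. This also turns a read-only status RPC into one that writes to disk on every call, which the kubelet issues frequently, so a comment explaining why persisting here is needed would help the next reader, e.g. `// persist the refreshed state so a restart restores it (see containerStateFromDisk)`. If a write failure should not fail the query, log it rather than drop it: `if err := s.containerStateToDisk(c); err != nil { /* log: the state persisted on disk is now stale */ }`. ContainerStatus's body starts and ends outside the hunk.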
@@ -32,6 +33,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
 }
 rStatus := pb.PodSandboxState_SANDBOX_NOTREADY
+
 if cState.Status == oci.ContainerStateRunning {
 rStatus = pb.PodSandboxState_SANDBOX_READY
 }
