server/container_create: Allow for nil Process

OCI runtime callers (like CRI-O) are allowed to leave process unset
[1] for containers that they do not intend to 'start'.  When we don't
have any process.args, we *must* leave process unset (because
process.args is required [2]).  My personal preference would have been
to have both process and process.args optional [3], which would have
allowed for these settings to be decoupled, but that's not where the
spec ended up.

When we have no args and are clearing Process, we need to ensure that
we don't re-create an args-less structure later on by populating
process.user or similar.  This commit collects later process-creating
calls (e.g. setupContainerUser, which populates process.user) into the
"we have some args" branch.

This commit leaves earlier process-creating calls
(e.g. SetProcessTerminal) where they were.  Anything they do inside
Process will be clobbered later if we nil it, but that's fine.

[1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L145
[2]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L157
[3]: https://github.com/opencontainers/runtime-spec/pull/701#issue-210601101

Signed-off-by: W. Trevor King <wking@tremily.us>
W. Trevor King 2018-01-19 10:05:12 -08:00
parent c93ca853f3
commit 375ddf4b3a


@ -395,10 +395,6 @@ func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, ociConfig *v1.
} }
} }
if len(kubeCommands) == 0 && len(kubeArgs) == 0 {
return nil, fmt.Errorf("no command specified")
}
processArgs := append(kubeCommands, kubeArgs...) processArgs := append(kubeCommands, kubeArgs...)
logrus.Debugf("OCI process args %v", processArgs) logrus.Debugf("OCI process args %v", processArgs)
@ -1164,12 +1160,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
processArgs := []string{} processArgs := []string{}
if containerImageConfig != nil { if containerImageConfig == nil {
processArgs, err := buildOCIProcessArgs(containerConfig, &containerImageConfig.Config) processArgs, err = buildOCIProcessArgs(containerConfig, nil)
} else {
processArgs, err = buildOCIProcessArgs(containerConfig, &containerImageConfig.Config)
}
if err != nil { if err != nil {
return nil, err return nil, err
} }
} if len(processArgs) == 0 {
specgen.Spec().Process = nil
} else {
specgen.SetProcessArgs(processArgs) specgen.SetProcessArgs(processArgs)
envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs()) envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
@ -1199,6 +1200,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
return nil, err return nil, err
} }
// Setup user and groups
if linux != nil {
if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
return nil, err
}
}
}
var secretMounts []rspec.Mount var secretMounts []rspec.Mount
if len(s.config.DefaultMounts) > 0 { if len(s.config.DefaultMounts) > 0 {
var err error var err error
@ -1229,13 +1238,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
return nil, err return nil, err
} }
// Setup user and groups
if linux != nil {
if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
return nil, err
}
}
// Set up pids limit if pids cgroup is mounted // Set up pids limit if pids cgroup is mounted
_, err = cgroups.FindCgroupMountpoint("pids") _, err = cgroups.FindCgroupMountpoint("pids")
if err == nil { if err == nil {
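Review bot: `specgen.Spec().Process = nil` in the hunk at -1164 leaves a nil pointer behind, and only SetProcessArgs, the env merge and setupContainerUser were moved into the else branch; any later code in createSandboxContainer that writes through `Process` (capabilities, no-new-privileges, AppArmor/SELinux labels, or the terminal setting the message mentions) would dereference it, and since the rest of the function lies outside these hunks that needs an audit rather than the message's "clobbered later" assumption. The assignment also bypasses the generator API and deserves a comment, e.g. `// runtime-spec requires process.args whenever process is set, so a container with no command gets no Process at all (valid only for containers that are never started)`. The same applies to the hunk at -395: the "no command specified" error is removed and buildOCIProcessArgs is now called with a nil ociConfig, but the nil guard inside it is not visible here, so confirm it returns empty args instead of dereferencing ociConfig. createSandboxContainer and buildOCIProcessArgs both begin and end outside these hunks.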