diff --git a/lib/sandbox/sandbox.go b/lib/sandbox/sandbox.go
index 7624b072..641e1734 100644
--- a/lib/sandbox/sandbox.go
+++ b/lib/sandbox/sandbox.go
@@ -168,9 +168,6 @@ const (
 // NsRunDir is the default directory in which running network namespaces
 // are stored
 NsRunDir = "/var/run/netns"
- // PodInfraCommand is the default command when starting a pod infrastructure
- // container
- PodInfraCommand = "/pause"
 )
 var (
diff --git a/server/container_create.go b/server/container_create.go
index a4652cf3..579e8268 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -376,7 +376,7 @@ func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specge
 }
 // buildOCIProcessArgs build an OCI compatible process arguments slice.
-func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig *v1.Image) ([]string, error) {
+func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, ociConfig *v1.ImageConfig) ([]string, error) {
 //# Start the nginx container using the default command, but use custom
 //arguments (arg1 .. argN) for that command.
 //kubectl run nginx --image=nginx -- ...
@@ -388,34 +388,14 @@ func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig
 kubeArgs := containerKubeConfig.Args
 // merge image config and kube config
- // same as docker does today...
- if imageOCIConfig != nil {
- if len(kubeCommands) == 0 {
- if len(kubeArgs) == 0 {
- kubeArgs = imageOCIConfig.Config.Cmd
- }
- if kubeCommands == nil {
- kubeCommands = imageOCIConfig.Config.Entrypoint
- }
+ if ociConfig != nil && len(kubeCommands) == 0 {
+ kubeCommands = ociConfig.Entrypoint
+ if len(kubeArgs) == 0 {
+ kubeArgs = ociConfig.Cmd
 }
 }
- if len(kubeCommands) == 0 && len(kubeArgs) == 0 {
- return nil, fmt.Errorf("no command specified")
- }
-
- // create entrypoint and args
- var entrypoint string
- var args []string
- if len(kubeCommands) != 0 {
- entrypoint = kubeCommands[0]
- args = append(kubeCommands[1:], kubeArgs...)
- } else {
- entrypoint = kubeArgs[0]
- args = kubeArgs[1:]
- }
-
- processArgs := append([]string{entrypoint}, args...)
+ processArgs := append(kubeCommands, kubeArgs...)
 logrus.Debugf("OCI process args %v", processArgs)
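Review bot: `processArgs := append(kubeCommands, kubeArgs...)` appends directly onto the slice it was handed, so when kubeCommands is `ociConfig.Entrypoint` (or the CRI `Command`) and that slice has spare capacity, the arguments are written into storage the image config still references. If that config is cached or shared between container creations, which this hunk does not show, one container's arguments could end up visible to another or be raced under concurrent creates. Copy before appending, e.g. `processArgs := append(append([]string{}, kubeCommands...), kubeArgs...)`. The doc comment should also say that an empty slice with a nil error is now a valid result, since the "no command specified" error is gone; the function body continues outside the hunk.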
@@ -1179,37 +1159,53 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 return nil, err
 }
- processArgs, err := buildOCIProcessArgs(containerConfig, containerImageConfig)
+ processArgs := []string{}
+ if containerImageConfig == nil {
+ processArgs, err = buildOCIProcessArgs(containerConfig, nil)
+ } else {
+ processArgs, err = buildOCIProcessArgs(containerConfig, &containerImageConfig.Config)
+ }
 if err != nil {
 return nil, err
 }
- specgen.SetProcessArgs(processArgs)
+ if len(processArgs) == 0 {
+ specgen.Spec().Process = nil
+ } else {
+ specgen.SetProcessArgs(processArgs)
- envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
- for _, e := range envs {
- parts := strings.SplitN(e, "=", 2)
- specgen.AddProcessEnv(parts[0], parts[1])
- }
+ envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
+ for _, e := range envs {
+ parts := strings.SplitN(e, "=", 2)
+ specgen.AddProcessEnv(parts[0], parts[1])
+ }
- // Set working directory
- // Pick it up from image config first and override if specified in CRI
- containerCwd := "/"
- if containerImageConfig != nil {
- imageCwd := containerImageConfig.Config.WorkingDir
- if imageCwd != "" {
- containerCwd = imageCwd
+ // Set working directory
+ // Pick it up from image config first and override if specified in CRI
+ containerCwd := "/"
+ if containerImageConfig != nil {
+ imageCwd := containerImageConfig.Config.WorkingDir
+ if imageCwd != "" {
+ containerCwd = imageCwd
+ }
 }
- }
- runtimeCwd := containerConfig.WorkingDir
- if runtimeCwd != "" {
- containerCwd = runtimeCwd
- }
- specgen.SetProcessCwd(containerCwd)
- if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
- if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
- return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
+ runtimeCwd := containerConfig.WorkingDir
+ if runtimeCwd != "" {
+ containerCwd = runtimeCwd
+ }
+ specgen.SetProcessCwd(containerCwd)
+ if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
+ if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
+ return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
+ }
+ return nil, err
+ }
+
+ // Setup user and groups
+ if linux != nil {
+ if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
+ return nil, err
+ }
 }
- return nil, err
 }
 var secretMounts []rspec.Mount
@@ -1242,13 +1238,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 return nil, err
 }
- // Setup user and groups
- if linux != nil {
- if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
- return nil, err
- }
- }
-
 // Set up pids limit if pids cgroup is mounted
 _, err = cgroups.FindCgroupMountpoint("pids")
 if err == nil {
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 5ba007c2..951e113e 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -186,15 +186,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 // setup defaults for the pod sandbox
 g.SetRootReadonly(true)
- if s.config.PauseCommand == "" {
- if podContainer.Config != nil {
- g.SetProcessArgs(podContainer.Config.Config.Cmd)
- } else {
- g.SetProcessArgs([]string{sandbox.PodInfraCommand})
- }
- } else {
- g.SetProcessArgs([]string{s.config.PauseCommand})
- }
 // set DNS options
 if req.GetConfig().GetDnsConfig() != nil {
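Review bot: In createSandboxContainer (server/container_create.go, hunk at -1179) the empty-command branch sets `specgen.Spec().Process = nil` and skips env, cwd and `setupContainerUser` with no comment or log line, so a request whose CRI config and image both lack a command now silently yields a process-less spec where the old code returned "no command specified". Because the SecurityContext user and groups are not applied on this path, the branch should say why that is safe, e.g. `// No command from CRI or image config: emit a spec without a process; env, cwd and user/group setup only apply when a process exists.` plus `logrus.Debugf("container %s has no process args; creating spec without a process", containerID)`. Any later specgen process setter in this function (not visible here) would presumably re-create Process without that user setup, so it is worth confirming none runs after this point. Separately, `processArgs := []string{}` is overwritten in both branches and reads better as `var processArgs []string`. The function body starts and ends outside the hunk.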
@@ -286,6 +277,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 g.SetProcessSelinuxLabel(processLabel)
 g.SetLinuxMountLabel(mountLabel)
+ containerKubeConfig := &pb.ContainerConfig{}
+ if s.config.PauseCommand != "" {
+ containerKubeConfig.Command = []string{s.config.PauseCommand}
+ }
+ processArgs, err := buildOCIProcessArgs(containerKubeConfig, &podContainer.Config.Config)
+ if err != nil {
+ return nil, err
+ }
+ if len(processArgs) == 0 {
+ g.Spec().Process = nil
+ } else {
+ g.SetProcessArgs(processArgs)
+ }
+
 // create shm mount for the pod containers.
 var shmPath string
 if securityContext.GetNamespaceOptions().GetHostIpc() {
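Review bot: `&podContainer.Config.Config` dereferences `podContainer.Config` without a nil check, although the code this commit removes from RunPodSandbox (hunk at -186) tested `podContainer.Config != nil` before reading it. A pause image stored without a config would therefore panic the server in this request path instead of falling back to a default. createSandboxContainer in the same commit passes nil in the equivalent case; do the same here by starting from a nil pointer of the parameter's type and setting it only when present, `if podContainer.Config != nil { imgConfig = &podContainer.Config.Config }`, then passing `imgConfig` to buildOCIProcessArgs. With the `/pause` default removed, that path returns empty args and the sandbox gets `Process = nil`, so an explicit error naming the missing pause command may be clearer to operators. RunPodSandbox continues outside the hunk.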