Merge f41bf4688c into 54e76afc03

lib/sandbox/sandbox.go

@@ -168,9 +168,6 @@ const (
 	// NsRunDir is the default directory in which running network namespaces
 	// are stored
 	NsRunDir = "/var/run/netns"
-	// PodInfraCommand is the default command when starting a pod infrastructure
-	// container
-	PodInfraCommand = "/pause"
 )
 
 var (

server/container_create.go

@@ -376,7 +376,7 @@ func addDevices(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specge
 }
 
 // buildOCIProcessArgs build an OCI compatible process arguments slice.
-func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig *v1.Image) ([]string, error) {
+func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, ociConfig *v1.ImageConfig) ([]string, error) {
 	//# Start the nginx container using the default command, but use custom
 	//arguments (arg1 .. argN) for that command.
 	//kubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>
@@ -388,34 +388,14 @@ func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig
 	kubeArgs := containerKubeConfig.Args
 
 	// merge image config and kube config
-	// same as docker does today...
+	if ociConfig != nil && len(kubeCommands) == 0 {
-	if imageOCIConfig != nil {
+		kubeCommands = ociConfig.Entrypoint
-		if len(kubeCommands) == 0 {
+		if len(kubeArgs) == 0 {
-			if len(kubeArgs) == 0 {
+			kubeArgs = ociConfig.Cmd
-				kubeArgs = imageOCIConfig.Config.Cmd
-			}
-			if kubeCommands == nil {
-				kubeCommands = imageOCIConfig.Config.Entrypoint
-			}
 		}
 	}
 
-	if len(kubeCommands) == 0 && len(kubeArgs) == 0 {
+	processArgs := append(kubeCommands, kubeArgs...)
-		return nil, fmt.Errorf("no command specified")
-	}
-
-	// create entrypoint and args
-	var entrypoint string
-	var args []string
-	if len(kubeCommands) != 0 {
-		entrypoint = kubeCommands[0]
-		args = append(kubeCommands[1:], kubeArgs...)
-	} else {
-		entrypoint = kubeArgs[0]
-		args = kubeArgs[1:]
-	}
-
-	processArgs := append([]string{entrypoint}, args...)
 
 	logrus.Debugf("OCI process args %v", processArgs)
 
@@ -1179,37 +1159,53 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		return nil, err
 	}
 
-	processArgs, err := buildOCIProcessArgs(containerConfig, containerImageConfig)
+	processArgs := []string{}
+	if containerImageConfig == nil {
+		processArgs, err = buildOCIProcessArgs(containerConfig, nil)
+	} else {
+		processArgs, err = buildOCIProcessArgs(containerConfig, &containerImageConfig.Config)
+	}
 	if err != nil {
 		return nil, err
 	}
-	specgen.SetProcessArgs(processArgs)
+	if len(processArgs) == 0 {
+		specgen.Spec().Process = nil
+	} else {
+		specgen.SetProcessArgs(processArgs)
 
-	envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
+		envs := mergeEnvs(containerImageConfig, containerConfig.GetEnvs())
-	for _, e := range envs {
+		for _, e := range envs {
-		parts := strings.SplitN(e, "=", 2)
+			parts := strings.SplitN(e, "=", 2)
-		specgen.AddProcessEnv(parts[0], parts[1])
+			specgen.AddProcessEnv(parts[0], parts[1])
-	}
+		}
 
-	// Set working directory
+		// Set working directory
-	// Pick it up from image config first and override if specified in CRI
+		// Pick it up from image config first and override if specified in CRI
-	containerCwd := "/"
+		containerCwd := "/"
-	if containerImageConfig != nil {
+		if containerImageConfig != nil {
-		imageCwd := containerImageConfig.Config.WorkingDir
+			imageCwd := containerImageConfig.Config.WorkingDir
-		if imageCwd != "" {
+			if imageCwd != "" {
-			containerCwd = imageCwd
+				containerCwd = imageCwd
+			}
 		}
-	}
+		runtimeCwd := containerConfig.WorkingDir
-	runtimeCwd := containerConfig.WorkingDir
+		if runtimeCwd != "" {
-	if runtimeCwd != "" {
+			containerCwd = runtimeCwd
-		containerCwd = runtimeCwd
+		}
-	}
+		specgen.SetProcessCwd(containerCwd)
-	specgen.SetProcessCwd(containerCwd)
+		if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
-	if err := setupWorkingDirectory(mountPoint, mountLabel, containerCwd); err != nil {
+			if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
-		if err1 := s.StorageRuntimeServer().StopContainer(containerID); err1 != nil {
+				return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
-			return nil, fmt.Errorf("can't umount container after cwd error %v: %v", err, err1)
+			}
+			return nil, err
+		}
+
+		// Setup user and groups
+		if linux != nil {
+			if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
+				return nil, err
+			}
 		}
-		return nil, err
 	}
 
 	var secretMounts []rspec.Mount
@@ -1242,13 +1238,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		return nil, err
 	}
 
-	// Setup user and groups
-	if linux != nil {
-		if err = setupContainerUser(&specgen, mountPoint, linux.GetSecurityContext(), containerImageConfig); err != nil {
-			return nil, err
-		}
-	}
-
 	// Set up pids limit if pids cgroup is mounted
 	_, err = cgroups.FindCgroupMountpoint("pids")
 	if err == nil {

server/sandbox_run.go

@@ -186,15 +186,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 
 	// setup defaults for the pod sandbox
 	g.SetRootReadonly(true)
-	if s.config.PauseCommand == "" {
-		if podContainer.Config != nil {
-			g.SetProcessArgs(podContainer.Config.Config.Cmd)
-		} else {
-			g.SetProcessArgs([]string{sandbox.PodInfraCommand})
-		}
-	} else {
-		g.SetProcessArgs([]string{s.config.PauseCommand})
-	}
 
 	// set DNS options
 	if req.GetConfig().GetDnsConfig() != nil {
@@ -286,6 +277,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	g.SetProcessSelinuxLabel(processLabel)
 	g.SetLinuxMountLabel(mountLabel)
 
+	containerKubeConfig := &pb.ContainerConfig{}
+	if s.config.PauseCommand != "" {
+		containerKubeConfig.Command = []string{s.config.PauseCommand}
+	}
+	processArgs, err := buildOCIProcessArgs(containerKubeConfig, &podContainer.Config.Config)
+	if err != nil {
+		return nil, err
+	}
+	if len(processArgs) == 0 {
+		g.Spec().Process = nil
+	} else {
+		g.SetProcessArgs(processArgs)
+	}
+
 	// create shm mount for the pod containers.
 	var shmPath string
 	if securityContext.GetNamespaceOptions().GetHostIpc() {