contrib: import system containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
		
							parent
							
								
									bdaba5c4e8
								
							
						
					
					
						commit
						585cf56fea
					
				
					 25 changed files with 1719 additions and 0 deletions
				
			
		
							
								
								
									
										29
									
								
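--- a/contrib/system_containers/centos/Dockerfile
+++ b/contrib/system_containers/centos/Dockerfile
@@ -0,0 +1,29 @@
+FROM centos
+
+ENV VERSION=0 RELEASE=1 ARCH=x86_64
+LABEL com.redhat.component="cri-o" \
+      name="$FGC/cri-o" \
+      version="$VERSION" \
+      release="$RELEASE.$DISTTAG" \
+      architecture="$ARCH" \
+      usage="atomic install --system --system-package=no crio && systemctl start crio" \
+      summary="The cri-o daemon as a system container." \
+      maintainer="Yu Qi Zhang <jzehrarnyg@gmail.com>" \
+      atomic.type="system"
+
+RUN yum-config-manager --nogpgcheck --add-repo https://cbs.centos.org/repos/virt7-container-common-candidate/x86_64/os/ && \
+    yum install --disablerepo=extras --nogpgcheck --setopt=tsflags=nodocs -y iptables cri-o socat iproute runc && \
+    rpm -V iptables cri-o iproute runc && \
+    yum clean all && \
+    mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
+    cp /etc/crio/* /exports/hostfs/etc/crio && \
+    if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
+
+RUN sed -i '/storage_option =/s/.*/&\n"overlay.override_kernel_check=1",/' /exports/hostfs/etc/crio/crio.conf
+
+COPY manifest.json tmpfiles.template config.json.template service.template /exports/
+
+COPY set_mounts.sh /
+COPY run.sh /usr/bin/
+
+CMD ["/usr/bin/run.sh"]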
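Review bot: Both the `yum-config-manager --add-repo` line and the `yum install` line in the first RUN pass `--nogpgcheck`, so cri-o, runc, iptables and the rest are installed from the CBS candidate repo without any signature verification, and the following `rpm -V` only compares the files against that same unverified rpm database, so it does not recover the lost check. Import the repository's signing key and drop the two `--nogpgcheck` flags, or if the candidate repo genuinely has no usable key, leave a comment on that line saying so and why it is acceptable for this image. Separately, `$FGC` and `$DISTTAG` in the LABEL are never set by the ENV line, so unless the build tool injects them `name` expands to `/cri-o` and `release` to `1.`; the fedora Dockerfile has the same two unset variables. `FROM centos` is also unpinned, so rebuilds are not reproducible.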
							
								
								
									
										57
									
								
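--- a/contrib/system_containers/centos/README.md
+++ b/contrib/system_containers/centos/README.md
@@ -0,0 +1,57 @@
+# cri-o
+
+This is the cri-o daemon as a system container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/cri-o
+# docker build -t crio .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/crio
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:crio:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=crio ($REGISTRY)/crio
+```
+
+Start as a systemd service:
+
+```
+# systemctl start crio
+```
+
+Stopping the service
+
+```
+# systemctl stop crio
+```
+
+Removing the container
+
+```
+# atomic uninstall crio
+```
+
+## Binary version
+
+You can find the image automatically built as: registry.centos.org/projectatomic/cri-o:latest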
							
								
								
									
										41
									
								
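--- a/contrib/system_containers/centos/cccp.yml
+++ b/contrib/system_containers/centos/cccp.yml
@@ -0,0 +1,41 @@
+# This is for the purpose of building containers on the CentOS Community Container
+# Pipeline. The containers are built, tested and delivered to registry.centos.org and
+# lifecycled as well. A corresponding entry must exist in the container index itself,
+# located at https://github.com/CentOS/container-index/tree/master/index.d
+# You can know more at the following links:
+# * https://github.com/CentOS/container-pipeline-service/blob/master/README.md
+# * https://github.com/CentOS/container-index/blob/master/README.rst
+# * https://wiki.centos.org/ContainerPipeline
+
+# This will be part of the name of the container. It should match the job-id in index entry
+job-id: cri-o
+
+#the following are optional, can be left blank
+#defaults, where applicable are filled in
+#nulecule-file   : nulecule
+
+# This flag tells the container pipeline to skip user defined tests on their container
+test-skip       : True
+
+# This is path of the script that initiates the user defined tests. It must be able to
+# return an exit code.
+test-script     : null
+
+# This is the path of custom build script.
+build-script    : null
+
+# This is the path of the custom delivery script
+delivery-script : null
+
+# This flag tells the pipeline to deliver this container to docker hub.
+docker-index    : True
+
+# This flag can be used to enable or disable the custom delivery
+custom-delivery : False
+
+# This flag can be used to enable or disable delivery of container to local registry
+local-delivery  : True
+
+Upstreams       :
+        - ref           :
+          url           :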
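Review bot: `test-skip: True` together with `test-script: null` means the CentOS pipeline builds and publishes this image to registry.centos.org (and, with `docker-index: True`, to Docker Hub) without running any test at all, and the trailing `Upstreams` entry has an empty `ref` and `url`. If the pipeline tolerates the empty upstream entry, a comment above it saying so (`# no upstream tracked yet; pipeline accepts an empty entry`) would stop the next reader from "fixing" it; otherwise drop the two lines or fill them in. A one-line comment on `test-skip` explaining why no smoke test is run for a published daemon image would also help.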
							
								
								
									
										427
									
								
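--- a/contrib/system_containers/centos/config.json.template
+++ b/contrib/system_containers/centos/config.json.template
@@ -0,0 +1,427 @@
+{
+    "ociVersion": "1.0.0",
+    "platform": {
+        "arch": "amd64",
+        "os": "linux"
+    },
+    "process": {
+        "args": [
+            "/usr/bin/run.sh"
+        ],
+        "capabilities": {
+            "ambient": [
+                "CAP_CHOWN",
+                "CAP_FOWNER",
+                "CAP_FSETID",
+                "CAP_KILL",
+                "CAP_SETGID",
+                "CAP_SETUID",
+                "CAP_SETPCAP",
+                "CAP_LINUX_IMMUTABLE",
+                "CAP_NET_BIND_SERVICE",
+                "CAP_NET_BROADCAST",
+                "CAP_NET_ADMIN",
+                "CAP_NET_RAW",
+                "CAP_IPC_LOCK",
+                "CAP_IPC_OWNER",
+                "CAP_SYS_MODULE",
+                "CAP_SYS_RAWIO",
+                "CAP_SYS_CHROOT",
+                "CAP_SYS_PTRACE",
+                "CAP_SYS_PACCT",
+                "CAP_SYS_ADMIN",
+                "CAP_SYS_BOOT",
+                "CAP_SYS_NICE",
+                "CAP_SYS_RESOURCE",
+                "CAP_SYS_TIME",
+                "CAP_SYS_TTY_CONFIG",
+                "CAP_MKNOD",
+                "CAP_LEASE",
+                "CAP_AUDIT_WRITE",
+                "CAP_AUDIT_CONTROL",
+                "CAP_SETFCAP",
+                "CAP_DAC_OVERRIDE",
+                "CAP_MAC_OVERRIDE",
+                "CAP_DAC_READ_SEARCH",
+                "CAP_MAC_ADMIN",
+                "CAP_SYSLOG",
+                "CAP_WAKE_ALARM",
+                "CAP_BLOCK_SUSPEND"
+            ],
+            "bounding": [
+                "CAP_CHOWN",
+                "CAP_FOWNER",
+                "CAP_FSETID",
+                "CAP_KILL",
+                "CAP_SETGID",
+                "CAP_SETUID",
+                "CAP_SETPCAP",
+                "CAP_LINUX_IMMUTABLE",
+                "CAP_NET_BIND_SERVICE",
+                "CAP_NET_BROADCAST",
+                "CAP_NET_ADMIN",
+                "CAP_NET_RAW",
+                "CAP_IPC_LOCK",
+                "CAP_IPC_OWNER",
+                "CAP_SYS_MODULE",
+                "CAP_SYS_RAWIO",
+                "CAP_SYS_CHROOT",
+                "CAP_SYS_PTRACE",
+                "CAP_SYS_PACCT",
+                "CAP_SYS_ADMIN",
+                "CAP_SYS_BOOT",
+                "CAP_SYS_NICE",
+                "CAP_SYS_RESOURCE",
+                "CAP_SYS_TIME",
+                "CAP_SYS_TTY_CONFIG",
+                "CAP_MKNOD",
+                "CAP_LEASE",
+                "CAP_AUDIT_WRITE",
+                "CAP_AUDIT_CONTROL",
+                "CAP_SETFCAP",
+                "CAP_DAC_OVERRIDE",
+                "CAP_MAC_OVERRIDE",
+                "CAP_DAC_READ_SEARCH",
+                "CAP_MAC_ADMIN",
+                "CAP_SYSLOG",
+                "CAP_WAKE_ALARM",
+                "CAP_BLOCK_SUSPEND"
+            ],
+            "effective": [
+                "CAP_CHOWN",
+                "CAP_FOWNER",
+                "CAP_FSETID",
+                "CAP_KILL",
+                "CAP_SETGID",
+                "CAP_SETUID",
+                "CAP_SETPCAP",
+                "CAP_LINUX_IMMUTABLE",
+                "CAP_NET_BIND_SERVICE",
+                "CAP_NET_BROADCAST",
+                "CAP_NET_ADMIN",
+                "CAP_NET_RAW",
+                "CAP_IPC_LOCK",
+                "CAP_IPC_OWNER",
+                "CAP_SYS_MODULE",
+                "CAP_SYS_RAWIO",
+                "CAP_SYS_CHROOT",
+                "CAP_SYS_PTRACE",
+                "CAP_SYS_PACCT",
+                "CAP_SYS_ADMIN",
+                "CAP_SYS_BOOT",
+                "CAP_SYS_NICE",
+                "CAP_SYS_RESOURCE",
+                "CAP_SYS_TIME",
+                "CAP_SYS_TTY_CONFIG",
+                "CAP_MKNOD",
+                "CAP_LEASE",
+                "CAP_AUDIT_WRITE",
+                "CAP_AUDIT_CONTROL",
+                "CAP_SETFCAP",
+                "CAP_DAC_OVERRIDE",
+                "CAP_MAC_OVERRIDE",
+                "CAP_DAC_READ_SEARCH",
+                "CAP_MAC_ADMIN",
+                "CAP_SYSLOG",
+                "CAP_WAKE_ALARM",
+                "CAP_BLOCK_SUSPEND"
+            ],
+            "inheritable": [
+                "CAP_CHOWN",
+                "CAP_FOWNER",
+                "CAP_FSETID",
+                "CAP_KILL",
+                "CAP_SETGID",
+                "CAP_SETUID",
+                "CAP_SETPCAP",
+                "CAP_LINUX_IMMUTABLE",
+                "CAP_NET_BIND_SERVICE",
+                "CAP_NET_BROADCAST",
+                "CAP_NET_ADMIN",
+                "CAP_NET_RAW",
+                "CAP_IPC_LOCK",
+                "CAP_IPC_OWNER",
+                "CAP_SYS_MODULE",
+                "CAP_SYS_RAWIO",
+                "CAP_SYS_CHROOT",
+                "CAP_SYS_PTRACE",
+                "CAP_SYS_PACCT",
+                "CAP_SYS_ADMIN",
+                "CAP_SYS_BOOT",
+                "CAP_SYS_NICE",
+                "CAP_SYS_RESOURCE",
+                "CAP_SYS_TIME",
+                "CAP_SYS_TTY_CONFIG",
+                "CAP_MKNOD",
+                "CAP_LEASE",
+                "CAP_AUDIT_WRITE",
+                "CAP_AUDIT_CONTROL",
+                "CAP_SETFCAP",
+                "CAP_DAC_OVERRIDE",
+                "CAP_MAC_OVERRIDE",
+                "CAP_DAC_READ_SEARCH",
+                "CAP_MAC_ADMIN",
+                "CAP_SYSLOG",
+                "CAP_WAKE_ALARM",
+                "CAP_BLOCK_SUSPEND"
+            ],
+            "permitted": [
+                "CAP_CHOWN",
+                "CAP_FOWNER",
+                "CAP_FSETID",
+                "CAP_KILL",
+                "CAP_SETGID",
+                "CAP_SETUID",
+                "CAP_SETPCAP",
+                "CAP_LINUX_IMMUTABLE",
+                "CAP_NET_BIND_SERVICE",
+                "CAP_NET_BROADCAST",
+                "CAP_NET_ADMIN",
+                "CAP_NET_RAW",
+                "CAP_IPC_LOCK",
+                "CAP_IPC_OWNER",
+                "CAP_SYS_MODULE",
+                "CAP_SYS_RAWIO",
+                "CAP_SYS_CHROOT",
+                "CAP_SYS_PTRACE",
+                "CAP_SYS_PACCT",
+                "CAP_SYS_ADMIN",
+                "CAP_SYS_BOOT",
+                "CAP_SYS_NICE",
+                "CAP_SYS_RESOURCE",
+                "CAP_SYS_TIME",
+                "CAP_SYS_TTY_CONFIG",
+                "CAP_MKNOD",
+                "CAP_LEASE",
+                "CAP_AUDIT_WRITE",
+                "CAP_AUDIT_CONTROL",
+                "CAP_SETFCAP",
+                "CAP_DAC_OVERRIDE",
+                "CAP_MAC_OVERRIDE",
+                "CAP_DAC_READ_SEARCH",
+                "CAP_MAC_ADMIN",
+                "CAP_SYSLOG",
+                "CAP_WAKE_ALARM",
+                "CAP_BLOCK_SUSPEND"
+            ]
+        },
+        "selinuxLabel": "system_u:system_r:container_runtime_t:s0",
+        "cwd": "/",
+        "env": [
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
+            "TERM=xterm",
+            "LOG_LEVEL=$LOG_LEVEL",
+            "NAME=$NAME"
+        ],
+        "noNewPrivileges": false,
+        "terminal": false,
+        "user": {
+            "gid": 0,
+            "uid": 0
+        }
+    },
+    "root": {
+        "path": "rootfs",
+        "readonly": true
+    },
+    "hooks": {},
+    "linux": {
+        "namespaces": [
+            {
+                "type": "mount"
+            }
+        ],
+        "resources": {
+            "devices": [
+                {
+                    "access": "rwm",
+                    "allow": true
+                }
+            ]
+        },
+        "rootfsPropagation": "private"
+    },
+    "mounts": [
+        {
+            "destination": "/tmp",
+            "options": [
+                "private",
+                "bind",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/tmp",
+            "type": "bind"
+        },
+        {
+            "destination": "/etc",
+            "options": [
+                "rbind",
+                "rprivate",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/etc",
+            "type": "bind"
+        },
+        {
+            "destination": "/lib/modules",
+            "options": [
+                "rbind",
+                "rprivate",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/lib/modules",
+            "type": "bind"
+        },
+        {
+            "destination": "/root",
+            "options": [
+                "rbind",
+                "rprivate",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/root",
+            "type": "bind"
+        },
+        {
+            "destination": "/home",
+            "options": [
+                "rbind",
+                "rprivate",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/home",
+            "type": "bind"
+        },
+        {
+            "destination": "/mnt",
+            "options": [
+                "rbind",
+                "rw",
+                "rprivate",
+                "mode=755"
+            ],
+            "source": "/mnt",
+            "type": "bind"
+        },
+	{
+	    "type": "bind",
+	    "source": "${RUN_DIRECTORY}",
+	    "destination": "/run",
+	    "options": [
+		"rshared",
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+	},
+	{
+	    "type": "bind",
+	    "source": "${RUN_DIRECTORY}/systemd",
+	    "destination": "/run/systemd",
+	    "options": [
+                "rslave",
+                "bind",
+                "rw",
+                "mode=755"
+	    ]
+	},
+        {
+            "destination": "/var/log",
+            "options": [
+                "rbind",
+                "rslave",
+                "rw"
+            ],
+            "source": "/var/log",
+            "type": "bind"
+        },
+        {
+            "destination": "/var/lib",
+            "options": [
+                "rbind",
+                "rprivate",
+                "rw"
+            ],
+            "source": "${STATE_DIRECTORY}",
+            "type": "bind"
+        },
+        {
+            "destination": "/var/lib/containers/storage",
+            "options": [
+                "rbind",
+                "rshared",
+                "rw"
+            ],
+            "source": "${VAR_LIB_CONTAINERS_STORAGE}",
+            "type": "bind"
+        },
+        {
+            "destination": "/var/lib/origin",
+            "options": [
+                "rshared",
+                "bind",
+                "rw"
+            ],
+            "source": "${VAR_LIB_ORIGIN}",
+            "type": "bind"
+        },
+        {
+            "destination": "/var/lib/kubelet",
+            "options": [
+                "rshared",
+                "bind",
+                "rw"
+            ],
+            "source": "${VAR_LIB_KUBE}",
+            "type": "bind"
+        },
+        {
+            "destination": "/opt/cni",
+            "options": [
+                "rbind",
+                "rprivate",
+                "ro",
+                "mode=755"
+            ],
+            "source": "${OPT_CNI}",
+            "type": "bind"
+        },
+        {
+            "destination": "/dev",
+            "options": [
+                "rprivate",
+                "rbind",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/dev",
+            "type": "bind"
+        },
+        {
+            "destination": "/sys",
+            "options": [
+                "rprivate",
+                "rbind",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/sys",
+            "type": "bind"
+        },
+        {
+            "destination": "/proc",
+            "options": [
+                "rbind",
+                "rw",
+                "mode=755"
+            ],
+            "source": "/proc",
+            "type": "proc"
+        }
+    ]
+}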
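Review bot: The `process` section grants every capability in all five of `ambient`, `bounding`, `effective`, `inheritable` and `permitted` (including CAP_SYS_ADMIN, CAP_SYS_MODULE and CAP_SYS_PTRACE), runs as uid/gid 0 with `"noNewPrivileges": false`, allows `rwm` on all devices, uses only a mount namespace, and bind-mounts the host's `/etc`, `/dev`, `/sys`, `/root`, `/home` and `/lib/modules` read-write, so the unit is host-equivalent rather than a sandbox. That is presumably deliberate for a container runtime that must manage host mounts and iptables, but nothing on the page says so; the centos README should state in one sentence that the system container runs with full host privileges and that `config.json.template` is not an isolation boundary, so operators do not treat it as one. The five capability lists are copy-pasted, and the fedora template already diverges (its `ambient` set ends with `"CAP_AUDIT_READ"` where this one ends with `"CAP_BLOCK_SUSPEND"`), so a note on which list is authoritative would prevent further drift. Finally, the `/run` and `/run/systemd` mount entries are tab-indented while the rest of the file uses four-space indentation.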
							
								
								
									
										10
									
								
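--- a/contrib/system_containers/centos/manifest.json
+++ b/contrib/system_containers/centos/manifest.json
@@ -0,0 +1,10 @@
+{
+    "version": "1.0",
+    "defaultValues": {
+        "LOG_LEVEL" : "info",
+        "OPT_CNI" : "/opt/cni",
+        "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
+        "VAR_LIB_ORIGIN" : "/var/lib/origin",
+        "VAR_LIB_KUBE" : "/var/lib/kubelet"
+    }
+}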
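Review bot: `defaultValues` covers `LOG_LEVEL`, `OPT_CNI`, `VAR_LIB_CONTAINERS_STORAGE`, `VAR_LIB_ORIGIN` and `VAR_LIB_KUBE`, but the templates in this commit also expand `RUN_DIRECTORY`, `STATE_DIRECTORY`, `NAME`, `DESTDIR`, `EXEC_START` and `EXEC_STOP`, none of which has a default here. Presumably the atomic CLI supplies those at install time, but a reader of this directory cannot tell, so the README's install section should list which variables the CLI provides and which can be overridden with `--set`, and note that the four path defaults are host directories that end up bind-mounted read-write (three of them shared) into the container. JSON has no comment syntax, so the README is the only place for that.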
							
								
								
									
										8
									
								
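--- a/contrib/system_containers/centos/run.sh
+++ b/contrib/system_containers/centos/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Ensure that new process maintain this SELinux label
+PID=$$
+LABEL=`tr -d '\000' < /proc/$PID/attr/current`
+printf %s $LABEL > /proc/self/attr/exec
+
+exec /usr/bin/crio --log-level=$LOG_LEVEL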
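Review bot: `$LABEL` on the `printf` line and `$LOG_LEVEL` on the `exec` line are expanded unquoted, and `/proc/$PID/attr/current` is just `/proc/self/attr/current` since `PID=$$`; the three middle lines can be `LABEL=$(tr -d '\000' < /proc/self/attr/current)` and `printf %s "$LABEL" > /proc/self/attr/exec`, dropping `PID`. There is no `set -e`, so on a host where SELinux is disabled or the label cannot be read the write to `/proc/self/attr/exec` fails, the error is printed and crio still starts unlabelled; if that best-effort behaviour is intended, the comment should say so (`# best effort: fails harmlessly when SELinux is disabled`), otherwise exit on failure. `--log-level=$LOG_LEVEL` relies on the manifest default of `info` being injected; with `LOG_LEVEL` unset crio receives an empty `--log-level=`.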
							
								
								
									
										20
									
								
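--- a/contrib/system_containers/centos/service.template
+++ b/contrib/system_containers/centos/service.template
@@ -0,0 +1,20 @@
+[Unit]
+Description=crio daemon
+After=network.target
+
+[Service]
+Type=notify
+ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+TasksMax=infinity
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target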
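Review bot: `Type=notify` combined with `TimeoutStartSec=0` means that if the crio process started through run.sh never sends `READY=1`, the unit stays in `activating` indefinitely instead of failing and triggering `Restart=on-failure`; I cannot confirm from this page that the packaged crio sends sd_notify, so either confirm it or give `TimeoutStartSec` a finite value. `ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh` runs a script out of the container's rootfs as root on the host before every start, which deserves a one-line `#` comment above it naming what it does (make the storage, origin and kubelet trees shared mounts) so unit readers do not have to open the rootfs. `After=network.target` does not wait for the network to be configured; if crio needs it, `network-online.target` plus a `Wants=` is the documented way.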
							
								
								
									
										7
									
								
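--- a/contrib/system_containers/centos/set_mounts.sh
+++ b/contrib/system_containers/centos/set_mounts.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
+findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
+findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
+mount --make-shared /run
+findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd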
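Review bot: The script's exit status is only that of its last line, so if the `mount --rbind --make-shared /var/lib/containers/storage` or the `/var/lib/origin` or `/var/lib/kubelet` mount fails, `ExecStartPre` still reports success and crio starts with those trees private, which the `rshared` entries in config.json.template silently do not get; add `set -e` after the shebang so any failed mount stops the unit with a visible error. `findmnt <dir>` only tells whether the directory is a mount point, not whether it is already shared, so a pre-existing private mount is left as is; if that is acceptable, a comment saying so would save the next reader from re-deriving it. The script also has no header comment explaining why these three trees must be shared with the host (containers started by crio need their mounts visible outside the system container).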
							
								
								
									
										5
									
								
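--- a/contrib/system_containers/centos/tmpfiles.template
+++ b/contrib/system_containers/centos/tmpfiles.template
@@ -0,0 +1,5 @@
+d    ${RUN_DIRECTORY}/${NAME}               -        -           -       - -
+d    /etc/crio - - - - -
+Z    /etc/crio - - - - -
+d    ${STATE_DIRECTORY}/origin               -        -           -       - -
+d    ${STATE_DIRECTORY}/kubelet              -        -           -       - -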
							
								
								
									
										30
									
								
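--- a/contrib/system_containers/fedora/Dockerfile
+++ b/contrib/system_containers/fedora/Dockerfile
@@ -0,0 +1,30 @@
+FROM registry.fedoraproject.org/fedora:27
+
+ENV VERSION=0 RELEASE=1 ARCH=x86_64
+LABEL com.redhat.component="cri-o" \
+      name="$FGC/cri-o" \
+      version="$VERSION" \
+      release="$RELEASE.$DISTTAG" \
+      architecture="$ARCH" \
+      usage="atomic install --system --system-package=no crio && systemctl start crio" \
+      summary="The cri-o daemon as a system container." \
+      maintainer="Yu Qi Zhang <jzehrarnyg@gmail.com>" \
+      atomic.type="system"
+
+COPY README.md /
+
+RUN dnf install --enablerepo=updates-testing --setopt=tsflags=nodocs -y iptables cri-o socat iproute runc && \
+    rpm -V iptables cri-o iproute runc && \
+    dnf clean all && \
+    mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
+    cp /etc/crio/* /exports/hostfs/etc/crio && \
+    if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
+
+RUN sed -i '/storage_option =/s/.*/&\n"overlay.override_kernel_check=1",/' /exports/hostfs/etc/crio/crio.conf
+
+COPY manifest.json tmpfiles.template config.json.template service.template /exports/
+
+COPY set_mounts.sh /
+COPY run.sh /usr/bin/
+
+CMD ["/usr/bin/run.sh"]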
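Review bot: The `dnf install --enablerepo=updates-testing` line installs whatever cri-o and runc builds happen to be in Fedora 27's testing repository at build time, so the image is not reproducible and may ship a build that never reaches stable. If that is deliberate while cri-o is not yet in the stable repo, a comment on that line recording the condition for removing it (`# updates-testing: cri-o not yet in f27 stable — drop once it lands`) keeps it from outliving its reason; otherwise pin the package versions. The `sed -i` that appends `overlay.override_kernel_check=1` to crio.conf is also unexplained here, and a short comment on why the kernel check must be overridden on this base image would help whoever later tries to remove it.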
							
								
								
									
										53
									
								
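--- a/contrib/system_containers/fedora/README.md
+++ b/contrib/system_containers/fedora/README.md
@@ -0,0 +1,53 @@
+# cri-o
+
+This is the cri-o daemon as a system container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/cri-o
+# docker build -t crio .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/crio
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:crio:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=crio ($REGISTRY)/crio
+```
+
+Start as a systemd service:
+
+```
+# systemctl start crio
+```
+
+Stopping the service
+
+```
+# systemctl stop crio
+```
+
+Removing the container
+
+```
+# atomic uninstall crio
+```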
							
								
								
									
										432
									
								
								contrib/system_containers/fedora/config.json.template
									
										
									
									
									
							|  | @ -0,0 +1,432 @@ | |||
| { | ||||
|     "ociVersion": "1.0.0", | ||||
|     "platform": { | ||||
|         "arch": "amd64", | ||||
|         "os": "linux" | ||||
|     }, | ||||
|     "process": { | ||||
|         "args": [ | ||||
|             "/usr/bin/run.sh" | ||||
|         ], | ||||
|         "selinuxLabel": "system_u:system_r:container_runtime_t:s0", | ||||
|         "capabilities": { | ||||
|             "ambient": [ | ||||
|                 "CAP_CHOWN", | ||||
|                 "CAP_FOWNER", | ||||
|                 "CAP_FSETID", | ||||
|                 "CAP_KILL", | ||||
|                 "CAP_SETGID", | ||||
|                 "CAP_SETUID", | ||||
|                 "CAP_SETPCAP", | ||||
|                 "CAP_LINUX_IMMUTABLE", | ||||
|                 "CAP_NET_BIND_SERVICE", | ||||
|                 "CAP_NET_BROADCAST", | ||||
|                 "CAP_NET_ADMIN", | ||||
|                 "CAP_NET_RAW", | ||||
|                 "CAP_IPC_LOCK", | ||||
|                 "CAP_IPC_OWNER", | ||||
|                 "CAP_SYS_MODULE", | ||||
|                 "CAP_SYS_RAWIO", | ||||
|                 "CAP_SYS_CHROOT", | ||||
|                 "CAP_SYS_PTRACE", | ||||
|                 "CAP_SYS_PACCT", | ||||
|                 "CAP_SYS_ADMIN", | ||||
|                 "CAP_SYS_BOOT", | ||||
|                 "CAP_SYS_NICE", | ||||
|                 "CAP_SYS_RESOURCE", | ||||
|                 "CAP_SYS_TIME", | ||||
|                 "CAP_SYS_TTY_CONFIG", | ||||
|                 "CAP_MKNOD", | ||||
|                 "CAP_LEASE", | ||||
|                 "CAP_AUDIT_WRITE", | ||||
|                 "CAP_AUDIT_CONTROL", | ||||
|                 "CAP_SETFCAP", | ||||
|                 "CAP_DAC_OVERRIDE", | ||||
|                 "CAP_MAC_OVERRIDE", | ||||
|                 "CAP_DAC_READ_SEARCH", | ||||
|                 "CAP_MAC_ADMIN", | ||||
|                 "CAP_SYSLOG", | ||||
|                 "CAP_WAKE_ALARM", | ||||
|                 "CAP_BLOCK_SUSPEND", | ||||
|                 "CAP_AUDIT_READ" | ||||
|             ], | ||||
|             "bounding": [ | ||||
|                 "CAP_CHOWN", | ||||
|                 "CAP_FOWNER", | ||||
|                 "CAP_FSETID", | ||||
|                 "CAP_KILL", | ||||
|                 "CAP_SETGID", | ||||
|                 "CAP_SETUID", | ||||
|                 "CAP_SETPCAP", | ||||
|                 "CAP_LINUX_IMMUTABLE", | ||||
|                 "CAP_NET_BIND_SERVICE", | ||||
|                 "CAP_NET_BROADCAST", | ||||
|                 "CAP_NET_ADMIN", | ||||
|                 "CAP_NET_RAW", | ||||
|                 "CAP_IPC_LOCK", | ||||
|                 "CAP_IPC_OWNER", | ||||
|                 "CAP_SYS_MODULE", | ||||
|                 "CAP_SYS_RAWIO", | ||||
|                 "CAP_SYS_CHROOT", | ||||
|                 "CAP_SYS_PTRACE", | ||||
|                 "CAP_SYS_PACCT", | ||||
|                 "CAP_SYS_ADMIN", | ||||
|                 "CAP_SYS_BOOT", | ||||
|                 "CAP_SYS_NICE", | ||||
|                 "CAP_SYS_RESOURCE", | ||||
|                 "CAP_SYS_TIME", | ||||
|                 "CAP_SYS_TTY_CONFIG", | ||||
|                 "CAP_MKNOD", | ||||
|                 "CAP_LEASE", | ||||
|                 "CAP_AUDIT_WRITE", | ||||
|                 "CAP_AUDIT_CONTROL", | ||||
|                 "CAP_SETFCAP", | ||||
|                 "CAP_DAC_OVERRIDE", | ||||
|                 "CAP_MAC_OVERRIDE", | ||||
|                 "CAP_DAC_READ_SEARCH", | ||||
|                 "CAP_MAC_ADMIN", | ||||
|                 "CAP_SYSLOG", | ||||
|                 "CAP_WAKE_ALARM", | ||||
|                 "CAP_BLOCK_SUSPEND", | ||||
|                 "CAP_AUDIT_READ" | ||||
|             ], | ||||
|             "effective": [ | ||||
|                 "CAP_CHOWN", | ||||
|                 "CAP_FOWNER", | ||||
|                 "CAP_FSETID", | ||||
|                 "CAP_KILL", | ||||
|                 "CAP_SETGID", | ||||
|                 "CAP_SETUID", | ||||
|                 "CAP_SETPCAP", | ||||
|                 "CAP_LINUX_IMMUTABLE", | ||||
|                 "CAP_NET_BIND_SERVICE", | ||||
|                 "CAP_NET_BROADCAST", | ||||
|                 "CAP_NET_ADMIN", | ||||
|                 "CAP_NET_RAW", | ||||
|                 "CAP_IPC_LOCK", | ||||
|                 "CAP_IPC_OWNER", | ||||
|                 "CAP_SYS_MODULE", | ||||
|                 "CAP_SYS_RAWIO", | ||||
|                 "CAP_SYS_CHROOT", | ||||
|                 "CAP_SYS_PTRACE", | ||||
|                 "CAP_SYS_PACCT", | ||||
|                 "CAP_SYS_ADMIN", | ||||
|                 "CAP_SYS_BOOT", | ||||
|                 "CAP_SYS_NICE", | ||||
|                 "CAP_SYS_RESOURCE", | ||||
|                 "CAP_SYS_TIME", | ||||
|                 "CAP_SYS_TTY_CONFIG", | ||||
|                 "CAP_MKNOD", | ||||
|                 "CAP_LEASE", | ||||
|                 "CAP_AUDIT_WRITE", | ||||
|                 "CAP_AUDIT_CONTROL", | ||||
|                 "CAP_SETFCAP", | ||||
|                 "CAP_DAC_OVERRIDE", | ||||
|                 "CAP_MAC_OVERRIDE", | ||||
|                 "CAP_DAC_READ_SEARCH", | ||||
|                 "CAP_MAC_ADMIN", | ||||
|                 "CAP_SYSLOG", | ||||
|                 "CAP_WAKE_ALARM", | ||||
|                 "CAP_BLOCK_SUSPEND", | ||||
|                 "CAP_AUDIT_READ" | ||||
|             ], | ||||
|             "inheritable": [ | ||||
|                 "CAP_CHOWN", | ||||
|                 "CAP_FOWNER", | ||||
|                 "CAP_FSETID", | ||||
|                 "CAP_KILL", | ||||
|                 "CAP_SETGID", | ||||
|                 "CAP_SETUID", | ||||
|                 "CAP_SETPCAP", | ||||
|                 "CAP_LINUX_IMMUTABLE", | ||||
|                 "CAP_NET_BIND_SERVICE", | ||||
|                 "CAP_NET_BROADCAST", | ||||
|                 "CAP_NET_ADMIN", | ||||
|                 "CAP_NET_RAW", | ||||
|                 "CAP_IPC_LOCK", | ||||
|                 "CAP_IPC_OWNER", | ||||
|                 "CAP_SYS_MODULE", | ||||
|                 "CAP_SYS_RAWIO", | ||||
|                 "CAP_SYS_CHROOT", | ||||
|                 "CAP_SYS_PTRACE", | ||||
|                 "CAP_SYS_PACCT", | ||||
|                 "CAP_SYS_ADMIN", | ||||
|                 "CAP_SYS_BOOT", | ||||
|                 "CAP_SYS_NICE", | ||||
|                 "CAP_SYS_RESOURCE", | ||||
|                 "CAP_SYS_TIME", | ||||
|                 "CAP_SYS_TTY_CONFIG", | ||||
|                 "CAP_MKNOD", | ||||
|                 "CAP_LEASE", | ||||
|                 "CAP_AUDIT_WRITE", | ||||
|                 "CAP_AUDIT_CONTROL", | ||||
|                 "CAP_SETFCAP", | ||||
|                 "CAP_DAC_OVERRIDE", | ||||
|                 "CAP_MAC_OVERRIDE", | ||||
|                 "CAP_DAC_READ_SEARCH", | ||||
|                 "CAP_MAC_ADMIN", | ||||
|                 "CAP_SYSLOG", | ||||
|                 "CAP_WAKE_ALARM", | ||||
|                 "CAP_BLOCK_SUSPEND", | ||||
|                 "CAP_AUDIT_READ" | ||||
|             ], | ||||
|             "permitted": [ | ||||
|                 "CAP_CHOWN", | ||||
|                 "CAP_FOWNER", | ||||
|                 "CAP_FSETID", | ||||
|                 "CAP_KILL", | ||||
|                 "CAP_SETGID", | ||||
|                 "CAP_SETUID", | ||||
|                 "CAP_SETPCAP", | ||||
|                 "CAP_LINUX_IMMUTABLE", | ||||
|                 "CAP_NET_BIND_SERVICE", | ||||
|                 "CAP_NET_BROADCAST", | ||||
|                 "CAP_NET_ADMIN", | ||||
|                 "CAP_NET_RAW", | ||||
|                 "CAP_IPC_LOCK", | ||||
|                 "CAP_IPC_OWNER", | ||||
|                 "CAP_SYS_MODULE", | ||||
|                 "CAP_SYS_RAWIO", | ||||
|                 "CAP_SYS_CHROOT", | ||||
|                 "CAP_SYS_PTRACE", | ||||
|                 "CAP_SYS_PACCT", | ||||
|                 "CAP_SYS_ADMIN", | ||||
|                 "CAP_SYS_BOOT", | ||||
|                 "CAP_SYS_NICE", | ||||
|                 "CAP_SYS_RESOURCE", | ||||
|                 "CAP_SYS_TIME", | ||||
|                 "CAP_SYS_TTY_CONFIG", | ||||
|                 "CAP_MKNOD", | ||||
|                 "CAP_LEASE", | ||||
|                 "CAP_AUDIT_WRITE", | ||||
|                 "CAP_AUDIT_CONTROL", | ||||
|                 "CAP_SETFCAP", | ||||
|                 "CAP_DAC_OVERRIDE", | ||||
|                 "CAP_MAC_OVERRIDE", | ||||
|                 "CAP_DAC_READ_SEARCH", | ||||
|                 "CAP_MAC_ADMIN", | ||||
|                 "CAP_SYSLOG", | ||||
|                 "CAP_WAKE_ALARM", | ||||
|                 "CAP_BLOCK_SUSPEND", | ||||
|                 "CAP_AUDIT_READ" | ||||
|             ] | ||||
|         }, | ||||
|         "cwd": "/", | ||||
|         "env": [ | ||||
|             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin", | ||||
|             "TERM=xterm", | ||||
|             "LOG_LEVEL=$LOG_LEVEL", | ||||
|             "NAME=$NAME" | ||||
|         ], | ||||
|         "noNewPrivileges": false, | ||||
|         "terminal": false, | ||||
|         "user": { | ||||
|             "gid": 0, | ||||
|             "uid": 0 | ||||
|         } | ||||
|     }, | ||||
|     "root": { | ||||
|         "path": "rootfs", | ||||
|         "readonly": true | ||||
|     }, | ||||
|     "hooks": {}, | ||||
|     "linux": { | ||||
|         "namespaces": [ | ||||
|             { | ||||
|                 "type": "mount" | ||||
|             } | ||||
|         ], | ||||
|         "resources": { | ||||
|             "devices": [ | ||||
|                 { | ||||
|                     "access": "rwm", | ||||
|                     "allow": true | ||||
|                 } | ||||
|             ] | ||||
|         }, | ||||
|         "rootfsPropagation": "private" | ||||
|     }, | ||||
|     "mounts": [ | ||||
|         { | ||||
|             "destination": "/tmp", | ||||
|             "options": [ | ||||
|                 "private", | ||||
|                 "bind", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/tmp", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/etc", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/etc", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/lib/modules", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/lib/modules", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/root", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/root", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/home", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/home", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/mnt", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rw", | ||||
|                 "rprivate", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/mnt", | ||||
|             "type": "bind" | ||||
|         }, | ||||
| 	{ | ||||
| 	    "type": "bind", | ||||
| 	    "source": "${RUN_DIRECTORY}", | ||||
| 	    "destination": "/run", | ||||
| 	    "options": [ | ||||
| 		"rshared", | ||||
| 		"rbind", | ||||
| 		"rw", | ||||
| 		"mode=755" | ||||
| 	    ] | ||||
| 	}, | ||||
| 	{ | ||||
| 	    "type": "bind", | ||||
| 	    "source": "${RUN_DIRECTORY}/systemd", | ||||
| 	    "destination": "/run/systemd", | ||||
| 	    "options": [ | ||||
|                 "rslave", | ||||
|                 "bind", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
| 	    ] | ||||
| 	}, | ||||
|         { | ||||
|             "destination": "/var/log", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rslave", | ||||
|                 "rw" | ||||
|             ], | ||||
|             "source": "/var/log", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/var/lib", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "rw" | ||||
|             ], | ||||
|             "source": "${STATE_DIRECTORY}", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/var/lib/containers/storage", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rshared", | ||||
|                 "rw" | ||||
|             ], | ||||
|             "source": "${VAR_LIB_CONTAINERS_STORAGE}", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/var/lib/origin", | ||||
|             "options": [ | ||||
|                 "rshared", | ||||
|                 "bind", | ||||
|                 "rw" | ||||
|             ], | ||||
|             "source": "${VAR_LIB_ORIGIN}", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/var/lib/kubelet", | ||||
|             "options": [ | ||||
|                 "rshared", | ||||
|                 "bind", | ||||
|                 "rw" | ||||
|             ], | ||||
|             "source": "${VAR_LIB_KUBE}", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/opt/cni", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rprivate", | ||||
|                 "ro", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "${OPT_CNI}", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/dev", | ||||
|             "options": [ | ||||
|                 "rprivate", | ||||
|                 "rbind", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/dev", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/sys", | ||||
|             "options": [ | ||||
|                 "rprivate", | ||||
|                 "rbind", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/sys", | ||||
|             "type": "bind" | ||||
|         }, | ||||
|         { | ||||
|             "destination": "/proc", | ||||
|             "options": [ | ||||
|                 "rbind", | ||||
|                 "rw", | ||||
|                 "mode=755" | ||||
|             ], | ||||
|             "source": "/proc", | ||||
|             "type": "proc" | ||||
|         } | ||||
|     ] | ||||
| } | ||||
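Review bot: All five capability sets in this template end with CAP_AUDIT_READ, while the rhel config.json.template added by the same commit stops at CAP_BLOCK_SUSPEND, so the two system containers run the daemon with different capability sets for no stated reason; drop it here or add it there so the templates agree. Taken together with uid/gid 0, `"noNewPrivileges": false`, a single mount namespace, `"access": "rwm"` on every device and rw bind mounts of /etc, /dev, /sys and /proc, this is effectively an unconfined root process on the host, which is expected for a container runtime daemon but is worth a sentence in the README so nobody mistakes the container for a security boundary. The /root and /home mounts are rw as well; unless crio writes under them, `"ro"` would narrow what a compromised daemon can touch. The /run and /run/systemd entries are tab-indented while the rest of the file uses four spaces.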
							
								
								
									
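--- a/contrib/system_containers/fedora/manifest.json
+++ b/contrib/system_containers/fedora/manifest.json
@@ -0,0 +1,10 @@
+{
+    "version": "1.0",
+    "defaultValues": {
+        "LOG_LEVEL" : "info",
+        "OPT_CNI" : "/opt/cni",
+        "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
+        "VAR_LIB_ORIGIN" : "/var/lib/origin",
+        "VAR_LIB_KUBE" : "/var/lib/kubelet"
+    }
+}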
							
								
								
									
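--- a/contrib/system_containers/fedora/run.sh
+++ b/contrib/system_containers/fedora/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Ensure that new process maintain this SELinux label
+PID=$$
+LABEL=`tr -d '\000' < /proc/$PID/attr/current`
+printf %s $LABEL > /proc/self/attr/exec
+
+exec /usr/bin/crio --log-level=$LOG_LEVEL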
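Review bot: `$LABEL` and `$LOG_LEVEL` are expanded unquoted, so a value containing whitespace or glob characters is word-split before it reaches /proc/self/attr/exec or the crio command line; `printf %s "$LABEL" > /proc/self/attr/exec` and `exec /usr/bin/crio --log-level="$LOG_LEVEL"` avoid that. `PID=$$` adds nothing, since `/proc/self/attr/current` names the same file as `/proc/$PID/attr/current`. On a host without SELinux the label read is empty and the write to attr/exec may fail, which the script ignores because there is no `set -e`; that looks like intended best-effort behaviour and deserves a comment such as `# best effort: without SELinux the label is empty and the write fails harmlessly`. The existing comment should read "Ensure that new processes maintain this SELinux label".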
							
								
								
									
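--- a/contrib/system_containers/fedora/service.template
+++ b/contrib/system_containers/fedora/service.template
@@ -0,0 +1,20 @@
+[Unit]
+Description=crio daemon
+After=network.target
+
+[Service]
+Type=notify
+ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+TasksMax=infinity
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target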
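Review bot: `Type=notify` together with `TimeoutStartSec=0` makes systemd wait indefinitely for crio's readiness notification, so a daemon that hangs during startup blocks the start job and every unit ordered after it with no recovery, even though `Restart=on-failure` is present; a finite `TimeoutStartSec=` turns that hang into a failure systemd can act on. Whether this version of crio actually sends the sd_notify READY message is not visible in the commit; if it does not, the unit never reaches the active state, so that should be confirmed against the daemon. A comment above the pre-step, `# set_mounts.sh gives the host directories that config.json bind-mounts with rshared shared propagation before the container starts`, would explain why `ExecStartPre=` exists.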
							
								
								
									
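--- a/contrib/system_containers/fedora/set_mounts.sh
+++ b/contrib/system_containers/fedora/set_mounts.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
+findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
+findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
+mount --make-shared /run
+findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd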
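Review bot: The storage, origin and kubelet paths are hard-coded here, but manifest.json exposes them as the overridable defaults `VAR_LIB_CONTAINERS_STORAGE`, `VAR_LIB_ORIGIN` and `VAR_LIB_KUBE`, and config.json.template bind-mounts whatever value the user sets; an override therefore leaves the real source directory without shared propagation while this script prepares the default one. The `findmnt` guards also only check that something is mounted at the path, not that it is shared, so a pre-existing private mount on, say, /var/lib/kubelet is skipped and the `rshared` bind in config.json is then attempted against a non-shared source, which I would expect the runtime to reject. There is no `set -e`, so only the last line's exit status reaches `ExecStartPre=`; a header comment such as `# Make the host directories that config.json bind-mounts with rshared into shared mount points; run as ExecStartPre by service.template` would record both the purpose and that intent.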
							
								
								
									
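--- a/contrib/system_containers/fedora/tmpfiles.template
+++ b/contrib/system_containers/fedora/tmpfiles.template
@@ -0,0 +1,5 @@
+d    ${RUN_DIRECTORY}/${NAME}               -        -           -       - -
+d    /etc/crio - - - - -
+Z    /etc/crio - - - - -
+d    ${STATE_DIRECTORY}/origin               -        -           -       - -
+d    ${STATE_DIRECTORY}/kubelet              -        -           -       - -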
							
								
								
									
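--- a/contrib/system_containers/rhel/Dockerfile
+++ b/contrib/system_containers/rhel/Dockerfile
@@ -0,0 +1,41 @@
+#oit## This file is managed by the OpenShift Image Tool
+#oit## by the OpenShift Continuous Delivery team.
+#oit##
+#oit## Any yum repos listed in this file will effectively be ignored during CD builds.
+#oit## Yum repos must be enabled in the oit configuration files.
+#oit## Some aspects of this file may be managed programmatically. For example, the image name, labels (version,
+#oit## release, and other), and the base FROM. Changes made directly in distgit may be lost during the next
+#oit## reconciliation.
+#oit##
+FROM rhel7:7-released
+
+RUN \
+    yum install --setopt=tsflags=nodocs -y socat iptables cri-o iproute runc skopeo-containers container-selinux && \
+    rpm -V socat iptables cri-o iproute runc skopeo-containers container-selinux && \
+    yum clean all && \
+    mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
+    cp /etc/crio/* /exports/hostfs/etc/crio && \
+    if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
+
+COPY manifest.json tmpfiles.template config.json.template service.template /exports/
+
+COPY set_mounts.sh /
+COPY run.sh /usr/bin/
+
+CMD ["/usr/bin/run.sh"]
+
+LABEL \
+        com.redhat.component="cri-o-docker" \
+        io.k8s.description="CRI-O is an implementation of the Kubernetes CRI. It is a lightweight, OCI-compliant runtime that is native to kubernetes. CRI-O supports OCI container images and can pull from any container registry." \
+        maintainer="Jhon Honce <jhonce@redhat.com>" \
+        name="openshift3/cri-o" \
+        License="GPLv2+" \
+        io.k8s.display-name="CRI-O" \
+        summary="OCI-based implementation of Kubernetes Container Runtime Interface" \
+        release="0.13.0.0" \
+        version="v3.8.0" \
+        architecture="x86_64" \
+        usage="atomic install --system --system-package=no crio && systemctl start crio" \
+        vendor="Red Hat" \
+        io.openshift.tags="cri-o system rhel7" \
+        atomic.type="system"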
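Review bot: The `rpm -V` step and the `/exports/hostfs` tree are the two non-obvious parts of the RUN chain and neither is explained; a comment before `RUN \` such as `# rpm -V fails the build if any installed file differs from its package manifest; files under /exports/hostfs are copied onto the host by atomic install` would say why both exist (the second half is my reading of the atomic system-container convention and should be confirmed). The `#oit##` header states that labels and the base `FROM` are managed by the OpenShift Image Tool, so the hand-written `maintainer`, `release` and `version` labels may be replaced at the next reconciliation; a note on which labels are expected to survive would spare the next editor the surprise. `io.k8s.description` should spell the project name as Kubernetes in "native to kubernetes" to match the rest of the label.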
							
								
								
									
										422
									
								
								contrib/system_containers/rhel/config.json.template
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
							|  | @ -0,0 +1,422 @@ | |||
| { | ||||
|   "ociVersion": "1.0.0", | ||||
|   "platform": { | ||||
|     "arch": "amd64", | ||||
|     "os": "linux" | ||||
|   }, | ||||
|   "process": { | ||||
|     "args": [ | ||||
|       "/usr/bin/run.sh" | ||||
|     ], | ||||
|     "capabilities": { | ||||
|       "ambient": [ | ||||
|         "CAP_CHOWN", | ||||
|         "CAP_FOWNER", | ||||
|         "CAP_FSETID", | ||||
|         "CAP_KILL", | ||||
|         "CAP_SETGID", | ||||
|         "CAP_SETUID", | ||||
|         "CAP_SETPCAP", | ||||
|         "CAP_LINUX_IMMUTABLE", | ||||
|         "CAP_NET_BIND_SERVICE", | ||||
|         "CAP_NET_BROADCAST", | ||||
|         "CAP_NET_ADMIN", | ||||
|         "CAP_NET_RAW", | ||||
|         "CAP_IPC_LOCK", | ||||
|         "CAP_IPC_OWNER", | ||||
|         "CAP_SYS_MODULE", | ||||
|         "CAP_SYS_RAWIO", | ||||
|         "CAP_SYS_CHROOT", | ||||
|         "CAP_SYS_PTRACE", | ||||
|         "CAP_SYS_PACCT", | ||||
|         "CAP_SYS_ADMIN", | ||||
|         "CAP_SYS_BOOT", | ||||
|         "CAP_SYS_NICE", | ||||
|         "CAP_SYS_RESOURCE", | ||||
|         "CAP_SYS_TIME", | ||||
|         "CAP_SYS_TTY_CONFIG", | ||||
|         "CAP_MKNOD", | ||||
|         "CAP_LEASE", | ||||
|         "CAP_AUDIT_WRITE", | ||||
|         "CAP_AUDIT_CONTROL", | ||||
|         "CAP_SETFCAP", | ||||
|         "CAP_DAC_OVERRIDE", | ||||
|         "CAP_MAC_OVERRIDE", | ||||
|         "CAP_DAC_READ_SEARCH", | ||||
|         "CAP_MAC_ADMIN", | ||||
|         "CAP_SYSLOG", | ||||
|         "CAP_WAKE_ALARM", | ||||
|         "CAP_BLOCK_SUSPEND" | ||||
|       ], | ||||
|       "bounding": [ | ||||
|         "CAP_CHOWN", | ||||
|         "CAP_FOWNER", | ||||
|         "CAP_FSETID", | ||||
|         "CAP_KILL", | ||||
|         "CAP_SETGID", | ||||
|         "CAP_SETUID", | ||||
|         "CAP_SETPCAP", | ||||
|         "CAP_LINUX_IMMUTABLE", | ||||
|         "CAP_NET_BIND_SERVICE", | ||||
|         "CAP_NET_BROADCAST", | ||||
|         "CAP_NET_ADMIN", | ||||
|         "CAP_NET_RAW", | ||||
|         "CAP_IPC_LOCK", | ||||
|         "CAP_IPC_OWNER", | ||||
|         "CAP_SYS_MODULE", | ||||
|         "CAP_SYS_RAWIO", | ||||
|         "CAP_SYS_CHROOT", | ||||
|         "CAP_SYS_PTRACE", | ||||
|         "CAP_SYS_PACCT", | ||||
|         "CAP_SYS_ADMIN", | ||||
|         "CAP_SYS_BOOT", | ||||
|         "CAP_SYS_NICE", | ||||
|         "CAP_SYS_RESOURCE", | ||||
|         "CAP_SYS_TIME", | ||||
|         "CAP_SYS_TTY_CONFIG", | ||||
|         "CAP_MKNOD", | ||||
|         "CAP_LEASE", | ||||
|         "CAP_AUDIT_WRITE", | ||||
|         "CAP_AUDIT_CONTROL", | ||||
|         "CAP_SETFCAP", | ||||
|         "CAP_DAC_OVERRIDE", | ||||
|         "CAP_MAC_OVERRIDE", | ||||
|         "CAP_DAC_READ_SEARCH", | ||||
|         "CAP_MAC_ADMIN", | ||||
|         "CAP_SYSLOG", | ||||
|         "CAP_WAKE_ALARM", | ||||
|         "CAP_BLOCK_SUSPEND" | ||||
|       ], | ||||
|       "effective": [ | ||||
|         "CAP_CHOWN", | ||||
|         "CAP_FOWNER", | ||||
|         "CAP_FSETID", | ||||
|         "CAP_KILL", | ||||
|         "CAP_SETGID", | ||||
|         "CAP_SETUID", | ||||
|         "CAP_SETPCAP", | ||||
|         "CAP_LINUX_IMMUTABLE", | ||||
|         "CAP_NET_BIND_SERVICE", | ||||
|         "CAP_NET_BROADCAST", | ||||
|         "CAP_NET_ADMIN", | ||||
|         "CAP_NET_RAW", | ||||
|         "CAP_IPC_LOCK", | ||||
|         "CAP_IPC_OWNER", | ||||
|         "CAP_SYS_MODULE", | ||||
|         "CAP_SYS_RAWIO", | ||||
|         "CAP_SYS_CHROOT", | ||||
|         "CAP_SYS_PTRACE", | ||||
|         "CAP_SYS_PACCT", | ||||
|         "CAP_SYS_ADMIN", | ||||
|         "CAP_SYS_BOOT", | ||||
|         "CAP_SYS_NICE", | ||||
|         "CAP_SYS_RESOURCE", | ||||
|         "CAP_SYS_TIME", | ||||
|         "CAP_SYS_TTY_CONFIG", | ||||
|         "CAP_MKNOD", | ||||
|         "CAP_LEASE", | ||||
|         "CAP_AUDIT_WRITE", | ||||
|         "CAP_AUDIT_CONTROL", | ||||
|         "CAP_SETFCAP", | ||||
|         "CAP_DAC_OVERRIDE", | ||||
|         "CAP_MAC_OVERRIDE", | ||||
|         "CAP_DAC_READ_SEARCH", | ||||
|         "CAP_MAC_ADMIN", | ||||
|         "CAP_SYSLOG", | ||||
|         "CAP_WAKE_ALARM", | ||||
|         "CAP_BLOCK_SUSPEND" | ||||
|       ], | ||||
|       "inheritable": [ | ||||
|         "CAP_CHOWN", | ||||
|         "CAP_FOWNER", | ||||
|         "CAP_FSETID", | ||||
|         "CAP_KILL", | ||||
|         "CAP_SETGID", | ||||
|         "CAP_SETUID", | ||||
|         "CAP_SETPCAP", | ||||
|         "CAP_LINUX_IMMUTABLE", | ||||
|         "CAP_NET_BIND_SERVICE", | ||||
|         "CAP_NET_BROADCAST", | ||||
|         "CAP_NET_ADMIN", | ||||
|         "CAP_NET_RAW", | ||||
|         "CAP_IPC_LOCK", | ||||
|         "CAP_IPC_OWNER", | ||||
|         "CAP_SYS_MODULE", | ||||
|         "CAP_SYS_RAWIO", | ||||
|         "CAP_SYS_CHROOT", | ||||
|         "CAP_SYS_PTRACE", | ||||
|         "CAP_SYS_PACCT", | ||||
|         "CAP_SYS_ADMIN", | ||||
|         "CAP_SYS_BOOT", | ||||
|         "CAP_SYS_NICE", | ||||
|         "CAP_SYS_RESOURCE", | ||||
|         "CAP_SYS_TIME", | ||||
|         "CAP_SYS_TTY_CONFIG", | ||||
|         "CAP_MKNOD", | ||||
|         "CAP_LEASE", | ||||
|         "CAP_AUDIT_WRITE", | ||||
|         "CAP_AUDIT_CONTROL", | ||||
|         "CAP_SETFCAP", | ||||
|         "CAP_DAC_OVERRIDE", | ||||
|         "CAP_MAC_OVERRIDE", | ||||
|         "CAP_DAC_READ_SEARCH", | ||||
|         "CAP_MAC_ADMIN", | ||||
|         "CAP_SYSLOG", | ||||
|         "CAP_WAKE_ALARM", | ||||
|         "CAP_BLOCK_SUSPEND" | ||||
|       ], | ||||
|       "permitted": [ | ||||
|         "CAP_CHOWN", | ||||
|         "CAP_FOWNER", | ||||
|         "CAP_FSETID", | ||||
|         "CAP_KILL", | ||||
|         "CAP_SETGID", | ||||
|         "CAP_SETUID", | ||||
|         "CAP_SETPCAP", | ||||
|         "CAP_LINUX_IMMUTABLE", | ||||
|         "CAP_NET_BIND_SERVICE", | ||||
|         "CAP_NET_BROADCAST", | ||||
|         "CAP_NET_ADMIN", | ||||
|         "CAP_NET_RAW", | ||||
|         "CAP_IPC_LOCK", | ||||
|         "CAP_IPC_OWNER", | ||||
|         "CAP_SYS_MODULE", | ||||
|         "CAP_SYS_RAWIO", | ||||
|         "CAP_SYS_CHROOT", | ||||
|         "CAP_SYS_PTRACE", | ||||
|         "CAP_SYS_PACCT", | ||||
|         "CAP_SYS_ADMIN", | ||||
|         "CAP_SYS_BOOT", | ||||
|         "CAP_SYS_NICE", | ||||
|         "CAP_SYS_RESOURCE", | ||||
|         "CAP_SYS_TIME", | ||||
|         "CAP_SYS_TTY_CONFIG", | ||||
|         "CAP_MKNOD", | ||||
|         "CAP_LEASE", | ||||
|         "CAP_AUDIT_WRITE", | ||||
|         "CAP_AUDIT_CONTROL", | ||||
|         "CAP_SETFCAP", | ||||
|         "CAP_DAC_OVERRIDE", | ||||
|         "CAP_MAC_OVERRIDE", | ||||
|         "CAP_DAC_READ_SEARCH", | ||||
|         "CAP_MAC_ADMIN", | ||||
|         "CAP_SYSLOG", | ||||
|         "CAP_WAKE_ALARM", | ||||
|         "CAP_BLOCK_SUSPEND" | ||||
|       ] | ||||
|     }, | ||||
|     "selinuxLabel": "system_u:system_r:container_runtime_t:s0", | ||||
|     "cwd": "/", | ||||
|     "env": [ | ||||
|       "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin", | ||||
|       "TERM=xterm", | ||||
|       "LOG_LEVEL=$LOG_LEVEL", | ||||
|       "NAME=$NAME" | ||||
|     ], | ||||
|     "noNewPrivileges": false, | ||||
|     "terminal": false, | ||||
|     "user": { | ||||
|       "gid": 0, | ||||
|       "uid": 0 | ||||
|     } | ||||
|   }, | ||||
|   "root": { | ||||
|     "path": "rootfs", | ||||
|     "readonly": true | ||||
|   }, | ||||
|   "hooks": {}, | ||||
|   "linux": { | ||||
|     "namespaces": [{ | ||||
|       "type": "mount" | ||||
|     }], | ||||
|     "resources": { | ||||
|       "devices": [{ | ||||
|         "access": "rwm", | ||||
|         "allow": true | ||||
|       }] | ||||
|     }, | ||||
|     "rootfsPropagation": "private" | ||||
|   }, | ||||
|   "mounts": [{ | ||||
|       "destination": "/tmp", | ||||
|       "options": [ | ||||
|         "private", | ||||
|         "bind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/tmp", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/etc", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/etc", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/lib/modules", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/lib/modules", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/root", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/root", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/home", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/home", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/mnt", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rw", | ||||
|         "rprivate", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/mnt", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "type": "bind", | ||||
|       "source": "${RUN_DIRECTORY}", | ||||
|       "destination": "/run", | ||||
|       "options": [ | ||||
|         "rshared", | ||||
|         "rbind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ] | ||||
|     }, | ||||
|     { | ||||
|       "type": "bind", | ||||
|       "source": "${RUN_DIRECTORY}/systemd", | ||||
|       "destination": "/run/systemd", | ||||
|       "options": [ | ||||
|         "rslave", | ||||
|         "bind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ] | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/var/log", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rslave", | ||||
|         "rw" | ||||
|       ], | ||||
|       "source": "/var/log", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/var/lib", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "rw" | ||||
|       ], | ||||
|       "source": "${STATE_DIRECTORY}", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/var/lib/containers/storage", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rshared", | ||||
|         "rw" | ||||
|       ], | ||||
|       "source": "${VAR_LIB_CONTAINERS_STORAGE}", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/var/lib/origin", | ||||
|       "options": [ | ||||
|         "rshared", | ||||
|         "bind", | ||||
|         "rw" | ||||
|       ], | ||||
|       "source": "${VAR_LIB_ORIGIN}", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/var/lib/kubelet", | ||||
|       "options": [ | ||||
|         "rshared", | ||||
|         "bind", | ||||
|         "rw" | ||||
|       ], | ||||
|       "source": "${VAR_LIB_KUBE}", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/opt/cni", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rprivate", | ||||
|         "ro", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "${OPT_CNI}", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/dev", | ||||
|       "options": [ | ||||
|         "rprivate", | ||||
|         "rbind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/dev", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/sys", | ||||
|       "options": [ | ||||
|         "rprivate", | ||||
|         "rbind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/sys", | ||||
|       "type": "bind" | ||||
|     }, | ||||
|     { | ||||
|       "destination": "/proc", | ||||
|       "options": [ | ||||
|         "rbind", | ||||
|         "rw", | ||||
|         "mode=755" | ||||
|       ], | ||||
|       "source": "/proc", | ||||
|       "type": "proc" | ||||
|     } | ||||
|   ] | ||||
| } | ||||
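--- a/contrib/system_containers/rhel/help.md
+++ b/contrib/system_containers/rhel/help.md
@@ -0,0 +1,37 @@
+% CRI-O (1) Container Image Pages
+% Jhon Honce
+% September 7, 2017
+
+# NAME
+cri-o - OCI-based implementation of Kubernetes Container Runtime Interface
+
+# DESCRIPTION
+CRI-O is an implementation of the Kubernetes CRI. It is a lightweight, OCI-compliant runtime that is native to kubernetes. CRI-O supports OCI container images and can pull from any container registry.
+
+You can find more information on the CRI-O project at <https://github.com/kubernetes-incubator/cri-o/>
+
+# USAGE
+Pull from local docker and install system container:
+
+```
+# atomic pull --storage ostree docker:openshift3/cri-o:latest
+# atomic install --system --system-package=no --name cri-o openshift3/cri-o
+```
+
+Start and enable as a systemd service:
+```
+# systemctl enable --now cri-o
+```
+
+Stopping the service
+```
+# systemctl stop cri-o
+```
+
+Removing the container
+```
+# atomic uninstall cri-o
+```
+
+# SEE ALSO
+man systemd(1)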
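--- a/contrib/system_containers/rhel/manifest.json
+++ b/contrib/system_containers/rhel/manifest.json
@@ -0,0 +1,10 @@
+{
+  "version": "1.0",
+  "defaultValues": {
+    "LOG_LEVEL": "info",
+    "OPT_CNI": "/opt/cni",
+    "VAR_LIB_CONTAINERS_STORAGE": "/var/lib/containers/storage",
+    "VAR_LIB_ORIGIN": "/var/lib/origin",
+    "VAR_LIB_KUBE": "/var/lib/kubelet"
+  }
+}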
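--- a/contrib/system_containers/rhel/run.sh
+++ b/contrib/system_containers/rhel/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Ensure that new process maintain this SELinux label
+PID=$$
+LABEL=`tr -d '\000' < /proc/$PID/attr/current`
+printf %s $LABEL > /proc/self/attr/exec
+
+exec /usr/bin/crio --log-level=$LOG_LEVEL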
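Review bot: The SELinux label carry-over on the `printf` line is best-effort with no error check: if the write to /proc/self/attr/exec fails (SELinux disabled on the host, or — presumably — the policy denying setexec for this domain), the script just continues and crio is exec'd under whatever label the normal transition rules give it, which is the opposite of what the comment above promises. Since the daemon's label is what everything it later spawns presumably starts from, a failed write deserves at least a diagnostic, and the expansions should be quoted so an empty or unexpected value cannot be word-split: `printf %s "$LABEL" > /proc/self/attr/exec || echo "run.sh: could not set SELinux exec label" >&2` and `exec /usr/bin/crio --log-level="$LOG_LEVEL"`. The `PID=$$` indirection can simply read `/proc/self/attr/current`, matching the write on the next line. A comment stating the intent would also help, e.g. `# Best effort: keep crio in this system container's SELinux domain across the exec.`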
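--- a/contrib/system_containers/rhel/service.template
+++ b/contrib/system_containers/rhel/service.template
@@ -0,0 +1,20 @@
+[Unit]
+Description=crio daemon
+After=network.target
+
+[Service]
+Type=notify
+ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+TasksMax=infinity
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target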
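Review bot: `TimeoutStartSec=0` combined with `Type=notify` means that if crio never sends READY=1 (a wedged storage initialisation, for instance) the unit sits in `activating` indefinitely and `Restart=on-failure` never fires, so there is no recovery path. If the unlimited timeout is deliberate to accommodate a slow first start, a comment on that line should say so; otherwise a bounded value such as `TimeoutStartSec=5min` gives systemd something to act on. It is also worth a comment next to `ExecStartPre` that a non-zero exit from set_mounts.sh is the only thing that aborts the start, since the script as committed does not stop on its first failed mount.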
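--- a/contrib/system_containers/rhel/set_mounts.sh
+++ b/contrib/system_containers/rhel/set_mounts.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
+findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
+findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
+mount --make-shared /run
+findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd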
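Review bot: The script has no `set -e`, so as an `ExecStartPre` its exit status is that of the last `findmnt ... || mount` line only; a failure of the `--rbind --make-shared` on /var/lib/containers/storage, or of `mount --make-shared /run`, is silently ignored and crio starts with a storage tree that is not shared, which the `rshared` bind of `${VAR_LIB_CONTAINERS_STORAGE}` in config.json.template appears to rely on. Adding `set -e` after the shebang makes any failed mount abort the unit start instead of deferring the problem to the first pod. Separately, the directories are hard-coded here while manifest.json exposes VAR_LIB_CONTAINERS_STORAGE, VAR_LIB_ORIGIN and VAR_LIB_KUBE as overridable defaults and config.json.template binds those variables; an operator who overrides them gets shared propagation on the default paths and not on the ones actually mounted — this file has no `.template` suffix, so presumably it is not substituted, and either the constraint should be documented or the paths read from the same variables. A header comment such as `# Make the host directories bind-mounted into the crio container shared so mounts created by crio propagate back to the host.` would also help.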
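--- a/contrib/system_containers/rhel/tmpfiles.template
+++ b/contrib/system_containers/rhel/tmpfiles.template
@@ -0,0 +1,5 @@
+d    ${RUN_DIRECTORY}/${NAME}               -        -           -       - -
+d    /etc/crio - - - - -
+Z    /etc/crio - - - - -
+d    ${STATE_DIRECTORY}/origin               -        -           -       - -
+d    ${STATE_DIRECTORY}/kubelet              -        -           -       - -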