Merge e3682373d0
into dbc2b404a3
This commit is contained in:
commit
a8d8a3eb41
8 changed files with 150 additions and 25 deletions
|
@ -113,7 +113,3 @@ COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redh
|
|||
WORKDIR /go/src/github.com/kubernetes-incubator/cri-o
|
||||
|
||||
ADD . /go/src/github.com/kubernetes-incubator/cri-o
|
||||
|
||||
RUN make test/copyimg/copyimg \
|
||||
&& mkdir -p .artifacts/redis-image \
|
||||
&& ./test/copyimg/copyimg --import-from=docker://redis --export-to=dir:.artifacts/redis-image --signature-policy ./test/policy.json
|
||||
|
|
2
Makefile
2
Makefile
|
@ -113,7 +113,7 @@ dbuild: crioimage
|
|||
docker run --name=${CRIO_INSTANCE} --privileged ${CRIO_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm make binaries
|
||||
|
||||
integration: crioimage
|
||||
docker run -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${CRIO_IMAGE} make localintegration
|
||||
docker run -e STORAGE_OPTS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${CRIO_IMAGE} make localintegration
|
||||
|
||||
localintegration: clean binaries
|
||||
./test/test_runner.sh ${TESTFLAGS}
|
||||
|
|
|
@ -335,6 +335,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
|
||||
sb.AddIP(ip)
|
||||
|
||||
// We add a netNS only if we can load a permanent one.
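Review bot: The added `sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])` silently stores "" for any sandbox whose stored config predates this annotation, and the path is never checked to exist before it later becomes a bind-mount source in createSandboxContainer; that is only harmless because the consumer guards on `sb.HostnamePath() != ""`. A comment would save the next reader from hunting for that guard: `// Sandboxes created by an older cri-o carry no HostnamePath annotation; an empty path disables the /etc/hostname bind mount downstream.` If the sandbox run directory is in scope at this point, rejecting a restored path that lies outside it would also harden restore against a tampered state file. LoadSandbox begins and ends outside this hunk.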
|
||||
|
|
|
@ -151,6 +151,7 @@ type Sandbox struct {
|
|||
privileged bool
|
||||
trusted bool
|
||||
resolvPath string
|
||||
hostnamePath string
|
||||
hostname string
|
||||
portMappings []*hostport.PortMapping
|
||||
stopped bool
|
||||
|
@ -301,6 +302,16 @@ func (s *Sandbox) ResolvPath() string {
|
|||
return s.resolvPath
|
||||
}
|
||||
|
||||
// AddHostnamePath adds the hostname path to the sandbox
|
||||
func (s *Sandbox) AddHostnamePath(hostname string) {
|
||||
s.hostnamePath = hostname
|
||||
}
|
||||
|
||||
// HostnamePath retrieves the hostname path from a sandbox
|
||||
func (s *Sandbox) HostnamePath() string {
|
||||
return s.hostnamePath
|
||||
}
|
||||
|
||||
// Hostname returns the hsotname of the sandbox
|
||||
func (s *Sandbox) Hostname() string {
|
||||
return s.hostname
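Review bot: `AddHostnamePath` names its parameter `hostname` although the value stored is a host filesystem path, which invites exactly the confusion between the `hostnamePath` and `hostname` fields that sit next to each other in the struct; rename it: `func (s *Sandbox) AddHostnamePath(hostnamePath string) {` and `s.hostnamePath = hostnamePath`. The doc comments could also say what the path is for, e.g. `// AddHostnamePath records the host-side file that is bind-mounted as /etc/hostname into the sandbox's containers.` The "Add" prefix matches the existing `AddIP` convention but this setter overwrites rather than appends, so the comment is the only place that distinction is visible.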
|
||||
|
|
|
@ -52,6 +52,9 @@ const (
|
|||
// ResolvPath is the resolver configuration path annotation
|
||||
ResolvPath = "io.kubernetes.cri-o.ResolvPath"
|
||||
|
||||
// HostnamePath is the path to /etc/hostname to bind mount annotation
|
||||
HostnamePath = "io.kubernetes.cri-o.HostnamePath"
|
||||
|
||||
// SandboxID is the sandbox ID annotation
|
||||
SandboxID = "io.kubernetes.cri-o.SandboxID"
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ const (
|
|||
defaultSystemdParent = "system.slice"
|
||||
)
|
||||
|
||||
func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
||||
func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
|
||||
volumes := []oci.ContainerVolume{}
|
||||
mounts := containerConfig.GetMounts()
|
||||
for _, mount := range mounts {
|
||||
|
@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
|
|||
|
||||
if mount.SelinuxRelabel {
|
||||
// Need a way in kubernetes to determine if the volume is shared or private
|
||||
if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP {
|
||||
if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, fmt.Errorf("relabel failed %s: %v", src, err)
|
||||
}
|
||||
}
|
||||
|
@ -304,11 +304,11 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
|
|||
if sc != nil {
|
||||
containerUser := ""
|
||||
// Case 1: run as user is set by kubelet
|
||||
if sc.RunAsUser != nil {
|
||||
if sc.GetRunAsUser() != nil {
|
||||
containerUser = strconv.FormatInt(sc.GetRunAsUser().Value, 10)
|
||||
} else {
|
||||
// Case 2: run as username is set by kubelet
|
||||
userName := sc.RunAsUsername
|
||||
userName := sc.GetRunAsUsername()
|
||||
if userName != "" {
|
||||
containerUser = userName
|
||||
} else {
|
||||
|
@ -338,7 +338,7 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
|
|||
}
|
||||
|
||||
// Add groups from CRI
|
||||
groups := sc.SupplementalGroups
|
||||
groups := sc.GetSupplementalGroups()
|
||||
for _, group := range groups {
|
||||
specgen.AddProcessAdditionalGid(uint32(group))
|
||||
}
|
||||
|
@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
specgen.HostSpecific = true
|
||||
specgen.ClearProcessRlimits()
|
||||
|
||||
containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen)
|
||||
processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
}
|
||||
}
|
||||
specgen.SetProcessSelinuxLabel(sb.ProcessLabel())
|
||||
specgen.SetProcessSelinuxLabel(processLabel)
|
||||
}
|
||||
|
||||
specgen.SetLinuxMountLabel(sb.MountLabel())
|
||||
|
@ -818,18 +823,28 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
options = []string{"ro"}
|
||||
}
|
||||
if sb.ResolvPath() != "" {
|
||||
if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// bind mount the pod resolver file
|
||||
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
|
||||
}
|
||||
|
||||
if sb.HostnamePath() != "" {
|
||||
if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
|
||||
}
|
||||
|
||||
// Bind mount /etc/hosts for host networking containers
|
||||
if hostNetwork(containerConfig) {
|
||||
specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
|
||||
}
|
||||
|
||||
if sb.Hostname() != "" {
|
||||
specgen.SetHostname(sb.Hostname())
|
||||
}
|
||||
specgen.SetHostname(sb.Hostname())
|
||||
|
||||
specgen.AddAnnotation(annotations.Name, containerName)
|
||||
specgen.AddAnnotation(annotations.ContainerID, containerID)
|
||||
|
@ -877,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
containerName, containerID,
|
||||
metaname,
|
||||
attempt,
|
||||
sb.MountLabel(),
|
||||
mountLabel,
|
||||
nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -900,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
|
||||
// Add image volumes
|
||||
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil {
|
||||
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
|
||||
return nil, err
|
||||
}
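Review bot: `specgen.SetLinuxMountLabel(sb.MountLabel())` is left on the sandbox label while every other label in createSandboxContainer now comes from the per-container `getSELinuxLabels(...)` result: the relabels of the resolv.conf and hostname files, the `mountLabel` passed to storage, and `addImageVolumes`. If a container's selinuxOptions differ from the pod's, the mounts runc labels from the spec will carry the sandbox context while the rootfs and volumes carry the container's; this looks like an oversight and should probably become `specgen.SetLinuxMountLabel(mountLabel)`, or get a comment explaining why the sandbox label is deliberately kept there. Separately, the new `/etc/hostname` bind mount reuses `options`, which the visible lines only set to `ro` inside the preceding conditional, so on a writable rootfs the pod-shared hostname file appears to be writable from every container in the pod, as `/etc/resolv.conf` already was; a one-line comment stating that this sharing is intentional would help. createSandboxContainer starts and ends outside these hunks.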
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@ package server
|
|||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
|
@ -187,12 +188,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
g.SetProcessArgs([]string{s.config.PauseCommand})
|
||||
}
|
||||
|
||||
// set hostname
|
||||
hostname := req.GetConfig().Hostname
|
||||
if hostname != "" {
|
||||
g.SetHostname(hostname)
|
||||
}
|
||||
|
||||
// set DNS options
|
||||
if req.GetConfig().GetDnsConfig() != nil {
|
||||
dnsServers := req.GetConfig().GetDnsConfig().Servers
|
||||
|
@ -208,6 +203,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
}
|
||||
return nil, err
|
||||
}
|
||||
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
|
||||
}
|
||||
|
||||
|
@ -301,6 +300,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
return nil, err
|
||||
}
|
||||
|
||||
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork
|
||||
|
||||
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
g.SetHostname(hostname)
|
||||
|
||||
privileged := s.privilegedSandbox(req)
|
||||
trusted := s.trustedSandbox(req)
|
||||
g.AddAnnotation(annotations.Metadata, string(metadataJSON))
|
||||
|
@ -399,8 +406,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
|
||||
g.SetLinuxResourcesCPUShares(PodInfraCPUshares)
|
||||
|
||||
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork
|
||||
|
||||
// set up namespaces
|
||||
if hostNetwork {
|
||||
err = g.RemoveLinuxNamespace("network")
|
||||
|
@ -456,6 +461,17 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
g.AddAnnotation(annotations.MountPoint, mountPoint)
|
||||
g.SetRootPath(mountPoint)
|
||||
|
||||
hostnamePath := fmt.Sprintf("%s/hostname", podContainer.RunDir)
|
||||
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
|
||||
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
||||
sb.AddHostnamePath(hostnamePath)
|
||||
|
||||
container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.NetNs(), labels, kubeAnnotations, "", "", "", nil, id, false, false, false, sb.Privileged(), sb.Trusted(), podContainer.Dir, created, podContainer.Config.Config.StopSignal)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -515,6 +531,23 @@ func convertPortMappings(in []*pb.PortMapping) []*hostport.PortMapping {
|
|||
return out
|
||||
}
|
||||
|
||||
func getHostname(id, hostname string, hostNetwork bool) (string, error) {
|
||||
if hostNetwork {
|
||||
if hostname == "" {
|
||||
h, err := os.Hostname()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
hostname = h
|
||||
}
|
||||
} else {
|
||||
if hostname == "" {
|
||||
hostname = id[:12]
|
||||
}
|
||||
}
|
||||
return hostname, nil
|
||||
}
|
||||
|
||||
func (s *Server) setPodSandboxMountLabel(id, mountLabel string) error {
|
||||
storageMetadata, err := s.StorageRuntimeServer().GetContainerMetadata(id)
|
||||
if err != nil {
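Review bot: `getHostname` slices `id[:12]` without checking the length, so an id shorter than 12 bytes panics inside the request handler instead of returning an error; a guard is cheap: `if len(id) < 12 { return "", fmt.Errorf("sandbox id %q too short to derive a hostname", id) }`. The caller-supplied hostname is also passed through unchanged to `g.SetHostname` and to the `hostname+"\n"` file write: Linux rejects hostnames longer than 64 bytes at sethostname(2), and a value containing a newline yields a multi-line /etc/hostname, so validating length and characters here (or at least documenting that the kubelet is trusted to have done so) would turn an obscure runtime failure into a clear error. Using `os.Hostname()` for host-network pods appears correct, since the `RemoveLinuxNamespace("network")` call drops only the network namespace and the pod presumably keeps its own UTS namespace; a short comment on the `hostNetwork` branch stating that assumption would help the next reader.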
|
||||
|
|
|
@ -2,6 +2,72 @@
|
|||
|
||||
load helpers
|
||||
|
||||
@test "ensure correct hostname" {
|
||||
start_crio
|
||||
run crioctl pod run --config "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crioctl ctr start --id "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "hostname"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "crioctl_host" ]]
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "echo \$HOSTNAME"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "crioctl_host" ]]
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "cat /etc/hostname"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "crioctl_host" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "ensure correct hostname for hostnetwork:true" {
|
||||
start_crio
|
||||
hostnetworkconfig=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["namespace_options"]["host_network"] = True; obj["annotations"] = {}; obj["hostname"] = ""; json.dump(obj, sys.stdout)')
|
||||
echo "$hostnetworkconfig" > "$TESTDIR"/sandbox_hostnetwork_config.json
|
||||
run crioctl pod run --config "$TESTDIR"/sandbox_hostnetwork_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crioctl ctr start --id "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "hostname"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "$HOSTNAME" ]]
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "echo \$HOSTNAME"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "$HOSTNAME" ]]
|
||||
run crioctl ctr execsync --id "$ctr_id" sh -c "cat /etc/hostname"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "$HOSTNAME" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "Check for valid pod netns CIDR" {
|
||||
start_crio
|
||||
run crioctl pod run --config "$TESTDATA"/sandbox_config.json
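Review bot: In the host-network test, `[[ "$output" =~ "$HOSTNAME" ]]` is vacuous whenever the bats shell's `HOSTNAME` is empty or unset, because an empty pattern matches any output; assert it first with `[ -n "$HOSTNAME" ]`, or compare against `$(hostname)`, which is what the server's `os.Hostname()` reads. The `=~` substring checks in both tests also accept any longer hostname that merely contains the expected one; if execsync prints only the hostname line, an exact `[ "$output" = "crioctl_host" ]` would be stricter. The expected value `crioctl_host` presumably comes from sandbox_config.json, which is not visible here.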
|
||||
|
|