This commit is contained in:
Antonio Murdaca 2017-09-16 09:13:06 +00:00 committed by GitHub
commit a8d8a3eb41
8 changed files with 150 additions and 25 deletions

View file

@ -113,7 +113,3 @@ COPY test/redhat_sigstore.yaml /etc/containers/registries.d/registry.access.redh
WORKDIR /go/src/github.com/kubernetes-incubator/cri-o
ADD . /go/src/github.com/kubernetes-incubator/cri-o
RUN make test/copyimg/copyimg \
&& mkdir -p .artifacts/redis-image \
&& ./test/copyimg/copyimg --import-from=docker://redis --export-to=dir:.artifacts/redis-image --signature-policy ./test/policy.json

View file

@ -113,7 +113,7 @@ dbuild: crioimage
docker run --name=${CRIO_INSTANCE} --privileged ${CRIO_IMAGE} -v ${PWD}:/go/src/${PROJECT} --rm make binaries
integration: crioimage
docker run -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${CRIO_IMAGE} make localintegration
docker run -e STORAGE_OPTS="--storage-driver=vfs" -e TESTFLAGS -e TRAVIS -t --privileged --rm -v ${CURDIR}:/go/src/${PROJECT} ${CRIO_IMAGE} make localintegration
localintegration: clean binaries
./test/test_runner.sh ${TESTFLAGS}

View file

@ -335,6 +335,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
if err != nil {
return err
}
sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
sb.AddIP(ip)
// We add a netNS only if we can load a permanent one.

View file

@ -151,6 +151,7 @@ type Sandbox struct {
privileged bool
trusted bool
resolvPath string
hostnamePath string
hostname string
portMappings []*hostport.PortMapping
stopped bool
@ -301,6 +302,16 @@ func (s *Sandbox) ResolvPath() string {
return s.resolvPath
}
// AddHostnamePath adds the hostname path to the sandbox
func (s *Sandbox) AddHostnamePath(hostname string) {
s.hostnamePath = hostname
}
// HostnamePath retrieves the hostname path from a sandbox
func (s *Sandbox) HostnamePath() string {
return s.hostnamePath
}
// Hostname returns the hsotname of the sandbox
func (s *Sandbox) Hostname() string {
return s.hostname

View file

@ -52,6 +52,9 @@ const (
// ResolvPath is the resolver configuration path annotation
ResolvPath = "io.kubernetes.cri-o.ResolvPath"
// HostnamePath is the path to /etc/hostname to bind mount annotation
HostnamePath = "io.kubernetes.cri-o.HostnamePath"
// SandboxID is the sandbox ID annotation
SandboxID = "io.kubernetes.cri-o.SandboxID"

View file

@ -45,7 +45,7 @@ const (
defaultSystemdParent = "system.slice"
)
func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
volumes := []oci.ContainerVolume{}
mounts := containerConfig.GetMounts()
for _, mount := range mounts {
@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
if mount.SelinuxRelabel {
// Need a way in kubernetes to determine if the volume is shared or private
if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP {
if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, fmt.Errorf("relabel failed %s: %v", src, err)
}
}
@ -304,11 +304,11 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
if sc != nil {
containerUser := ""
// Case 1: run as user is set by kubelet
if sc.RunAsUser != nil {
if sc.GetRunAsUser() != nil {
containerUser = strconv.FormatInt(sc.GetRunAsUser().Value, 10)
} else {
// Case 2: run as username is set by kubelet
userName := sc.RunAsUsername
userName := sc.GetRunAsUsername()
if userName != "" {
containerUser = userName
} else {
@ -338,7 +338,7 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
}
// Add groups from CRI
groups := sc.SupplementalGroups
groups := sc.GetSupplementalGroups()
for _, group := range groups {
specgen.AddProcessAdditionalGid(uint32(group))
}
@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
specgen.HostSpecific = true
specgen.ClearProcessRlimits()
containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen)
processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
if err != nil {
return nil, err
}
containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
if err != nil {
return nil, err
}
@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
}
}
}
specgen.SetProcessSelinuxLabel(sb.ProcessLabel())
specgen.SetProcessSelinuxLabel(processLabel)
}
specgen.SetLinuxMountLabel(sb.MountLabel())
@ -818,18 +823,28 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
options = []string{"ro"}
}
if sb.ResolvPath() != "" {
if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
// bind mount the pod resolver file
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
}
if sb.HostnamePath() != "" {
if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
}
// Bind mount /etc/hosts for host networking containers
if hostNetwork(containerConfig) {
specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
}
if sb.Hostname() != "" {
specgen.SetHostname(sb.Hostname())
}
specgen.SetHostname(sb.Hostname())
specgen.AddAnnotation(annotations.Name, containerName)
specgen.AddAnnotation(annotations.ContainerID, containerID)
@ -877,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
containerName, containerID,
metaname,
attempt,
sb.MountLabel(),
mountLabel,
nil)
if err != nil {
return nil, err
@ -900,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
}
// Add image volumes
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil {
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
return nil, err
}

View file

@ -3,6 +3,7 @@ package server
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path"
"path/filepath"
@ -187,12 +188,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
g.SetProcessArgs([]string{s.config.PauseCommand})
}
// set hostname
hostname := req.GetConfig().Hostname
if hostname != "" {
g.SetHostname(hostname)
}
// set DNS options
if req.GetConfig().GetDnsConfig() != nil {
dnsServers := req.GetConfig().GetDnsConfig().Servers
@ -208,6 +203,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
}
return nil, err
}
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
}
@ -301,6 +300,14 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err
}
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork
hostname, err := getHostname(id, req.GetConfig().Hostname, hostNetwork)
if err != nil {
return nil, err
}
g.SetHostname(hostname)
privileged := s.privilegedSandbox(req)
trusted := s.trustedSandbox(req)
g.AddAnnotation(annotations.Metadata, string(metadataJSON))
@ -399,8 +406,6 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
g.SetLinuxResourcesCPUShares(PodInfraCPUshares)
hostNetwork := req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().HostNetwork
// set up namespaces
if hostNetwork {
err = g.RemoveLinuxNamespace("network")
@ -456,6 +461,17 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
g.AddAnnotation(annotations.MountPoint, mountPoint)
g.SetRootPath(mountPoint)
hostnamePath := fmt.Sprintf("%s/hostname", podContainer.RunDir)
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
return nil, err
}
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
sb.AddHostnamePath(hostnamePath)
container, err := oci.NewContainer(id, containerName, podContainer.RunDir, logPath, sb.NetNs(), labels, kubeAnnotations, "", "", "", nil, id, false, false, false, sb.Privileged(), sb.Trusted(), podContainer.Dir, created, podContainer.Config.Config.StopSignal)
if err != nil {
return nil, err
@ -515,6 +531,23 @@ func convertPortMappings(in []*pb.PortMapping) []*hostport.PortMapping {
return out
}
func getHostname(id, hostname string, hostNetwork bool) (string, error) {
if hostNetwork {
if hostname == "" {
h, err := os.Hostname()
if err != nil {
return "", err
}
hostname = h
}
} else {
if hostname == "" {
hostname = id[:12]
}
}
return hostname, nil
}
func (s *Server) setPodSandboxMountLabel(id, mountLabel string) error {
storageMetadata, err := s.StorageRuntimeServer().GetContainerMetadata(id)
if err != nil {

View file

@ -2,6 +2,72 @@
load helpers
@test "ensure correct hostname" {
start_crio
run crioctl pod run --config "$TESTDATA"/sandbox_config.json
echo "$output"
[ "$status" -eq 0 ]
pod_id="$output"
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
echo "$output"
[ "$status" -eq 0 ]
ctr_id="$output"
run crioctl ctr start --id "$ctr_id"
echo "$output"
[ "$status" -eq 0 ]
run crioctl ctr execsync --id "$ctr_id" sh -c "hostname"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "crioctl_host" ]]
run crioctl ctr execsync --id "$ctr_id" sh -c "echo \$HOSTNAME"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "crioctl_host" ]]
run crioctl ctr execsync --id "$ctr_id" sh -c "cat /etc/hostname"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "crioctl_host" ]]
cleanup_ctrs
cleanup_pods
stop_crio
}
@test "ensure correct hostname for hostnetwork:true" {
start_crio
hostnetworkconfig=$(cat "$TESTDATA"/sandbox_config.json | python -c 'import json,sys;obj=json.load(sys.stdin);obj["linux"]["security_context"]["namespace_options"]["host_network"] = True; obj["annotations"] = {}; obj["hostname"] = ""; json.dump(obj, sys.stdout)')
echo "$hostnetworkconfig" > "$TESTDIR"/sandbox_hostnetwork_config.json
run crioctl pod run --config "$TESTDIR"/sandbox_hostnetwork_config.json
echo "$output"
[ "$status" -eq 0 ]
pod_id="$output"
run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
echo "$output"
[ "$status" -eq 0 ]
ctr_id="$output"
run crioctl ctr start --id "$ctr_id"
echo "$output"
[ "$status" -eq 0 ]
run crioctl ctr execsync --id "$ctr_id" sh -c "hostname"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "$HOSTNAME" ]]
run crioctl ctr execsync --id "$ctr_id" sh -c "echo \$HOSTNAME"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "$HOSTNAME" ]]
run crioctl ctr execsync --id "$ctr_id" sh -c "cat /etc/hostname"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" =~ "$HOSTNAME" ]]
cleanup_ctrs
cleanup_pods
stop_crio
}
@test "Check for valid pod netns CIDR" {
start_crio
run crioctl pod run --config "$TESTDATA"/sandbox_config.json