diff --git a/.tool/lint b/.tool/lint
index ce8a5482..d91ef17e 100755
--- a/.tool/lint
+++ b/.tool/lint
@@ -15,7 +15,7 @@ for d in $(find . -type d -not -iwholename '*.git*' -a -not -iname '.tool' -a -n
 --disable=aligncheck \
 --disable=gotype \
 --disable=gas \
- --cyclo-over=50 \
+ --cyclo-over=60 \
 --dupl-threshold=100 \
 --tests \
 --deadline=30s "${d}"
diff --git a/server/container_create.go b/server/container_create.go
index f0cf96d2..dedef4ea 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -283,6 +283,9 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
 }
 }
 
+ // bind mount the pod shm
+ specgen.AddBindMount(sb.shmPath, "/dev/shm", []string{"rw"})
+
 specgen.AddAnnotation("ocid/name", containerName)
 specgen.AddAnnotation("ocid/sandbox_id", sb.id)
 specgen.AddAnnotation("ocid/sandbox_name", sb.infraContainer.Name())
diff --git a/server/sandbox.go b/server/sandbox.go
index 73c6919a..34174575 100644
--- a/server/sandbox.go
+++ b/server/sandbox.go
@@ -21,10 +21,12 @@ type sandbox struct {
 processLabel string
 mountLabel string
 metadata *pb.PodSandboxMetadata
+ shmPath string
 }
 
 const (
 podDefaultNamespace = "default"
+ defaultShmSize = 64 * 1024 * 1024
 )
 
 var (
diff --git a/server/sandbox_remove.go b/server/sandbox_remove.go
index df9c5128..00c1d74f 100644
--- a/server/sandbox_remove.go
+++ b/server/sandbox_remove.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "syscall"
 
 "github.com/Sirupsen/logrus"
 "github.com/kubernetes-incubator/cri-o/oci"
@@ -65,6 +66,13 @@ func (s *Server) RemovePodSandbox(ctx context.Context, req *pb.RemovePodSandboxR
 return nil, err
 }
 
+ // unmount the shm for the pod
+ if sb.shmPath != "/dev/shm" {
+ if err := syscall.Unmount(sb.shmPath, syscall.MNT_DETACH); err != nil {
+ return nil, err
+ }
+ }
+
 // Remove the files related to the sandbox
 podSandboxDir := filepath.Join(s.config.SandboxDir, sb.id)
 if err := os.RemoveAll(podSandboxDir); err != nil {
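Review bot: `sb.shmPath` is used as the bind-mount source without a guard against being empty, and the server.go hunk makes that reachable: `loadSandbox` fills the field from `m.Annotations["ocid/shm_path"]` with no fallback, so a sandbox restored from state written before this change would carry "" here and, in the sandbox_remove.go hunk, reach `syscall.Unmount("", ...)` as well. A guard `if sb.shmPath != "" {` around the `AddBindMount` call, and `sb.shmPath != "" && sb.shmPath != "/dev/shm"` as the condition in RemovePodSandbox, keeps such sandboxes usable and removable. Separately, setupShm mounts the tmpfs with noexec,nosuid,nodev but this bind mount only passes `"rw"`; whether those per-mount flags survive the runtime's bind-plus-remount depends on the runtime, so `[]string{"rw", "nosuid", "nodev", "noexec"}` here would make the intent explicit. createSandboxContainer starts and ends outside the hunk.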
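Review bot: The new `shmPath` field and `defaultShmSize` constant have no doc comment although both are read from other files in this change (sandbox_run.go, sandbox_remove.go, container_create.go, server.go). Suggested on the field: `// shmPath is the host path bind-mounted at /dev/shm in the pod's containers; "/dev/shm" itself when the pod uses host IPC.` and on the constant: `// defaultShmSize is the size in bytes of the per-pod /dev/shm tmpfs (64 MiB).` The sandbox struct and the const block both begin outside the hunk.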
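Review bot: A failing `syscall.Unmount` aborts RemovePodSandbox outright, so once the tmpfs is gone while the sandbox record is still present — presumably after a host reboot, given that sandboxes are reloaded from saved state — umount(2) reports EINVAL for a path that is no longer a mount point and the sandbox can never be removed. Tolerating that case, `if err := syscall.Unmount(sb.shmPath, syscall.MNT_DETACH); err != nil && err != syscall.EINVAL {`, and giving the remaining failure context as the Mount failure in setupShm gets, `return nil, fmt.Errorf("failed to unmount shm for pod %s: %v", sb.id, err)`, keeps removal idempotent; the direct comparison works because `syscall.Unmount` returns a bare `syscall.Errno`. RemovePodSandbox begins and ends outside the hunk.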
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index f776476d..b9c8abe3 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -5,6 +5,8 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "strconv"
+ "syscall"
 
 "github.com/Sirupsen/logrus"
 "github.com/kubernetes-incubator/cri-o/oci"
@@ -139,6 +141,24 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 g.SetProcessSelinuxLabel(processLabel)
 }
 
+ // create shm mount for the pod containers.
+ var shmPath string
+ if req.GetConfig().GetLinux().GetSecurityContext().GetNamespaceOptions().GetHostIpc() {
+ shmPath = "/dev/shm"
+ } else {
+ shmPath, err = setupShm(podSandboxDir, mountLabel)
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+ if err != nil {
+ if err2 := syscall.Unmount(shmPath, syscall.MNT_DETACH); err2 != nil {
+ logrus.Warnf("failed to unmount shm for pod: %v", err2)
+ }
+ }
+ }()
+ }
+
 containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0)
 if err != nil {
 return nil, err
@@ -170,6 +190,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 g.AddAnnotation("ocid/container_type", containerTypeSandbox)
 g.AddAnnotation("ocid/container_name", containerName)
 g.AddAnnotation("ocid/container_id", containerID)
+ g.AddAnnotation("ocid/shm_path", shmPath)
 
 sb := &sandbox{
 id: id,
@@ -181,6 +202,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 processLabel: processLabel,
 mountLabel: mountLabel,
 metadata: metadata,
+ shmPath: shmPath,
 }
 
 s.addSandbox(sb)
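Review bot: The deferred rollback only fires when the function-scope `err` is non-nil at return, so any later failure path that returns a differently named error, or shadows `err` with `:=` in an `if` initializer, leaves the tmpfs mounted under podSandboxDir with nothing to tear it down; whether such paths exist cannot be seen from here, since RunPodSandbox starts and ends outside the hunk. A comment at the `defer` would at least make the contract visible: `// rollback relies on every later failure path assigning the function-scope err; do not shadow it`. A local flag set to true immediately before the successful return and checked in the defer instead of `err` would remove the dependence on that discipline altogether.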
@@ -309,3 +331,19 @@ func getSELinuxLabels(selinuxOptions *pb.SELinuxOption) (processLabel string, mo
 }
 return label.InitLabels(label.DupSecOpt(processLabel))
 }
+
+func setupShm(podSandboxDir, mountLabel string) (shmPath string, err error) {
+ shmPath = filepath.Join(podSandboxDir, "shm")
+ if err = os.Mkdir(shmPath, 0700); err != nil {
+ return "", err
+ }
+ shmOptions := "mode=1777,size=" + strconv.Itoa(defaultShmSize)
+ if mountLabel != "" {
+ shmOptions = label.FormatMountLabel(shmOptions, mountLabel)
+
+ }
+ if err = syscall.Mount("shm", shmPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), shmOptions); err != nil {
+ return "", fmt.Errorf("failed to mount shm tmpfs for pod: %v", err)
+ }
+ return shmPath, nil
+}
diff --git a/server/server.go b/server/server.go
index cc65a264..1915e772 100644
--- a/server/server.go
+++ b/server/server.go
@@ -136,6 +136,7 @@ func (s *Server) loadSandbox(id string) error {
 mountLabel: mountLabel,
 annotations: annotations,
 metadata: &metadata,
+ shmPath: m.Annotations["ocid/shm_path"],
 }
 
 s.addSandbox(sb)
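Review bot: The `os.Mkdir` failure in setupShm is returned bare while the `syscall.Mount` failure is wrapped, and there is a stray blank line inside the `if mountLabel != ""` block. Suggested: `return "", fmt.Errorf("failed to create shm dir for pod: %v", err)` in the Mkdir branch, drop the blank line, and a doc comment on the function: `// setupShm mounts a private, size-limited tmpfs (noexec,nosuid,nodev, mode 1777) at <podSandboxDir>/shm for use as the pod's /dev/shm and returns its path; the caller must unmount it when the sandbox is removed.` The named results `shmPath, err` add nothing since every return is explicit; a plain `(string, error)` signature reads more simply.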