Merge pull request #1328 from runcom/record-hostnetwork-snb

sandbox: record whether sb is using host network
Mrunal Patel 2018-02-14 10:06:06 -08:00 committed by GitHub
commit fa8cedf981
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 0 deletions


@ -340,6 +340,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime]) privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime])
trusted := isTrue(m.Annotations[annotations.TrustedSandbox]) trusted := isTrue(m.Annotations[annotations.TrustedSandbox])
hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])
sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], portMappings) sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], portMappings)
if err != nil { if err != nil {
@ -348,6 +349,7 @@ func (c *ContainerServer) LoadSandbox(id string) error {
sb.AddHostnamePath(m.Annotations[annotations.HostnamePath]) sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
sb.AddIP(ip) sb.AddIP(ip)
sb.SetSeccompProfilePath(spp) sb.SetSeccompProfilePath(spp)
sb.SetHostNetwork(hostNetwork)
// We add a netNS only if we can load a permanent one. // We add a netNS only if we can load a permanent one.
// Otherwise, the sandbox will live in the host namespace. // Otherwise, the sandbox will live in the host namespace.
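Review bot: A sandbox whose stored config has no `annotations.HostNetwork` key is restored here with `hostNetwork` false, assuming `isTrue` returns false for an empty string (its body is not shown). That applies to every sandbox created before this change, so a host-network pod that survives a daemon upgrade and restart would afterwards report `HostNetwork: false` in its status. Consider telling "absent" apart from "false", e.g. `if _, ok := m.Annotations[annotations.HostNetwork]; !ok { /* sandbox predates the annotation: value unknown */ }`, and either derive the value from another signal or log that it is unknown. LoadSandbox begins and ends outside these hunks.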


@ -160,6 +160,7 @@ type Sandbox struct {
ip string ip string
seccompProfilePath string seccompProfilePath string
created time.Time created time.Time
hostNetwork bool
} }
const ( const (
@ -224,6 +225,16 @@ func (s *Sandbox) AddIP(ip string) {
s.ip = ip s.ip = ip
} }
// SetHostNetwork sets whether the pod is running using host network
func (s *Sandbox) SetHostNetwork(hn bool) {
s.hostNetwork = hn
}
// HostNetwork returns whether the pod is using host network
func (s *Sandbox) HostNetwork() bool {
return s.hostNetwork
}
// IP returns the ip of the sandbox // IP returns the ip of the sandbox
func (s *Sandbox) IP() string { func (s *Sandbox) IP() string {
return s.ip return s.ip
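Review bot: The doc comments on `SetHostNetwork` and `HostNetwork` do not say when the setter must be called. Unlike `privileged` and `trusted`, which the LoadSandbox hunk passes to `sandbox.New`, this flag starts out false and is only correct if every creation and restore path remembers to call the setter. I would spell that out, for example `// SetHostNetwork records whether the pod uses the host network namespace. It must be called while the sandbox is being created or restored; until then HostNetwork reports false.` No locking around the field is visible in this hunk, so the comment should also say whether calls after setup are expected.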


@ -25,6 +25,9 @@ const (
// IP is the container ipv4 or ipv6 address // IP is the container ipv4 or ipv6 address
IP = "io.kubernetes.cri-o.IP" IP = "io.kubernetes.cri-o.IP"
// HostNetwork tells whether the sandbox is using hostnetwork
HostNetwork = "io.kubernetes.cri-o.HostNetwork"
// SeccompProfilePath is the node seccomp profile path // SeccompProfilePath is the node seccomp profile path
SeccompProfilePath = "io.kubernetes.cri-o.SeccompProfilePath" SeccompProfilePath = "io.kubernetes.cri-o.SeccompProfilePath"


@ -353,6 +353,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted)) g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted))
g.AddAnnotation(annotations.ResolvPath, resolvPath) g.AddAnnotation(annotations.ResolvPath, resolvPath)
g.AddAnnotation(annotations.HostName, hostname) g.AddAnnotation(annotations.HostName, hostname)
g.AddAnnotation(annotations.HostNetwork, fmt.Sprintf("%v", hostNetwork))
g.AddAnnotation(annotations.KubeName, kubeName) g.AddAnnotation(annotations.KubeName, kubeName)
if podContainer.Config.Config.StopSignal != "" { if podContainer.Config.Config.StopSignal != "" {
// this key is defined in image-spec conversion document at https://github.com/opencontainers/image-spec/pull/492/files#diff-8aafbe2c3690162540381b8cdb157112R57 // this key is defined in image-spec conversion document at https://github.com/opencontainers/image-spec/pull/492/files#diff-8aafbe2c3690162540381b8cdb157112R57
@ -528,6 +529,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
g.AddAnnotation(annotations.IP, ip) g.AddAnnotation(annotations.IP, ip)
sb.AddIP(ip) sb.AddIP(ip)
sb.SetHostNetwork(hostNetwork)
spp := req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath() spp := req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath()
g.AddAnnotation(annotations.SeccompProfilePath, spp) g.AddAnnotation(annotations.SeccompProfilePath, spp)
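Review bot: `sb.SetHostNetwork(hostNetwork)` in the second hunk runs roughly 175 lines after the first hunk writes the annotation, so for that stretch the in-memory sandbox still reports false. If `sb` is already registered with the server at that point (not visible here), a concurrent PodSandboxStatus call would describe a host-network pod as not using the host network. Calling the setter right where `sb` is constructed would close that window. RunPodSandbox begins and ends outside both hunks.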


@ -31,6 +31,14 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
rStatus = pb.PodSandboxState_SANDBOX_READY rStatus = pb.PodSandboxState_SANDBOX_READY
} }
linux := &pb.LinuxPodSandboxStatus{
Namespaces: &pb.Namespace{
Options: &pb.NamespaceOption{
HostNetwork: sb.HostNetwork(),
},
},
}
sandboxID := sb.ID() sandboxID := sb.ID()
resp = &pb.PodSandboxStatusResponse{ resp = &pb.PodSandboxStatusResponse{
Status: &pb.PodSandboxStatus{ Status: &pb.PodSandboxStatus{
@ -41,6 +49,7 @@ func (s *Server) PodSandboxStatus(ctx context.Context, req *pb.PodSandboxStatusR
Labels: sb.Labels(), Labels: sb.Labels(),
Annotations: sb.Annotations(), Annotations: sb.Annotations(),
Metadata: sb.Metadata(), Metadata: sb.Metadata(),
Linux: linux,
}, },
} }
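Review bot: The `pb.NamespaceOption` built here fills in only `HostNetwork`, so the message's other host-namespace fields (`HostPid` and `HostIpc` in this CRI version, as far as I recall) go out as false regardless of how the pod was created. A client that reads the status to judge the pod's isolation would take those zero values as authoritative. Either record and report them the same way as host network, or add a comment above `linux :=` such as `// Only HostNetwork is tracked; the PID and IPC namespace options are left unset and must not be relied on.` PodSandboxStatus continues outside the hunk.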