Commit graph

877 commits

Author SHA1 Message Date
Antonio Murdaca
fdec993e62 Merge pull request #365 from jawnsy/update-readme
Updates to README.md
2017-03-25 08:16:20 +01:00
Jonathan Yu
e53e70d12a Updates to README.md
* Describe how to get source/configure GOPATH appropriately
* Dependency installation commands that can be easily copied/pasted

Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-03-24 14:49:05 -07:00
Antonio Murdaca
a752a72ee0 Merge pull request #406 from mrunalp/fixup_prereqs
Cleanup prerequisites section in README.md
2017-03-24 22:03:33 +01:00
Mrunal Patel
b7c97540b7 make: Fixup install/invocation of tools
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-24 11:18:37 -07:00
Antonio Murdaca
a7492f4a2f Merge pull request #405 from nalind/pull-tag
Preserve the tag of the pulled image's name
2017-03-24 19:16:23 +01:00
Mrunal Patel
ae9b5849a7 Cleanup prerequisites section in README.md
Make it easier to copy/paste and run.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-24 10:59:24 -07:00
Nalin Dahyabhai
e7748cba6e Preserve the tag of the pulled image's name
When we pull an image, preserve the tag portion of the name that we were
asked to use for pulling it, instead of unconditionally replacing it
with "latest".

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-03-24 11:54:56 -04:00
Mrunal Patel
4cdc1a31d6 Merge pull request #404 from sameo/topic/resolver
Propagate the sandbox DNS mount point to pod containers
2017-03-24 08:48:13 -07:00
Samuel Ortiz
48a297ed7b container: Propagate the pod sandbox resolv.conf mount point
When a pod sandbox comes with DNS settings, the resulting resolv.conf
file needs to be bind mounted in all pod containers under
/etc/resolv.conf.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:32:16 +01:00
Samuel Ortiz
72129ee3fb sandbox: Track and store the pod resolv.conf path
When we get a pod with DNS settings, we need to build
a resolv.conf file and mount it in all pod containers.
In order to do that, we have to track the built resolv.conf
file and store/load it.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:28:14 +01:00
Daniel J Walsh
89be1e9f35 Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-24 08:20:11 -04:00
Daniel J Walsh
6f81ec8c67 Default all container storage to /var/lib/containers/storage
containers/storage is defaulting to /var/lib/containers/storage
for image and containers storage.  It is also defaulting to
/var/run/containers/storage for all runtime.  The defaults
for CRI-O should match so that lots of other tools that use
containers/storage can share the same storage.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-24 08:19:08 -04:00
Antonio Murdaca
673b6e4c51 Merge pull request #400 from sameo/topic/oci-process
server: Fix the OCI process arguments build routine
2017-03-24 09:07:00 +01:00
Mrunal Patel
2f761ff0ad Merge pull request #399 from rhatdan/selinux
Switch to using opencontainers/selinux
2017-03-23 14:08:37 -07:00
Daniel J Walsh
7f21253f57 Vendor in opencontainers/selinux
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:10 -04:00
Daniel J Walsh
19620f3d1e Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:09 -04:00
Antonio Murdaca
c12db22819 Merge pull request #401 from mrunalp/inc_create_timeout
Increase the timeout value for create container
2017-03-23 19:13:49 +01:00
Mrunal Patel
be47583041 Increase the timeout value for create container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-23 10:06:52 -07:00
Samuel Ortiz
21afa1a975 server: Fix the OCI process arguments build routine
We need to support a 2x2 matrix of use cases with both
kubelet giving us (command, args) slices and the OCI
image config file giving us (ENTRYPOINT, CMD) slices.

Here we always prioritize the kubelet information over
the OCI image one, and use the latter when the former
is incomplete.

Not that this routine will be slightly simpler when
issue #395 is fixed.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-23 12:59:26 +01:00
Mrunal Patel
b487a9b7dd Merge pull request #383 from sameo/topic/storage
server: Remove the mount points after stopping the containers
2017-03-21 07:46:08 -07:00
Mrunal Patel
4feb74cee9 Merge pull request #390 from rhatdan/MissingExit
If the container exit file is missing default exit code to -1
2017-03-21 07:32:47 -07:00
Daniel J Walsh
d679da0645 If the container exit file is missing default exit code to -1
If I create a sandbox pod and then restart the ocid service, the
pod ends up in a stopped state without an exit file.  Whether this is
a bug in ocid or not we should handle this case where a container exits
so that we can clean up the container.

This change just defaults to exit code to -1 if the container is not
running and does not have an exit file.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-21 08:00:04 -04:00
Mrunal Patel
987007862e Merge pull request #396 from mrunalp/version_0.1
Bump up version to 0.1
2017-03-20 19:28:21 -07:00
Mrunal Patel
e147601584 Bump up version to 0.1
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-20 14:12:09 -07:00
Antonio Murdaca
0298981a82 Merge pull request #392 from sameo/topic/kubelet-1.6-fixes
Fixes for kubelet 1.6 and kubeadm 1.7
2017-03-20 20:40:31 +01:00
Antonio Murdaca
526f104f21 Merge pull request #129 from YaoZengzeng/add-create-container-timeout
add timeout when wait to get container pid from conmon
2017-03-20 18:45:47 +01:00
Samuel Ortiz
c3cb6a133f server: Remove the mount points after stopping the containers
When starting pods or containers, we create the mount points
first. It seems natural to do something symetrical when stopping
pods or containers, i.e. removing the mount point at last.

Also, the current logic may not work with VM based containers as the
hypervisor may hold a reference on the mount point while we're trying to
remove them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 17:50:38 +01:00
Antonio Murdaca
19e7b78aea Merge pull request #295 from cyphar/example-cni-config
contrib: cni: provide example CNI configurations
2017-03-20 16:53:52 +01:00
Samuel Ortiz
4ac92d73e4 container: Fix the OCI Process Args string build
The way we build the OCI Process Args slice is incorrect.
With the current implementation we may for example end up building this
slice with only the entry point arguments, if the kubelet passed
information is missing the Command slice.
We also will end up building the Args slice with the Image config
process arguments, without the defined entry point, if kubelet does not
tell us anything about the container process command to be run.

This patch fixes that by favoring the kubelet ContainerConfig
information. If that is missing, we try to complete it with the
container image information. We always use ContainerConfig.Command[] or
ImageConfig.EntryPoint[] as the first OCI Process Args slice entries.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 15:17:34 +01:00
YaoZengzeng
3b7d815af1 add timeout when wait to get container pid from conmon
Signed-off-by: Yao Zengzeng <yaozengzeng@zju.edu.cn>
2017-03-20 21:49:30 +08:00
Aleksa Sarai
9088a12c75
contrib: cni: provide example CNI configurations
This also updates the readme to no longer contain CNI configuration
information (which had incorrect steps), and rather just points to the
example configs.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-20 23:08:28 +11:00
Samuel Ortiz
0169dce585 container: Add image ID and name to the container status
Kubelet 1.6 seems to request that those fields must be present.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 10:55:44 +01:00
Mrunal Patel
792f585c44 Merge pull request #391 from rhatdan/selinux
Set SELinux mount label for pod sandbox
2017-03-16 14:45:29 -07:00
Daniel J Walsh
031e184624 Change lint timeout to 60 seconds, to fix test failure
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 17:03:12 -04:00
Daniel J Walsh
ff950a8e37 Set SELinux mount label for pod sandbox
The pause container is creating an AVC since the /dev/null device
is not labeled correctly.  Looks like we are only setting the label of
the process not the label of the content inside of the container.
This change will label content in the pause container correctly and
eliminate the AVC.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 14:09:38 -04:00
Daniel J Walsh
bf6c4141c1 Fix golint error
golint has figured out an optimization that is blocking other pull requests.
This fixes the golint issue.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 14:09:38 -04:00
Mrunal Patel
fdc7f5a77a Merge pull request #387 from apilloud/update_image
Update containers/image
2017-03-13 12:09:51 -07:00
Andrew Pilloud
de9995d5f0 dep: Update containers/image to 1d7e25b91705e4d1cddb5396baf112caeb1119f3
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-03-13 09:33:17 -07:00
Andrew Pilloud
54c176e336 storage: Support latest containers/image
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-03-13 08:51:02 -07:00
Antonio Murdaca
ee3027f8be Merge pull request #385 from mrunalp/conmon_cgroup
Run conmon under cgroups (systemd)
2017-03-09 19:01:44 +01:00
Mrunal Patel
8c0ff7d904 Run conmon under cgroups (systemd)
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-06 15:08:46 -08:00
Pengfei Ni
3195f45904 Merge pull request #367 from sameo/topic/host-privileged-runtime
Support alternate runtime for host privileged operations
2017-03-05 07:53:20 +08:00
Antonio Murdaca
4589048b18 Merge pull request #384 from mrunalp/fix_cgroup_parent
Fix cgroup parent
2017-03-04 10:20:29 +01:00
Mrunal Patel
38f497a701 Fix cgroup parent
We were using a variable before it was set.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-03 16:38:46 -08:00
Antonio Murdaca
0b6afbd78a Merge pull request #378 from mrunalp/add_scope_run
util: Add function to run in scope
2017-03-04 00:44:35 +01:00
Mrunal Patel
91ed3d4fbf Add a utility to run a pid in a systemd scope
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-03 15:02:14 -08:00
Samuel Ortiz
f7eee71792 server: Reduce createSandboxContainer complexity
By factorizing the bind mounts generation code.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:29 +01:00
Samuel Ortiz
2ec696be41 server: Set sandbox and container privileged flags
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.

A container inherit its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be
when one of the below conditions is true:

- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
  namespaces.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:04 +01:00
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Samuel Ortiz
2fc4d0cac1 config: Add host privileged runtime configuration
Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.

By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00