CRI-O's server relies on this for creation attempts, but it can set
the option. conmon itself doesn't need to care one way or the other.
Perhaps it is being called by a process that doesn't care about the
container exit code or has another way to access that information.
With this commit, we trust callers to set --exit-dir if they want it,
instead of requiring non-exec callers to set it.
Signed-off-by: W. Trevor King <wking@tremily.us>
Add the possibility to run a custom command, and optionally provide
additional arguments to it, when conmon exits.
For example, it could be possible to delete the terminated container
with:
```
conmon [...] --exit-command /usr/bin/runc \
    --exit-command-arg delete \
    --exit-command-arg $CONTAINER_UUID
```
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Avoid:
```
$ make clean && make conmon.o 2>&1
rm -f conmon.o cmsg.o ../bin/conmon
cc -std=c99 -Os -Wall -Wextra -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -DVERSION=\"1.9.0-dev\" -DGIT_COMMIT=\""74cd1ec97c13a9784ce5e67a9e50e8977b5d2f38"\" -c -o conmon.o conmon.c
conmon.c: In function ‘main’:
conmon.c:1175:3: warning: ignoring return value of ‘read’, declared with attribute warn_unused_result [-Wunused-result]
   read(start_pipe_fd, buf, BUF_SIZE);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
by catching and exiting on any read errors. A read error here would
be because the caller died before writing to the start pipe, and we
don't want to continue in those cases because it would reopen the
cgroup race discussed in af4fbcd9 (conmon: Don't leave zombies and fix
cgroup race, 2017-06-09, #583). af4fbcd9 is where this line
originally landed, and it didn't have error checking then.
Signed-off-by: W. Trevor King <wking@tremily.us>
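
The start-pipe check described in the commit above, as an added example that is not conmon's code and not part of the commit. `wait_for_start`, `demo` and the `BUF_SIZE` value are hypothetical, and treating end-of-file (writer closed without writing) as fatal alongside read errors is an assumption of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#define BUF_SIZE 256 /* assumed value; the commit only names BUF_SIZE */

/* Hypothetical helper, not conmon's code. Blocks until the caller writes to
 * the start pipe. Returns 0 once data arrives, -1 on a read error or when the
 * write end was closed with nothing written (caller gone). */
static int wait_for_start(int start_pipe_fd)
{
	char buf[BUF_SIZE];
	ssize_t n;

	do {
		n = read(start_pipe_fd, buf, sizeof(buf));
	} while (n < 0 && errno == EINTR); /* a signal is not a failure: retry */

	if (n < 0) {
		perror("read from start pipe");
		return -1;
	}
	if (n == 0) { /* EOF: assumption of this example, treated as fatal too */
		fprintf(stderr, "start pipe closed before any write\n");
		return -1;
	}
	return 0;
}

/* Constructed scenario: the writer sends one byte, or just closes its end. */
static int demo(int caller_writes)
{
	int fds[2], rc;

	if (pipe(fds) < 0)
		return -2;
	if (caller_writes && write(fds[1], "1", 1) != 1)
		caller_writes = 0; /* failed write behaves like a dead caller */
	close(fds[1]);
	rc = wait_for_start(fds[0]);
	close(fds[0]);
	return rc;
}

int main(void)
{
	printf("wrote=%d died=%d badfd=%d\n", demo(1), demo(0), wait_for_start(-1));
	return 0;
}
```

A caller that gets -1 back should exit rather than continue, so that it never proceeds without the start signal.
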
This patch fixes selinuxopt generation as found in:
```
install /usr/sbin/selinuxenabled -D -m 644 crio.conf /etc/crio/crio.conf
```
The above is clearly wrong when installing the configuration because
`command -v` outputs the path of selinuxenabled as well, resulting in
```
/usr/bin/selinuxenabled -Z
```
This patch fixes that by just echoing the -Z as needed.
Issue introduced in
https://github.com/kubernetes-incubator/cri-o/pull/1363
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This should have happened in f4883dd2 (Makefile: do not install man1
files, 2017-11-08, #1129). It may have been missed due to the
man1/man8 typo from e61c672a (Add missing man pages and bash
completions for kpod, 2016-12-02, #230).
Signed-off-by: W. Trevor King <wking@tremily.us>
The hard-coded path landed in 488216f5 (Make sure selinuxenabled
exists before executing it, 2016-10-17, #154), but there's no need to
require that path. Using 'command -v' (in POSIX [1]) supports anyone
who has selinuxenabled in their PATH.
[1]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html
Signed-off-by: W. Trevor King <wking@tremily.us>
Without this change, hitting these targets directly will fail. For
example:
```
$ make clean
$ make MANDIR=/tmp install.man
install -d -m 755 /tmp/man5
install -d -m 755 /tmp/man8
install -m 644 docs/crio.conf.5 -t /tmp/man5
install: cannot stat 'docs/crio.conf.5': No such file or directory
make: *** [Makefile:150: install.man] Error 1
```
Signed-off-by: W. Trevor King <wking@tremily.us>
Umount/Remove below can go wrong and next calls to NetNsRemove would
trigger:
```
481 Feb 22 14:37:35 ip-172-31-48-190.ec2.internal
atomic-openshift-node[88937]: E0222 14:37:35.291692 88937
remote_runtime.go:115] StopPodSandbox
"200a062985ebfda2bbdb1b5d724005d4a0c1be54f277a4de52f9f101d9c43db6" from
runtime service failed: rpc error: code = Unknown desc = close
/var/run/netns/k8s_psql-1-tht5r_bingli328usyu727s_6a7b8edc-174d-11e8-9e8f-0a46c474dfe0_
0-dda1c649: file already closed
```
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Make this more like the runtime spec, using the RFC 2119 keywords for
both JSON-author and CRI-O requirements. This also clarifies the
regular expression language (POSIX EREs), links to a JSON spec, and
tightens wording for the various matching criteria.
I think the hook-config format could be improved (versioning it, and
reusing the runtime-spec hook structure instead of renaming 'path' to
'hook', dropping 'timeout', etc.). But I'm leaving that sort of thing
to future work.
Signed-off-by: W. Trevor King <wking@tremily.us>
These backticks landed with the rest of the hook docs in 139d0841 (Add
support for oci-hooks to libkpod, 2017-08-12, #562). But "CRI-O" is
the project name, so it doesn't need backticks. We would need
backticks if we used the executable filename "crio".
Signed-off-by: W. Trevor King <wking@tremily.us>
The old "won't never" was a potentially-confusing double negative.
This commit rewords the comment to avoid that issue and also lands
some other minor cleanups.
Signed-off-by: W. Trevor King <wking@tremily.us>
Cache information about images that isn't trivially read from them, so
that ImageStatus and particularly ListImages don't have to do
potentially-expensive things for every image that they report.
The cache is an in-memory map, and we prune it after ListImages has
assembled its result set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>