Commit graph

1101 commits

Author SHA1 Message Date
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Mrunal Patel
7b9032bac7 Merge pull request #579 from alexlarsson/non-terminal-attach
Implement non-terminal attach
2017-06-14 21:45:44 -07:00
Mrunal Patel
29f7cd44d8 Merge pull request #599 from runcom/fix-calico
Fix calico
2017-06-14 16:25:42 -07:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever gets the
data from one write operation. We use this for framing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Antonio Murdaca
00444753e7 Merge pull request #596 from mrunalp/ctr_create_debug
oci: Add debugs to print error message on create failure
2017-06-14 18:17:41 +02:00
Mrunal Patel
62c9caeb83 oci: Add debugs for container create failures
This makes it easier to debug container creation failures
by looking at cri-o logs.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-14 07:33:07 -07:00
Mrunal Patel
6a79d25e8c lint: Increase lint timeout to 600 seconds
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-14 07:32:37 -07:00
Antonio Murdaca
0dfec710f2
container_create: net files must be ro when rootfs is ro
we were blindly applying RO mount options but net addons like calico
modify those files.
This patch sets RO only when container's rootfs is RO, same behavior as
docker.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:34 +02:00
Antonio Murdaca
d2e1d559b7
container_create: just mkdir on image's volumes
tmpfs'es can override whatever is on the container rootfs. We just
mkdir the volume as we're confident kube manages volumes in containers.
We don't need any tmpfs nor any complex volume handling for now.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:31 +02:00
Antonio Murdaca
de0013a2de Merge pull request #591 from mrunalp/readme_runc_version
readme: Fix the required version of runc
2017-06-14 14:46:55 +02:00
Mrunal Patel
066ced207f readme: Fixed the required version of runc
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-06-13 14:29:51 -07:00
Antonio Murdaca
e3170caa2e Merge pull request #593 from sameo/topic/cni
tutorial: Fix CNI plugins URL
2017-06-13 16:59:07 +02:00
Mrunal Patel
bca3f6262a Merge pull request #590 from apilloud/ipv6only
server: add --bind-address flag
2017-06-13 07:42:02 -07:00
Samuel Ortiz
9074d57439 tutorial: Fix CNI plugins URL
And make it clear that we're building the plugins and not only the core
library.

Fixes #592

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-13 16:12:07 +02:00
Andrew Pilloud
c77b5fbea8 Add stream-address and stream-port flags to crio
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-06-12 16:12:36 -07:00
Antonio Murdaca
67306aff8f Merge pull request #588 from mrunalp/update_roadmap
readme: Update the roadmap to reflect current status
2017-06-13 00:23:47 +02:00
Mrunal Patel
b347a50fa4 Merge pull request #589 from sameo/topic/cni
contrib/cni: Fix README link
2017-06-12 14:59:02 -07:00
Samuel Ortiz
0fb682641b contrib/cni: Fix README link
The CNI plugins are now living in a repo of their own.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-12 23:14:35 +02:00
Mrunal Patel
0f4aeef288 readme: Update the roadmap to reflect current status
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-12 10:58:51 -07:00
Mrunal Patel
2a6db15113 Merge pull request #584 from runcom/start-failed
adjust status on container start failure
2017-06-12 07:26:22 -07:00
Antonio Murdaca
b211061016
copy using bytes pools
Vendor and use docker/pkg/pools.
Pools are used to lower the number of memory allocations and reuse buffers when
processing large stream operations.

The use of pools.Copy avoids io.Copy's internal buffer allocation.
This commit replaces io.Copy with pools.Copy to avoid the allocation of
buffers in io.Copy.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:53:23 +02:00
Antonio Murdaca
0b2f6b5354
adjust status on container start failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:48:50 +02:00
Mrunal Patel
86a35a1c12 Merge pull request #581 from runcom/readme-irc
README.md: add communication paragraph
2017-06-09 14:52:48 -07:00
Mrunal Patel
b8130b6852 Merge pull request #582 from runcom/fix-logrus
sandbox_status: Infof->Debugf response
2017-06-09 14:18:00 -07:00
Antonio Murdaca
3f56193a15 Merge pull request #577 from runcom/insecure-regisrties
*: support insecure registries
2017-06-09 20:31:43 +02:00
Antonio Murdaca
b5a10084dc
README.md: add communication paragraph
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 17:47:13 +02:00
Mrunal Patel
aab6b4e51c Merge pull request #580 from sameo/topic/ocicni
ocicni: Handle create and write events
2017-06-09 07:54:30 -07:00
Antonio Murdaca
cfec2c4cf4
sandbox_run: correct a defer
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 13:57:45 +02:00
Antonio Murdaca
e28540ca90
sandbox_status: Infof->Debugf response
This was cluttering the logs on my clusters. The log should be just in
debug mode as we do for every request/response flow.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 13:04:33 +02:00
Antonio Murdaca
952ae0db1c Merge pull request #571 from alexlarsson/conmon-glib-mainloop
conmon: Use glib mainloop instead of epoll
2017-06-09 12:03:56 +02:00
Samuel Ortiz
b480336dd7 ocicni: Handle create and write events
By only handling create events, we are breaking plugins that don't
create and write atomically, like weave for example.
The Weave plugin creates the file first and later writes to it. We are
missing the second part and never see the final CNI config file.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-09 10:19:26 +02:00
Antonio Murdaca
8b53fabcbd
*: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Mrunal Patel
8441dca284 Merge pull request #574 from runcom/smarter-pull
image_pull: check image already pulled
2017-06-08 15:38:08 -07:00
Antonio Murdaca
77fc45e7bc Merge pull request #575 from runcom/unit-after-network-online
contrib: systemd: change After to network-online.target
2017-06-08 22:17:00 +02:00
Mrunal Patel
7cd0ab671d Merge pull request #572 from runcom/fix-processArgs
container_create: fix OCI processArgs assemblement
2017-06-08 11:41:43 -07:00
Alexander Larsson
fcac68bf27 conmon: Handle runc exiting before passing terminal fd
We don't want to block on accepting the terminal fd, because then
we can't detect if runc died before calling out to pass the terminal
fd. To handle this we spin the glib mainloop listening to both the
terminal accept fd and a child pid watch.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-08 19:29:52 +02:00
Alexander Larsson
4494d82cfe conmon: Use glib mainloop instead of epoll
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-08 16:21:20 +02:00
Antonio Murdaca
3b545abf12
image_pull: check image already pulled
This is an optimization of our image pull code path. It's basically
how docker handles pulls as well. Let's be smart and check the image in
pull code path as well.
This also matches docker behavior which first checks whether we're
allowed to actually pull an image before looking into local storage.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 15:03:27 +02:00
Antonio Murdaca
65d4ac8fc2
container_create: fix OCI processArgs assemblement
This patch fixes the following command:

kubectl run -i --tty centos --image=centos -- sh

The command above used to fail with:

/usr/bin/sh: /usr/bin/sh: cannot execute binary file

That's because we were wrongly assembling the OCI processArgs.

Thanks @alexlarsson for spotting this.

This patch basically replicates what docker does when merging container
config and image config. It also replicates how docker sets processArgs
for the OCI runtime.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 11:48:11 +02:00
Antonio Murdaca
6a0aab40cb
contrib: systemd: change After to network-online.target
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 01:25:37 +02:00
Mrunal Patel
86b6856faf Merge pull request #573 from rhatdan/manpage
Add missing options from man page
2017-06-07 14:55:50 -07:00
Daniel J Walsh
6fec37d708 Add missing options from man page
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-06-07 21:08:21 +00:00
Antonio Murdaca
45eee4caa8 Merge pull request #570 from mrunalp/detach
Detach
2017-06-07 19:46:21 +02:00
Antonio Murdaca
cb4c6004fc Merge pull request #564 from runcom/vndr-master
vendor: remove dep and use vndr
2017-06-07 10:24:59 +02:00
Mrunal Patel
d0486e542f Support detaching in CRI attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
6e53568d15 conmon: Close client on zero read from attach client
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
0b6f68479b utils: Add function to allow copying with detach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:52 -07:00
Antonio Murdaca
148e72d81e
vendor: remove dep and use vndr
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:21 +02:00
Antonio Murdaca
16f44674a4
Makefile: exclude ./vendor from git-validation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:15 +02:00
Mrunal Patel
7c56d20988 Merge pull request #567 from vbatts/tutorial
tutorial: pull the redis image first
2017-06-06 14:59:27 -07:00