Should fix a possible deadlock in, at least, ListPodSandbox.
There seems to be no reason to hold stateLock when doing operations on
the memory_store for containers and sandboxes.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Some oci runtimes may used stderr for logging. Cri-o should not try to
parse this output as json when calling the "state" command.
Signed-off-by: Nicolas Lacasse <nlacasse@google.com>
This patch fixes exec to use the original (start-time) process exec
configuration. Otherwise, we were creating a brand new spec process w/o
additional groups for instance.
Spotted while integrating CRI-O with cri-test...The test was failing
with:
```
• Failure [10.640 seconds]
[k8s.io] Security Context
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
bucket
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:407
runtime should support SupplementalGroups [It]
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:272
Expected
<[]string | len:1, cap:1>: ["0"]
to contain element matching
<string>: 1234
```
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
It always fails because conmon is still there.
But more importantly it adds a 2 seconds delay to the container
creation as we're trying to delete a cgroup but we can't.
With this patch a container creation is down to typically less than
150ms instead of 2+ seconds.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Under very heavy loads (e.g. 100 pods created at the same time), VM
based runtimes can take more than 10 seconds to create a pod.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
When cri-o assumes the container creation failed, we need to let the
runtime know that we're bailing out so that it cancels all ongoing
operation.
In container creation timeout situations for example, failing to
explictly request the runtime for container deletion can lead to large
resource leaks as kubelet re-creates a failing container, while the
runtime finishes creating the previous one(s).
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Set the exitsdir for kpod back to /var/run/crio... so kpod can benefit
from the container exit file.
Because 0 is the int32 blank value, kpod needs its own container state
struct with the omitempty removed so it can actually display 0 in
its default json output.
Signed-off-by: baude <bbaude@redhat.com>
runc has a `--no-pivot` flag, that uses MS_MOVE instead.
This patch set bubbles up a runtime config to enable using no-pivot
globally.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
Implement the ability to pause and unpause running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
The inspect endpoint is used mainly in the CRI-O cAdvisor handler.
Let's make sure we don't break it by adding some trivial unit tests.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
We add a ContainerVolume struct and store a list of volumes
in the Container object for quick retrieval.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
We calculate these values at container creation time and store
them in the container object as they are requested during container
status. This avoids re-calculation and speeds up container status.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This allows the container list API to return updated status
for exited container without having to call container status first.
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus
Also vendor in latest containers/storage and containers/image
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).
[1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24
This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This moves the timeout handling from the go code to conmon, whic
removes some of the complexity from criod, and additionally it will
makes it possible to do the double-fork in the exec case too.
Signed-off-by: Alexander Larsson <alexl@redhat.com>