Commit graph

274 commits

Author SHA1 Message Date
Mrunal Patel
24df2538db Update runtime-spec to v1.0.0.rc5
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-12 19:15:53 -07:00
Mrunal Patel
5589f929c0 Merge pull request #443 from runcom/expose-mount-cstatus
server: expose mounts in container status
2017-04-11 09:01:37 -07:00
Antonio Murdaca
7081620128
server: expose mounts in container status
Fix 5 more tests from k8s's conformance tests
```
Ran 5 of 213 Specs in 76.068 seconds
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 208 Skipped PASS
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-11 16:51:09 +02:00
Antonio Murdaca
05cde3e759
server: add auth info to image pull
Fix the following upstream k8s's e2e-node test:
```
should be able to pull from private registry with secret [Conformance]
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-10 17:09:56 +02:00
Antonio Murdaca
0854c081ec Merge pull request #433 from sameo/topic/sandboxrun-fixes
server: Fix RunPodSandbox error path
2017-04-06 18:46:24 +02:00
Samuel Ortiz
ea1f6517c1 server: Fix RunPodSandbox error path
When RunPodSandbox fails after calling s.addSandbox(sb),
we're left with a sandbox in s.state.sandboxes while the
sandbox is not created.

We fix that by adding removeSandbox() to the deferred cleanup
call

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 17:36:26 +02:00
Antonio Murdaca
87e288d13a
server: mock ExecResponse
This patch prevents k8s's e2e_node tests from killing CRI-O (because of
a panic in marshaling nil responses). This will ensure tests keep
running and just logging the failure.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-06 16:37:13 +02:00
Antonio Murdaca
09d2a6b519 Merge pull request #427 from mrunalp/fix_nil_config
Check for case when image config isn't present
2017-04-05 12:42:58 +02:00
Mrunal Patel
aac24e1715 Check for case when image config isn't present
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-04-04 15:42:58 -07:00
Mrunal Patel
2b5dca3950 Merge pull request #424 from runcom/fix-schema1-config
read image config from docker v2s1 manifests
2017-04-04 14:49:54 -07:00
Antonio Murdaca
3c7f3ab2ec Merge pull request #409 from sameo/topic/fat-lock
Serialize Update and Sandbox/Container creation operations
2017-04-04 23:23:19 +02:00
Aleksa Sarai
7679a84c6d
server: issues.k8s.io/44043 workaround
Because kubelet will create broken symlinks for logPath it is necessary
to remove those symlinks before we attempt to write to them. This is a
temporary workaround while the issue is fixed upstream.

Ref: https://issues.k8s.io/44043
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
65527da361
test: add logging tests
The main purpose of these tests is to make sure that the log actually
contains output from the container. We don't test the timestamps or the
stream that's stated at the moment.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
c290c0d9c3
conmon: implement logging to logPath
This adds a very simple implementation of logging within conmon, where
every buffer read from the masterfd of the container is also written to
the log file (with errors during writing to the log file ignored).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Samuel Ortiz
be5084387c server: Serialize container/pod creation with updates
Interleaving asynchronous updates with pod or container creations can
lead to unrecoverable races and corruptions of the pod or container hash
tables. This is fixed by serializing update against pod or container
creation operations, while pod and container creation operations can
run in parallel.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 18:43:21 +02:00
Samuel Ortiz
c89cc876d2
server: Remove Image Config hack
Now that the image package has fixes to support docker images v2s1,
we can remove our buildOCIProcessARgs() hack for empty image configs
and simplify this routine.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-04 17:52:40 +02:00
Samuel Ortiz
d1006fdfbc server: Add new sandboxes to the sandbox hash table first
We want new sandboxes to be added to the sandbox hash table before
adding their ID to the pod Index registrar, in order to avoid potential
Update() races.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 17:22:34 +02:00
Mrunal Patel
c5e15cfd5f Add labels/annotations to container status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-03 15:05:57 -07:00
Mrunal Patel
fd435256e7 Set default working directory to /
runc/runtime-spec doesn't allow empty working dir
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-31 14:04:16 -07:00
Antonio Murdaca
1ce8be1ccf Merge pull request #417 from surajssd/update-conmon-default-path
Update the default conmonPath
2017-03-31 18:30:22 +02:00
Mrunal Patel
fa467a30f1 Merge pull request #420 from mrunalp/fix_hostname
Set the container hostname same as pod hostname
2017-03-31 07:35:49 -07:00
Mrunal Patel
c6897b5f62 Set the uid, gid and groups from container user
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-30 10:58:57 -07:00
Mrunal Patel
4ccc5bbe7c Set the container hostnames same as pod hostname
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 16:11:57 -07:00
Mrunal Patel
505bc2cbd5 Add function to lookup user in container /etc/{passwd,group}
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 11:18:35 -07:00
Mrunal Patel
f422235b3e Add function to safely open a file in container rootfs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 11:16:53 -07:00
Suraj Deshmukh
c93c7cd1b8 Update the default conmonPath
After change in `Makefile` at #304 where `PREFIX`
has changed from `/usr` to `/usr/local` these changes
has to be reflected in default `conmonPath`.

Signed-off-by: Suraj Deshmukh <surajssd009005@gmail.com>
2017-03-29 21:23:52 +05:30
Mrunal Patel
8709f1b5bb Apply working dir and env from image config
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-27 16:41:43 -07:00
Mrunal Patel
d69ad9b5a3 Fix lint issues
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-27 10:21:30 -07:00
Antonio Murdaca
37f118d73a Merge pull request #398 from rhatdan/containers_storage
Default all container storage to /var/lib/containers/storage
2017-03-25 08:22:11 +01:00
Samuel Ortiz
48a297ed7b container: Propagate the pod sandbox resolv.conf mount point
When a pod sandbox comes with DNS settings, the resulting resolv.conf
file needs to be bind mounted in all pod containers under
/etc/resolv.conf.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:32:16 +01:00
Samuel Ortiz
72129ee3fb sandbox: Track and store the pod resolv.conf path
When we get a pod with DNS settings, we need to build
a resolv.conf file and mount it in all pod containers.
In order to do that, we have to track the built resolv.conf
file and store/load it.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:28:14 +01:00
Daniel J Walsh
6f81ec8c67 Default all container storage to /var/lib/containers/storage
containers/storage is defaulting to /var/lib/containers/storage
for image and containers storage.  It is also defaulting to
/var/run/containers/storage for all runtime.  The defaults
for CRI-O should match so that lots of other tools that use
containers/storage can share the same storage.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-24 08:19:08 -04:00
Antonio Murdaca
673b6e4c51 Merge pull request #400 from sameo/topic/oci-process
server: Fix the OCI process arguments build routine
2017-03-24 09:07:00 +01:00
Daniel J Walsh
19620f3d1e Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:09 -04:00
Samuel Ortiz
21afa1a975 server: Fix the OCI process arguments build routine
We need to support a 2x2 matrix of use cases with both
kubelet giving us (command, args) slices and the OCI
image config file giving us (ENTRYPOINT, CMD) slices.

Here we always prioritize the kubelet information over
the OCI image one, and use the latter when the former
is incomplete.

Not that this routine will be slightly simpler when
issue #395 is fixed.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-23 12:59:26 +01:00
Mrunal Patel
b487a9b7dd Merge pull request #383 from sameo/topic/storage
server: Remove the mount points after stopping the containers
2017-03-21 07:46:08 -07:00
Samuel Ortiz
c3cb6a133f server: Remove the mount points after stopping the containers
When starting pods or containers, we create the mount points
first. It seems natural to do something symetrical when stopping
pods or containers, i.e. removing the mount point at last.

Also, the current logic may not work with VM based containers as the
hypervisor may hold a reference on the mount point while we're trying to
remove them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 17:50:38 +01:00
Samuel Ortiz
4ac92d73e4 container: Fix the OCI Process Args string build
The way we build the OCI Process Args slice is incorrect.
With the current implementation we may for example end up building this
slice with only the entry point arguments, if the kubelet passed
information is missing the Command slice.
We also will end up building the Args slice with the Image config
process arguments, without the defined entry point, if kubelet does not
tell us anything about the container process command to be run.

This patch fixes that by favoring the kubelet ContainerConfig
information. If that is missing, we try to complete it with the
container image information. We always use ContainerConfig.Command[] or
ImageConfig.EntryPoint[] as the first OCI Process Args slice entries.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 15:17:34 +01:00
Samuel Ortiz
0169dce585 container: Add image ID and name to the container status
Kubelet 1.6 seems to request that those fields must be present.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 10:55:44 +01:00
Daniel J Walsh
ff950a8e37 Set SELinux mount label for pod sandbox
The pause container is creating an AVC since the /dev/null device
is not labeled correctly.  Looks like we are only setting the label of
the process not the label of the content inside of the container.
This change will label content in the pause container correctly and
eliminate the AVC.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 14:09:38 -04:00
Mrunal Patel
8c0ff7d904 Run conmon under cgroups (systemd)
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-06 15:08:46 -08:00
Pengfei Ni
3195f45904 Merge pull request #367 from sameo/topic/host-privileged-runtime
Support alternate runtime for host privileged operations
2017-03-05 07:53:20 +08:00
Mrunal Patel
38f497a701 Fix cgroup parent
We were using a variable before it was set.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-03 16:38:46 -08:00
Samuel Ortiz
f7eee71792 server: Reduce createSandboxContainer complexity
By factorizing the bind mounts generation code.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:29 +01:00
Samuel Ortiz
2ec696be41 server: Set sandbox and container privileged flags
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.

A container inherit its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be
when one of the below conditions is true:

- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
  namespaces.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:04 +01:00
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Samuel Ortiz
2fc4d0cac1 config: Add host privileged runtime configuration
Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.

By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Andrew Pilloud
5f63cdcf89 Use canonical import path for apimachinery
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 18:32:42 -08:00
Andrew Pilloud
4ce17f893a Change bool style
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 10:27:35 -08:00
Andrew Pilloud
2bb4191047 Move seccomp enabled check into seccomp package
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 09:32:12 -08:00