Switch from using the lower-level storage APIs (accessing LayerStore,
ImageStore, and ContainerStore types directly) in favor of the
higher-level ones that take care of synchronization and locking for us.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Bump containers/image (pulling in its new dependency on ostree-go),
containers/storage, and updated image-spec.
This pulls in the OCI v1.0 specifications and code that allows us to
support 1.0 images.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Design: The output of the `info` subcommand ought to be directly
consumable in a format like JSON or yaml.
The structure being a map of sorts.
Each subsection of information being an individual cluster under the
top-level, like platform info, debug, storage, etc.
Even if there are errors under the top level key, the value will be a
map with the key of "error" and the value as the message of the
`err.Error()`. In this way, the command always returns usable output.
Ideally there will be a means for anything that can register info to do
so independently from it being in the single info.go, so this approach
is having a typed signature for the function that gives info, but i'm
sure it could be better.
Current iteration of this outputs the following as a limited user:
```yaml
host:
MemFree: 711307264
MemTotal: 2096222208
SwapFree: 2147479552
SwapTotal: 2147479552
arch: amd64
cpus: 1
os: linux
store:
error: 'mkdir /var/run/containers/storage: permission denied'
```
and as root (`sudo kpod info -D`):
```yaml
debug:
compiler: gc
go version: go1.7.6
goroutines: 3
host:
MemFree: 717795328
MemTotal: 2096222208
SwapFree: 2147479552
SwapTotal: 2147479552
arch: amd64
cpus: 1
os: linux
store:
ContainerStore:
number: 1
GraphDriverName: overlay2
GraphRoot: /var/lib/containers/storage
ImageStore:
number: 1
```
And with the `--json --debug` flag:
```json
{
"debug": {
"compiler": "gc",
"go version": "go1.7.6",
"goroutines": 3
},
"host": {
"MemFree": 709402624,
"MemTotal": 2096222208,
"SwapFree": 2147479552,
"SwapTotal": 2147479552,
"arch": "amd64",
"cpus": 1,
"os": "linux"
},
"store": {
"ContainerStore": {
"number": 1
},
"GraphDriverName": "overlay2",
"GraphRoot": "/var/lib/containers/storage",
"ImageStore": {
"number": 1
}
}
}
```
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
We now have actual kpod code, so no reason to have a not implemented feature.
Especially when we don't intend to create kpod launch.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).
[1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24
This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
'kpod images' lists all images on a system. 'kpod rmi' removes
one or more images from a system. The images will not be removed
if they are associated with a running container, unless the -f
option is used
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
This patch also hides the profile under the debug flag as there's
runtime cost to enable the profiler.
This removes the old way of profiling (CPU) as that's not really
needed.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.
Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.
A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
If we create a container using the image ID like
771cd5947d5ea4bf8e8f4900dd357dbb67e7b16486c270f8274087d182d457c6, then
a call to container_status will return that same ID for the "Image"
field in ContainerStatusResponse.
This patch matches dockershim behavior and return the first tagged name
if available from the image store.
This is also needed to fix a failure in k8s e2d tests.
Reference:
https://github.com/kubernetes/kubernetes/pull/39298/files#diff-c7dd39479fd733354254e70845075db5R369
Reference:
67a5bf8454/test/e2e/framework/util.go (L1941)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name. We want to elminate the name ocid from use.
Move fully to crio.
Also cric is being renamed to crioctl for the time being.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
To collect CPU profile information added a flag `--cpu-profile`
which is a path to file where this collected information will be
dumped.
Fixes#464
Signed-off-by: Suraj Deshmukh <surajssd009005@gmail.com>
We use the k8s remotecommand client API to create a
streaming executor, and then stream the executed process
into stdout/stderr.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
