Commit graph

1771 commits

Author SHA1 Message Date
Samuel Ortiz
b480336dd7 ocicni: Handle create and write events
By only handling create events, we are breaking plugins that don't
create and write atomically, like weave for example.
The Weave plugin creates the file first and later writes to it. We are
missing the second part and never see the final CNI config file.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-09 10:19:26 +02:00
Antonio Murdaca
8b53fabcbd
*: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Mrunal Patel
8441dca284 Merge pull request #574 from runcom/smarter-pull
image_pull: check image already pulled
2017-06-08 15:38:08 -07:00
Antonio Murdaca
77fc45e7bc Merge pull request #575 from runcom/unit-after-network-online
contrib: systemd: change After to network-online.target
2017-06-08 22:17:00 +02:00
Mrunal Patel
7cd0ab671d Merge pull request #572 from runcom/fix-processArgs
container_create: fix OCI processArgs assembly
2017-06-08 11:41:43 -07:00
Alexander Larsson
fcac68bf27 conmon: Handle runc exiting before passing terminal fd
We don't want to block on accepting the terminal fd, because then
we can't detect if runc died before calling out to pass the terminal
fd. To handle this we spin the glib mainloop listening to both the
terminal accept fd and a child pid watch.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-08 19:29:52 +02:00
Alexander Larsson
4494d82cfe conmon: Use glib mainloop instead of epoll
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-08 16:21:20 +02:00
Antonio Murdaca
3b545abf12
image_pull: check image already pulled
This is an optimization of our image pull code path. It's basically
how docker handles pulls as well. Let's be smart and check the image in
the pull code path as well.
This also matches docker behavior which first checks whether we're
allowed to actually pull an image before looking into local storage.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 15:03:27 +02:00
Antonio Murdaca
65d4ac8fc2
container_create: fix OCI processArgs assembly
This patch fixes the following command:

kubectl run -i --tty centos --image=centos -- sh

The command above used to fail with:

/usr/bin/sh: /usr/bin/sh: cannot execute binary file

That's because we were wrongly assembling the OCI processArgs.

Thanks @alexlarsson for spotting this.

This patch basically replicates what docker does when merging container
config and image config. It also replicates how docker sets processArgs
for the OCI runtime.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 11:48:11 +02:00
Antonio Murdaca
6a0aab40cb
contrib: systemd: change After to network-online.target
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 01:25:37 +02:00
Mrunal Patel
86b6856faf Merge pull request #573 from rhatdan/manpage
Add missing options from man page
2017-06-07 14:55:50 -07:00
Daniel J Walsh
6fec37d708 Add missing options from man page
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-06-07 21:08:21 +00:00
Antonio Murdaca
45eee4caa8 Merge pull request #570 from mrunalp/detach
Detach
2017-06-07 19:46:21 +02:00
Antonio Murdaca
cb4c6004fc Merge pull request #564 from runcom/vndr-master
vendor: remove dep and use vndr
2017-06-07 10:24:59 +02:00
Mrunal Patel
d0486e542f Support detaching in CRI attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
6e53568d15 conmon: Close client on zero read from attach client
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
0b6f68479b utils: Add function to allow copying with detach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:52 -07:00
Antonio Murdaca
148e72d81e
vendor: remove dep and use vndr
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:21 +02:00
Antonio Murdaca
16f44674a4
Makefile: exclude ./vendor from git-validation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:15 +02:00
Mrunal Patel
7c56d20988 Merge pull request #567 from vbatts/tutorial
tutorial: pull the redis image first
2017-06-06 14:59:27 -07:00
Antonio Murdaca
3f7e8e9884 Merge pull request #546 from mrunalp/cri/attach
Attach
2017-06-06 22:43:06 +02:00
Vincent Batts
e63bace453
tutorial: pull the redis image first
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-06-06 16:00:36 -04:00
Mrunal Patel
8f5f7aa5e2 Add code to handle CRI attach
A goroutine is started to forward terminal resize requests
from the resize channel. Also, data is copied back/forth
between stdin, stdout, stderr streams and the attach socket
for the container.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
1a6825758c conmon: Add control fifo for terminal resize handling
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
065f12490c conmon: Add unix domain socket for attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
5c383d13d2 conmon: Add info/warn to syslog as well
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
fee5291495 Merge pull request #563 from rhatdan/master
Need to be consistent in our naming of OCI
2017-06-05 18:09:52 -07:00
Dan Walsh
4c48e13619 Need to be consistent in our naming of Oci.
It should always be capitalized.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-05 15:11:03 -04:00
Mrunal Patel
7f2a769f96 Merge pull request #559 from runcom/fix-net-tests-node-e2e-rhel
contrib: test: fix failing networking tests in RHEL
2017-06-04 15:31:00 -07:00
Antonio Murdaca
4369537d32
contrib: test: fix failing networking tests in RHEL
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-04 19:30:30 +02:00
Antonio Murdaca
8fa574325e Merge pull request #556 from sameo/topic/conmon-fix
conmon: Fix Ubuntu build failure
2017-06-03 23:27:08 +02:00
Mrunal Patel
34357ec7a4 Merge pull request #557 from runcom/streamserver-bindaddress
server: do not use localhost for streaming service
2017-06-03 11:01:43 -07:00
Antonio Murdaca
315c385371
server: do not use localhost for streaming service
The bug is silly if you have a master/node cluster where node is on a
different machine than the master.
The current behavior is to give our addresses like "0.0.0.0:10101". If
you run "kubectl exec ..." from another host, that's not going to work
since on a different host 0.0.0.0 resolves to localhost and kubectl
exec fails with:

error: unable to upgrade connection: 404 page not found

This patch fixes the above by giving our correct addresses for reaching
from outside.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-03 18:26:33 +02:00
Samuel Ortiz
23ca7307e4 conmon: Fix Ubuntu build failure
conmon.c fails to build on Ubuntu:

cc -std=c99 -Os -Wall -Wextra -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include   -c -o conmon.o conmon.c
In file included from /usr/include/fcntl.h:289:0,
                 from conmon.c:4:
In function ‘open’,
    inlined from ‘main’ at conmon.c:519:10:
/usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
    __open_missing_mode ();
    ^
<builtin>: recipe for target 'conmon.o' failed
make[1]: *** [conmon.o] Error 1

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-03 01:37:24 +02:00
Antonio Murdaca
a8848bc028 Merge pull request #550 from sameo/topic/annotations
pkg/annotations: Export CRI-O annotations namespace
2017-06-02 23:06:47 +02:00
Antonio Murdaca
14983d1402 Merge pull request #553 from mrunalp/add_missing_include
Add missing include for writev
2017-06-02 23:06:18 +02:00
Mrunal Patel
5d9dcc8431 Add missing include for writev
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-06-02 10:29:50 -07:00
Mrunal Patel
6ff71d0f84 Merge pull request #552 from alexlarsson/conmon-fixes
Various fixes for conmon
2017-06-02 10:10:16 -07:00
Alexander Larsson
2507ba6453 Remove json-glib in the remaining places
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:18:27 +02:00
Alexander Larsson
f4b3e90141 conmon: Make console socket mode 0700
It doesn't make sense for other users to connect to this, so
let's make sure of this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:26 +02:00
Alexander Larsson
f1b0f542e1 conmon: Silence uninitialized read compiler warning
This is not actually read uninitialized, it's just that the compiler
can't detect this, but we initialize it anyway to silence the compiler.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:21 +02:00
Alexander Larsson
fe6f1f4786 conmon: Add -Os flag
This is what the other C code uses, and it's nice to have as adding
any optimization flags enables a bunch more warnings.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:15 +02:00
Alexander Larsson
1a168cb196 conmon: Drop json-glib dependency
json-glib is a fine library for parsing json. However, all we need
to do is generate some trivial json output, so it is not needed.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:10 +02:00
Alexander Larsson
f3408cbb5c conmon: Make all file descriptors CLOEXEC
We want to avoid inheriting these into the child. Doing so is both
confusing for the child, and a potential security issue if the
container has access to FDs that are from the outside of the
container.

Some of these are created after we fork for the child, so they
are not technically necessary. However, it's best to do this as
we may change the code in the future and forget about this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:06 +02:00
Alexander Larsson
829ec7f351 conmon: Build argv instead of commandline to spawn runtime
This means we don't have to spawn via a shell, but it also
means we do the right thing for any input that would have
needed to be escaped. For instance if the container name had
a $ in it, or even worse, a back-quote!

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:01 +02:00
Alexander Larsson
d2f09ef483 conmon: Increase buffer size
The buffer is used to read from the stderr/stdout stream, which
can easily be larger than 256 bytes. With a larger buffer we will
do fewer, larger reads, which is more efficient. And 8k more stack
size use is not really a problem.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:56 +02:00
Alexander Larsson
fe80f857ca conmon: Fix cgroup subsystem parsing
The code as is doesn't handle merged controllers.
For instance, I have this in my /proc/self/cgroup:

4:cpu,cpuacct:/user.slice/user-0.slice/session-4.scope

The current code fails to match "cpuacct" with this line, and
additionally it just does a prefix match so if you were looking
for say "cpu", it would match this:

2:cpuset:/

I also removed some ninfo spew that didn't seem very useful.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:36 +02:00
Alexander Larsson
d34c5829f8 conmon: Write log in larger chunks
Rather than writing the logs with one write per line, use writev()
to write multiple lines in one call. Additionally, this avoids
using dprintf() when writing to the log, which is nice because that
doesn't correctly handle partial writes or EINTR.

This also changes set_k8s_timestamp to add the pipe to the reused
buffer so that we don't have to append it on each line.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:30 +02:00
Alexander Larsson
ae933d0d03 conmon: Handle EINTR and partial writes when writing
Any write could be interrupted by EINTR if we get some kind of signal,
which means we could be either reporting an EINTR error or a partial
write (if some data was written). It's also generally good to handle
partial writes correctly, as they can happen e.g. when writing to
full pipes.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:09:48 +02:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00