Commit graph

24 commits

Author SHA1 Message Date
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Antonio Murdaca
3f56193a15 Merge pull request #577 from runcom/insecure-regisrties
*: support insecure registries
2017-06-09 20:31:43 +02:00
Samuel Ortiz
b480336dd7 ocicni: Handle create and write events
By only handling create events, we are breaking plugins that don't
create and write atomically, like weave for example.
The Weave plugin creates the file first and later write to it. We are
missing the second part and never see the final CNI config file.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-09 10:19:26 +02:00
Antonio Murdaca
8b53fabcbd
*: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Antonio Murdaca
3b545abf12
image_pull: check image already pulled
This is an optimization of our image pull code path. It's basically
how docker handles pulls as well. Let's be smart and check the image in
pull code path as well.
This also matches docker behavior which first checks whether we're
allowed to actually pull an image before looking into local storage.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 15:03:27 +02:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00
Antonio Murdaca
a37dd46654
*: stability fixes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 15:42:01 +02:00
Antonio Murdaca
ecd0006e80
vendor: upgrade containers/storage
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-17 22:18:07 +02:00
Dan Walsh
4493b6f176 Rename ocid to crio.
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name.  We want to elminate the name ocid from use.
Move fully to crio.

Also cric is being renamed to crioctl for the time being.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-12 09:56:06 -04:00
Nalin Dahyabhai
b75a1ba44d Remove some redundant target image namesetting
Remove some logic that messed with the names we assigned to just-pulled
images in the storage layer, since the image and storage libraries now
take care of that for us.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-04-27 14:13:02 -04:00
Nalin Dahyabhai
a0b1da15a3 Expand image refs and handle refs with digests
If an image that we're pulling from a registry has a digest in its
reference, use that to construct the destination image's reference.
This should help us detect cases where the image has previously been
pulled.

When we have a filter to use when listing images, expand it into a
reference so that we can properly match against names of images that
we've previously stored using fully expanded references.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-04-27 14:13:02 -04:00
f401adffa9
server: readable fields
`git grep -w images` or `git grep -w storage` needs to be more useful.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-04-20 08:22:50 -04:00
aa24e0554d
pkg/storage: switch to searchable fieldname
`image` as a variable/field name becomes too redundant and difficult to
grep for. Switching to `imageServer` makes for more readable code.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-04-18 07:53:53 -04:00
Samuel Ortiz
63c7a7c99b ocicni: Support asynchronous network config creation
We need to support cases where InitCNI() is called before
any CNI configuration files have been installed. This is
for example happening when deploying a k8s cluster with kubeadm.
kubeadm will start the DNS pod and it is left to the caller to
pick a network overlay and create the corresponding pods, that
will typically install a CNI configuration file first.

Here we address that issue by doing 2 things:

- Not returning an error when the default CNI config files
  directory is empty.
- If it is empty, we start a monitoring thread (fsnotify based)
  that will synchronize the network configuration when a CNI
  file is installed there.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-10 17:36:28 +02:00
Samuel Ortiz
71cfd850f7 ocicni: Convert logs to logrus
To be consistent with the rest of the CRI-O logs, and to be able
to set the ocicni verbosity, we convert it from glog to logrus.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 23:06:36 +02:00
Antonio Murdaca
a0071de607
read image config from docker v2s1 manifests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-04 17:52:37 +02:00
Nalin Dahyabhai
e7748cba6e Preserve the tag of the pulled image's name
When we pull an image, preserve the tag portion of the name that we were
asked to use for pulling it, instead of unconditionally replacing it
with "latest".

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-03-24 11:54:56 -04:00
Andrew Pilloud
54c176e336 storage: Support latest containers/image
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-03-13 08:51:02 -07:00
Nalin Dahyabhai
3eca785331 Don't try to parse an image ID a second time
When looking for the image to use for creating a container, there's no
need to attempt parsing the ID a second time, and doing so can create
confusing error messages.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-02-08 10:58:00 -05:00
Antonio Murdaca
2202c1a460
storage: fix image retrieval by id
kubelet sends a request to create a container with an image ID (as
opposed as an image name). That ID comes from the ImageStatus response.
This patch fixes that by setting the image ID as well as the image name
and fix the login to lookup for image ID as well.

Found while running `make test-e2e-node`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-31 16:32:30 +01:00
Rajat Chopra
c04040fa95 move ocicni from vendors to pkg/
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2017-01-19 17:45:54 -05:00
Nalin Dahyabhai
aeea656581 Limit implicit image pulling to the pause image
The CRI doesn't expect us to implicitly pull an image if it isn't
already present before we're asked to use it to create a container, and
the tests no longer depend on us doing so, either.

Limit the logic which attempts to pull an image, if it isn't present, to
only pulling the configured "pause" image, since our use of that image
for running pod sandboxes is an implementation detail that our clients
can't be expected to know or care about.  Include the name of the image
that we didn't pull in the error we return when we don't pull one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
4ae8606edf Add storage utility functions
Add an intermediate API layer that uses containers/storage, and a
containers/image that has been patched to use it, to manage images and
containers, storing the data that we need to know about containers and
pods in the metadata fields provided by containers/storage.

While ocid manages pods and containers as different types of items, with
disjoint sets of IDs and names, it remains true that every pod includes
at least one container.  When a container's only purpose is to serve as
a home for namespaces that are shared with the other containers in the
pod, it is referred to as the pod's infrastructure container.

At the storage level, a pod is stored as its set of containers.  We keep
track of both pod IDs and container IDs in the metadata field of
Container objects that the storage library manages for us.  Containers
which bear the same pod ID are members of the pod which has that ID.
Other information about the pod, which ocid needs to remember in order
to answer requests for information about the pod, is also kept in the
metadata field of its member containers.

The container's runtime configuration should be stored in the
container's ContainerDirectory, and used as a template.  Each time the
container is about to be started, its layer should be mounted, that
configuration template should be read, the template's rootfs location
should be replaced with the mountpoint for the container's layer, and
the result should be saved to the container's ContainerRunDirectory,
for use as the configuration for the container.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:34 -05:00