Commit graph

136 commits

Author SHA1 Message Date
Daniel J Walsh
54ee55493d Need to clean up all pods on service poweroff
When powering off the system, we want the ocid service to shut down
all containers running on the system so they can clean up properly.
This patch will clean up all pods on poweroff.

The ocid-shutdown.service drops a file /var/run/ocid.shutdown when the system
is shutting down. The ocid-shutdown.service should only be executed at system
shutdown.

On bootup, the sequence should be:
start ocid.service
start ocid-shutdown.service (This is a NO-OP)

On system shutdown
stop ocid-shutdown.service (Creates /var/run/ocid.shutdown)
stop ocid.service (Notices /var/run/ocid.service and stops all pods before exiting.)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-04-14 06:04:14 -04:00
Antonio Murdaca
3c7f3ab2ec Merge pull request #409 from sameo/topic/fat-lock
Serialize Update and Sandbox/Container creation operations
2017-04-04 23:23:19 +02:00
Aleksa Sarai
c290c0d9c3 conmon: implement logging to logPath
This adds a very simple implementation of logging within conmon, where
every buffer read from the masterfd of the container is also written to
the log file (with errors during writing to the log file ignored).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Samuel Ortiz
be5084387c server: Serialize container/pod creation with updates
Interleaving asynchronous updates with pod or container creations can
lead to unrecoverable races and corruptions of the pod or container hash
tables. This is fixed by serializing update against pod or container
creation operations, while pod and container creation operations can
run in parallel.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 18:43:21 +02:00
Mrunal Patel
d69ad9b5a3 Fix lint issues
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-27 10:21:30 -07:00
Samuel Ortiz
72129ee3fb sandbox: Track and store the pod resolv.conf path
When we get a pod with DNS settings, we need to build
a resolv.conf file and mount it in all pod containers.
In order to do that, we have to track the built resolv.conf
file and store/load it.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:28:14 +01:00
Daniel J Walsh
19620f3d1e Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:09 -04:00
Samuel Ortiz
2ec696be41 server: Set sandbox and container privileged flags
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.

A container inherits its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be used
when one of the below conditions is true:

- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
  namespaces.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:04 +01:00
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non-privileged
containers and for privileged ones in case there is no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Andrew Pilloud
2bb4191047 Move seccomp enabled check into seccomp package
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 09:32:12 -08:00
Andrew Pilloud
44e7e88ff3 Run without seccomp support
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-21 16:47:03 -08:00
Michał Żyłowski
5c81217e09 Applying k8s.io v3 API for ocic and ocid
Signed-off-by: Michał Żyłowski <michal.zylowski@intel.com>
2017-02-06 13:05:10 +01:00
Aleksa Sarai
d5abfa1ecf server: respect ocid.network.plugin_dir setting
Previously ocicni did not have support for setting the plugin directory.
Now that it has grown support for it, use it to actually respect the
setting a user has provided for ocid.network.* options.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-01-25 04:12:51 +11:00
Rajat Chopra
c04040fa95 move ocicni from vendors to pkg/
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2017-01-19 17:45:54 -05:00
Nalin Dahyabhai
aeea656581 Limit implicit image pulling to the pause image
The CRI doesn't expect us to implicitly pull an image if it isn't
already present before we're asked to use it to create a container, and
the tests no longer depend on us doing so, either.

Limit the logic which attempts to pull an image, if it isn't present, to
only pulling the configured "pause" image, since our use of that image
for running pod sandboxes is an implementation detail that our clients
can't be expected to know or care about.  Include the name of the image
that we didn't pull in the error we return when we don't pull one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
749d24fbab server: cleanup on failed restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
437459bd64 server: do not add ctrs with bad state when restoring
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
c61a83a930 server: skip pods containers in bad state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
7bd7595b18 server: skip pods in bad state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
c0333b102b Integrate containers/storage
Use containers/storage to store images, pod sandboxes, and containers.
A pod sandbox's infrastructure container has the same ID as the pod to
which it belongs, and all containers also keep track of their pod's ID.

The container configuration that we build using the data in a
CreateContainerRequest is stored in the container's ContainerDirectory
and ContainerRunDirectory.

We catch SIGTERM and SIGINT, and when we receive either, we gracefully
exit the grpc loop.  If we also think that there aren't any container
filesystems in use, we attempt to do a clean shutdown of the storage
driver.

The test harness now waits for ocid to exit before attempting to delete
the storage root directory.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Samuel Ortiz
c525459000 main: Add CNI options
We add 2 ocid options for choosing the CNI configuration and plugin
binaries directories: --cni-config-dir and --cni-plugin-dir.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-20 12:50:17 +01:00
Mrunal Patel
5eab56e002 Pass cgroup manager to oci runtime manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:05:32 -08:00
Antonio Murdaca
d2f6a4c0e2 server: remove reaper, let runc take care of reaping
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 12:15:20 +01:00
Antonio Murdaca
4bb0830c37 Merge pull request #239 from xlgao-zju/reload-apparmor-profile
reload default apparmor profile if it is unloaded
2016-12-13 11:10:26 +01:00
Samuel Ortiz
0df8200e12 sandbox: Create a symbolic link to the networking namespace
In order to work around a bug introduced with runc commit bc84f833,
we create a symbolic link to our permanent networking namespace so
that runC realizes that this is not the host namespace.

Although this bug is now fixed upstream (see commit f33de5ab4), this
patch works with pre-rc3 runC versions.
We may want to revert that patch once runC 1.0.0 is released.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persistent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persistent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Antonio Murdaca
430297dd81 store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Antonio Murdaca
5a1605bad5 server: fix calls to logrus again
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-11 18:29:59 +01:00
Antonio Murdaca
d9edbe6817 Merge pull request #249 from mrunalp/dev_shm
Add support for pod /dev/shm that is shared by the pod ctrs
2016-12-09 09:46:27 +01:00
Mrunal Patel
868e18614a Fix couple of lint issues
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:40:59 -08:00
Mrunal Patel
be29524ba4 Add support for pod /dev/shm that is shared by the pod ctrs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Xianglin Gao
cb5ed1ce9d reload default apparmor profile if it is unloaded
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
1f863846f5 add default apparmor profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Antonio Murdaca
78ee03a8fc add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Crazykev
54a022defb restore pod annotations when restart ocid
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-01 13:49:21 +08:00
Aleksa Sarai
33f47d6a6b server: make ImageStore configurable
It's a bit odd to have ImageStore be part of the config and yet we don't
allow people to modify it. However, leave it out of the commented
version because it's currently unused.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
c89157e45c Merge pull request #176 from gao-feng/hidden-infra-container
store infra container in sandbox
2016-10-25 03:25:17 +00:00
Gao feng
78528d9bd1 store infra container in sandbox
The infra container is used to implement the pod
sandbox; it should not be exported to the user.

This patch stores the infra container in the sandbox
immediately. Only the containers created by the user
are stored in the container store, which prevents the user
from removing/stopping the infra container incorrectly.

Signed-off-by: Gao feng <omarapazanadi@gmail.com>
2016-10-24 20:18:19 +08:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Mrunal Patel
e999610fd6 Merge pull request #115 from cyphar/toml-config
cmd: server: use TOML configuration file
2016-10-11 16:07:25 -07:00
Antonio Murdaca
be2b0cfa50 server/server: skip if no sandbox when restoring containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-12 00:36:34 +02:00
Crazykev
f6536bf30e pod/container name should be released when creation fails
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-10-11 20:19:51 +08:00
Aleksa Sarai
7bf5110b76 server: refactor to use Config struct
This paves the way for having a configuration file that is loaded rather
than everything being set via the command-line.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-11 03:10:32 +11:00
Antonio Murdaca
217d278623 server/server: check pods/ctrs directories before restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Antonio Murdaca
54d6ddb5af server: containers restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Dan Walsh
be77b841fa Add SELinux support to OCID
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-06 14:13:06 -04:00
Mrunal Patel
0482a4281a Separate container IDs from container names
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:57:12 -07:00
Mrunal Patel
3e19549232 Add name and id indexes for containers
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:00:04 -07:00
Aleksa Sarai
bac579a9e5 server: create pause rootfs manually without Docker
This lessens the Docker requirement for creating sandboxes (with the
requirement only existing for the actual image pulling that is done when
adding a container to a pod). The interface was chosen to match the
--conmon interface, so that the location of the pause binary can be
chosen by a user.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-02 20:11:07 +11:00
Dan Walsh
f51c98b057 Install conmon in /usr/libexec/ocid/conmon
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-09-29 08:55:12 -04:00
Antonio Murdaca
4578cc93d1 server: fix panic when listing sandboxes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-27 10:46:45 +02:00
Antonio Murdaca
f7d3f7a69a Merge pull request #59 from mrunalp/pod_create_bug
Pod create bug
2016-09-27 09:13:40 +02:00
Mrunal Patel
4606f2a61a Fix the build for ocid to cri-o rename
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 16:55:12 -07:00
Mrunal Patel
78aae688e2 Add API to release Pod name when not required
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:41:58 -07:00
Mrunal Patel
e1b8802848 Fix typo
2016-09-26 15:31:06 -07:00
Antonio Murdaca
857aaa7816 cmd/server: provide a flag to set ocid root dir
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-24 00:38:06 +02:00
Antonio Murdaca
e269cb8b7e new vendoring
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:17:45 +02:00
Antonio Murdaca
32029aaba6 id and name indexes for pods
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:17:45 +02:00
Antonio Murdaca
b053e63995 restore server rewrite
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:57:50 +02:00
Antonio Murdaca
22d434c1e6 restructure and make lint
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:56:13 +02:00
Antonio Murdaca
53e76cc752 warn when cannot update container status on server init
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
caae4b298a create sandboxdir on server startup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
4fd1c583ad sandboxes restore on server start
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
35ef46f805 use an in memory store for containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 13:11:36 +02:00
Antonio Murdaca
158dfdfbda server: locking around server components
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-17 16:10:35 +02:00
Mrunal Patel
bbe5325afc Fix the build to account for the change in repository
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:48:39 -07:00
Rajat Chopra
4cf737bb7d add cni networking with noop plugin as default
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
0c386f74f9 Track container removal in state
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
b01d9dcc10 Make the server process a reaper
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Haiyan Meng
c2ee13d187 Implement CreateContainer
Signed-off-by: Haiyan Meng <hmeng@redhat.com>
2016-09-09 14:41:03 -07:00
Antonio Murdaca
c5d0f23e5a server: ensure /var/lib/ocid/images exists
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
fc3b7b5aae Setup the server as subreaper for child processes
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
c13dbaf6ab Further refactoring
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
764f02ca11 Add container dir to oci
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
ac1340488d Refactor to add oci and util packages
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Change the sandbox directory path

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Haiyan Meng
819d76b6fd Add first version of createPodSandbox
Signed-off-by: Haiyan Meng <hmeng@redhat.com>
2016-09-09 14:41:03 -07:00
Antonio Murdaca
06e013cd3d *: abstractions and ImageService
plus some fixes here and there

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-09 14:41:03 -07:00
Antonio Murdaca
713bbabc61 server,cmd: fix error handling
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
90a446e2a5 Import ocitools/generate library
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
32876892fc Refactor runtimeversion to be a command instead of option
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Haiyan Meng
5c4a79543f Add Server.Version and cmd/client test code
Signed-off-by: Haiyan Meng <hmeng@redhat.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
e93156e71e Add stubs for server implementation
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00