Commit graph

320 commits

Author SHA1 Message Date
Mrunal Patel
58bc35ab40 server: Add an inspect endpoint for containers
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-30 11:45:56 -07:00
baude
94602a1e85 cmd/kpod/ps.go: Use getCommand for JSON
The getCommand func strips out unwanted characters around the
command of the container.  The JSON output should use this func
like the regular ps output for both consistency and because
Python does a literal interpretation of the bracket [] characters
when consuming as JSON.

Signed-off-by: baude <bbaude@redhat.com>
2017-08-30 09:26:20 -05:00
Daniel J Walsh
85215abf7e Merge pull request #807 from nalind/kpod-storage-status
kpod: add more storage information to "info"
2017-08-29 13:53:58 -04:00
Ryan Cole
380ea16232 Remove duplicate kpod command names
Some kpod commands were listed twice in main.go.  Removed these
duplicates and alphabetized the remaining commands to prevent this
from happening in the future

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-29 11:25:35 -04:00
Mrunal Patel
662e80492c Merge pull request #801 from runcom/not-exist-exit
server: container_remove: ignore not existent exit file
2017-08-29 07:58:33 -07:00
Daniel J Walsh
62f275c784 Merge pull request #802 from baude/add_image_id_to_ps
Add image_id to json output
2017-08-29 06:57:45 -04:00
Daniel J Walsh
3e7cbc9fe7 Merge pull request #795 from rhatdan/kpod-push-compression
Disable compression by default.
2017-08-29 06:54:07 -04:00
Antonio Murdaca
f35147e23c cmd: {crio,crioctl}: bump to beta
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 11:25:33 +02:00
baude
6f492593ec Add image_id to json output
Consumers of the json output, like the atomic cli, need the ID of the
image for the container as well as the name.  Specifically, it is used
to track "used" and "vulnerable" images.

Signed-off-by: baude <bbaude@redhat.com>
2017-08-28 20:44:22 -05:00
Nalin Dahyabhai
eef5e6d5da kpod: add more storage information to "info"
Have the "kpod info" command also package up the driver-level status
information that the github.com/containers/storage.Store's Status()
method returns.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-08-28 17:32:03 -04:00
Daniel J Walsh
e48f7a3491 Remove compress variable
No reason to carry this temporary variable for documentation purposes.
If in the future we find that it is necessary to add a CLI option, we
can add the variable then.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-28 08:29:42 -04:00
Ryan Cole
865612c3db Disable compression by default
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-28 08:29:42 -04:00
umohnani8
d76e500b59 Modify the JSON output of kpod ps
Changed the JSON output to hold the actual type of the data.
For example the creation time of a container will be of form time.Time.
The human readable output modifies all the fields to type string, which
is not helpful when the JSON output wants to be used for further processing.

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-08-27 20:41:50 -04:00
Daniel J Walsh
7af1ae71ed Merge pull request #776 from umohnani8/kpod_ps
Add 'kpod ps' command
2017-08-23 07:08:31 -04:00
Mrunal Patel
a1071649f0 Merge pull request #784 from vbatts/no_images_list
kpod-images: don't nil pointer on empty list
2017-08-22 14:57:33 -07:00
umohnani8
35ca80abe6 Add 'kpod ps' command
kpod ps lists the containers currently stored

Displays the list of containers

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-08-22 16:40:45 -04:00
41c689ac77 kpod-images: don't nil pointer on empty list
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-08-22 14:15:58 -04:00
Antonio Murdaca
8088d7a1e2 *: fix lint issues
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:18 +02:00
Antonio Murdaca
d56bf090ce *: update kube vendor to v1.7.4
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:14 +02:00
Nalin Dahyabhai
6f27dddf93 kpod images: output multiple image names
Output multiple image names, if we have more than one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-08-21 11:27:45 -04:00
Nalin Dahyabhai
ef8df00e6a kpod: shut down the storage library before exiting
Before exiting, have kpod shut down the storage library if it can.  This
should keep us from leaving mountpoints for the root (for non-vfs cases)
and run directory (with newer containers/storage) busy when testing kpod.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-08-21 11:27:44 -04:00
Daniel J Walsh
c0f3e02bae Merge pull request #765 from baude/format
Format
2017-08-19 04:10:40 -04:00
baude
78c6151519 Modify kpod diff --json to --format json
We want all kpod subcommands to use the formats code to output
formats like json.  Altering kpod diff --json to kpod diff --format json
like the kpod images command.

Signed-off-by: baude <bbaude@redhat.com>
2017-08-18 21:05:58 -05:00
Nalin Dahyabhai
05985ff2f7 kpod: make --debug work
The --debug flag is a global CLI flag, so parse it like one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-08-17 15:27:04 -04:00
Mrunal Patel
f82fe5691a Merge pull request #706 from 14rcole/kpod-stats
Kpod stats
2017-08-17 11:24:38 -07:00
Mrunal Patel
a5591d34b7 Merge pull request #772 from 14rcole/kpod-rename
implement kpod rename
2017-08-17 10:04:16 -07:00
Ryan Cole
ceeed6c32e add kpod stats function
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-17 11:34:10 -04:00
Ryan Cole
1eb21f8e15 implement kpod rename
rename a container

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-17 09:00:41 -04:00
Ryan Cole
ba07bfb932 Make kpod images use text/template by default
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-17 08:32:38 -04:00
Ryan Cole
08c3d241a4 Add format functions
Add functions to go templates such as truncating a field.  Also add
the table keyword, which, if placed at the beginning of a format string,
adds headers to the output

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-16 15:45:13 -04:00
Ryan Cole
07572e85f5 Add kpod logs command
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-16 08:55:23 -04:00
Mrunal Patel
36fd0a7208 Merge pull request #744 from rhatdan/debug
Add --debug flag to kpod to turn up logging level to debug
2017-08-14 16:21:22 -07:00
Antonio Murdaca
95165063bd Merge pull request #758 from mrunalp/inotify_exit_watch
Inotify exit watch
2017-08-14 16:00:35 +02:00
Mrunal Patel
30ded83096 Add inotify watcher for container exits
This allows the container list API to return updated status
for exited container without having to call container status first.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-13 08:01:48 -07:00
Mrunal Patel
4311020c36 Merge pull request #653 from baude/images_json
cmd/kpod/images.go: Add JSON output option
2017-08-13 07:19:04 -07:00
baude
01b71393e3 cmd/kpod/images.go: Add structured format output
For kpod images, we need to output in JSON format so that consumers
(programmatic) have structured input to work with.

kpod images --format json

Signed-off-by: baude <bbaude@redhat.com>
2017-08-12 19:09:49 -05:00
Daniel J Walsh
464d6852de Add --debug flag to kpod to turn up logging level to debug
Also set default level of logging to errors,  we should not see
info messages in the kpod command line.

While adding this patch, I found missing options in kpod command line
and bash completions, so I added them in.

Also fixed some sorting issues in the way commands are displayed in help or in
bash completions.

Finally fixed the error message to be output on failure using logrus.Errorf, so
we don't get the stack any longer.

Also updated README.md with missing kpod commands.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-11 16:41:25 -04:00
Ryan Cole
949268f958 Add kpod diff command
kpod diff reports on differences between two layers, specified as
layer IDs, containers, or images.  In the case of containers or
images, kpod diff produces a diff for the top layer

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-11 16:08:41 -04:00
Mrunal Patel
fb2ee59225 Merge pull request #737 from umohnani8/kpod_export
Add 'kpod export' command
2017-08-11 10:54:34 -07:00
Mrunal Patel
43bc359fc0 Add metrics endpoint support to server
We add two flags --enable-metrics and --metrics-port
to enable metrics endpoint and allow specifying the
port which defaults to 9090.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-10 13:44:42 -04:00
Mrunal Patel
4310e6d86f Merge pull request #741 from 14rcole/kpod-inspect-update
have server update list of containers on creation
2017-08-10 05:23:39 -07:00
umohnani8
be8ba17534 Add 'kpod export' command
kpod export exports the container's filesystem to a tar archive

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-08-08 16:46:01 -04:00
Dan Walsh
0cc45cf26a Add kpod-mount and kpod-umount to mount and umount container images
This command will allow users to manipulate and examine the container
images from outside of the container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-08 15:46:50 -04:00
Ryan Cole
bfbb99e05c have server update list of containers on creation
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-08 10:23:32 -04:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Mrunal Patel
3b888a54d3 Merge pull request #720 from 14rcole/containerserver-integration
Move functions in libkpod to ContainerServer
2017-08-07 08:09:53 -07:00
Mrunal Patel
ce8bd648de Merge pull request #730 from 14rcole/kpod-image-filter
fix bug with creation time in ParseFilter()
2017-08-04 19:24:37 -07:00
Ryan Cole
c6dc7d3e22 Fix bug resulting in kpod images --quiet only printing one image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-04 11:50:38 -04:00
Ryan Cole
0d8f015675 Allow password for docker registry to be inputted silently
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-04 09:35:36 -04:00
Ryan Cole
b1eb754ef5 Move functions in libkpod to ContainerServer
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-03 13:05:44 -04:00
Antonio Murdaca
a35727c80b *: implement additional pull registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-02 16:38:11 +02:00
Matthew Heon
9529f565b2 Add option to use file-based locking for libkpod state
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-07-31 15:58:29 -04:00
umohnani8
412b98be26 Add 'kpod load' command
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-07-28 22:30:48 -04:00
Nalin Dahyabhai
40117e8bfe Use inspected creation dates
We already parse every image if there's a label filter so that we can
check against the filter, so when we do that, go ahead and read the
OCI-format configuration and inspection data as well, and use an image's
creation date as recorded in inspection data everywhere.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-28 16:58:12 -04:00
Ryan Cole
2cb57e0cb5 Switch kpod save to use config
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-28 15:51:11 -04:00
Mrunal Patel
d2a82a28c1 Merge pull request #678 from umohnani8/kpod_save
Add 'kpod save' command
2017-07-28 10:49:49 -07:00
Mrunal Patel
13c874753c Merge pull request #693 from 14rcole/libkpod-config
add basic config struct to libkpod
2017-07-28 06:24:45 -07:00
Ryan Cole
a8b6f2ad8a Update kpod commands to use getConfig()
Make getStore() take a config struct from which it pulls the store
options, then update the kpod commands so that they call getConfig()
and pass the config into getStore()

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-27 15:58:55 -04:00
umohnani8
ff5eda509a Add 'kpod save' command
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-07-27 13:35:30 -04:00
Mrunal Patel
9dbd60a0df Merge pull request #698 from nalind/kpod-updates
kpod: avoid digging into unpublished formats
2017-07-27 10:20:46 -07:00
Ryan Cole
0c8f106ee8 add basic config struct to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-27 11:12:50 -04:00
Nalin Dahyabhai
cb0bb94c68 Avoid parsing image metadata
Avoid parsing metadata that the image library keeps in order to find an
image's top layer and creation date; instead, use the values which the
storage library now makes available, which will be correct once we merge
PR #654 or something like it.

Instead of assuming the last blob which was added for the image was the
manifest, read it directly and compute its digest ourselves.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-26 16:33:02 -04:00
Mrunal Patel
1f40531dca Make the profile port configurable
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-26 10:57:55 -07:00
Nalin Dahyabhai
2e50006f1c Avoid using lower-level storage APIs
Switch from using the lower-level storage APIs (accessing LayerStore,
ImageStore, and ContainerStore types directly) in favor of the
higher-level ones that take care of synchronization and locking for us.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-25 13:29:49 -04:00
Ryan Cole
18f94f38ba Remove GetImage() and make rmi use more robust FindImage()
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-25 09:02:45 -04:00
Ryan Cole
c1706475c0 move functions supporting rmi command to libkpod/image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 16:17:26 -04:00
Ryan Cole
0f44ff1d3b move functions supporting images command to libkpod/image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:35:36 -04:00
Ryan Cole
df7536e3c0 move PushImage and PullImage to libkpod/image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:35:36 -04:00
Ryan Cole
14864f820e move code supporting push, pull, and inspect to libkpod and libkpod/image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:35:36 -04:00
Ryan Cole
2c1fd1ad3f move container-related functions out of kpod and into libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:34:55 -04:00
Ryan Cole
a68a981d0b move image-related functions out of cmd/kpod/common.go and into libkpod/image
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:34:55 -04:00
Ryan Cole
95e17b4a73 move driver and image metadata to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 14:34:55 -04:00
Dan Walsh
d76645680f Bump image, storage, and image-spec
Bump containers/image (pulling in its new dependency on ostree-go),
containers/storage, and updated image-spec.

This pulls in the OCI v1.0 specifications and code that allows us to
support 1.0 images.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-24 13:01:54 -04:00
Mrunal Patel
1aa0d5da86 Merge pull request #686 from sak0/dev
crioctl ctr stop: enable timeout input
2017-07-22 13:22:13 -07:00
CuiHaozhi
13fd708f04 crioctl ctr stop: enable timeout input
Signed-off-by: CuiHaozhi <cuihz@wise2c.com>
2017-07-21 09:48:22 -04:00
Ryan Cole
0d4305a261 Implement kpod inspect
kpod inspect allows the user to view low-level information about
containers and images

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-21 08:11:27 -04:00
Ryan Cole
680f7a6106 Add kpod push command
Push an image to a specified location, such as to an atomic registry
or a local directory

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-20 11:12:40 -04:00
Mrunal Patel
a7c1745aa2 Merge pull request #643 from umohnani8/kpod_history
Add 'kpod history' command
2017-07-19 16:15:28 -07:00
umohnani8
ad490708a4 Add 'kpod history' command
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-07-19 15:11:25 -04:00
CuiHaozhi
8c3950ad6d kpod images --digests output align
Signed-off-by: CuiHaozhi <cuihz@wise2c.com>
2017-07-18 23:07:29 -04:00
ab36ad50be kpod: info subcommand
Design: The output of the `info` subcommand ought to be directly
consumable in a format like JSON or yaml.
The structure being a map of sorts.

Each subsection of information being an individual cluster under the
top-level, like platform info, debug, storage, etc.

Even if there are errors under the top level key, the value will be a
map with the key of "error" and the value as the message of the
`err.Error()`. In this way, the command always returns usable output.

Ideally there will be a means for anything that can register info to do
so independently from it being in the single info.go, so this approach
is having a typed signature for the function that gives info, but I'm
sure it could be better.

Current iteration of this outputs the following as a limited user:

```yaml
host:
  MemFree: 711307264
  MemTotal: 2096222208
  SwapFree: 2147479552
  SwapTotal: 2147479552
  arch: amd64
  cpus: 1
  os: linux
store:
  error: 'mkdir /var/run/containers/storage: permission denied'

```

and as root (`sudo kpod info -D`):

```yaml
debug:
  compiler: gc
  go version: go1.7.6
  goroutines: 3
host:
  MemFree: 717795328
  MemTotal: 2096222208
  SwapFree: 2147479552
  SwapTotal: 2147479552
  arch: amd64
  cpus: 1
  os: linux
store:
  ContainerStore:
    number: 1
  GraphDriverName: overlay2
  GraphRoot: /var/lib/containers/storage
  ImageStore:
    number: 1
```

And with the `--json --debug` flag:

```json
{
  "debug": {
    "compiler": "gc",
    "go version": "go1.7.6",
    "goroutines": 3
  },
  "host": {
    "MemFree": 709402624,
    "MemTotal": 2096222208,
    "SwapFree": 2147479552,
    "SwapTotal": 2147479552,
    "arch": "amd64",
    "cpus": 1,
    "os": "linux"
  },
  "store": {
    "ContainerStore": {
      "number": 1
    },
    "GraphDriverName": "overlay2",
    "GraphRoot": "/var/lib/containers/storage",
    "ImageStore": {
      "number": 1
    }
  }
}
```

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-07-17 14:23:53 -04:00
Daniel J Walsh
0bd5f6cebc Remove kpod launch example code
We now have actual kpod code, so no reason to have a not implemented feature.
Especially when we don't intend to create kpod launch.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-07-15 06:54:41 -04:00
Mrunal Patel
7443263bd6 Add config for ImageVolumesBind option
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-07-14 15:31:50 -07:00
umohnani8
f9b9f92d3f Remove repeated app.Flags in cmd/kpod/main.go
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-07-12 11:59:45 -04:00
Antonio Murdaca
17584facf0 Merge pull request #641 from mrunalp/pids_limit
Pids limit
2017-07-12 12:39:54 +02:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
e49dd34657 Add support for container pids limit
We add a daemon level setting and will add a container
override once it is supported in CRI.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 14:59:52 -07:00
Ryan Cole
a040f20a76 Add 'kpod images' and 'kpod rmi' commands
'kpod images' lists all images on a system.  'kpod rmi' removes
one or more images from a system.  The images will not be removed
if they are associated with a running container, unless the -f
option is used

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-11 15:52:57 -04:00
Mrunal Patel
7fb772b7d1 Merge pull request #638 from umohnani8/kpod_pull
Add 'kpod pull' command
2017-07-11 12:23:01 -07:00
Mrunal Patel
d270de78c4 Merge pull request #645 from vbatts/kpod-version-failsafe
kpod: version should not fail
2017-07-11 07:30:15 -07:00
umohnani8
ac9b53266d Add 'kpod pull' command
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-07-11 09:05:17 -04:00
55d526e213 kpod: version should not fail
even when the variables are not provided at compile, the `kpod version`
command ought not fail.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-07-10 17:02:13 -04:00
Mrunal Patel
dc55fd2f14 config: Add ImageVolumes configuration setting
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-10 13:46:14 -07:00
Ryan Cole
b84f064976 Add kpod tag command
Add one or more tags to an image

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-06 10:10:51 -04:00
umohnani8
9595d7900e Add kpod version
Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-06-27 16:48:24 -04:00
Antonio Murdaca
78e2fd3d5e cmd/crio: fix reading insecure-registry flags
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-24 13:16:45 +02:00
Mrunal Patel
b82df188c6 version: Bump up version to 1.0.0-alpha.0
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-20 09:48:12 -07:00
Antonio Murdaca
20e11e3b90 cmd: crio: enable remote profiler
This patch also hides the profile under the debug flag as there's
runtime cost to enable the profiler.
This removes the old way of profiling (CPU) as that's not really
needed.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-18 11:42:04 +02:00
Mrunal Patel
bd40bbc30b Add missing error checks and simplify bool check
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-16 15:49:16 -07:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Andrew Pilloud
c77b5fbea8 Add stream-address and stream-port flags to crio
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-06-12 16:12:36 -07:00
Antonio Murdaca
8b53fabcbd *: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Mrunal Patel
ea9a90abce Set Container Status Reason when OOM Killed
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-25 11:30:58 -07:00
Antonio Murdaca
d099e3a988 server: container_status: we should return digested references in imageRef
currently blocked on
https://github.com/kubernetes-incubator/cri-o/issues/531

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:37:46 +02:00
Antonio Murdaca
22d055869d server: container_status: return image name if available
If we create a container using the image ID like
771cd5947d5ea4bf8e8f4900dd357dbb67e7b16486c270f8274087d182d457c6, then
a call to container_status will return that same ID for the "Image"
field in ContainerStatusResponse.

This patch matches dockershim behavior and returns the first tagged name
if available from the image store.

This is also needed to fix a failure in k8s e2e tests.

Reference:
https://github.com/kubernetes/kubernetes/pull/39298/files#diff-c7dd39479fd733354254e70845075db5R369
Reference:
67a5bf8454/test/e2e/framework/util.go (L1941)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:37:46 +02:00
Antonio Murdaca
1ca660e3b7 Merge pull request #512 from runcom/stop-timeout
server: honor container stop timeout from CRI
2017-05-16 10:06:47 +02:00
Mrunal Patel
5e4809bdfe Fix remnants of ocid -> crio rename
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-15 15:05:58 -07:00
Antonio Murdaca
b3683ab184 server: honor container stop timeout from CRI
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-15 22:56:31 +02:00
Dan Walsh
4493b6f176 Rename ocid to crio.
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name.  We want to eliminate the name ocid from use.
Move fully to crio.

Also cric is being renamed to crioctl for the time being.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-12 09:56:06 -04:00
Mrunal Patel
22babd5bcd Bump up to version 0.3
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-04-28 08:13:00 -07:00
Suraj Deshmukh
2699198610 Add flag --cpu-profile to enable pprof
To collect CPU profile information added a flag `--cpu-profile`
which is a path to file where this collected information will be
dumped.

Fixes #464

Signed-off-by: Suraj Deshmukh <surajssd009005@gmail.com>
2017-04-27 11:17:56 +05:30
Samuel Ortiz
c676b7b6c3 ocic: Initial implementation for ocic ctr exec
We use the k8s remotecommand client API to create a
streaming executor, and then stream the executed process
into stdout/stderr.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-24 18:44:49 +02:00
Jacek J. Łakis
3babbf0de1 ocic: Add container exec command
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:40 +02:00
Mrunal Patel
32b546cf0b Release version 0.2
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-13 09:50:14 -07:00
Daniel J Walsh
19620f3d1e Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:09 -04:00
Mrunal Patel
e147601584 Bump up version to 0.1
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-20 14:12:09 -07:00
Samuel Ortiz
2fc4d0cac1 config: Add host privileged runtime configuration
Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.

By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Daniel J Walsh
cf5b0ae57f Deprecate --storage-option for --storage-opt
container-storage-setup (Formerly docker-storage-setup) is being converted to
run with container runtimes outside of docker.  Specifically we want to use it
with CRI-O/ocid.  It does not know anything about the container runtimes it
is generating options for, so it generates them based on the storage CLI of
docker.  I see no reason to have the storage option for ocid to be different
and we can just deprecate the option for now.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-02-25 09:09:50 -05:00
Michał Żyłowski
5c81217e09 Applying k8s.io v3 API for ocic and ocid
Signed-off-by: Michał Żyłowski <michal.zylowski@intel.com>
2017-02-06 13:05:10 +01:00
Nalin Dahyabhai
c0333b102b Integrate containers/storage
Use containers/storage to store images, pod sandboxes, and containers.
A pod sandbox's infrastructure container has the same ID as the pod to
which it belongs, and all containers also keep track of their pod's ID.

The container configuration that we build using the data in a
CreateContainerRequest is stored in the container's ContainerDirectory
and ContainerRunDirectory.

We catch SIGTERM and SIGINT, and when we receive either, we gracefully
exit the grpc loop.  If we also think that there aren't any container
filesystems in use, we attempt to do a clean shutdown of the storage
driver.

The test harness now waits for ocid to exit before attempting to delete
the storage root directory.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
caee4a99c9 Vendor containers/image and containers/storage
Vendor updated containers/image and containers/storage, along
with any new dependencies they drag in, and updated versions of other
dependencies that happen to get pulled in.

github.com/coreos/go-systemd/daemon/SdNotify() now takes a boolean to
control whether or not it unsets the NOTIFY_SOCKET variable from the
calling process's environment.  Adapt.

github.com/opencontainers/runtime-tools/generate/Generator.AddProcessEnv()
now takes the environment variable name and value as two arguments, not
one.  Adapt.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:21:59 -05:00
Jonathan Yu
6c9628cdb1 Build and install from GOPATH
* Rename 'vendor/src' -> 'vendor'
  * Ignore vendor/ instead of vendor/src/ for lint
* Rename 'cmd/client' -> 'cmd/ocic' to make it 'go install'able
* Rename 'cmd/server' -> 'cmd/ocid' to make it 'go install'able
* Update Makefile to build and install from GOPATH
* Update tests to locate ocid/ocic in GOPATH/bin
* Search for binaries in GOPATH/bin instead of PATH
* Install tools using `go get -u`, so they are updated on each run

Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-01-17 12:09:09 -08:00
Jonathan Yu
d5d297d50b Promote DefaultConfig() to server package
The default configuration can only be accessed from the cmd/server
package, which cannot be imported (since it's a "package main").
This change promotes DefaultConfig() to the "server" package.

Closes: #315

Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-01-16 16:22:35 -08:00
Xianglin Gao
088c53579a Remove byName in cmd/server/main.go, since urfave/cli#544 has been in.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2017-01-05 15:42:22 +08:00
Antonio Murdaca
ac7943c707 Merge pull request #285 from sameo/topic/network-bats
Add Initial networking BATs
2016-12-20 16:49:04 +01:00
Nalin Dahyabhai
5e28e20213 Fix client size reporting
The client size field that we get back when we inspect an image is a
pointer to a number, not just a number, so we need to dereference it for
display.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-20 09:06:07 -05:00
Samuel Ortiz
c525459000 main: Add CNI options
We add 2 ocid options for choosing the CNI configuration and plugin
binaries directories: --cni-config-dir and --cni-plugin-dir.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-20 12:50:17 +01:00
Mrunal Patel
edad8f866d Add configuration for specifying cgroup manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:04:34 -08:00
Nalin Dahyabhai
d45ff58056 Initialize the reexec package
Any binary that will be managing storage needs to initialize the reexec
package in order to be able to apply or read image layers.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:34 -05:00
Antonio Murdaca
e1054cf28e cmd/client: move pod create to pod run
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 18:15:37 +01:00
Antonio Murdaca
430297dd81 store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Mrunal Patel
79073df3c2 Merge pull request #215 from xlgao-zju/support-apparmor
support apparmor
2016-12-05 21:24:50 -08:00
Mrunal Patel
529bebbe68 Merge pull request #222 from mheon/kpod
Add basic skeleton of kpod executable
2016-12-01 20:37:32 -08:00
Matthew Heon
f512f211d0 Add basic skeleton of kpod executable
Signed-off-by: Matthew Heon <mheon@redhat.com>
2016-12-01 22:42:54 -05:00
Mrunal Patel
0d0b70a475 Add README for kpod
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-01 07:31:36 -08:00
Xianglin Gao
06cc0ba6ba Add docs about apparmor profile setting
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Antonio Murdaca
78ee03a8fc add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Mrunal Patel
5c1adcbf6a Add client implementation for exec sync
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-17 16:42:08 -08:00
Mrunal Patel
b62a150151 Update to the latest upstream API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-16 17:20:37 -08:00
Crazykev
82a01cbdda fix ocic time display
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-16 15:36:32 +08:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Crazykev
295c32331a sort all map type result in ocic
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 14:36:42 +08:00
Crazykev
ca59eaf1a4 display container metadata on the client for container list and status
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Aleksa Sarai
96c0966ce9 server: make logDir configurable
While logDir isn't currently used (until the conmon implementation
lands) it's probably not a great idea to hardcode our defaults. The main
issue with this setting is that the kubelet can override it at will.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Aleksa Sarai
33f47d6a6b server: make ImageStore configurable
It's a bit odd to have ImageStore be part of the config and yet we don't
allow people to modify it. However, leave it out of the commented
version because it's currently unused.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
e4b76edd96 Add timestamps to logs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-26 12:45:29 -07:00
Nalin Dahyabhai
346553312e Add "image list/remove/status" to the client
Add "image list", "image status", and "image remove" subcommands to the
client.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-10-26 13:19:36 -04:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Mrunal Patel
68a350d9ae Merge pull request #157 from YaoZengzeng/ocic-timeout
add timeout for ocic connect to server
2016-10-18 09:32:09 -07:00