Commit graph

111 commits

Author SHA1 Message Date
Antonio Murdaca
af0a494251
container_create: handle cap add/drop ALL
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 16:43:33 +02:00
Antonio Murdaca
e8553a124d
container_create: better handling of devices
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
b7b57e8731
container_create: Add TERM=xterm when tty=true
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
cde40ad5ca
container_create: set privileged on ctr only if also on sandbox
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
e1125af435
server: expose container Name and IP
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 17:14:53 +02:00
Antonio Murdaca
2ac2832686
server: container_create: store sandbox's ip in annotations
So it can be later retrieved when needed (cadvisor)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-02 02:05:58 +02:00
Antonio Murdaca
69fc590fc3
server: inspect: add log path and mount point for cadvisor
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-31 17:49:07 +02:00
Antonio Murdaca
f51ca87857
*: constify cgroups stuff
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-30 01:10:39 +02:00
Antonio Murdaca
c199f63dba
oci: join crio-conmon for cgroupfs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 23:00:02 +02:00
Antonio Murdaca
dd2b4a8907
server: container_create: fix cgroupfs scopes naming
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 23:00:00 +02:00
Antonio Murdaca
d56bf090ce
*: update kube vendor to v1.7.4
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:14 +02:00
Mrunal Patel
ea4b6fa55d container: Reduce number of calls to UpdateStatus
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Mrunal Patel
fa317b41fd Add volumes to container object at container create time
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Mrunal Patel
bfcebcdb00 Store imageName and imageRef for containers
We calculate these values at container creation time and store
them in the container object as they are requested during container
status. This avoids re-calculation and speeds up container status.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Daniel J Walsh
50ad19148d CRI-O default bind mounts to "rbind, rprivate" to match docker
Containers running in kubernetes currently do not specify options
for mount propagation and whether to bind or rbind the mount point.
Since docker defaults to bind and rbind, we should match their
behavious, since this is what admins expect

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-16 11:16:39 -04:00
asifdxtreme
1442ba988a Fix Typo to improve GoReport
Signed-off-by: asifdxtreme <mohammad.asif.siddiqui1@huawei.com>
2017-08-15 10:15:01 +08:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Antonio Murdaca
a35727c80b
*: implement additional pull registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-02 16:38:11 +02:00
Ryan Cole
b56da85fc1 Make container server update it's list of containers upon creation
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-01 11:44:57 -04:00
Ryan Cole
0c8f106ee8 add basic config struct to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-27 11:12:50 -04:00
Matthew Heon
158893bd1a Move Pod ID and Name indexes into libkpod
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-07-25 11:46:22 -04:00
Ryan Cole
49ed4ab710 move reserve/release container name into libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 10:35:31 -04:00
Ryan Cole
d625e0e468 move containerState to/from disk to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-24 10:35:20 -04:00
Ryan Cole
d50dba979e Move sandbox into its own package
If sandbox is in the same package as server, there will be a circular dependency when
kpod create is implemented

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-21 08:15:55 -04:00
Mrunal Patel
4128bbd7dc Bump up runtime-spec dependency to v1.0.0
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-19 21:38:05 -07:00
Ryan Cole
3ddf2efae2 Refactor server sandbox
Make sandbox struct and it methods public, and add accessor methods
for the struct fields

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-19 08:53:45 -04:00
Ryan Cole
64ad902480 Decouple kubernetes-dependent an non-dependent parts of server
Move non-kubernetes-dependent portions of server struct to libkpod.
So far, only the struct fields have been moved and not their dependent
functions

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-18 14:23:50 -04:00
Ryan Cole
f3efb850b7 Remove ImageSpec dependency from server
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-17 16:21:56 -04:00
Mrunal Patel
d02828e8a6 Support ImageVolumesBind when container is created
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-07-14 16:51:52 -07:00
Antonio Murdaca
17584facf0 Merge pull request #641 from mrunalp/pids_limit
Pids limit
2017-07-12 12:39:54 +02:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
ed9d49f247 container: Add cgroup mount for introspection
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 19:17:48 -07:00
Mrunal Patel
e49dd34657 Add support for container pids limit
We add a daemon level setting and will add a container
override once it is supported in CRI.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 14:59:52 -07:00
Mrunal Patel
d40883d88c container: Use ImageVolumes setting at container creation
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-10 13:46:14 -07:00
Andrew Pilloud
1a01ca7251 server: inherit rlimits from server
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-07-03 14:49:34 -07:00
Mrunal Patel
975347b874 container: Add containerID to annotations for the container
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-23 09:31:13 -07:00
Antonio Murdaca
6035cff9e4
server: standardize on naming
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-22 11:55:03 +02:00
Mrunal Patel
bd40bbc30b Add missing error checks and simplify bool check
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-16 15:49:16 -07:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Mrunal Patel
7b9032bac7 Merge pull request #579 from alexlarsson/non-terminal-attach
Implement non-terminal attach
2017-06-14 21:45:44 -07:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Antonio Murdaca
0dfec710f2
container_create: net files must be ro when rootfs is ro
we were blindly applying RO mount options but net addons like calico
modify those files.
This patch sets RO only when container's rootfs is RO, same behavior as
docker.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:34 +02:00
Antonio Murdaca
d2e1d559b7
container_create: just mkdir on image's volumes
tmpfs'es can override whatever there's on the container rootfs. We just
mkdir the volume as we're confident kube manages volumes in container.
We don't need any tmpfs nor any complex volume handling for now.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:31 +02:00
Antonio Murdaca
65d4ac8fc2
container_create: fix OCI processArgs assemblement
This patch fixes the following command:

kubectl run -i --tty centos --image=centos -- sh

The command above use to fail with:

/usr/bin/sh: /usr/bin/sh: cannot execute binary file

That's because we were wrongly assembling the OCI processArgs.

Thanks @alexlarsson for spotting this.

This patch basically replicates what docker does when merging container
config and image config. It also replicates how docker sets processArgs
for the OCI runtime.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 11:48:11 +02:00
Dan Walsh
4c48e13619 Need to be consistent in out nameing of Oci.
It should always be captitalized.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-05 15:11:03 -04:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00
Antonio Murdaca
f3650533f0
create src dir for bind mounts
match docker behavior for bind mounts

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Samuel Ortiz
e23d986cf2 container: Do not restrict path access for privileged containers
Privileged containers should see and reach all host paths.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-05-31 02:06:47 +02:00
Antonio Murdaca
089cb88f17
server: container_create: make the spec hostspecific
node-e2e tests were failing in RHEL because, if running a privileged
container, we get all capability in the spec. The spec generator wasn't
filtering caps based on actual host caps, it was just adding _everything_.
This patch makes spec generator host specific.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-30 18:30:26 +02:00
Antonio Murdaca
b4f1cee2a2
server: store and use image's stop signal to stop containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-27 10:21:04 +02:00