Commit graph

529 commits

Author SHA1 Message Date
Mrunal Patel
3f9e539bde
Merge pull request #1117 from runcom/setup-cwd
container_create: setup cwd for containers
2017-11-04 05:21:26 -07:00
Antonio Murdaca
140f85df72
container_create: setup cwd for containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-03 19:23:44 +01:00
Mrunal Patel
fa1ad4f54e Add HOSTNAME env var to container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-11-02 10:24:56 -07:00
Mrunal Patel
4e2c6911ad
container: Don't add rprivate to all mounts
This fixes the mount propagation tests

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-11-02 16:07:52 +01:00
Mrunal Patel
815bb7652b
sandbox: Use first class sysctls instead of annotations
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:52 +01:00
Antonio Murdaca
c25530ac0b
server: implement update container resources
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:52 +01:00
Antonio Murdaca
7d7024999b
sandbox, ctrs: fixup seccomp for 1.8
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:52 +01:00
Antonio Murdaca
c70198617f
container_create: set mount propagation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Antonio Murdaca
e41ba62b19
container_create: honor no_new_privs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Antonio Murdaca
d6e819133d
*: initial update to kube 1.8
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Nalin Dahyabhai
2e5e92730a Switch to ImageServer.UntagImage in RemoveImage handler
Add an UntagImage() method to pkg/storage/ImageServer, which will check
if the passed-in NameOrID is a name.  If so, it merely removes that name
from the image, removing the image only if it was the last name that the
image had.  If the NameOrID is an image ID, the image is removed, as
RemoveImage() does.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-10-31 10:30:18 -04:00
Nalin Dahyabhai
3f2bc09231 Return image references in ImageStatus()
The image's canonical reference is a name with a digest of the image's
manifest, so compute and return that value as the image's reference in
ImageStatus() and in ContainerStatus().

We don't auto-store a name based on the image digest when we pull one by
tag, but then CRI doesn't need us to do that.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-10-31 10:29:06 -04:00
Daniel J Walsh
f6555bd868
Merge pull request #1087 from runcom/sort-mounts
container_create: sort mounts before adding them to the spec
2017-10-30 12:40:00 -04:00
Antonio Murdaca
15afc4d3de
container_create: sort mounts before adding them to the spec
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-29 12:31:18 +01:00
Mrunal Patel
03f9350a15 lint fixes
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-28 13:17:00 -07:00
Antonio Murdaca
584a256388
server: correctly return and close ch from exits routine
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-26 16:55:18 +02:00
Daniel J Walsh
a3cd7c422c Merge pull request #1052 from mheon/conmon_socket_as_arg
Make attach sockets directory an argument in Conmon
2017-10-24 21:48:33 -07:00
Antonio Murdaca
c316e5d8cf
oci: respect process spec on exec
This patch fixes exec to use the original (start-time) process exec
configuration. Otherwise, we were creating a brand new spec process w/o
additional groups for instance.
Spotted while integrating CRI-O with cri-test...The test was failing
with:
```
• Failure [10.640 seconds]
[k8s.io] Security Context
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
  bucket
  /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:407
    runtime should support SupplementalGroups [It]
    /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:272

    Expected
        <[]string | len:1, cap:1>: ["0"]
    to contain element matching
        <string>: 1234
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-24 22:39:17 +02:00
Matthew Heon
ae5fc471ea Make attach sockets directory an argument in Conmon
This is required to enable ongoing work in libpod

Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-24 15:42:23 -04:00
Mrunal Patel
d7d2ce7ce2 Merge pull request #1044 from runcom/fix-host-pid
fix host pid handling for containers and share uts ns
2017-10-19 14:11:41 -07:00
Antonio Murdaca
da725f3e5f
fix host pid handling for containers and share uts ns
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-19 21:13:28 +02:00
Mrunal Patel
b0e9f0eba8 Revert "Move crio default sock to /var/run/crio/crio.sock"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-19 10:13:49 -07:00
Antonio Murdaca
12ce3ba3ed Merge pull request #1030 from mrunalp/move_crio_sock
Move crio default sock to /var/run/crio/crio.sock
2017-10-19 00:53:10 +02:00
Daniel J Walsh
c2b7f37bd3 Merge pull request #1017 from baude/cri_tests_sandbox
server/sandbox_list.go: No error on filtered list find by ID
2017-10-18 16:10:11 -04:00
Mrunal Patel
c04f585a53 Merge pull request #1021 from runcom/fix-crio-versioning
version: fix version handling and kube info
2017-10-17 22:04:55 -07:00
Mrunal Patel
761e73c82e Move crio default sock to /var/run/crio/crio.sock
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-17 22:02:53 -07:00
Mrunal Patel
eafb7f7105 Merge pull request #1014 from runcom/oci-kill-all-fix
oci: fixes to properly handle container stop action
2017-10-17 21:59:32 -07:00
umohnani8
a11b1f953d Fixed logic flaw in the secrets mounts
Tested on a REHL box and found out that the mounts were not showing up
Had a logic flaw, where if the mount was "host:container"
Was setting the mount source to "host" and destination to "ctrRunDir/container"
When instead, the mount source should be "ctrRunDir/container" and destination "container"
with the data copied from "host" to "ctrRunDir/container"

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-17 13:08:42 -04:00
Antonio Murdaca
e07ba4b2d1
version: fix version handling and kube info
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-17 10:44:50 +02:00
Antonio Murdaca
c6f5a290d8
oci: fixes to properly handle container stop action
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-17 00:21:17 +02:00
baude
179a3f9c0e server/sandbox_list.go: No error on filtered list find by ID
We should not error when we try to find a pod ID in a filtered
list of sandboxes; instead we should return an empty struct
and log it.

This fixes another cri-test failure.

Signed-off-by: baude <bbaude@redhat.com>
2017-10-16 16:36:15 -05:00
Daniel J Walsh
7b9a5c259e Merge pull request #992 from baude/cri_tests_sec
Initial fixes for cri-tests
2017-10-13 19:15:08 -04:00
baude
fc2cae39ef Initial fixes for cri-tests
We now can pass 37/55 tests with this PR.  Remaining tests include may be fixed
with 1.8.

[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName
[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls
[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance]
[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix
[Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance]
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls
[Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa
[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container
[Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance]
[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser
[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container

Signed-off-by: baude <bbaude@redhat.com>
2017-10-13 08:36:14 -05:00
umohnani8
d1aea31786 Follow up changes on secrets patch
Deleted mounts.conf file and moved the secrets mount paths
to a list (default-mounts) in crio.conf

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-12 15:10:07 -04:00
Daniel J Walsh
5b41729b6c Merge pull request #942 from umohnani8/secrets_patch
Add secrets support to crio
2017-10-12 11:04:20 -04:00
umohnani8
d5b5028cb9 Add secrets patch to crio
Allows the user to define secret paths in /etc/containers/mounts.conf
These are then volume mounted into the container

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-11 20:00:38 -04:00
Mrunal Patel
bb4b2e9fea test: Modify Fatal to Fatalf as we have a specifier
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-10-11 14:51:11 -07:00
Mrunal Patel
7c2c9a8c85 test: Fix format specifier
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-10-10 16:23:54 -07:00
baude
3611f92ddf BUGFIX: Invalid return codes in kpod
Set the exitsdir for kpod back to /var/run/crio... so kpod can benefit
from the container exit file.

Because 0 is the int32 blank value, kpod needs its own container state
struct with the omitempty removed so it can actually display 0 in
its default json output.

Signed-off-by: baude <bbaude@redhat.com>
2017-10-04 09:34:28 -05:00
Dongsu Park
644a4af377 server: handle cases of securityContext, namespaceOptions being nil
Both GetSecurityContext() and GetNamespaceOptions() can return nil.
In these cases, cri-o will panic like this:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1 pc=0x1cc43f6]

goroutine 66 [running]:
.../cri-o/server.(*Server).RunPodSandbox(0xc42060e300, 0x7f611d37a0b8,
0xc420207e60, 0xc42015e318, 0x0, 0x0, 0x0)
        .../cri-o/server/sandbox_run.go:261 +0xfe6
.../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime._RuntimeService_RunPodSandbox_Handler(0x2180920,
0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc420505950, 0x0, 0x0, 0x0,
0x64ed0d, 0xc42064bc80)
        .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279
.../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4200a4240,
0x33f28e0, 0xc4204b0360, 0xc42074a870, 0xc420476de0, 0x33bcd38, 0xc420207e30, 0x0, 0x0)
```

Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
2017-09-29 17:00:16 +02:00
Dongsu Park
2080744963 server: fix panic when assigning entry to nil map
When running cri-tests with cri-o, I found out that cri-o panicked
immediately with the following message. Fix it by accessing to the
labels map only if it's non-nil.

```
panic: assignment to entry in nil map

goroutine 57 [running]:
.../cri-o/server.(*Server).RunPodSandbox(0xc42048e000, 0x7efcad4cd400,
0xc42066ec90, 0xc4201703d0, 0x0, 0x0, 0x0)
        .../cri-o/server/sandbox_run.go:225 +0xda5
.../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime
._RuntimeService_RunPodSandbox_Handler(0x21793e0, 0xc42048e000,
0x7efcad4cd400, 0xc42066ec90, 0xc4204fe780, 0x0, 0x0, 0x0, 0x0, 0x0)
        .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279
.../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc420
09e3c0, 0x33e79c0, 0xc4203d1950, 0xc42080a000, 0xc4202bb980, 0x33b1d58,
0xc42066ec60, 0x0, 0x0)
        .../cri-o/vendor/google.golang.org/grpc/server.go:638 +0x99c
```

Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
2017-09-29 16:19:21 +02:00
Mrunal Patel
db0bd66fca Merge pull request #917 from runcom/fixes-rc3-0
Fix Origin test and update kube to v1.7.6
2017-09-25 14:55:42 -07:00
Antonio Murdaca
3dd043c581
sandbox_network: pass sandbox to newPodNetwork
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
6c871769b4
server: more fixes for selinux and privileged mode
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
7b0bde4362
container_create: fix seccomp annotations
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
59c0218a9c
container_create: follow symlink for mount host path
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
e8cfe3b867
container_create: support seccomp docker/default annotation
Fixes the following Origin/Kube test:

```
• Failure [10.323 seconds]
[k8s.io] Security Context [Feature:SecurityContext]
/go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:619
  should support seccomp alpha docker/default annotation
[Feature:Seccomp] [It]
  /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/security_context.go:133

  Expected error:
      <*errors.errorString | 0xc420cbacf0>: {
          s: "expected \"2\" in container output: Expected\n
<string>: Seccomp:\t0\n    \nto contain substring\n    <string>: 2",
      }
      expected "2" in container output: Expected
          <string>: Seccomp:	0

      to contain substring
          <string>: 2
  not to have occurred
}
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Mrunal Patel
50baca10e9 Add crio annotations to container endpoint
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Mrunal Patel
2e3d5240c2 client: Add crio client package
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Antonio Murdaca
a11b8cd8ec
sandbox, ctr: SELinux fixes
server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: set selinux labels from request, not defaults

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container_create: use sandbox's selinux if container's nil

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: correctly init selinux labels

First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test: testdata: use container_runtime_t selinux type

RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 22:40:17 +02:00