Commit graph

64 commits

Author SHA1 Message Date
umohnani8
e35204c5e0 Fix create container failure due to wrong image reference
When the image name is resolved with the registries from crio.conf only
the resolved name with the first registry is passed to create_container
eventhough there are more registries in the crio.conf file.
Fix this to try the resolved image names with all the registries given in the conf file.

Signed-off-by: umohnani8 <umohnani@redhat.com>
2018-03-02 11:13:51 -05:00
Mrunal Patel
5f7ac28059 Update code for latest k8s
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2018-02-21 11:03:56 -08:00
Mrunal Patel
ea90be40c4
Merge pull request #1337 from nalind/fix-runasuser-cache
imageService: cache information about images
2018-02-15 11:22:33 -08:00
Mrunal Patel
125ec8a7bd image: Add lock around image cache access
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2018-02-15 10:27:39 -05:00
Nalin Dahyabhai
c53211eacd imageService: cache information about images
Cache information about images that isn't trivially read from them, so
that ImageStatus and particularly ListImages don't have to do
potentially-expensive things for every image that they report.

The cache is an in-memory map, and we prune it after ListImages has
assembled its result set.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2018-02-14 14:41:03 -05:00
Antonio Murdaca
96fb47213e
container_create: correctly set user
We had a bug in ImageStatus where we weren't returning the default
image user if set, thus running all containers as root despite a user
being set in the image config. We weren't populating the Username field
of ImageStatus.
This patch fixes that along with the handling of multiple images based
on the registry patch for multiple images.
It also fixes ListImages to return Username as well.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-02-14 13:17:20 +01:00
Antonio Murdaca
ab204b6641
sandbox: record whether sb is using host network
We need to record whether the sandbox is using hostnetwok because the
kubelet needs that information when computing pod changes. Without this
patch it could happen that a pod that's using host network is restarted
just because the sandbox's status isn't reporting that it's running
using host network.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-02-13 11:45:33 +01:00
Antonio Murdaca
e5fc48a3ca
sandbox: restore portMappings on restart
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-02-12 11:32:17 +01:00
Antonio Murdaca
a0157078ad
sandbox: fix sandbox logPath when crio restarts
We weren't setting the logPath of the sandbox when restoring sandboxes
and containers upon a crio restarts. That means that if you restart
CRI-O you get sandboxes with empty logPath. That means that when you're
starting a container in a restored sandbox you get a relative logPath
for the container:

sandboxLogPath: "/var/something"
- restore
sandboxLogPath: ""
- create container foo
containerLogPath: "foo_attempt.log"

With this patch we actually get an absolute path (which is correct):

sandboxLogPath: "/var/something"
- restore
sandboxLogPath: "/var/something"
- create container foo
containerLogPath: "/var/something/foo_attempt.log"

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2018-02-09 15:54:47 +01:00
Nalin Dahyabhai
5ea050fc12 Handle truncated IDs in imageService.ResolveNames()
Have ResolveNames() check if the value that it's been given is a
truncated version of the ID of a locally-available image, and if it is,
return the value as it was given.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 14:23:53 -05:00
Nalin Dahyabhai
ff7bbb4f0d Switch to ImageServer.UntagImage in RemoveImage handler
Add an UntagImage() method to pkg/storage/ImageServer, which will check
if the passed-in NameOrID is a name.  If so, it merely removes that name
from the image, removing the image only if it was the last name that the
image had.  If the NameOrID is an image ID, the image is removed, as
RemoveImage() does.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 14:23:53 -05:00
Nalin Dahyabhai
f3b7065bd8 Return image references from the storage package
The image's canonical reference is a name with a digest of the image's
manifest, so in imageService.ImageStatus() and
imageService.ListImages(), divide the image's name list into tagged and
digested values, and if we have names, add canonical versions.

In Server.ContainerStatus(), return the image name as it was given to us
as the image, and the image digested reference as the image reference.

In Server.ListImages(), be sure to only return tagged names in the
RepoTags field.  In Server.ImageStatus(), also return canonical
references in the RepoDigests field.

In Server.PullImage(), be sure that we consistently return the same
image reference for an image, whether we ended up pulling it or not.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 14:23:52 -05:00
Nalin Dahyabhai
553979e1fc storage: API fixups
github.com/containers/image/types.ImageReference.NewImage() can take a
*github.com/containers/image/types.SystemContext now, so pass it one if
pkg/storage/imageService.CanPull() has one to give it.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-14 11:06:55 -05:00
Antonio Murdaca
87f1ae214f
image_pull: fix image resolver
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-28 23:53:18 +01:00
Antonio Murdaca
befd719812
Revert "Merge pull request #654 from nalind/storage-update"
This reverts commit 4c06116c18, reversing
changes made to c5e73ba65f.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-12 01:54:19 +01:00
Antonio Murdaca
4f4e228274
pkg: storage: image: close image after using it
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-10 14:21:22 +01:00
Antonio Murdaca
8611c2dfef
image_pull: repull when image ID (config digest) changed
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-09 19:46:55 +01:00
Antonio Murdaca
7d7024999b
sandbox, ctrs: fixup seccomp for 1.8
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:52 +01:00
Nalin Dahyabhai
2e5e92730a Switch to ImageServer.UntagImage in RemoveImage handler
Add an UntagImage() method to pkg/storage/ImageServer, which will check
if the passed-in NameOrID is a name.  If so, it merely removes that name
from the image, removing the image only if it was the last name that the
image had.  If the NameOrID is an image ID, the image is removed, as
RemoveImage() does.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-10-31 10:30:18 -04:00
Nalin Dahyabhai
3f2bc09231 Return image references in ImageStatus()
The image's canonical reference is a name with a digest of the image's
manifest, so compute and return that value as the image's reference in
ImageStatus() and in ContainerStatus().

We don't auto-store a name based on the image digest when we pull one by
tag, but then CRI doesn't need us to do that.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-10-31 10:29:06 -04:00
Antonio Murdaca
9ec518491f
server: correctly set hostname
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:31 +02:00
Antonio Murdaca
22f96b1806
fix issue with official images and manifest lits
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-13 19:01:06 +02:00
Antonio Murdaca
836919876a pkg: storage: image: get size from image ID
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-08 07:27:48 -07:00
Mrunal Patel
b13e881a9b Merge pull request #858 from runcom/fix-add-registry
pkg: storage: fix additional registries
2017-09-07 07:34:57 -07:00
Antonio Murdaca
70657ea19a Merge pull request #854 from dcbw/cni-updates
Use CNI driver from cri-o/ocicni instead of internal one
2017-09-07 12:33:31 +02:00
Antonio Murdaca
1f908f0890
pkg: storage: fix additional registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 11:57:16 +02:00
Mrunal Patel
a81e90a9c9 Merge pull request #848 from runcom/panic-img
pkg: storage: fix panic when no image names
2017-09-06 17:31:34 -07:00
Dan Williams
0df30c5319 server: port to github.com/cri-o/ocicni; remove pkg/ocicni
Signed-off-by: Dan Williams <dcbw@redhat.com>
2017-09-06 16:07:50 -05:00
Antonio Murdaca
b29c6108e2
pkg: storage: fix panic when no image names
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 11:32:53 +02:00
Antonio Murdaca
5d637f015d
*: store sandbox IP
Don't call into net namespace on every status call

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-02 02:05:12 +02:00
Antonio Murdaca
b16d73ab2f
server: image_list: report image size
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-31 17:50:25 +02:00
Antonio Murdaca
69fc590fc3
server: inspect: add log path and mount point for cadvisor
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-31 17:49:07 +02:00
Rajat Chopra
1084ce691a monitor CNI networks continuously
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2017-08-28 15:47:15 -04:00
Antonio Murdaca
8088d7a1e2
*: fix lint issues
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:18 +02:00
Mrunal Patel
5ab6ec3046 oci: Add volumes field to Container
We add a ContainerVolume struct and store a list of volumes
in the Container object for quick retrieval.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Mrunal Patel
bfcebcdb00 Store imageName and imageRef for containers
We calculate these values at container creation time and store
them in the container object as they are requested during container
status. This avoids re-calculation and speeds up container status.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Nalin Dahyabhai
0b7348b35c Use errors.Cause() when looking at storage errors
The storage library uses github.com/pkg/errors to wrap errors that it
returns from many of its functions, so when passing them to
os.IsNotExist() or comparing them to specific errors defined in the
storage library, unwrap them using errors.Cause().

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-08-03 15:40:54 -04:00
Antonio Murdaca
a35727c80b
*: implement additional pull registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-02 16:38:11 +02:00
Nalin Dahyabhai
82c90747c2 Don't double-free an UnparsedSource
github.com/containers/image.FromUnparsedImage() "takes ownership" of the
UnparsedImage that we pass to it, so we shouldn't also Close() the
UnparsedImage ourselves after we've wrapped it up in an Image object.

Since creating an Image is the only thing we do with the UnparsedImage
after creating it from a SourceImage, just use the FromSource() function
to handle both steps at once.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-07-26 15:52:51 -04:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Antonio Murdaca
3f56193a15 Merge pull request #577 from runcom/insecure-regisrties
*: support insecure registries
2017-06-09 20:31:43 +02:00
Samuel Ortiz
b480336dd7 ocicni: Handle create and write events
By only handling create events, we are breaking plugins that don't
create and write atomically, like weave for example.
The Weave plugin creates the file first and later write to it. We are
missing the second part and never see the final CNI config file.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-09 10:19:26 +02:00
Antonio Murdaca
8b53fabcbd
*: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Antonio Murdaca
3b545abf12
image_pull: check image already pulled
This is an optimization of our image pull code path. It's basically
how docker handles pulls as well. Let's be smart and check the image in
pull code path as well.
This also matches docker behavior which first checks whether we're
allowed to actually pull an image before looking into local storage.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 15:03:27 +02:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00
Antonio Murdaca
a37dd46654
*: stability fixes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 15:42:01 +02:00
Antonio Murdaca
ecd0006e80
vendor: upgrade containers/storage
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-17 22:18:07 +02:00
Dan Walsh
4493b6f176 Rename ocid to crio.
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name.  We want to elminate the name ocid from use.
Move fully to crio.

Also cric is being renamed to crioctl for the time being.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-12 09:56:06 -04:00