Commit graph

1257 commits

Author SHA1 Message Date
Mrunal Patel
d0486e542f Support detaching in CRI attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
6e53568d15 conmon: Close client on zero read from attach client
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
0b6f68479b utils: Add function to allow copying with detach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:52 -07:00
Antonio Murdaca
148e72d81e
vendor: remove dep and use vndr
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:21 +02:00
Antonio Murdaca
16f44674a4
Makefile: exclude ./vendor from git-validation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-07 00:04:15 +02:00
Mrunal Patel
7c56d20988 Merge pull request #567 from vbatts/tutorial
tutorial: pull the redis image first
2017-06-06 14:59:27 -07:00
Antonio Murdaca
3f7e8e9884 Merge pull request #546 from mrunalp/cri/attach
Attach
2017-06-06 22:43:06 +02:00
e63bace453
tutorial: pull the redis image first
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-06-06 16:00:36 -04:00
Mrunal Patel
8f5f7aa5e2 Add code to handle CRI attach
A goroutine is started to forward terminal resize requests
from the resize channel. Also, data is copied back/forth
between stdin, stdout, stderr streams and the attach socket
for the container.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
1a6825758c conmon: Add control fifo for terminal resize handling
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
065f12490c conmon: Add unix domain socket for attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
5c383d13d2 conmon: Add info/warn to syslog as well
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
fee5291495 Merge pull request #563 from rhatdan/master
Need to be consistent in out nameing of OCI
2017-06-05 18:09:52 -07:00
Dan Walsh
4c48e13619 Need to be consistent in out nameing of Oci.
It should always be captitalized.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-05 15:11:03 -04:00
Mrunal Patel
7f2a769f96 Merge pull request #559 from runcom/fix-net-tests-node-e2e-rhel
contrib: test: fix failing networking tests in RHEL
2017-06-04 15:31:00 -07:00
Antonio Murdaca
4369537d32
contrib: test: fix failing networking tests in RHEL
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-04 19:30:30 +02:00
Antonio Murdaca
8fa574325e Merge pull request #556 from sameo/topic/conmon-fix
conmon: Fix Ubuntu build failure
2017-06-03 23:27:08 +02:00
Mrunal Patel
34357ec7a4 Merge pull request #557 from runcom/streamserver-bindaddress
server: do not use localhost for streaming service
2017-06-03 11:01:43 -07:00
Antonio Murdaca
315c385371
server: do not use localhost for streaming service
The bug is silly if you have a master/node cluster where node is on a
different machine than the master.
The current behavior is to give our addresses like "0.0.0.0:10101". If
you run "kubectl exec ..." from another host, that's not going to work
since on a different host 0.0.0.0 resolves to localhost and kubectl
exec fails with:

error: unable to upgrade connection: 404 page not found

This patch fixes the above by giving our correct addresses for reaching
from outside.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-03 18:26:33 +02:00
Samuel Ortiz
23ca7307e4 conmon: Fix Ubuntu build failure
conmon.c fails to build on Ubuntu:

cc -std=c99 -Os -Wall -Wextra -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include   -c -o conmon.o conmon.c
In file included from /usr/include/fcntl.h:289:0,
                 from conmon.c:4:
In function ‘open’,
    inlined from ‘main’ at conmon.c:519:10:
/usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
    __open_missing_mode ();
    ^
<builtin>: recipe for target 'conmon.o' failed
make[1]: *** [conmon.o] Error 1

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-03 01:37:24 +02:00
Antonio Murdaca
a8848bc028 Merge pull request #550 from sameo/topic/annotations
pkg/annotations: Export CRI-O annotations namespace
2017-06-02 23:06:47 +02:00
Antonio Murdaca
14983d1402 Merge pull request #553 from mrunalp/add_missing_include
Add missing include for writev
2017-06-02 23:06:18 +02:00
Mrunal Patel
5d9dcc8431 Add missing include for writev
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-06-02 10:29:50 -07:00
Mrunal Patel
6ff71d0f84 Merge pull request #552 from alexlarsson/conmon-fixes
Various fixes for conmon
2017-06-02 10:10:16 -07:00
Alexander Larsson
2507ba6453 Remove json-glib in the remaining places
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:18:27 +02:00
Alexander Larsson
f4b3e90141 conmon: Make console socket mode 0700
It doesn't make sense for other users to connect to this, so
lets make sure of this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:26 +02:00
Alexander Larsson
f1b0f542e1 conmon: Silence uninitialized read compiler warning
This is not actually read uninitialized, its just that the compiler
can't detect this, but we initilize it anyway to silence the compiler.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:21 +02:00
Alexander Larsson
fe6f1f4786 conmon: Add -Os flag
This is what the other C code uses, and its nice to have as adding
any optimization flags enables a bunch of more warnings.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:15 +02:00
Alexander Larsson
1a168cb196 conmon: Drop json-glib dependency
json-glib is a fine library for parsing json. However, all we need
to do is generate some trivial json output, so it is not needed.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:10 +02:00
Alexander Larsson
f3408cbb5c conmon: Make all file descriptors CLOEXEC
We want to avoid inheriting these into the child. Doing so is both
confusing for the child, and a potential security issue if the
container has access to FDs that are from the outside of the
container.

Some of these are created after we fork for the child, so they
are not technically necessary. However, its best to do this as
we may change the code in the future and forget about this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:06 +02:00
Alexander Larsson
829ec7f351 conmon: Build argv instead of commandline to spawn runtime
This means we don't have to spawn via a shell, but it also
means we do the right thing for any input that would have
needed to be escaped. For instance if the container name had
a $ in i, or even worse, a back-quote!

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:11:01 +02:00
Alexander Larsson
d2f09ef483 conmon: Increase buffer size
The buffer is used to read from the stderr/stdout stream, which
can easily be larger than 256 bytes. With a larger buffer we will
do fewer, larger reads, which is more efficient. And 8k more stack
size use is not really a problem.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:56 +02:00
Alexander Larsson
fe80f857ca conmon: Fix cgroup subsystem parsing
The code as is doesn't handle merged controllers.
For instance, I have this in my /proc/self/cgrous:

4:cpu,cpuacct:/user.slice/user-0.slice/session-4.scope

The current code fails to match "cpuacct" wit this line, and
additionally it just does a prefix match so if you were looking
for say "cpu", it would match this:

2:cpuset:/

I also removed some ninfo spew that didn't seem very useful.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:36 +02:00
Alexander Larsson
d34c5829f8 conmon: Write log in larger chunks
Rather than writing the logs with one write per line, use writev()
to write multiple lines in one call. Additionally, this avoids
using dprintf() when writing to the log, which is nice because that
doesn't correctly handle partial writes or ENOINTR.

This also changes set_k8s_timestamp to add the pipe to the reused
buffer so that we don't have to append it on each line.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:10:30 +02:00
Alexander Larsson
ae933d0d03 conmon: Handle EINTR and partial writes when writing
Any write could be interupted by EINTR if we get some kind of signal,
which means we could be either reporting a EINTR error or a partial
write (if some data was written). Its also generally good to handle
partial writes correctly, as they can happen e.g. when writing to
full pipes.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-02 16:09:48 +02:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00
Mrunal Patel
36255b8663 Merge pull request #549 from runcom/stability-fixes
Stability fixes
2017-06-01 10:10:14 -07:00
Antonio Murdaca
f3650533f0
create src dir for bind mounts
match docker behavior for bind mounts

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
a28ed75e12
sandbox_run: fix name releasing on error
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
6fd1c8957c
RemovePodSandbox must be idempotent
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
88fb9094d0
oci: do not error out on runtime state failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:17 +02:00
Antonio Murdaca
a37dd46654
*: stability fixes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 15:42:01 +02:00
Mrunal Patel
b5153e08c5 Merge pull request #547 from sameo/topic/privileged-paths
container: Do not restrict path access for privileged containers
2017-05-30 21:38:57 -07:00
Samuel Ortiz
e23d986cf2 container: Do not restrict path access for privileged containers
Privileged containers should see and reach all host paths.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-05-31 02:06:47 +02:00
Mrunal Patel
42d2fa6576 Merge pull request #545 from runcom/fix-hostspecific-spec
server: container_create: make the spec hostspecific
2017-05-30 11:49:22 -07:00
Antonio Murdaca
089cb88f17
server: container_create: make the spec hostspecific
node-e2e tests were failing in RHEL because, if running a privileged
container, we get all capability in the spec. The spec generator wasn't
filtering caps based on actual host caps, it was just adding _everything_.
This patch makes spec generator host specific.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-30 18:30:26 +02:00
Mrunal Patel
90e3e7a632 Merge pull request #529 from runcom/k8s-node-e2e-RHEL
enable RHEL k8s node-e2e tests
2017-05-30 07:42:09 -07:00
Antonio Murdaca
cf037ce947
contrib: test: fix and enable RHEL k8s node-e2e tests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-30 11:52:59 +02:00
Mrunal Patel
fa8d5c035a Merge pull request #544 from runcom/fix-panics
[e2e fix] server: add nil checks to not panic
2017-05-29 12:20:22 -07:00
Antonio Murdaca
404194c1fd
server: add nil checks to not panic
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-29 13:16:27 +02:00