Commit graph

999 commits

Author SHA1 Message Date
Daniel J Walsh
54ee55493d Need to cleanup all pods on service poweroff
When powering off the system, we want the ocid service, to shutdown
all containers running on the system so they can cleanup properly
This patch will cleanup all pods on poweroff.

The ocid-shutdown.service drops a file /var/run/ocid.shutdown when the system
is shutting down. The ocid-shutdown.service should only be executed at system
shutdown.

On bootup sequence should be
start ocid.service
start ocid-shutdown.service (This is a NO-OP)

On system shutdown
stop ocid-shutdown.service (Creates /var/run/ocid.shutdown)
stop ocid.service (Notices /var/run/ocid.service and stops all pods before exiting.)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-04-14 06:04:14 -04:00
Antonio Murdaca
7d7570e604 Merge pull request #449 from mrunalp/release_0.2
Release version 0.2
2017-04-13 20:30:55 +02:00
Mrunal Patel
32b546cf0b Release version 0.2
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-13 09:50:14 -07:00
Antonio Murdaca
95f683b402 Merge pull request #447 from mrunalp/update_spec
Update runtime-spec to v1.0.0.rc5
2017-04-13 13:22:01 +02:00
Mrunal Patel
24df2538db Update runtime-spec to v1.0.0.rc5
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-12 19:15:53 -07:00
Mrunal Patel
b6c022caae Merge pull request #434 from sameo/topic/ocicni-fixes
ocicni: support for asynchronous CNI config changes
2017-04-12 14:02:26 -07:00
Antonio Murdaca
a8b73e7583 Merge pull request #445 from cyphar/conmon-split-stderr
conmon: split std{out,err} pipe for !terminal containers
2017-04-12 21:01:42 +02:00
Aleksa Sarai
6940313691
test: add tests for split std{err,out}
Now that we have support for split std{out,err}, make sure that execsync
will correctly handle the split stdio properly. In addition, extend the
ctr logging test to make sure that the regular container logging is also
split correctly. We can't test !terminal containers because we only have
a single console for both std{out,err}.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-12 21:59:25 +10:00
Aleksa Sarai
87faf98447
oci: make ExecSync handle split std{out,err}
Now that conmon splits std{out,err} for !terminal containers, ExecSync
can parse that output to return the correct std{out,err} split to the
kubelet. Invalid log lines are ignored but complained about.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-12 21:59:25 +10:00
Aleksa Sarai
d4c9f3e6dc
conmon: split std{out,err} pipe for !terminal containers
While it's not currently possible to do this for terminal=true
containers, for !terminal containers we can create separate pipes for
stdout and stderr, and then log them separately. This is required for
k8s's conformance tests.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-12 21:59:24 +10:00
Aleksa Sarai
35a6403604
*: build with C99
It's 2017, let's not stick with C89 (also for some reason the Travis
environment has a different -std= default value than my local machine).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-12 21:59:16 +10:00
Mrunal Patel
5589f929c0 Merge pull request #443 from runcom/expose-mount-cstatus
server: expose mounts in container status
2017-04-11 09:01:37 -07:00
Mrunal Patel
7d329bcfde Merge pull request #436 from cyphar/conmon-sane-line-endings
conmon: handle multi-line logging
2017-04-11 08:36:30 -07:00
Antonio Murdaca
7081620128
server: expose mounts in container status
Fix 5 more tests from k8s's conformance tests
```
Ran 5 of 213 Specs in 76.068 seconds
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 208 Skipped PASS
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-11 16:51:09 +02:00
Aleksa Sarai
afadd0aab9
conmon: handle multi-line logging
The CRI requires us to prepend (timestamp, stream) to every line of the
output, and it's quite likely (especially in the !terminal case) that we
will read more than one line of output in the read loop.

So, we need to write out each line separately with the prepended
timestamps. Doing this the simple way (the final part of the buffer is
written partially if it doesn't end in a newline) makes the code much
simpler, with the downside that if we ever switch to multiple streams
for output we'll have to rewrite parts of this.

In addition, drop the debugging output of cri-o for each chunk read so
we stop spamming stderr. We can do this now because 8a928d06e7
("oci: make ExecSync with ExitCode != 0 act properly") actually fixed
how ExecSync was being handled (especially in regards to this patch).

Fixes: 1dc4c87c93 ("conmon: add timestamps to logs")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-11 20:32:24 +10:00
Aleksa Sarai
8a928d06e7
oci: make ExecSync with ExitCode != 0 act properly
Previously we returned an internal error result when a program had a
non-zero exit code, which was incorrect. Fix this as well as change the
tests to actually check the "ExitCode" response from ExecSync (rather
than expecting ocic-ctr to return an internal error).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-11 20:32:18 +10:00
Mrunal Patel
32750cd3f3 Merge pull request #440 from runcom/image-pull-secret
server: add auth info to image pull
2017-04-10 09:42:21 -07:00
Samuel Ortiz
07ccda3395 tests: Install CNI configuration files by default
Since we no longer fall back to the noop plugin when
CNI configuration files are missing, and since the default
sandbox_config.json test file is running without host
networking, we must install the bridge and loopback
configuration files by default for tests to pass.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-10 17:36:34 +02:00
Samuel Ortiz
63c7a7c99b ocicni: Support asynchronous network config creation
We need to support cases where InitCNI() is called before
any CNI configuration files have been installed. This is
for example happening when deploying a k8s cluster with kubeadm.
kubeadm will start the DNS pod and it is left to the caller to
pick a network overlay and create the corresponding pods, that
will typically install a CNI configuration file first.

Here we address that issue by doing 2 things:

- Not returning an error when the default CNI config files
  directory is empty.
- If it is empty, we start a monitoring thread (fsnotify based)
  that will synchronize the network configuration when a CNI
  file is installed there.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-10 17:36:28 +02:00
Antonio Murdaca
05cde3e759
server: add auth info to image pull
Fix the following upstream k8s's e2e-node test:
```
should be able to pull from private registry with secret [Conformance]
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-10 17:09:56 +02:00
Samuel Ortiz
bc4ac7ce04 vendor: Add fsnotify and remove glog
fsnotify is needed by the new ocicni monitoring implementation.
As ocicni switched to logrus, glog is no longer needed.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 23:06:36 +02:00
Samuel Ortiz
71cfd850f7 ocicni: Convert logs to logrus
To be consistent with the rest of the CRI-O logs, and to be able
to set the ocicni verbosity, we convert it from glog to logrus.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 23:06:36 +02:00
Antonio Murdaca
88be3a2f91 Merge pull request #435 from surajssd/print-pid-int
Print received container pid as int
2017-04-06 18:49:32 +02:00
Antonio Murdaca
0854c081ec Merge pull request #433 from sameo/topic/sandboxrun-fixes
server: Fix RunPodSandbox error path
2017-04-06 18:46:24 +02:00
Suraj Deshmukh
da89d28473 Print received container pid as int
Earlier the received container pid was printed as unicode
character, this is fixed to print integer.

Fixes #431
2017-04-06 22:14:29 +05:30
Antonio Murdaca
e0abd16421 Merge pull request #432 from runcom/mock-exec
server: mock ExecResponse
2017-04-06 17:54:28 +02:00
Samuel Ortiz
ea1f6517c1 server: Fix RunPodSandbox error path
When RunPodSandbox fails after calling s.addSandbox(sb),
we're left with a sandbox in s.state.sandboxes while the
sandbox is not created.

We fix that by adding removeSandbox() to the deferred cleanup
call

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 17:36:26 +02:00
Antonio Murdaca
87e288d13a
server: mock ExecResponse
This patch prevents k8s's e2e_node tests from killing CRI-O (because of
a panic in marshaling nil responses). This will ensure tests keep
running and just logging the failure.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-06 16:37:13 +02:00
Mrunal Patel
4247f68764 Merge pull request #428 from mheon/update_cni_buildpath
Change path of CNI build script
2017-04-05 16:06:02 -07:00
Matthew Heon
517f43ce19 Change path of CNI build script and pin to a commit
As of containernetworking/cni commit 1b9caefba5670c59e0ccbf0b008d88da52a7d498,
the script to build has changed from 'build' to 'build.sh' which broke our
integration tests. Change the integration test Dockerfile to update this path,
and update the tutorial for good measure. Pin to current master to ensure this
breakage doesn't happen again.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-04-05 14:27:58 -04:00
Antonio Murdaca
09d2a6b519 Merge pull request #427 from mrunalp/fix_nil_config
Check for case when image config isn't present
2017-04-05 12:42:58 +02:00
Mrunal Patel
aac24e1715 Check for case when image config isn't present
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-04-04 15:42:58 -07:00
Mrunal Patel
2b5dca3950 Merge pull request #424 from runcom/fix-schema1-config
read image config from docker v2s1 manifests
2017-04-04 14:49:54 -07:00
Antonio Murdaca
3c7f3ab2ec Merge pull request #409 from sameo/topic/fat-lock
Serialize Update and Sandbox/Container creation operations
2017-04-04 23:23:19 +02:00
Aleksa Sarai
7f660a2060
merge branch 'pr-162'
Closes #162
LGTMs: @sameo @runcom @mrunalp @cyphar
2017-04-05 04:50:27 +10:00
Aleksa Sarai
7679a84c6d
server: issues.k8s.io/44043 workaround
Because kubelet will create broken symlinks for logPath it is necessary
to remove those symlinks before we attempt to write to them. This is a
temporary workaround while the issue is fixed upstream.

Ref: https://issues.k8s.io/44043
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
65527da361
test: add logging tests
The main purpose of these tests is to make sure that the log actually
contains output from the container. We don't test the timestamps or the
stream that's stated at the moment.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
c31f2cf0ee
test: unset log_* in configurations
This is necessary, as otherwise ocid will use its own current directory
as a log_directory, which is not the best idea in the world. The same
applies for log_path.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Mrunal Patel
1dc4c87c93
conmon: add timestamps to logs
CRI requires us to timestamp our logs line-by-line by specifying whether
the line came from std{out,err} and the time at which the log was
recieved. This is a preliminary implementation of said behaviour
(without explicit newline handling at the moment).

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Aleksa Sarai
14a37fb407
conmon: use pipes rather than socketpairs for !terminal
While pipes have their downsides, it turns out that socketpair(2) will
break any program that tries to open /dev/std{out,err} for writing
(because they're symlinked to /proc/1/fd/{1,2} which will cause lots of
fun issues with sockets).

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Aleksa Sarai
c290c0d9c3
conmon: implement logging to logPath
This adds a very simple implementation of logging within conmon, where
every buffer read from the masterfd of the container is also written to
the log file (with errors during writing to the log file ignored).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Aleksa Sarai
266c757cc6
runc: update to 31980a53ae7887b2c8f8715d13c3eb486c27b6cf
This is necessary for --console-socket.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:56 +10:00
Aleksa Sarai
00589b3682
test: fix runtimeversion test
The runtimeversion test was incorrectly written and would fail for no
good reason if setup_ocid happened to run a command that failed (even if
it was handled).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:56 +10:00
Aleksa Sarai
8f280dc5c6
oci: ignore silly lint errors
checking lint
  oci/oci.go:372:⚠️ declaration of err shadows declaration at oci.go:240:  (vetshadow)
  oci/oci.go:265:15⚠️ error return value not checked (os.RemoveAll(logPath)) (errcheck)

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:56 +10:00
Samuel Ortiz
be5084387c server: Serialize container/pod creation with updates
Interleaving asynchronous updates with pod or container creations can
lead to unrecoverable races and corruptions of the pod or container hash
tables. This is fixed by serializing update against pod or container
creation operations, while pod and container creation operations can
run in parallel.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 18:43:21 +02:00
Samuel Ortiz
c89cc876d2
server: Remove Image Config hack
Now that the image package has fixes to support docker images v2s1,
we can remove our buildOCIProcessARgs() hack for empty image configs
and simplify this routine.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-04 17:52:40 +02:00
Antonio Murdaca
a0071de607
read image config from docker v2s1 manifests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-04 17:52:37 +02:00
Samuel Ortiz
d1006fdfbc server: Add new sandboxes to the sandbox hash table first
We want new sandboxes to be added to the sandbox hash table before
adding their ID to the pod Index registrar, in order to avoid potential
Update() races.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 17:22:34 +02:00
Aleksa Sarai
70883dbe6b
lint: bump cyclo
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-04 20:51:29 +10:00
Antonio Murdaca
6b704d1f78 Merge pull request #425 from mrunalp/ctr_status_labels
Add labels/annotations to container status
2017-04-04 11:17:44 +02:00