This patch fixes selinuxopt generation as found in:
```
install /usr/sbin/selinuxenabled -D -m 644 crio.conf /etc/crio/crio.conf
```
The above is clearly wrong when installing the configuration because
`command -v` outputs the path of selinuxenabled as well, resulting in
`/usr/bin/selinuxenabled -Z`
This patch fixes that by just echoing the -Z as needed.
Issue introduced in
https://github.com/kubernetes-incubator/cri-o/pull/1363
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This should have happened in f4883dd2 (Makefile: do not install man1
files, 2017-11-08, #1129). It may have been missed due to the
man1/man8 typo from e61c672a (Add missing man pages and bash
completions for kpod, 2016-12-02, #230).
Signed-off-by: W. Trevor King <wking@tremily.us>
The hard-coded path landed in 488216f5 (Make sure selinuxenabled
exists before executing it, 2016-10-17, #154), but there's no need to
require that path. Using 'command -v' (in POSIX [1]) supports anyone
who has selinuxenabled in their PATH.
[1]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html
Signed-off-by: W. Trevor King <wking@tremily.us>
Without this change, hitting these targets directly will fail. For
example:
```
$ make clean
$ make MANDIR=/tmp install.man
install -d -m 755 /tmp/man5
install -d -m 755 /tmp/man8
install -m 644 docs/crio.conf.5 -t /tmp/man5
install: cannot stat 'docs/crio.conf.5': No such file or directory
make: *** [Makefile:150: install.man] Error 1
```
Signed-off-by: W. Trevor King <wking@tremily.us>
Umount/Remove below can go wrong and next calls to NetNsRemove would
trigger:
```
481 Feb 22 14:37:35 ip-172-31-48-190.ec2.internal
atomic-openshift-node[88937]: E0222 14:37:35.291692 88937
remote_runtime.go:115] StopPodSandbox
"200a062985ebfda2bbdb1b5d724005d4a0c1be54f277a4de52f9f101d9c43db6" from
runtime service failed: rpc error: code = Unknown desc = close
/var/run/netns/k8s_psql-1-tht5r_bingli328usyu727s_6a7b8edc-174d-11e8-9e8f-0a46c474dfe0_
0-dda1c649: file already closed
```
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Make this more like the runtime spec, using the RFC 2119 keywords for
both JSON-author and CRI-O requirements. This also clarifies the
regular expression language (POSIX EREs), links to a JSON spec, and
tightens wording for the various matching criteria.
I think the hook-config format could be improved (versioning it, and
reusing the runtime-spec hook structure instead of renaming 'path' to
'hook', dropping 'timeout', etc.). But I'm leaving that sort of thing
to future work.
Signed-off-by: W. Trevor King <wking@tremily.us>
These backticks landed with the rest of the hook docs in 139d0841 (Add
support for oci-hooks to libkpod, 2017-08-12, #562). But "CRI-O" is
the project name, so it doesn't need backticks. We would need
backticks if we used the executable filename "crio".
Signed-off-by: W. Trevor King <wking@tremily.us>
The old "won't never" was a potentially-confusing double negative.
This commit rewords the comment to avoid that issue and also lands
some other minor cleanups.
Signed-off-by: W. Trevor King <wking@tremily.us>
Cache information about images that isn't trivially read from them, so
that ImageStatus and particularly ListImages don't have to do
potentially-expensive things for every image that they report.
The cache is an in-memory map, and we prune it after ListImages has
assembled its result set.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This uses the previously unused lib/stats.go code to return data
about container stats to the CRI API. Helpers have been built around
filtering based on the OCI API, and CPU stat reporting has been fixed.
No data on filesystem layer usage is returned at this time.
Fixes one-half of #1248
Signed-off-by: Yann Ramin <atrus@stackworks.net>
We had a bug in ImageStatus where we weren't returning the default
image user if set, thus running all containers as root despite a user
being set in the image config. We weren't populating the Username field
of ImageStatus.
This patch fixes that along with the handling of multiple images based
on the registry patch for multiple images.
It also fixes ListImages to return Username as well.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
We need to record whether the sandbox is using hostnetwork because the
kubelet needs that information when computing pod changes. Without this
patch it could happen that a pod that's using host network is restarted
just because the sandbox's status isn't reporting that it's running
using host network.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>