Commit graph

54 commits

Author SHA1 Message Date
Mrunal Patel
946307e5c2 Make pid namespace sharing optional and disabled by default
We reverse the logic so that pid ns sharing is disabled by default.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-11-18 06:47:06 -08:00
Mrunal Patel
d68da8929a
Merge pull request #1149 from weiwei04/share_pid_namespace
share pid namespace for Pod container
2017-11-17 08:12:49 -10:00
Wei Wei
702ab3ee3a share pid namespace for Pod container
Signed-off-by: Wei Wei <weiwei.inf@gmail.com>
2017-11-17 09:56:33 +08:00
Mrunal Patel
8fe6dd36a4
Move crio default sock to /var/run/crio/crio.sock
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-14 16:11:43 +01:00
Antonio Murdaca
91d9b4fc29
cmd: crio: correctly stop the streaming server
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-02 16:07:51 +01:00
Daniel J Walsh
063b25cef5 Report error when arguments given to crio command
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-10-31 16:15:54 -04:00
Antonio Murdaca
158d53e62a
cmd: crio: set ReadTimeout on the info endpoint
This will avoid the goroutines leak we've been seeing during
performance tests. Goroutines count returns to normal after containers
cleanup.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-29 21:56:55 +01:00
Mrunal Patel
b0e9f0eba8 Revert "Move crio default sock to /var/run/crio/crio.sock"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-19 10:13:49 -07:00
Antonio Murdaca
12ce3ba3ed Merge pull request #1030 from mrunalp/move_crio_sock
Move crio default sock to /var/run/crio/crio.sock
2017-10-19 00:53:10 +02:00
Mrunal Patel
761e73c82e Move crio default sock to /var/run/crio/crio.sock
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-17 22:02:53 -07:00
Antonio Murdaca
e07ba4b2d1
version: fix version handling and kube info
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-17 10:44:50 +02:00
umohnani8
d1aea31786 Follow up changes on secrets patch
Deleted mounts.conf file and moved the secrets mount paths
to a list (default-mounts) in crio.conf

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-12 15:10:07 -04:00
umohnani8
d5b5028cb9 Add secrets patch to crio
Allows the user to define secret paths in /etc/containers/mounts.conf
These are then volume mounted into the container

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-11 20:00:38 -04:00
Daniel J Walsh
974bafe012 Merge pull request #950 from sameo/topic/loglevel
main: Define -log-level option
2017-10-06 09:51:07 -04:00
Mrunal Patel
067cbff207 Make sure log-size-max is atleast as big as read buffer
We need log-size-max to be bigger than the read buffer in conmon
to accurately truncate it.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-05 15:06:38 -07:00
Samuel Ortiz
a5e5ccb365 main: Replace -debug with -log-level
Running crio with -debug is very verbose. Having more granularity
on the log level can be useful when e.g. only looking for errors.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-10-05 22:53:20 +02:00
d6a44bf111
*: allow to not use pivot_root
runc has a `--no-pivot` flag, that uses MS_MOVE instead.

This patch set bubbles up a runtime config to enable using no-pivot
globally.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-09-26 11:35:00 -04:00
Mrunal Patel
4d0270d138 crio: Add flag for --log-size-max
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 15:37:10 -07:00
Mrunal Patel
c7f5347673 Add log size max configuration
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 15:27:21 -07:00
Mrunal Patel
f59e9dae1c docs: Add missing bind option in docs and command help
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-09-15 16:12:13 -07:00
Mrunal Patel
0ae21a5f08 Add support for displaying git commit in version
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-08 10:16:01 -07:00
Antonio Murdaca
b8a6d358e7 Merge pull request #562 from rhatdan/hooks
Add support for running oci-hooks
2017-09-07 19:06:01 +02:00
Antonio Murdaca
dacc5c3ece
*: correctly wait and close servers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:21 +02:00
Daniel J Walsh
139d0841e8 Add support for oci-hooks to libkpod
Add new directory /etc/crio/hooks.d, where packagers can drop a json config
file to specify a hook.

The json must specify a valid executable to run.
The json must also specify which stage(s) to run the hook:
prestart, poststart, poststop
The json must specify under which criteria the hook should be launched
If the container HasBindMounts
If the container cmd matches a list of regular expressions
If the containers annotations matches a list of regular expressions.
If any of these match the the hook will be launched.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-09-05 07:39:31 -04:00
Daniel J Walsh
553521f03f Merge pull request #805 from baude/config
Make kpod parse configuration file
2017-09-01 14:57:14 -04:00
baude
266fc193e7 Make kpod parse configuration file
kpod must parse the crio configuration file or the storage
is not set up correctly.  By default it is not.  We now read
/etc/crio/crio.conf in as the configuration file unless it is
overriden by the user and the global -c|--config switch.

Signed-off-by: baude <bbaude@redhat.com>
2017-09-01 11:14:40 -05:00
Antonio Murdaca
39006d4cdd
serve grpc and http on the same socket
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-01 12:37:10 +02:00
Mrunal Patel
a913cb0b5d server: Use crio socket for info/inspect endpoints
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-31 21:30:54 -07:00
Mrunal Patel
004330df8f server: Add a /info endpoint
This will give a way for client to get information about crio daemon.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-30 20:50:04 -07:00
Mrunal Patel
58bc35ab40 server: Add an inspect endpoint for containers
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-30 11:45:56 -07:00
Antonio Murdaca
f35147e23c
cmd: {crio,crioctl}: bump to beta
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 11:25:33 +02:00
Antonio Murdaca
d56bf090ce
*: update kube vendor to v1.7.4
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:14 +02:00
Mrunal Patel
30ded83096 Add inotify watcher for container exits
This allows the container list API to return updated status
for exited container without having to call container status first.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-13 08:01:48 -07:00
Mrunal Patel
43bc359fc0 Add metrics endpoint support to server
We add two flags --enable-metrics and --metrics-port
to enable metrics endpoint and allow specifying the
port which defaults to 9090.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-10 13:44:42 -04:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Antonio Murdaca
a35727c80b
*: implement additional pull registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-02 16:38:11 +02:00
Matthew Heon
9529f565b2 Add option to use file-based locking for libkpod state
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-07-31 15:58:29 -04:00
Ryan Cole
a8b6f2ad8a Update kpod commands to use getConfig()
Make getStore() take a config struct from which it pulls the store
options, then update the kpod commands so that they call getConfig()
and pass the config into getStore()

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-27 15:58:55 -04:00
Ryan Cole
0c8f106ee8 add basic config struct to libkpod
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-27 11:12:50 -04:00
Mrunal Patel
1f40531dca Make the profile port configurable
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-26 10:57:55 -07:00
Mrunal Patel
7443263bd6 Add config for ImageVolumesBind option
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-07-14 15:31:50 -07:00
Antonio Murdaca
17584facf0 Merge pull request #641 from mrunalp/pids_limit
Pids limit
2017-07-12 12:39:54 +02:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
e49dd34657 Add support for container pids limit
We add a daemon level setting and will add a container
override once it is supported in CRI.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 14:59:52 -07:00
Mrunal Patel
dc55fd2f14 config: Add ImageVolumes configuration setting
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-10 13:46:14 -07:00
Antonio Murdaca
78e2fd3d5e
cmd/crio: fix reading insecure-registry flags
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-24 13:16:45 +02:00
Mrunal Patel
b82df188c6 version: Bump up version to 1.0.0-alpha.0
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-20 09:48:12 -07:00
Antonio Murdaca
20e11e3b90
cmd: crio: enable remote profiler
This patch also hides the profile under the debug flag as there's
runtime cost to enable the profiler.
This removes the old way of profiling (CPU) as that's not really
needed.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-18 11:42:04 +02:00
Mrunal Patel
bd40bbc30b Add missing error checks and simplify bool check
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-16 15:49:16 -07:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00