Running crio with -debug is very verbose. Having more granularity
on the log level can be useful when e.g. only looking for errors.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
* Remove duplicate definitions of storage-related flags for kpod, since
we set them in helpers.bash now, and the other locations that were
also setting it were doing so after loading the definitions in
helpers.
* Set kpod storage flags after checking if we need to force use of the
"vfs" storage driver for cri-o, to make sure kpod also ends up with
the same override if we're using one.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Move kpod tests from kpod.bats to kpod_[commandname].bats
Also make sure all status checks have a echo $output before them.
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Implement the ability to pause and unpause running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
server: fix selinux labels for pod and containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: set selinux labels from request, not defaults
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
container_create: use sandbox's selinux if container's nil
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: correctly init selinux labels
First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
test: testdata: use container_runtime_t selinux type
RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
If the user provides kpod pull a short name like 'debian', we
still want the pull to be sucessful. As such, when a short
name is provided, we get the list of searchable registries via
the systemregistries code in containers-storage. We then
append a tag of 'latest' (if not provided) and we formulate
a list of possible fully-qualified image names to try.
Vendor update for containers-storage to bring in the system_registries
code.
Also includes a patch from Nalin to fix compilation errors.
Signed-off-by: baude <bbaude@redhat.com>
Stop one or more containers. Specific a timeout value
that if the stop operation exceeds, will forcibly stop
the container.
Signed-off-by: baude <bbaude@redhat.com>
Our CI tests on RHEL and Fedora and we want to test the systemd cgroup
driver. However, kubelet needs to run in tests with systemd cgroup
driver as well, or tests fail. This patch fixes broken CI because of
not matching cgroup driver between CRI-O and the kubelet.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Because we need a working CNI plugin to setup a correct netns so
sandbox_run can grab a working IP address.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
When performing a tag, if a shortname was provided, tag.go would
preprend docker.io to the shortname through the ParseNormalized
function. Here we work around that such that is a short name
and tag are provided, the resulting tag will be shortname:tag. If
a shortname is provided without a tag, we append "latest" as the
tag.
Added specific tag tests too
Signed-off-by: baude <bbaude@redhat.com>
Kpod rm removes a container from the system
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Add new directory /etc/crio/hooks.d, where packagers can drop a json config
file to specify a hook.
The json must specify a valid executable to run.
The json must also specify which stage(s) to run the hook:
prestart, poststart, poststop
The json must specify under which criteria the hook should be launched
If the container HasBindMounts
If the container cmd matches a list of regular expressions
If the containers annotations matches a list of regular expressions.
If any of these match the the hook will be launched.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Correct some syntax errors in kpod.bats, ensure that it always checks
the exit status of "kpod rmi" commands, correct the order of options
when calling "kpod inspect", and test for string equality correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We want all kpod subcommands to use the formats code to output
formats like json. Altering kpod diff --json to kpod diff --format json
like the kpod images command.
Signed-off-by: baude <bbaude@redhat.com>
