Our CI tests on RHEL and Fedora and we want to test the systemd cgroup
driver. However, kubelet needs to run in tests with systemd cgroup
driver as well, or tests fail. This patch fixes broken CI because of
not matching cgroup driver between CRI-O and the kubelet.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Because we need a working CNI plugin to setup a correct netns so
sandbox_run can grab a working IP address.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
When performing a tag, if a shortname was provided, tag.go would
preprend docker.io to the shortname through the ParseNormalized
function. Here we work around that such that is a short name
and tag are provided, the resulting tag will be shortname:tag. If
a shortname is provided without a tag, we append "latest" as the
tag.
Added specific tag tests too
Signed-off-by: baude <bbaude@redhat.com>
Kpod rm removes a container from the system
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Add new directory /etc/crio/hooks.d, where packagers can drop a json config
file to specify a hook.
The json must specify a valid executable to run.
The json must also specify which stage(s) to run the hook:
prestart, poststart, poststop
The json must specify under which criteria the hook should be launched
If the container HasBindMounts
If the container cmd matches a list of regular expressions
If the containers annotations matches a list of regular expressions.
If any of these match the the hook will be launched.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Correct some syntax errors in kpod.bats, ensure that it always checks
the exit status of "kpod rmi" commands, correct the order of options
when calling "kpod inspect", and test for string equality correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We want all kpod subcommands to use the formats code to output
formats like json. Altering kpod diff --json to kpod diff --format json
like the kpod images command.
Signed-off-by: baude <bbaude@redhat.com>
For kpod images, we need to output in JSON format so that consumers
(programatic) have structured input to work with.
kpod images --format json
Signed-off-by: baude <bbaude@redhat.com>
kpod diff reports on differences between two layers, specified as
layer IDs, containers, or images. In the case of containers or
images, kpod diff produces a diff for the top layer
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
This command will allow users to manipulate and examine the container
images from outside of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus
Also vendor in latest containers/storage and containers/image
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Basically none of the clever storage drivers will work when we're on top
of AUFS, so if we find ourselves in that situation when running tests,
default to storage options of "--storage-driver vfs".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use unix.Prctl() instead of manually reimplementing it using
unix.RawSyscall. Also use unix.SECCOMP_MODE_FILTER instead of locally
defining it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).
[1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24
This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
