Commit graph

105 commits

Author SHA1 Message Date
Daniel J Walsh
19f37f5c14 Merge pull request #955 from sameo/topic/delete_container
Handle container creation failures gracefully
2017-10-06 11:54:10 -04:00
Samuel Ortiz
f9bad6cc32 oci: Use error logs for container creation failures
They are more critical than simple debug strings.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-10-05 22:53:20 +02:00
Samuel Ortiz
d27451029b oci: Increase the container creation timeout
Under very heavy loads (e.g. 100 pods created at the same time), VM
based runtimes can take more than 10 seconds to create a pod.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-10-05 22:52:33 +02:00
Samuel Ortiz
eae1b7d6bd oci: Delete container resources upon creation failure
When cri-o assumes the container creation failed, we need to let the
runtime know that we're bailing out so that it cancels all ongoing
operation.
In container creation timeout situations for example, failing to
explictly request the runtime for container deletion can lead to large
resource leaks as kubelet re-creates a failing container, while the
runtime finishes creating the previous one(s).

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-10-05 22:52:33 +02:00
baude
3611f92ddf BUGFIX: Invalid return codes in kpod
Set the exitsdir for kpod back to /var/run/crio... so kpod can benefit
from the container exit file.

Because 0 is the int32 blank value, kpod needs its own container state
struct with the omitempty removed so it can actually display 0 in
its default json output.

Signed-off-by: baude <bbaude@redhat.com>
2017-10-04 09:34:28 -05:00
Daniel J Walsh
214adee0ef Merge pull request #926 from TomSweeneyRedHat/pause
Add `kpod pause` and `kpod unpause`
2017-09-27 09:33:22 -04:00
d6a44bf111
*: allow to not use pivot_root
runc has a `--no-pivot` flag, that uses MS_MOVE instead.

This patch set bubbles up a runtime config to enable using no-pivot
globally.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-09-26 11:35:00 -04:00
Daniel J Walsh
9db7cf1370 Add kpod pause and kpod unpause
Implement the ability to pause and unpause running containers.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2017-09-26 08:38:07 -04:00
Mrunal Patel
48d0706a49 Add log size max flag to conmon and pass it on container create
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 15:31:31 -07:00
Mrunal Patel
bb11ee522b oci: Add log size max to container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 15:28:29 -07:00
Antonio Murdaca
a51bc9753f
oci: add a note about crio-conmon- sub-cgroup with cgroupfs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 17:14:53 +02:00
Antonio Murdaca
f51ca87857
*: constify cgroups stuff
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-30 01:10:39 +02:00
Antonio Murdaca
c199f63dba
oci: join crio-conmon for cgroupfs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 23:00:02 +02:00
Antonio Murdaca
c2a4fc740f
oci: wait a while for exit file to show up
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 11:25:51 +02:00
Mrunal Patel
37edc50c1d oci: Check if process exists before trying to kill it
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-17 19:42:50 -07:00
Mrunal Patel
30ded83096 Add inotify watcher for container exits
This allows the container list API to return updated status
for exited container without having to call container status first.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-13 08:01:48 -07:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Antonio Murdaca
47ea873253
oci: fix type mismatch on some platform/arch
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-07-17 15:31:19 +02:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
67504a02d5 oci: Use container ID as ID instead of container name
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-24 08:31:41 -07:00
Alexander Larsson
81cb788004 conmon: Clean up execsync
This moves the timeout handling from the go code to conmon, whic
removes some of the complexity from criod, and additionally it will
makes it possible to do the double-fork in the exec case too.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-21 21:03:17 +02:00
Mrunal Patel
88037b143b Merge pull request #583 from alexlarsson/conmon-reap-zombies
conmon: Don't leave zombies and fix cgroup race
2017-06-20 07:53:52 -07:00
Alexander Larsson
72686c78b4 fixup! conmon: Don't leave zombies and fix cgroup race
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-20 12:18:07 +02:00
Mrunal Patel
2b8e3a0d0f Merge pull request #602 from runcom/busy-loop
oci: remove busy loop
2017-06-15 10:29:33 -07:00
Alexander Larsson
af4fbcd942 conmon: Don't leave zombies and fix cgroup race
Currently, when creating containers we never call Wait on the
conmon exec.Command, which means that the child hangs around
forever as a zombie after it dies.

However, instead of doing this waitpid() in the parent we instead
do a double-fork in conmon, to daemonize it. That makes a lot of
sense, as conmon really is not tied to the launcher, but needs
to outlive it if e.g. the cri-o daemon restarts.

However, this makes even more obvious a race condition which we
already have. When crio-d puts the conmon pid in a cgroup there
is a race where conmon could already have spawned a child, and
it would then not be part of the cgroup. In order to fix this
we add another synchronization pipe to conmon, which we block
on before we create any children. The parent then makes sure the
pid is in the cgroup before letting it continue.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-15 14:20:40 +02:00
Antonio Murdaca
9e6359b6f7
oci: remove busy loop
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-15 12:22:32 +02:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Mrunal Patel
7b9032bac7 Merge pull request #579 from alexlarsson/non-terminal-attach
Implement non-terminal attach
2017-06-14 21:45:44 -07:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Mrunal Patel
62c9caeb83 oci: Add debugs for container create failures
This makes it easier to debug container creation failures
by looking at cri-o logs.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-14 07:33:07 -07:00
Antonio Murdaca
0b2f6b5354
adjust status on container start failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:48:50 +02:00
Mrunal Patel
065f12490c conmon: Add unix domain socket for attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Antonio Murdaca
88fb9094d0
oci: do not error out on runtime state failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:17 +02:00
Antonio Murdaca
b4f1cee2a2
server: store and use image's stop signal to stop containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-27 10:21:04 +02:00
Antonio Murdaca
b4251aebd8
execsync: rewrite to fix a bug in conmon
conmon has many flags that are parsed when it's executed, one of them
is "-c". During PR #510 where we vendor latest kube master code,
upstream has changed a test to call a "ctr execsync" with a command of
"sh -c commmand ...".
Turns out:

a) conmon has a "-c" flag which refers to the container name/id
b) the exec command has a "-c" flags but it's for "sh"

That leads to conmon parsing the second "-c" flags from the exec
command causing an error. The executed command looks like:

conmon -c [..other flags..] CONTAINERID -e sh -c echo hello world

This patch rewrites the exec sync code to not pass down to conmon the
exec command via command line. Rather, we're now creating an OCI runtime
process spec in a temp file, pass _the path_ down to conmon, and have
runc exec the command using "runc exec --process
/path/to/process-spec.json CONTAINERID". This is far better in which we
don't need to bother anymore about conflicts with flags in conmon.

Added and fixed some tests also.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-25 22:36:33 +02:00
Mrunal Patel
ea9a90abce Set Container Status Reason when OOM Killed
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-25 11:30:58 -07:00
Antonio Murdaca
6622feb480
server: still update status on container not found in runc
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:51 +02:00
Antonio Murdaca
358dac96d4
server: ignore runc not exist errors
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
2ddc062bbe
oci: ignore non existing containers on delete
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:45 +02:00
Antonio Murdaca
fbc5e49a60
oci: save container's finished time
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:55 +02:00
Antonio Murdaca
1ca660e3b7 Merge pull request #512 from runcom/stop-timeout
server: honor container stop timeout from CRI
2017-05-16 10:06:47 +02:00
Antonio Murdaca
b3683ab184
server: honor container stop timeout from CRI
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-15 22:56:31 +02:00
Mrunal Patel
0a0533cdfc Capture errors from runtime create failures
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-15 13:35:18 -07:00
Dan Walsh
4493b6f176 Rename ocid to crio.
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name.  We want to elminate the name ocid from use.
Move fully to crio.

Also cric is being renamed to crioctl for the time being.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-12 09:56:06 -04:00
f1fd06bfc1
oci: more grep'able interface name
`git grep -wi store` is not nearly useful enough. Taking steps for
readability.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-04-19 16:12:59 -04:00
Aleksa Sarai
87faf98447
oci: make ExecSync handle split std{out,err}
Now that conmon splits std{out,err} for !terminal containers, ExecSync
can parse that output to return the correct std{out,err} split to the
kubelet. Invalid log lines are ignored but complained about.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-12 21:59:25 +10:00
Aleksa Sarai
8a928d06e7
oci: make ExecSync with ExitCode != 0 act properly
Previously we returned an internal error result when a program had a
non-zero exit code, which was incorrect. Fix this as well as change the
tests to actually check the "ExitCode" response from ExecSync (rather
than expecting ocic-ctr to return an internal error).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-11 20:32:18 +10:00
Suraj Deshmukh
da89d28473 Print received container pid as int
Earlier the received container pid was printed as unicode
character, this is fixed to print integer.

Fixes #431
2017-04-06 22:14:29 +05:30
Aleksa Sarai
c290c0d9c3
conmon: implement logging to logPath
This adds a very simple implementation of logging within conmon, where
every buffer read from the masterfd of the container is also written to
the log file (with errors during writing to the log file ignored).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Mrunal Patel
d69ad9b5a3 Fix lint issues
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-27 10:21:30 -07:00