Commit graph

66 commits

Author SHA1 Message Date
Samuel Ortiz
c525459000
main: Add CNI options
We add 2 ocid options for choosing the CNI configuration and plugin
binaries directories: --cni-config-dir and --cni-plugin-dir.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-20 12:50:17 +01:00
Mrunal Patel
5eab56e002 Pass cgroup manager to oci runtime manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:05:32 -08:00
Antonio Murdaca
d2f6a4c0e2
server: remove reaper, let runc take care of reaping
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 12:15:20 +01:00
Antonio Murdaca
4bb0830c37 Merge pull request #239 from xlgao-zju/reload-apparmor-profile
reload default apparmor profile if it is unloaded
2016-12-13 11:10:26 +01:00
Samuel Ortiz
0df8200e12
sandbox: Create a symbolic link to the networking namespace
In order to workaround a bug introduced with runc commit bc84f833,
we create a symbolic link to our permanent networking namespace so
that runC realizes that this is not the host namespace.

Although this bug is now fixed upstream (See commit f33de5ab4), this
patch works with pre rc3 runC versions.
We may want to revert that patch once runC 1.0.0 is released.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persitent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persitent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Antonio Murdaca
430297dd81
store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Antonio Murdaca
5a1605bad5
server: fix calls to logrus again
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-11 18:29:59 +01:00
Antonio Murdaca
d9edbe6817 Merge pull request #249 from mrunalp/dev_shm
Add support for pod /dev/shm that is shared by the pod ctrs
2016-12-09 09:46:27 +01:00
Mrunal Patel
868e18614a Fix couple of lint issues
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:40:59 -08:00
Mrunal Patel
be29524ba4 Add support for pod /dev/shm that is shared by the pod ctrs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Xianglin Gao
cb5ed1ce9d reload default apparmor profile if it is unloaded
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
1f863846f5 add default apparmor profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Antonio Murdaca
78ee03a8fc
add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Crazykev
54a022defb restore pod annotations when restart ocid
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-01 13:49:21 +08:00
Aleksa Sarai
33f47d6a6b
server: make ImageStore configurable
It's a bit odd to have ImageStore be part of the config and yet we don't
allow people to modify it. However, leave it out of the commented
version because it's currently unused.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
c89157e45c Merge pull request #176 from gao-feng/hidden-infra-container
store infra container in sandbox
2016-10-25 03:25:17 +00:00
Gao feng
78528d9bd1 store infra container in sandbox
infra container is used to implement the pod
sandbox, it should not be exported to user.

this patch stores infra container in sandbox
immediately, only the containers created by user
are stored into container store, this prevents user
from removing/stopping infra container incorrectly.

Signed-off-by: Gao feng <omarapazanadi@gmail.com>
2016-10-24 20:18:19 +08:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Mrunal Patel
e999610fd6 Merge pull request #115 from cyphar/toml-config
cmd: server: use TOML configuration file
2016-10-11 16:07:25 -07:00
Antonio Murdaca
be2b0cfa50
server/server: skip f no sandbox when restoring containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-12 00:36:34 +02:00
Crazykev
f6536bf30e pod/container name should be released when create failed
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-10-11 20:19:51 +08:00
Aleksa Sarai
7bf5110b76
server: refactor to use Config struct
This paves the way for having a configuration file that is loaded rather
than everything being set via the command-line.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-11 03:10:32 +11:00
Antonio Murdaca
217d278623
server/server: check pods/ctrs directories before restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Antonio Murdaca
54d6ddb5af
server: containers restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Dan Walsh
be77b841fa Add SELinux support to OCID
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-06 14:13:06 -04:00
Mrunal Patel
0482a4281a Separate container IDs from container names
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:57:12 -07:00
Mrunal Patel
3e19549232 Add name and id indexes for containers
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:00:04 -07:00
Aleksa Sarai
bac579a9e5
server: create pause rootfs manually without Docker
This lessens the Docker requirement for creating sandboxes (with the
requirement only existing for the actual image pulling that is done when
adding a container to a pod). The interface was chosen to match the
--conmon interface, so that the location of the pause binary can be
chosen by a user.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-02 20:11:07 +11:00
Dan Walsh
f51c98b057 Install conmon in /usr/libexec/ocid/conmon
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-09-29 08:55:12 -04:00
Antonio Murdaca
4578cc93d1
server: fix panic when listing sandboxes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-27 10:46:45 +02:00
Antonio Murdaca
f7d3f7a69a Merge pull request #59 from mrunalp/pod_create_bug
Pod create bug
2016-09-27 09:13:40 +02:00
Mrunal Patel
4606f2a61a Fix the build for ocid to cri-o rename
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 16:55:12 -07:00
Mrunal Patel
78aae688e2 Add API to release Pod name when not required
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 15:41:58 -07:00
Mrunal Patel
e1b8802848 Fix typo 2016-09-26 15:31:06 -07:00
Antonio Murdaca
857aaa7816
cmd/server: provide a flag to set ocid root dir
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-24 00:38:06 +02:00
Antonio Murdaca
e269cb8b7e
new vendoring
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:17:45 +02:00
Antonio Murdaca
32029aaba6
id and name indexes for pods
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:17:45 +02:00
Antonio Murdaca
b053e63995
restore server rewrite
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:57:50 +02:00
Antonio Murdaca
22d434c1e6
restructure and make lint
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:56:13 +02:00
Antonio Murdaca
53e76cc752
warn when cannot update container status on server init
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
caae4b298a
create sandboxdir on server startup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
4fd1c583ad
sandboxes restore on server start
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:51:03 +02:00
Antonio Murdaca
35ef46f805
use an in memory store for containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 13:11:36 +02:00
Antonio Murdaca
158dfdfbda
server: locking around server components
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-17 16:10:35 +02:00
Mrunal Patel
bbe5325afc Fix the build to account for the change in repository
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:48:39 -07:00