Commit graph

517 commits

Author SHA1 Message Date
Daniel J Walsh
f6555bd868
Merge pull request #1087 from runcom/sort-mounts
container_create: sort mounts before adding them to the spec
2017-10-30 12:40:00 -04:00
Antonio Murdaca
15afc4d3de
container_create: sort mounts before adding them to the spec
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-29 12:31:18 +01:00
Mrunal Patel
03f9350a15 lint fixes
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-28 13:17:00 -07:00
Antonio Murdaca
584a256388
server: correctly return and close ch from exits routine
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-26 16:55:18 +02:00
Daniel J Walsh
a3cd7c422c Merge pull request #1052 from mheon/conmon_socket_as_arg
Make attach sockets directory an argument in Conmon
2017-10-24 21:48:33 -07:00
Antonio Murdaca
c316e5d8cf
oci: respect process spec on exec
This patch fixes exec to use the original (start-time) process exec
configuration. Otherwise, we were creating a brand new spec process w/o
additional groups for instance.
Spotted while integrating CRI-O with cri-test...The test was failing
with:
```
• Failure [10.640 seconds]
[k8s.io] Security Context
/home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
  bucket
  /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:407
    runtime should support SupplementalGroups [It]
    /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:272

    Expected
        <[]string | len:1, cap:1>: ["0"]
    to contain element matching
        <string>: 1234
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-24 22:39:17 +02:00
Matthew Heon
ae5fc471ea Make attach sockets directory an argument in Conmon
This is required to enable ongoing work in libpod

Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-24 15:42:23 -04:00
Mrunal Patel
d7d2ce7ce2 Merge pull request #1044 from runcom/fix-host-pid
fix host pid handling for containers and share uts ns
2017-10-19 14:11:41 -07:00
Antonio Murdaca
da725f3e5f
fix host pid handling for containers and share uts ns
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-19 21:13:28 +02:00
Mrunal Patel
b0e9f0eba8 Revert "Move crio default sock to /var/run/crio/crio.sock"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-19 10:13:49 -07:00
Antonio Murdaca
12ce3ba3ed Merge pull request #1030 from mrunalp/move_crio_sock
Move crio default sock to /var/run/crio/crio.sock
2017-10-19 00:53:10 +02:00
Daniel J Walsh
c2b7f37bd3 Merge pull request #1017 from baude/cri_tests_sandbox
server/sandbox_list.go: No error on filtered list find by ID
2017-10-18 16:10:11 -04:00
Mrunal Patel
c04f585a53 Merge pull request #1021 from runcom/fix-crio-versioning
version: fix version handling and kube info
2017-10-17 22:04:55 -07:00
Mrunal Patel
761e73c82e Move crio default sock to /var/run/crio/crio.sock
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-10-17 22:02:53 -07:00
Mrunal Patel
eafb7f7105 Merge pull request #1014 from runcom/oci-kill-all-fix
oci: fixes to properly handle container stop action
2017-10-17 21:59:32 -07:00
umohnani8
a11b1f953d Fixed logic flaw in the secrets mounts
Tested on a REHL box and found out that the mounts were not showing up
Had a logic flaw, where if the mount was "host:container"
Was setting the mount source to "host" and destination to "ctrRunDir/container"
When instead, the mount source should be "ctrRunDir/container" and destination "container"
with the data copied from "host" to "ctrRunDir/container"

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-17 13:08:42 -04:00
Antonio Murdaca
e07ba4b2d1
version: fix version handling and kube info
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-17 10:44:50 +02:00
Antonio Murdaca
c6f5a290d8
oci: fixes to properly handle container stop action
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-10-17 00:21:17 +02:00
baude
179a3f9c0e server/sandbox_list.go: No error on filtered list find by ID
We should not error when we try to find a pod ID in a filtered
list of sandboxes; instead we should return an empty struct
and log it.

This fixes another cri-test failure.

Signed-off-by: baude <bbaude@redhat.com>
2017-10-16 16:36:15 -05:00
Daniel J Walsh
7b9a5c259e Merge pull request #992 from baude/cri_tests_sec
Initial fixes for cri-tests
2017-10-13 19:15:08 -04:00
baude
fc2cae39ef Initial fixes for cri-tests
We now can pass 37/55 tests with this PR.  Remaining tests include may be fixed
with 1.8.

[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName
[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls
[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance]
[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix
[Fail] [k8s.io] Image Manager [It] listImage should get exactly 2 repoTags in the result image [Conformance]
[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls
[Fail] [k8s.io] Security Context NoNewPrivs [It] should not allow privilege escalation when true
[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rslave' should support propagation from host to container
[Fail] [k8s.io] Container runtime should support mount propagation [It] mount with 'rshared' should support propagation from host to container and vice versa
[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container
[Fail] [k8s.io] Container runtime should support log [It] runtime should support starting container with log [Conformance]
[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser
[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container

Signed-off-by: baude <bbaude@redhat.com>
2017-10-13 08:36:14 -05:00
umohnani8
d1aea31786 Follow up changes on secrets patch
Deleted mounts.conf file and moved the secrets mount paths
to a list (default-mounts) in crio.conf

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-12 15:10:07 -04:00
Daniel J Walsh
5b41729b6c Merge pull request #942 from umohnani8/secrets_patch
Add secrets support to crio
2017-10-12 11:04:20 -04:00
umohnani8
d5b5028cb9 Add secrets patch to crio
Allows the user to define secret paths in /etc/containers/mounts.conf
These are then volume mounted into the container

Signed-off-by: umohnani8 <umohnani@redhat.com>
2017-10-11 20:00:38 -04:00
Mrunal Patel
bb4b2e9fea test: Modify Fatal to Fatalf as we have a specifier
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-10-11 14:51:11 -07:00
Mrunal Patel
7c2c9a8c85 test: Fix format specifier
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-10-10 16:23:54 -07:00
baude
3611f92ddf BUGFIX: Invalid return codes in kpod
Set the exitsdir for kpod back to /var/run/crio... so kpod can benefit
from the container exit file.

Because 0 is the int32 blank value, kpod needs its own container state
struct with the omitempty removed so it can actually display 0 in
its default json output.

Signed-off-by: baude <bbaude@redhat.com>
2017-10-04 09:34:28 -05:00
Dongsu Park
644a4af377 server: handle cases of securityContext, namespaceOptions being nil
Both GetSecurityContext() and GetNamespaceOptions() can return nil.
In these cases, cri-o will panic like this:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x1 pc=0x1cc43f6]

goroutine 66 [running]:
.../cri-o/server.(*Server).RunPodSandbox(0xc42060e300, 0x7f611d37a0b8,
0xc420207e60, 0xc42015e318, 0x0, 0x0, 0x0)
        .../cri-o/server/sandbox_run.go:261 +0xfe6
.../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime._RuntimeService_RunPodSandbox_Handler(0x2180920,
0xc42060e300, 0x7f611d37a0b8, 0xc420207e60, 0xc420505950, 0x0, 0x0, 0x0,
0x64ed0d, 0xc42064bc80)
        .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279
.../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4200a4240,
0x33f28e0, 0xc4204b0360, 0xc42074a870, 0xc420476de0, 0x33bcd38, 0xc420207e30, 0x0, 0x0)
```

Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
2017-09-29 17:00:16 +02:00
Dongsu Park
2080744963 server: fix panic when assigning entry to nil map
When running cri-tests with cri-o, I found out that cri-o panicked
immediately with the following message. Fix it by accessing to the
labels map only if it's non-nil.

```
panic: assignment to entry in nil map

goroutine 57 [running]:
.../cri-o/server.(*Server).RunPodSandbox(0xc42048e000, 0x7efcad4cd400,
0xc42066ec90, 0xc4201703d0, 0x0, 0x0, 0x0)
        .../cri-o/server/sandbox_run.go:225 +0xda5
.../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime
._RuntimeService_RunPodSandbox_Handler(0x21793e0, 0xc42048e000,
0x7efcad4cd400, 0xc42066ec90, 0xc4204fe780, 0x0, 0x0, 0x0, 0x0, 0x0)
        .../cri-o/vendor/k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime/api.pb.go:3645 +0x279
.../cri-o/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc420
09e3c0, 0x33e79c0, 0xc4203d1950, 0xc42080a000, 0xc4202bb980, 0x33b1d58,
0xc42066ec60, 0x0, 0x0)
        .../cri-o/vendor/google.golang.org/grpc/server.go:638 +0x99c
```

Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
2017-09-29 16:19:21 +02:00
Mrunal Patel
db0bd66fca Merge pull request #917 from runcom/fixes-rc3-0
Fix Origin test and update kube to v1.7.6
2017-09-25 14:55:42 -07:00
Antonio Murdaca
3dd043c581
sandbox_network: pass sandbox to newPodNetwork
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
6c871769b4
server: more fixes for selinux and privileged mode
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
7b0bde4362
container_create: fix seccomp annotations
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
59c0218a9c
container_create: follow symlink for mount host path
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Antonio Murdaca
e8cfe3b867
container_create: support seccomp docker/default annotation
Fixes the following Origin/Kube test:

```
• Failure [10.323 seconds]
[k8s.io] Security Context [Feature:SecurityContext]
/go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go:619
  should support seccomp alpha docker/default annotation
[Feature:Seccomp] [It]
  /go/src/github.com/openshift/origin/vendor/k8s.io/kubernetes/test/e2e/security_context.go:133

  Expected error:
      <*errors.errorString | 0xc420cbacf0>: {
          s: "expected \"2\" in container output: Expected\n
<string>: Seccomp:\t0\n    \nto contain substring\n    <string>: 2",
      }
      expected "2" in container output: Expected
          <string>: Seccomp:	0

      to contain substring
          <string>: 2
  not to have occurred
}
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-25 21:08:11 +02:00
Mrunal Patel
50baca10e9 Add crio annotations to container endpoint
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Mrunal Patel
2e3d5240c2 client: Add crio client package
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Antonio Murdaca
a11b8cd8ec
sandbox, ctr: SELinux fixes
server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: set selinux labels from request, not defaults

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container_create: use sandbox's selinux if container's nil

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: correctly init selinux labels

First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test: testdata: use container_runtime_t selinux type

RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 22:40:17 +02:00
Antonio Murdaca
ec42a40936
server: use grpc getters
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:32 +02:00
Antonio Murdaca
9ec518491f
server: correctly set hostname
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:31 +02:00
Antonio Murdaca
0c1383fd30
test: add inspect integration tests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:31 +02:00
Antonio Murdaca
e26e48ec87
server: add inspect unit test
The inspect endpoint is used mainly in the CRI-O cAdvisor handler.
Let's make sure we don't break it by adding some trivial unit tests.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:29 +02:00
Dan Williams
6a58bdf787 server: clean up sandbox network when running the sandbox fails
Runtimes need to clean up anything that needs it if RunPodSandbox()
fails.

Signed-off-by: Dan Williams <dcbw@redhat.com>
2017-09-11 14:19:27 -05:00
Antonio Murdaca
b8a6d358e7 Merge pull request #562 from rhatdan/hooks
Add support for running oci-hooks
2017-09-07 19:06:01 +02:00
Antonio Murdaca
e5b5ffdeac Merge pull request #846 from mrunalp/fix_cgroup_config
Fix cgroup config
2017-09-07 19:04:25 +02:00
Antonio Murdaca
af0a494251
container_create: handle cap add/drop ALL
Kubelet can send cap add/drop ALL. Handle that in CRI-O as well.
Also, this PR is re-vendoring runtime-tools to fix capabilities add to
add caps to _all_ caps set **and** fix a shared memory issue (caps set
were initialized with the same slice, if one modifies one slice, it's
reflected on the other slices, the vendoring fixes this as well)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 16:43:33 +02:00
Mrunal Patel
7f4f630b98 Merge pull request #852 from runcom/fixies-42
*: bunch of fixes...
2017-09-07 07:37:37 -07:00
Antonio Murdaca
e8553a124d
container_create: better handling of devices
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
b7b57e8731
container_create: Add TERM=xterm when tty=true
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00
Antonio Murdaca
cde40ad5ca
container_create: set privileged on ctr only if also on sandbox
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-07 10:13:22 +02:00