Commit graph

1296 commits

Author SHA1 Message Date
Samuel Ortiz
4c702fb60c
test: Add 2 basic networking tests
We create temporary CNI networking configurations and run 2
functional tests:

- Verify that the networking namespace interface has a valid CIDR
- Ping the networking namespace interface from the host

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-20 12:50:20 +01:00
Samuel Ortiz
c525459000
main: Add CNI options
We add 2 ocid options for choosing the CNI configuration and plugin
binaries directories: --cni-config-dir and --cni-plugin-dir.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-20 12:50:17 +01:00
Antonio Murdaca
50a3958e5a Merge pull request #289 from mrunalp/cgroup_config
Add support cgroup config and systemd cgroups
2016-12-20 09:26:07 +01:00
Mrunal Patel
6df58df215 Add support for systemd cgroups
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 16:31:29 -08:00
Mrunal Patel
5eab56e002 Pass cgroup manager to oci runtime manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:05:32 -08:00
Mrunal Patel
edad8f866d Add configuration for specifying cgroup manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:04:34 -08:00
Antonio Murdaca
a7190853b6 Merge pull request #210 from nalind/metadata
[WIP] Add utility functions for managing containers and images using containers/storage
2016-12-19 19:12:51 +01:00
Nalin Dahyabhai
4ae8606edf Add storage utility functions
Add an intermediate API layer that uses containers/storage, and a
containers/image that has been patched to use it, to manage images and
containers, storing the data that we need to know about containers and
pods in the metadata fields provided by containers/storage.

While ocid manages pods and containers as different types of items, with
disjoint sets of IDs and names, it remains true that every pod includes
at least one container.  When a container's only purpose is to serve as
a home for namespaces that are shared with the other containers in the
pod, it is referred to as the pod's infrastructure container.

At the storage level, a pod is stored as its set of containers.  We keep
track of both pod IDs and container IDs in the metadata field of
Container objects that the storage library manages for us.  Containers
which bear the same pod ID are members of the pod which has that ID.
Other information about the pod, which ocid needs to remember in order
to answer requests for information about the pod, is also kept in the
metadata field of its member containers.

The container's runtime configuration should be stored in the
container's ContainerDirectory, and used as a template.  Each time the
container is about to be started, its layer should be mounted, that
configuration template should be read, the template's rootfs location
should be replaced with the mountpoint for the container's layer, and
the result should be saved to the container's ContainerRunDirectory,
for use as the configuration for the container.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:34 -05:00
Nalin Dahyabhai
d45ff58056 Initialize the reexec package
Any binary that will be managing storage needs to initialize the reexec
package in order to be able to apply or read image layers.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:34 -05:00
Nalin Dahyabhai
9b88295f69 Update containers/storage and containers/image
Update the versions of containers/storage and containers/image, and add
new dependencies that they pull in.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:34 -05:00
Nalin Dahyabhai
f893e38d6d Add build tags for integration tests
Add the necessary build tags and configuration so that integration tests
can properly build against device mapper and btrfs libraries.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-12-19 11:44:32 -05:00
Antonio Murdaca
7e3986e88f Merge pull request #286 from nhlfr/dockerfile-cleanup
Clean apt archives and source directories in Dockerfile
2016-12-19 10:00:40 +01:00
Michal Rostecki
6dc28dc766 Clean apt archives and source directories in Dockerfile
Signed-off-by: Michal Rostecki <michal@kinvolk.io>
2016-12-19 09:48:45 +01:00
Antonio Murdaca
ebc77fedde Merge pull request #284 from mrunalp/fix_cgroups_cfg
Fixup cgroup in test sandbox config
2016-12-16 22:48:57 +01:00
Mrunal Patel
a418ef8dc2 Fixup cgroup in test sandbox config
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-16 13:33:38 -08:00
Mrunal Patel
b2fbd828e1 Merge pull request #271 from resouer/pod-level-qos
Support pod level qos in cri-o
2016-12-16 13:32:22 -08:00
Mrunal Patel
5a769f72ca Merge pull request #274 from Crazykev/gofmt-check
Enable Gofmt check in CI
2016-12-15 16:57:16 -08:00
Mrunal Patel
6e323e8bc9 Merge pull request #281 from runcom/fix-nil-marshal-grpc
server: mock UpdateRuntimeConfig
2016-12-15 07:28:04 -08:00
Mrunal Patel
8bdf3ce91f Merge pull request #279 from runcom/add-sameo-to-owners
OWNERS: add @sameo
2016-12-15 07:21:25 -08:00
Antonio Murdaca
d157c1427c
server: mock UpdateRuntimeConfig
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-15 14:31:42 +01:00
Antonio Murdaca
0ec2d44394
OWNERS: add @sameo
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-15 12:18:47 +01:00
Harry Zhang
02dfe877e4 Add container to pod qos cgroup
Signed-off-by: Harry Zhang <harryz@hyper.sh>
2016-12-15 14:42:59 +08:00
Crazykev
eb3990ead9 fix gofmt problem in existing code
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-12-15 14:17:22 +08:00
Crazykev
3fa48e54ff add gofmt verify in CI
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-12-15 14:15:57 +08:00
Antonio Murdaca
1d08519ffe Merge pull request #276 from sameo/topic/netns_leaks
sandbox: Force netns unmount and removal when restoring
2016-12-15 01:00:09 +01:00
Antonio Murdaca
c9dcea486f Merge pull request #267 from mrunalp/ctr_oplock
Add operation lock for containers
2016-12-14 23:17:49 +01:00
Mrunal Patel
2800b83f2f Add operation lock for containers
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-14 10:54:42 -08:00
Samuel Ortiz
ad6ac9391c
sandbox: Force netns unmount and removal when restoring
ns.Close() will not remove and unmount the networking namespace
if it's not currently marked as mounted.
When we restore a sandbox, we generate the sandbox netns from
ns.GetNS() which does not mark the sandbox as mounted.

There currently is a PR open to fix that in the ns package:
https://github.com/containernetworking/cni/pull/342

but meanwhile this patch fixes a netns leak when restoring a pod.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-14 19:47:05 +01:00
Mrunal Patel
4f21dc6492 Merge pull request #275 from runcom/pod-run
cmd/client: move pod create to pod run
2016-12-14 10:37:56 -08:00
Antonio Murdaca
e1054cf28e
cmd/client: move pod create to pod run
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 18:15:37 +01:00
Pengfei Ni
7b0c76219c Merge pull request #272 from runcom/remove-reaper
server: remove reaper, let runc take care of reaping
2016-12-14 22:38:03 +08:00
Antonio Murdaca
d2f6a4c0e2
server: remove reaper, let runc take care of reaping
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 12:15:20 +01:00
Mrunal Patel
4cb5af00f6 Merge pull request #262 from runcom/fix-commands
Read command from ContainerCreateRequest
2016-12-13 10:13:38 -08:00
Mrunal Patel
18d23bc1ee Merge pull request #265 from runcom/setup-cni
README.md: add CNI setup
2016-12-13 08:34:54 -08:00
Antonio Murdaca
f99c0a089c
Read command from ContainerCreateRequest
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-13 16:59:16 +01:00
Antonio Murdaca
a4f5c3a8c4
README.md: add CNI setup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-13 16:23:24 +01:00
Antonio Murdaca
4bb0830c37 Merge pull request #239 from xlgao-zju/reload-apparmor-profile
reload default apparmor profile if it is unloaded
2016-12-13 11:10:26 +01:00
Mrunal Patel
bd585c2fca Merge pull request #237 from sameo/topic/sandbox_netns
Enable networking for hypervisor based container runtimes
2016-12-12 16:18:05 -08:00
Samuel Ortiz
0df8200e12
sandbox: Create a symbolic link to the networking namespace
In order to workaround a bug introduced with runc commit bc84f833,
we create a symbolic link to our permanent networking namespace so
that runC realizes that this is not the host namespace.

Although this bug is now fixed upstream (See commit f33de5ab4), this
patch works with pre rc3 runC versions.
We may want to revert that patch once runC 1.0.0 is released.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
a9724c2c9c
sandbox: Fix gocyclo complexity
With the networking namespace code added, we were reaching a
gocyclo complexitiy of 52. By moving the container creation and
starting code path out, we're back to reasonable levels.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
482eb460d6
sandbox: Setup networking namespace before sandbox creation
In order for hypervisor based container runtimes to be able to
fully prepare their pod virtual machines networking interfaces,
this patch sets the pod networking namespace before creating the
sandbox container.

Once the sandbox networking namespace is prepared, the runtime
can scan the networking namespace interfaces and build the pod VM
matching interfaces (typically TAP interfaces) at pod sandbox
creation time. Not doing so means those runtimes would have to
rely on all hypervisors to support networking interfaces hotplug.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persitent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persitent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
be3ed3bcbc
vendor: Add CNI ns package
We will need it for our persistent networking
namespace work.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Mrunal Patel
05b10c27ca Merge pull request #261 from sameo/topic/annotations
container: Store annotations under ocid/annotations
2016-12-12 10:43:26 -08:00
Samuel Ortiz
70ede1a5fe
container: Store annotations under ocid/annotations
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:16:05 +01:00
Mrunal Patel
1291b13125 Merge pull request #259 from runcom/fix-pod-with-restart=Always
store annotations and image for a container
2016-12-12 07:38:16 -08:00
Antonio Murdaca
430297dd81
store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Mrunal Patel
5142b8a4d7 Merge pull request #258 from runcom/fix-logrus-2
server: fix calls to logrus again
2016-12-11 10:00:15 -08:00
Antonio Murdaca
5a1605bad5
server: fix calls to logrus again
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-11 18:29:59 +01:00