Commit graph

748 commits

Author SHA1 Message Date
Samuel Ortiz
c3cb6a133f server: Remove the mount points after stopping the containers
When starting pods or containers, we create the mount points
first. It seems natural to do something symetrical when stopping
pods or containers, i.e. removing the mount point at last.

Also, the current logic may not work with VM based containers as the
hypervisor may hold a reference on the mount point while we're trying to
remove them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-20 17:50:38 +01:00
Antonio Murdaca
19e7b78aea Merge pull request #295 from cyphar/example-cni-config
contrib: cni: provide example CNI configurations
2017-03-20 16:53:52 +01:00
Aleksa Sarai
9088a12c75
contrib: cni: provide example CNI configurations
This also updates the readme to no longer contain CNI configuration
information (which had incorrect steps), and rather just points to the
example configs.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-20 23:08:28 +11:00
Mrunal Patel
792f585c44 Merge pull request #391 from rhatdan/selinux
Set SELinux mount label for pod sandbox
2017-03-16 14:45:29 -07:00
Daniel J Walsh
031e184624 Change lint timeout to 60 seconds, to fix test failure
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 17:03:12 -04:00
Daniel J Walsh
ff950a8e37 Set SELinux mount label for pod sandbox
The pause container is creating an AVC since the /dev/null device
is not labeled correctly.  Looks like we are only setting the label of
the process not the label of the content inside of the container.
This change will label content in the pause container correctly and
eliminate the AVC.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 14:09:38 -04:00
Daniel J Walsh
bf6c4141c1 Fix golint error
golint has figured out an optimization that is blocking other pull requests.
This fixes the golint issue.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-16 14:09:38 -04:00
Mrunal Patel
fdc7f5a77a Merge pull request #387 from apilloud/update_image
Update containers/image
2017-03-13 12:09:51 -07:00
Andrew Pilloud
de9995d5f0 dep: Update containers/image to 1d7e25b91705e4d1cddb5396baf112caeb1119f3
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-03-13 09:33:17 -07:00
Andrew Pilloud
54c176e336 storage: Support latest containers/image
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-03-13 08:51:02 -07:00
Antonio Murdaca
ee3027f8be Merge pull request #385 from mrunalp/conmon_cgroup
Run conmon under cgroups (systemd)
2017-03-09 19:01:44 +01:00
Mrunal Patel
8c0ff7d904 Run conmon under cgroups (systemd)
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-06 15:08:46 -08:00
Pengfei Ni
3195f45904 Merge pull request #367 from sameo/topic/host-privileged-runtime
Support alternate runtime for host privileged operations
2017-03-05 07:53:20 +08:00
Antonio Murdaca
4589048b18 Merge pull request #384 from mrunalp/fix_cgroup_parent
Fix cgroup parent
2017-03-04 10:20:29 +01:00
Mrunal Patel
38f497a701 Fix cgroup parent
We were using a variable before it was set.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-03 16:38:46 -08:00
Antonio Murdaca
0b6afbd78a Merge pull request #378 from mrunalp/add_scope_run
util: Add function to run in scope
2017-03-04 00:44:35 +01:00
Mrunal Patel
91ed3d4fbf Add a utility to run a pid in a systemd scope
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-03 15:02:14 -08:00
Samuel Ortiz
f7eee71792 server: Reduce createSandboxContainer complexity
By factorizing the bind mounts generation code.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:29 +01:00
Samuel Ortiz
2ec696be41 server: Set sandbox and container privileged flags
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.

A container inherit its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be
when one of the below conditions is true:

- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
  namespaces.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:04 +01:00
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Samuel Ortiz
2fc4d0cac1 config: Add host privileged runtime configuration
Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.

By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Mrunal Patel
b872bc2fde Merge pull request #380 from feiskyer/fix-make
Fix make
2017-03-02 08:07:06 -08:00
Antonio Murdaca
ce883cf741 Merge pull request #379 from mrunalp/fix_logo
Use png for logo as github doesn't display the svg
2017-03-02 16:34:22 +01:00
Mrunal Patel
ad90b3c23c Use rawgit CDN for logo to make SVG render correctly
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-02 07:27:30 -08:00
Pengfei Ni
a1cfb250e1 Add make to traivs
Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2017-03-02 14:13:03 +08:00
Pengfei Ni
25cc9e9810 Fix make
Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2017-03-02 12:37:45 +08:00
Mrunal Patel
69ed8639cd Update dependencies to include github.com/godbus/dbus
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-01 16:49:45 -08:00
Mrunal Patel
e4adfcc11a Merge pull request #376 from mairin/master
#370 - adding a logo for cri-o
2017-03-01 11:55:33 -08:00
Máirín Duffy
8c85795740 Adding new logo to README.md
Issue: 370
Signed-off-by: Máirín Duffy <duffy@redhat.com>
2017-03-01 13:54:32 -05:00
Máirín Duffy
127f123734 Adding cri-o logo artwork
Note that crio-logo-source is the full Inkscape SVG source and crio-logo.svg
is an SVGO-optimized version of just the white bg version of the logo.

Issue: #370
Signed-off-by: Máirín Duffy <duffy@redhat.com>
2017-03-01 13:34:30 -05:00
Antonio Murdaca
3a9e7036a1 Merge pull request #374 from vbmade2000/pkg-config-correction
Correct package name for pkg-config
2017-02-27 12:24:49 +01:00
Malhar Vora
54c4bc2bd2 Correct package name for pkg-config
Signed-off-by: Malhar Vora  <mlvora.2010@gmail.com>
2017-02-27 16:03:20 +05:30
Mrunal Patel
ecb7718ae9 Merge pull request #373 from rhatdan/storage-opt
Depracate --storage-option for --storage-opt
2017-02-25 20:56:29 -08:00
Daniel J Walsh
cf5b0ae57f Deprecate --storage-option for --storage-opt
container-storage-setup (Formerly docker-storage-setup) is being converted to
run with container runtimes outside of docker.  Specifically we want to use it
with CRI-O/ocid.  It does not know anything about the container runtimes it
is generating options for, so it generates them based on the storage CLI of
docker.  I see no reason to have the storage option for ocid to be different
and we can just depracate the option for now.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-02-25 09:09:50 -05:00
Pengfei Ni
3690f4c971 Merge pull request #371 from apilloud/canonical_import
Use canonical import path for apimachinery
2017-02-23 15:54:56 +08:00
Andrew Pilloud
5f63cdcf89 Use canonical import path for apimachinery
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 18:32:42 -08:00
Mrunal Patel
860c5419fd Merge pull request #368 from apilloud/no_seccomp
Run without seccomp
2017-02-22 12:01:17 -08:00
Andrew Pilloud
4ce17f893a Change bool style
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 10:27:35 -08:00
Andrew Pilloud
2bb4191047 Move seccomp enabled check into seccomp package
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-22 09:32:12 -08:00
Andrew Pilloud
44e7e88ff3 Run without seccomp support
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-21 16:47:03 -08:00
Mrunal Patel
424fc8d0d6 Merge pull request #366 from apilloud/fix_ignore
Make ignore patterns absolute
2017-02-21 13:22:15 -08:00
Andrew Pilloud
0fb74ae661 sort .gitignore
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-21 11:49:28 -08:00
Andrew Pilloud
f74145cc4c Make ignore paths absolute
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-02-21 11:49:21 -08:00
Aleksa Sarai
7d56dae492
merge branch 'pr-364'
Closes #364
LGTMs: @cyphar @mikebrow
2017-02-21 08:28:21 +11:00
Antonio Murdaca
b041c716e7
.travis.yml: add go1.8
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-02-20 18:32:21 +01:00
Mrunal Patel
48426e3ebc Merge pull request #336 from cyphar/revert-goinstall-build
make: revert switch to 'go install'
2017-02-16 09:35:39 -08:00
Aleksa Sarai
0d7147ff5c
make: revert switch to 'go install'
go install acts incredibly weirdly and rarely does what you want, not to
mention that it's just bad for distribution build setups. Switch back to
go build, which works properly and doesn't have half as many issues.

Fixes: 6c9628cdb1 ("Build and install from GOPATH")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-02-17 03:22:12 +11:00
Mrunal Patel
6d76ea2fa1 Merge pull request #363 from jawnsy/travis-notifications
Travis CI notifications to Freenode #ocid
2017-02-14 09:13:40 -08:00
Jonathan Yu
3560be5d4d Travis CI notifications to Freenode #ocid
Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-02-13 21:14:09 -08:00
Antonio Murdaca
0639f06d03 Merge pull request #362 from nalind/nameasdigest
Don't try to parse an image ID a second time
2017-02-08 17:36:29 +01:00