Commit graph

174 commits

Author SHA1 Message Date
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Xianglin Gao
6977b3e88d move duplicated consts to apparmor_common.go
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:46:38 +08:00
Xianglin Gao
cb5ed1ce9d reload default apparmor profile if it is unloaded
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Mrunal Patel
8547c0dbd9 Merge pull request #236 from runcom/check-netns-on-stop
server: check netns path on pod stop
2016-12-06 10:06:46 -08:00
Mrunal Patel
a4021ba179 Merge pull request #235 from runcom/fix-state
server: sync ctr state before checking it
2016-12-06 09:42:43 -08:00
Antonio Murdaca
46dc2b4347
server: check netns path on pod stop
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 15:36:05 +01:00
Antonio Murdaca
1b2d4f3d60
server: sync ctr state before checking it
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:39:38 +01:00
Antonio Murdaca
f2b4fda554
server: fix ctr filter by truncated id
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:16:34 +01:00
Antonio Murdaca
e7492ca12f
server: fix pod filter by truncated id
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:16:30 +01:00
Xianglin Gao
4f323377ee add apparmor build tag and update readme
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-06 11:51:15 +08:00
Xianglin Gao
06cc0ba6ba Add docs about apparmor profile setting
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
1f863846f5 add default apparmor profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
71b80591e3 support apparmor
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Antonio Murdaca
0e4af6d69d
*: add seccomp buildtag
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-29 17:01:45 +01:00
Samuel Ortiz
60123a77ce server: Export more container metadata for VM containers
VM base container runtimes (e.g. Clear Containers) will run each pod
in a VM and will create containers within that pod VM. Unfortunately
those runtimes will get called by ocid with the same commands
(create and start) for both the pause containers and subsequent
containers to be added to the pod namespace. Unless they work around
that by e.g. infering that a container which rootfs is under
"/pause" would represent a pod, they have no way to decide if they
need to create/start a VM or if they need to add a container to an
already running VM pod.

This patch tries to formalize this difference through pod
annotations. When starting a container or a sandbox, we now add 2
annotations for the container type (Infrastructure or not) and the
sandbox name. This will allow VM based container runtimes to handle
2 things:

- Decide if they need to create a pod VM or not.
- Keep track of which pod ID runs in a given VM, so that they
  know to which sandbox they have to add containers.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-11-29 10:24:33 +01:00
Antonio Murdaca
78ee03a8fc
add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Mrunal Patel
b6f1b027eb Merge pull request #213 from runcom/bump-runtime-tools
*: bump opencontainers/runtime-tools
2016-11-24 08:29:43 -08:00
Mrunal Patel
d12c4b68ac Merge pull request #212 from runcom/execsync-fix
execsync: return proper error description
2016-11-24 08:28:45 -08:00
Antonio Murdaca
70481bc5af
*: bump opencontainers/runtime-tools
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:26:18 +01:00
Antonio Murdaca
cbe2a68ce5
execsync: return proper error description
The gprc execsync client call doesn't populate `ExecSyncResponse` on
error at all. You just get an error.
This patch modifies the code to include command's streams, exit code
and error direcly into the error. `ocic` will then print useful
infomation in the cli, otherwise it won't.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:11:04 +01:00
HaoZhang
d1e1b7c183 pass sysctls down to oci runtime
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-11-24 16:29:37 +08:00
Antonio Murdaca
ebe2ea0dba
server: split sandboxes actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 23:23:01 +01:00
Antonio Murdaca
4447207cf1
server: split images actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 23:05:37 +01:00
Antonio Murdaca
61bb04c87c
server: split containers actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 18:38:05 +01:00
Antonio Murdaca
5c94544fb8 Merge pull request #203 from mrunalp/exec_sync
Exec sync
2016-11-21 23:22:20 +01:00
Mrunal Patel
78ecdcd298 Add support for timeout
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-21 13:16:32 -08:00
Jacek J. Łakis
0289858d21 Add runtime status commpliant with CRI
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2016-11-21 10:19:03 +01:00
Mrunal Patel
52e789c44b Add server implementation for exec sync
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-17 16:41:44 -08:00
Mrunal Patel
b62a150151 Update to the latest upstream API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-16 17:20:37 -08:00
Jacek J. Łakis
85f7ebfb48 version: Fix parsing for gRPC version
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2016-11-15 09:26:11 +01:00
Pengfei Ni
bbfcf62a0f Set timestamps to nanosecond.
CRI requires all timestamps in nanosends instead of seconds.

Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2016-11-14 14:26:06 +08:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Mrunal Patel
5d62a9fbb9 Merge pull request #179 from Crazykev/add-metadata
Return pod metadata in container list and status APIs
2016-11-04 10:00:58 -06:00
Nalin Dahyabhai
ec1bc4d6a8 Handle PodSandboxConfig.DNSConfig.Options
DNSConfig can pass "options" settings in now, so add them to the
resolv.conf that we're generating, too.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-11-03 11:57:25 -04:00
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Crazykev
54a022defb restore pod annotations when restart ocid
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-01 13:49:21 +08:00
Aleksa Sarai
96c0966ce9
server: make logDir configurable
While logDir isn't currently used (until the conmon implementation
lands) it's probably not a great idea to hardcode our defaults. The main
issue with this setting is that the kubelet can override it at will.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Aleksa Sarai
33f47d6a6b
server: make ImageStore configurable
It's a bit odd to have ImageStore be part of the config and yet we don't
allow people to modify it. However, leave it out of the commented
version because it's currently unused.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
7b60703634 Add logging for all container/sandbox responses
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-28 11:35:14 -04:00
Mrunal Patel
c89157e45c Merge pull request #176 from gao-feng/hidden-infra-container
store infra container in sandbox
2016-10-25 03:25:17 +00:00
Gao feng
78528d9bd1 store infra container in sandbox
infra container is used to implement the pod
sandbox, it should not be exported to user.

this patch stores infra container in sandbox
immediately, only the containers created by user
are stored into container store, this prevents user
from removing/stopping infra container incorrectly.

Signed-off-by: Gao feng <omarapazanadi@gmail.com>
2016-10-24 20:18:19 +08:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Antonio Murdaca
af55785b53 Merge pull request #167 from mrunalp/update_api
Update to latest version of kubernetes CRI API
2016-10-22 09:17:59 +02:00
Mrunal Patel
7f726b704a Add more debugs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:14:22 -04:00
Mrunal Patel
b117dd863c Update to latest version of kubernetes CRI API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:06:30 -04:00
Antonio Murdaca
5290ca593a Merge pull request #166 from mrunalp/image_no_nil
Make image APIs return empty struct instead of nil
2016-10-21 08:10:09 +02:00
Mrunal Patel
cc9ce68463 Make image APIs return empty struct instead of nil
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-20 16:13:41 -04:00
Mrunal Patel
0b76a65033 Set the version to what kubelet expects
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-20 14:51:38 -04:00
Mrunal Patel
4a7ea899b0 Don't share container UTS namespace with pod
kubernetes doesn't share the UTS namespace

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-18 14:17:57 -07:00