Commit graph

1919 commits

Author SHA1 Message Date
Samuel Ortiz
ad6ac9391c
sandbox: Force netns unmount and removal when restoring
ns.Close() will not remove and unmount the networking namespace
if it's not currently marked as mounted.
When we restore a sandbox, we generate the sandbox netns from
ns.GetNS() which does not mark the sandbox as mounted.

There currently is a PR open to fix that in the ns package:
https://github.com/containernetworking/cni/pull/342

but meanwhile this patch fixes a netns leak when restoring a pod.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-14 19:47:05 +01:00
Mrunal Patel
4f21dc6492 Merge pull request #275 from runcom/pod-run
cmd/client: move pod create to pod run
2016-12-14 10:37:56 -08:00
Antonio Murdaca
e1054cf28e
cmd/client: move pod create to pod run
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 18:15:37 +01:00
Pengfei Ni
7b0c76219c Merge pull request #272 from runcom/remove-reaper
server: remove reaper, let runc take care of reaping
2016-12-14 22:38:03 +08:00
Antonio Murdaca
d2f6a4c0e2
server: remove reaper, let runc take care of reaping
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 12:15:20 +01:00
Mrunal Patel
4cb5af00f6 Merge pull request #262 from runcom/fix-commands
Read command from ContainerCreateRequest
2016-12-13 10:13:38 -08:00
Mrunal Patel
18d23bc1ee Merge pull request #265 from runcom/setup-cni
README.md: add CNI setup
2016-12-13 08:34:54 -08:00
Antonio Murdaca
f99c0a089c
Read command from ContainerCreateRequest
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-13 16:59:16 +01:00
Antonio Murdaca
a4f5c3a8c4
README.md: add CNI setup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-13 16:23:24 +01:00
Antonio Murdaca
4bb0830c37 Merge pull request #239 from xlgao-zju/reload-apparmor-profile
reload default apparmor profile if it is unloaded
2016-12-13 11:10:26 +01:00
Mrunal Patel
bd585c2fca Merge pull request #237 from sameo/topic/sandbox_netns
Enable networking for hypervisor based container runtimes
2016-12-12 16:18:05 -08:00
Samuel Ortiz
0df8200e12
sandbox: Create a symbolic link to the networking namespace
In order to workaround a bug introduced with runc commit bc84f833,
we create a symbolic link to our permanent networking namespace so
that runC realizes that this is not the host namespace.

Although this bug is now fixed upstream (See commit f33de5ab4), this
patch works with pre-rc3 runC versions.
We may want to revert that patch once runC 1.0.0 is released.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
a9724c2c9c
sandbox: Fix gocyclo complexity
With the networking namespace code added, we were reaching a
gocyclo complexity of 52. By moving the container creation and
starting code path out, we're back to reasonable levels.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
482eb460d6
sandbox: Setup networking namespace before sandbox creation
In order for hypervisor based container runtimes to be able to
fully prepare their pod virtual machines networking interfaces,
this patch sets the pod networking namespace before creating the
sandbox container.

Once the sandbox networking namespace is prepared, the runtime
can scan the networking namespace interfaces and build the pod VM
matching interfaces (typically TAP interfaces) at pod sandbox
creation time. Not doing so means those runtimes would have to
rely on all hypervisors to support networking interfaces hotplug.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persistent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persistent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
be3ed3bcbc
vendor: Add CNI ns package
We will need it for our persistent networking
namespace work.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Mrunal Patel
05b10c27ca Merge pull request #261 from sameo/topic/annotations
container: Store annotations under ocid/annotations
2016-12-12 10:43:26 -08:00
Samuel Ortiz
70ede1a5fe
container: Store annotations under ocid/annotations
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:16:05 +01:00
Mrunal Patel
1291b13125 Merge pull request #259 from runcom/fix-pod-with-restart=Always
store annotations and image for a container
2016-12-12 07:38:16 -08:00
Antonio Murdaca
430297dd81
store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Mrunal Patel
5142b8a4d7 Merge pull request #258 from runcom/fix-logrus-2
server: fix calls to logrus again
2016-12-11 10:00:15 -08:00
Antonio Murdaca
5a1605bad5
server: fix calls to logrus again
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-11 18:29:59 +01:00
Mrunal Patel
80ccc3a455 Merge pull request #256 from runcom/err-warnf-format
server: fix call to logrus.Warnf
2016-12-10 16:11:30 -08:00
Antonio Murdaca
67055e20bc
server: fix call to logrus.Warnf
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-10 19:21:52 +01:00
Antonio Murdaca
a27a41431e Merge pull request #253 from mrunalp/fix_selinux_shm
Remove unnecessary check for mount label for /dev/shm
2016-12-10 14:18:07 +01:00
Mrunal Patel
378d8d4415 Merge pull request #254 from vbatts/error_passthrough
oci: pass through error output from runc
2016-12-09 17:15:53 -08:00
9ce0a55c35
oci: pass through error output from runc
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-09 15:53:56 -05:00
Mrunal Patel
a0177ced09 Remove unnecessary check for mount label for /dev/shm
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-09 09:37:47 -08:00
Mrunal Patel
4cc510c046 Merge pull request #252 from runcom/add-tests
test: add restart ocid with pod stopped test
2016-12-09 07:04:00 -08:00
Antonio Murdaca
f22dc5244f
test: add restart ocid with pod stopped test
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-09 11:56:25 +01:00
Antonio Murdaca
d9edbe6817 Merge pull request #249 from mrunalp/dev_shm
Add support for pod /dev/shm that is shared by the pod ctrs
2016-12-09 09:46:27 +01:00
Pengfei Ni
4559e7d05f Merge pull request #250 from mrunalp/lint_fixes
Fix couple of lint issues
2016-12-09 08:44:13 +08:00
Mrunal Patel
0e1db291b6 Merge pull request #251 from sameo/topic/bats
test: Add a pod remove idempotent test
2016-12-08 16:20:41 -08:00
Mrunal Patel
7a6213c3ef Merge pull request #248 from sameo/topic/config.json
testdata: Add missing closed curly
2016-12-08 16:12:02 -08:00
Samuel Ortiz
d701009264
test: Add a pod remove idempotent test
Test if we can remove a pod several times without
generating an error.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-09 00:43:25 +01:00
Mrunal Patel
868e18614a Fix couple of lint issues
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:40:59 -08:00
Mrunal Patel
de5cc3ff0b Merge pull request #247 from vbatts/fix_test_json
testdata: fix invalid json doc
2016-12-08 15:37:15 -08:00
Mrunal Patel
be29524ba4 Add support for pod /dev/shm that is shared by the pod ctrs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Samuel Ortiz
c55d9a5da6
testdata: Add missing closed curly
Typo introduced by PR #244.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-09 00:11:16 +01:00
fd7a052023
testdata: fix invalid json doc
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-08 15:23:24 -05:00
Antonio Murdaca
cba4eed876 Merge pull request #246 from vbatts/fix_man_dest
Makefile: fix the creation of man5
2016-12-08 21:21:27 +01:00
6c7756b352
Makefile: fix the creation of man5
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-08 14:49:02 -05:00
Antonio Murdaca
2e83385a40 Merge pull request #244 from sameo/topic/config.json
testdata: sandbox ns options should be under security_context
2016-12-08 18:46:45 +01:00
Samuel Ortiz
5d8537f270
testdata: sandbox ns options should be under security_context
And not directly under linux.

Fixes #243

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-08 18:09:28 +01:00
Mrunal Patel
0fcb25cc97 Merge pull request #241 from sameo/topic/sandbox_remove
Make RemovePodSandbox idempotent
2016-12-08 07:15:25 -08:00
Samuel Ortiz
365c291f1a
server: Make RemovePodSandbox idempotent
And in particular make it not fail when removing an already removed
sandbox pod. According to the CRI spec:

  [RemovePodSandbox] is idempotent, and must not return an error if
  the sandbox has already been removed.

We now only print a warning instead of returning an error.
We still return an error when the passed pod ID is empty.

Fixes #240

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-08 10:40:14 +01:00
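The two commit messages above (the persistent networking namespace in 4cab8ed06a and the idempotent RemovePodSandbox in 365c291f1a) both hinge on the same point: kubelet may call StopPodSandbox and RemovePodSandbox more than once, so the daemon has to track its own state instead of relying on the ns package, whose Close() fails on a second call. The Go program below is an added example written for this page, not code from the ocid repository. It does not import the CNI ns package; `fakeNetNS` is a stand-in whose double-Close failure is constructed to mirror the behaviour the commit message describes, and `sandbox`, `server`, `netNsRemove`, `addSandbox` and `removePodSandbox` are hypothetical names chosen for the example. No real mount or unmount is performed.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"sync"
)

// netNS is the subset of the CNI ns.NetNS interface the sandbox uses.
// The real package is not imported; this is a stand-in for the example.
type netNS interface {
	Path() string
	Close() error
}

// fakeNetNS models a persistent namespace under /var/run/netns.
// Constructed behaviour: like the ns package described in the commit
// message, a second Close() returns an error. Nothing is mounted.
type fakeNetNS struct {
	path   string
	closed bool
}

func (n *fakeNetNS) Path() string { return n.path }

func (n *fakeNetNS) Close() error {
	if n.closed {
		return fmt.Errorf("netns %s already closed", n.path)
	}
	n.closed = true
	return nil
}

// sandbox records whether its netns has already been closed so that
// repeated StopPodSandbox/RemovePodSandbox calls stay error-free.
type sandbox struct {
	id          string
	netns       netNS
	netnsClosed bool
	mu          sync.Mutex
}

// netNsRemove closes the namespace once; every later call is a no-op.
func (s *sandbox) netNsRemove() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.netns == nil || s.netnsClosed {
		return nil
	}
	if err := s.netns.Close(); err != nil {
		return err
	}
	s.netnsClosed = true
	return nil
}

// server holds the sandboxes known to the daemon (hypothetical type).
type server struct {
	mu        sync.Mutex
	sandboxes map[string]*sandbox
}

func newServer() *server {
	return &server{sandboxes: make(map[string]*sandbox)}
}

// addSandbox registers a sandbox with a per-pod persistent netns path.
func (s *server) addSandbox(id string) *sandbox {
	sb := &sandbox{id: id, netns: &fakeNetNS{path: "/var/run/netns/" + id}}
	s.mu.Lock()
	s.sandboxes[id] = sb
	s.mu.Unlock()
	return sb
}

// removePodSandbox follows the CRI text quoted in the commit message:
// an empty ID is still an error, an unknown ID only logs a warning,
// and repeating the call for an already removed pod succeeds.
func (s *server) removePodSandbox(id string) error {
	if id == "" {
		return errors.New("PodSandboxId should not be empty")
	}
	s.mu.Lock()
	sb, ok := s.sandboxes[id]
	s.mu.Unlock()
	if !ok {
		log.Printf("warning: could not get sandbox %s, it's probably been removed already", id)
		return nil
	}
	if err := sb.netNsRemove(); err != nil {
		return fmt.Errorf("failed to remove netns for sandbox %s: %v", id, err)
	}
	s.mu.Lock()
	delete(s.sandboxes, id)
	s.mu.Unlock()
	return nil
}

func main() {
	srv := newServer()
	sb := srv.addSandbox("pod1")
	// Stop, then remove, twice each: none of these calls may fail.
	for i := 0; i < 2; i++ {
		if err := sb.netNsRemove(); err != nil {
			log.Fatal(err)
		}
		if err := srv.removePodSandbox("pod1"); err != nil {
			log.Fatal(err)
		}
	}
	fmt.Println("stop/remove repeated without error")
}
```

The check that matters is the `netnsClosed` flag in `netNsRemove`: without it, the second stop or remove would reach `Close()` on an already closed namespace and surface the ns package error to kubelet, which is exactly what the two commits avoid.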
Xianglin Gao
6977b3e88d move duplicated consts to apparmor_common.go
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:46:38 +08:00
Xianglin Gao
cb5ed1ce9d reload default apparmor profile if it is unloaded
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Mrunal Patel
8547c0dbd9 Merge pull request #236 from runcom/check-netns-on-stop
server: check netns path on pod stop
2016-12-06 10:06:46 -08:00