Commit graph

115 commits

Author SHA1 Message Date
Mrunal Patel
50baca10e9 Add crio annotations to container endpoint
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-09-25 11:59:40 -07:00
Antonio Murdaca
e26e48ec87
server: add inspect unit test
The inspect endpoint is used mainly in the CRI-O cAdvisor handler.
Let's make sure we don't break it by adding some trivial unit tests.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-17 10:19:29 +02:00
Dan Williams
0df30c5319 server: port to github.com/cri-o/ocicni; remove pkg/ocicni
Signed-off-by: Dan Williams <dcbw@redhat.com>
2017-09-06 16:07:50 -05:00
Antonio Murdaca
a51bc9753f
oci: add a note about crio-conmon- sub-cgroup with cgroupfs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 17:14:53 +02:00
Antonio Murdaca
69fc590fc3
server: inspect: add log path and mount point for cadvisor
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-31 17:49:07 +02:00
Antonio Murdaca
f51ca87857
*: constify cgroups stuff
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-30 01:10:39 +02:00
Antonio Murdaca
c199f63dba
oci: join crio-conmon for cgroupfs
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 23:00:02 +02:00
Antonio Murdaca
c2a4fc740f
oci: wait a while for exit file to show up
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-29 11:25:51 +02:00
Antonio Murdaca
d56bf090ce
*: update kube vendor to v1.7.4
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-22 17:32:14 +02:00
Mrunal Patel
959aab4fd5 Merge pull request #766 from mrunalp/ctr_status_fixes
Container status fixes
2017-08-18 07:39:56 -07:00
Mrunal Patel
37edc50c1d oci: Check if process exists before trying to kill it
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-17 19:42:50 -07:00
Mrunal Patel
5ab6ec3046 oci: Add volumes field to Container
We add a ContainerVolume struct and store a list of volumes
in the Container object for quick retrieval.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Mrunal Patel
bfcebcdb00 Store imageName and imageRef for containers
We calculate these values at container creation time and store
them in the container object as they are requested during container
status. This avoids re-calculation and speeds up container status.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-08-17 09:01:07 -07:00
Ryan Cole
1eb21f8e15 implement kpod rename
rename a container

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-08-17 09:00:41 -04:00
Mrunal Patel
30ded83096 Add inotify watcher for container exits
This allows the container list API to return updated status
for exited container without having to call container status first.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-08-13 08:01:48 -07:00
Daniel J Walsh
63a218a458 Move to new github.com/sirupsen/logrus.
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus

Also vendor in latest containers/storage and containers/image

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-08-07 11:50:04 -04:00
Antonio Murdaca
c24daefd3e
oci: fix build condition
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-08-03 20:20:38 +02:00
Ryan Cole
0d4305a261 Implement kpod inspect
kpod inspect allows the user to view low-level information about
containers and images

Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-21 08:11:27 -04:00
Ryan Cole
f3efb850b7 Remove ImageSpec dependency from server
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-17 16:21:56 -04:00
Antonio Murdaca
47ea873253
oci: fix type mismatch on some platform/arch
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-07-17 15:31:19 +02:00
Matthew Heon
a3c95bf903 Change opLock mutex for containers to sync.Locker
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-07-14 17:09:08 -04:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
67504a02d5 oci: Use container ID as ID instead of container name
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-24 08:31:41 -07:00
Alexander Larsson
81cb788004 conmon: Clean up execsync
This moves the timeout handling from the go code to conmon, whic
removes some of the complexity from criod, and additionally it will
makes it possible to do the double-fork in the exec case too.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-21 21:03:17 +02:00
Mrunal Patel
88037b143b Merge pull request #583 from alexlarsson/conmon-reap-zombies
conmon: Don't leave zombies and fix cgroup race
2017-06-20 07:53:52 -07:00
Alexander Larsson
72686c78b4 fixup! conmon: Don't leave zombies and fix cgroup race
Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-20 12:18:07 +02:00
Mrunal Patel
2b8e3a0d0f Merge pull request #602 from runcom/busy-loop
oci: remove busy loop
2017-06-15 10:29:33 -07:00
Alexander Larsson
af4fbcd942 conmon: Don't leave zombies and fix cgroup race
Currently, when creating containers we never call Wait on the
conmon exec.Command, which means that the child hangs around
forever as a zombie after it dies.

However, instead of doing this waitpid() in the parent we instead
do a double-fork in conmon, to daemonize it. That makes a lot of
sense, as conmon really is not tied to the launcher, but needs
to outlive it if e.g. the cri-o daemon restarts.

However, this makes even more obvious a race condition which we
already have. When crio-d puts the conmon pid in a cgroup there
is a race where conmon could already have spawned a child, and
it would then not be part of the cgroup. In order to fix this
we add another synchronization pipe to conmon, which we block
on before we create any children. The parent then makes sure the
pid is in the cgroup before letting it continue.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-15 14:20:40 +02:00
Antonio Murdaca
9e6359b6f7
oci: remove busy loop
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-15 12:22:32 +02:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Mrunal Patel
7b9032bac7 Merge pull request #579 from alexlarsson/non-terminal-attach
Implement non-terminal attach
2017-06-14 21:45:44 -07:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Mrunal Patel
62c9caeb83 oci: Add debugs for container create failures
This makes it easier to debug container creation failures
by looking at cri-o logs.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-14 07:33:07 -07:00
Antonio Murdaca
0b2f6b5354
adjust status on container start failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:48:50 +02:00
Mrunal Patel
065f12490c conmon: Add unix domain socket for attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Antonio Murdaca
88fb9094d0
oci: do not error out on runtime state failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:17 +02:00
Antonio Murdaca
b4f1cee2a2
server: store and use image's stop signal to stop containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-27 10:21:04 +02:00
Antonio Murdaca
b4251aebd8
execsync: rewrite to fix a bug in conmon
conmon has many flags that are parsed when it's executed, one of them
is "-c". During PR #510 where we vendor latest kube master code,
upstream has changed a test to call a "ctr execsync" with a command of
"sh -c commmand ...".
Turns out:

a) conmon has a "-c" flag which refers to the container name/id
b) the exec command has a "-c" flags but it's for "sh"

That leads to conmon parsing the second "-c" flags from the exec
command causing an error. The executed command looks like:

conmon -c [..other flags..] CONTAINERID -e sh -c echo hello world

This patch rewrites the exec sync code to not pass down to conmon the
exec command via command line. Rather, we're now creating an OCI runtime
process spec in a temp file, pass _the path_ down to conmon, and have
runc exec the command using "runc exec --process
/path/to/process-spec.json CONTAINERID". This is far better in which we
don't need to bother anymore about conflicts with flags in conmon.

Added and fixed some tests also.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-25 22:36:33 +02:00
Mrunal Patel
ea9a90abce Set Container Status Reason when OOM Killed
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-25 11:30:58 -07:00
Antonio Murdaca
4a8debe6c5
oci: do not serialize empty fields on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:51 +02:00
Antonio Murdaca
6622feb480
server: still update status on container not found in runc
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:51 +02:00
Antonio Murdaca
358dac96d4
server: ignore runc not exist errors
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
a41ca975c1
server: restore containers state from disk on startup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
da0b8a6157
server: store containers state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
2ddc062bbe
oci: ignore non existing containers on delete
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:45 +02:00
Antonio Murdaca
fbc5e49a60
oci: save container's finished time
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:55 +02:00
Antonio Murdaca
790c6d891a
server: store creation in containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
1f4a4742cb
oci: add container directory to Container struct
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
1ca660e3b7 Merge pull request #512 from runcom/stop-timeout
server: honor container stop timeout from CRI
2017-05-16 10:06:47 +02:00
Antonio Murdaca
b3683ab184
server: honor container stop timeout from CRI
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-15 22:56:31 +02:00