Commit graph

55 commits

Author SHA1 Message Date
YaoZengzeng
3b7d815af1 add timeout when wait to get container pid from conmon
Signed-off-by: Yao Zengzeng <yaozengzeng@zju.edu.cn>
2017-03-20 21:49:30 +08:00
Mrunal Patel
8c0ff7d904 Run conmon under cgroups (systemd)
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-06 15:08:46 -08:00
Samuel Ortiz
2ec696be41 server: Set sandbox and container privileged flags
The sandbox privileged flag is set to true only if either the
pod configuration privileged flag is set to true or when any
of the pod namespaces are the host ones.

A container inherit its privileged flag from its sandbox, and
will be run by the privileged runtime only if it's set to true.
In other words, the privileged runtime (when defined) will be
when one of the below conditions is true:

- The sandbox will be asked to run at least one privileged container.
- The sandbox requires access to either the host IPC or networking
  namespaces.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 19:06:04 +01:00
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Mrunal Patel
8e5b17cf13 Switch to github.com/golang/dep for vendoring
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-31 16:45:59 -08:00
Nalin Dahyabhai
c0333b102b Integrate containers/storage
Use containers/storage to store images, pod sandboxes, and containers.
A pod sandbox's infrastructure container has the same ID as the pod to
which it belongs, and all containers also keep track of their pod's ID.

The container configuration that we build using the data in a
CreateContainerRequest is stored in the container's ContainerDirectory
and ContainerRunDirectory.

We catch SIGTERM and SIGINT, and when we receive either, we gracefully
exit the grpc loop.  If we also think that there aren't any container
filesystems in use, we attempt to do a clean shutdown of the storage
driver.

The test harness now waits for ocid to exit before attempting to delete
the storage root directory.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Samuel Ortiz
4c7583b467
oci: Do not call the container runtime from ExecSync
Some OCI container runtimes (in particular the hypervisor
based ones) will typically create a shim process between
the hypervisor and the runtime caller, in order to not
rely on the hypervisor process for e.g. forwarding the
output streams or getting a command exit code.

When executing a command inside a running container those
runtimes will create that shim process and terminate.
Therefore calling and monitoring them directly from
ExecSync() will fail. Instead we need to have a subreaper
calling the runtime and monitoring the shim process.
This change uses conmon as the subreaper from ExecSync(),
monitors the shim process and read the exec'ed command
exit code from the synchronization pipe.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-01-14 02:02:43 +01:00
Samuel Ortiz
9a4a1092fe
conmon: Return the exit status code
waitpid fills its second argument with a value that
contains the process exit code in the 8 least significant
bits. Instead of returning the complete value and then
convert it from ocid, return the exit status directly
by using WEXITSTATUS from conmon.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-01-14 02:00:45 +01:00
Xianglin Gao
ab4a408b66 fix typo to make go report more happy
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2017-01-04 14:24:11 +08:00
Aleksa Sarai
da975261e7
oci: fix runc kill usage
In later versions of runC, `runc kill` *requires* the signal parameter
to know what signal needs to be sent.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-12-31 17:01:19 +11:00
Mrunal Patel
6df58df215 Add support for systemd cgroups
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 16:31:29 -08:00
Mrunal Patel
5eab56e002 Pass cgroup manager to oci runtime manager
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-19 15:05:32 -08:00
Mrunal Patel
2800b83f2f Add operation lock for containers
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-14 10:54:42 -08:00
Antonio Murdaca
d2f6a4c0e2
server: remove reaper, let runc take care of reaping
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-14 12:15:20 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persitent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persitent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Antonio Murdaca
430297dd81
store annotations and image for a container
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
9ce0a55c35
oci: pass through error output from runc
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-09 15:53:56 -05:00
Antonio Murdaca
cbe2a68ce5
execsync: return proper error description
The gprc execsync client call doesn't populate `ExecSyncResponse` on
error at all. You just get an error.
This patch modifies the code to include command's streams, exit code
and error direcly into the error. `ocic` will then print useful
infomation in the cli, otherwise it won't.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:11:04 +01:00
Antonio Murdaca
5c94544fb8 Merge pull request #203 from mrunalp/exec_sync
Exec sync
2016-11-21 23:22:20 +01:00
Mrunal Patel
78ecdcd298 Add support for timeout
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-21 13:16:32 -08:00
Jacek J. Łakis
0289858d21 Add runtime status commpliant with CRI
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2016-11-21 10:19:03 +01:00
Mrunal Patel
b12a508e4e Add method to exec a command sync in a container
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-17 16:40:52 -08:00
Samuel Ortiz
5bbef5fc88 oci: Pass the bundle and pid file paths to conmon
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-11-15 14:11:47 +01:00
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
HaoZhang
9c11cc7dba make conmon inherit env from ocid
Signed-off-by: HaoZhang <crazykev@zju.edu.cn>
2016-10-23 19:22:27 +08:00
Mrunal Patel
97d1916772 Revert "oci: cast timestamp to int64"
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 14:31:12 -04:00
Aleksa Sarai
8ace3647fa
oci: cast timestamp to int64
Found while trying to package ocid for openSUSE.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-21 22:18:51 +11:00
Mrunal Patel
50cc7ce940 Use Set instead of map[string]string for container labels
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-13 15:45:41 -07:00
Mrunal Patel
77afd34a27 Container state fixes
Move Container State constants to oci package
and fixup where strings were used instead of
the status constants

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:16:21 -07:00
Mrunal Patel
0482a4281a Separate container IDs from container names
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:57:12 -07:00
Mrunal Patel
b2c383892c Add id field to container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 14:17:15 -07:00
Dan Walsh
f51c98b057 Install conmon in /usr/libexec/ocid/conmon
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-09-29 08:55:12 -04:00
Mrunal Patel
89c051f81f Make sure that the container stops when StopContainer API is called
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-27 11:46:05 -07:00
Mrunal Patel
4606f2a61a Fix the build for ocid to cri-o rename
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-26 16:55:12 -07:00
Antonio Murdaca
32029aaba6
id and name indexes for pods
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-22 18:17:45 +02:00
Mrunal Patel
17b6f3b64c Convert status to exit code
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-19 12:25:13 -07:00
Antonio Murdaca
22d434c1e6
restructure and make lint
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 19:56:13 +02:00
Antonio Murdaca
35ef46f805
use an in memory store for containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-19 13:11:36 +02:00
Antonio Murdaca
4a4897bbfe
conmon: use runtime path from ocid
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-17 11:37:45 +02:00
Mrunal Patel
f7f02009c2 Report exit code and finish time on container status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-16 16:33:33 -07:00
Mrunal Patel
02236bbda0 Integrate conmon into ocid
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-15 16:40:44 -07:00
Mrunal Patel
6e05f772ed Add a property to track whether a container needs terminal
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-15 15:01:39 -07:00
Mrunal Patel
1f01486600 Add lock around container state access
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-13 13:58:25 -07:00
Mrunal Patel
0741159ce8 Set the started time for a container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-12 15:43:11 -07:00
Mrunal Patel
bbe5325afc Fix the build to account for the change in repository
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:48:39 -07:00
Mrunal Patel
c53b8c8afe Add API to get container network namespace path
We need this for networking integration.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
9cb0813d1e Server changes for supporting pod status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Rajat Chopra
56df8bb639 sandboxDir not needed in runtime
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
6852c44130 Add methods for updating and getting the container status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00
Mrunal Patel
2513ac2523 Add helper for deleting a container
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-09 14:41:03 -07:00