Commit graph

488 commits

Author SHA1 Message Date
Tobias Klauser
92a51af7ba seccomp: use Prctl() from x/sys/unix
Use unix.Prctl() instead of manually reimplementing it using
unix.RawSyscall. Also use unix.SECCOMP_MODE_FILTER instead of locally
defining it.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-18 15:34:23 +02:00
Ryan Cole
f3efb850b7 Remove ImageSpec dependency from server
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
2017-07-17 16:21:56 -04:00
Antonio Murdaca
73c5285260 Merge pull request from mheon/lock_to_interface
Replace sync.Mutex with sync.Locker to allow different locks
2017-07-15 10:48:12 +02:00
Mrunal Patel
d02828e8a6 Support ImageVolumesBind when container is created
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-07-14 16:51:52 -07:00
Mrunal Patel
7443263bd6 Add config for ImageVolumesBind option
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-07-14 15:31:50 -07:00
Matthew Heon
4086f2bc37 Replace sync.Mutex with sync.Locker to allow different locks
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-07-14 16:27:12 -04:00
Antonio Murdaca
17584facf0 Merge pull request from mrunalp/pids_limit
Pids limit
2017-07-12 12:39:54 +02:00
Antonio Murdaca
f7206aa86d Merge pull request from mrunalp/rename_to_crio
Rename remnants of ocid to crio
2017-07-12 12:38:28 +02:00
Tobias Klauser
822172a892 all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-07-12 08:18:55 +02:00
Mrunal Patel
ed9d49f247 container: Add cgroup mount for introspection
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 19:17:48 -07:00
Mrunal Patel
6b543be50b Rename remnants of ocid to crio
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 16:19:18 -07:00
Mrunal Patel
e49dd34657 Add support for container pids limit
We add a daemon level setting and will add a container
override once it is supported in CRI.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-11 14:59:52 -07:00
Mrunal Patel
d40883d88c container: Use ImageVolumes setting at container creation
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-10 13:46:14 -07:00
Mrunal Patel
dc55fd2f14 config: Add ImageVolumes configuration setting
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-07-10 13:46:14 -07:00
Andrew Pilloud
1a01ca7251 server: inherit rlimits from server
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-07-03 14:49:34 -07:00
Antonio Murdaca
f3f8b67b76 Merge pull request from mrunalp/pod_infra_oom
sandbox: Adjust OOM score of infra container to a low value
2017-06-26 18:38:50 +02:00
Antonio Murdaca
d1850d9993 Merge pull request from mrunalp/oci_id
oci: Use container ID as ID instead of container name
2017-06-25 13:14:26 +02:00
Mrunal Patel
510d7d97d4 Merge pull request from apilloud/hostport
server: Add support for hostPorts
2017-06-24 10:28:28 -07:00
Mrunal Patel
67504a02d5 oci: Use container ID as ID instead of container name
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-24 08:31:41 -07:00
Mrunal Patel
975347b874 container: Add containerID to annotations for the container
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-23 09:31:13 -07:00
Mrunal Patel
cb4c566fac sandbox: Adjust OOM score of infra container to a low value
This matches the current kube behavior. This will probably
be provided over the CRI at which point we won't have to
define a constant in cri-o code.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-23 09:24:53 -07:00
Andrew Pilloud
17359e34a6 server: init iptables without kube
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-06-22 08:51:50 -07:00
Andrew Pilloud
28cd8bde49 server: Hookup kubelet hostport
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-06-22 08:51:50 -07:00
Antonio Murdaca
6035cff9e4
server: standardize on naming
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-22 11:55:03 +02:00
Antonio Murdaca
94a457d46a
sandbox_run: need to stop sandbox before removing it on conflict
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-18 11:42:07 +02:00
Mrunal Patel
bd40bbc30b Add missing error checks and simplify bool check
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-16 15:49:16 -07:00
Mrunal Patel
784d03809e Merge pull request from runcom/fix-mounts-leak
server: adhere to CRI for sandbox stop/remove
2017-06-16 15:10:41 -07:00
Mrunal Patel
2212d34899 Merge pull request from sameo/topic/cni
sandbox_remove: Do not error out when CNI tear down fails
2017-06-15 14:23:17 -07:00
Antonio Murdaca
9f68cb4507
server: adhere to CRI for sandbox stop/remove
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-15 23:08:30 +02:00
Samuel Ortiz
4462480e54 sandbox: Check for trusted annotations
If we get a kubelet annotation about the sandbox trust level, we use it
to toggle our sandbox trust flag.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:41 +02:00
Samuel Ortiz
0e51bbb778 oci: Support mixing trusted and untrusted workloads
Container runtimes provide different levels of isolation, from kernel
namespaces to hardware virtualization. When starting a specific
container, one may want to decide which level of isolation to use
depending on how much we trust the container workload. Fully verified
and signed containers may not need the hardware isolation layer but e.g.
CI jobs pulling packages from many untrusted sources should probably not
run only on a kernel namespace isolation layer.

Here we allow CRI-O users to define a container runtime for trusted
containers and another one for untrusted containers, and also to define
a general, default trust level. This anticipates future kubelet
implementations that would be able to tag containers as trusted or
untrusted. When missing a kubelet hint, containers are trusted by
default.

A container becomes untrusted if we get a hint in that direction from
kubelet or if the default trust level is set to "untrusted" and the
container is not privileged. In both cases CRI-O will try to use the
untrusted container runtime. For any other cases, it will switch to the
trusted one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-15 10:04:36 +02:00
Mrunal Patel
7b9032bac7 Merge pull request from alexlarsson/non-terminal-attach
Implement non-terminal attach
2017-06-14 21:45:44 -07:00
Alexander Larsson
7bb957bf75 Implement non-terminal attach
We use a SOCK_SEQPACKET socket for the attach unix domain socket, which
means the kernel will ensure that the reading side only ever get the
data from one write operation. We use this for frameing, where the
first byte is the pipe that the next bytes are for. We have to make sure
that all reads from the socket are using at least the same size of buffer
as the write side, because otherwise the extra data in the message
will be dropped.

This also adds a stdin pipe for the container, similar to the ones we
use for stdout/err, because we need a way for an attached client
to write to stdin, even if not using a tty.

This fixes https://github.com/kubernetes-incubator/cri-o/issues/569

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2017-06-14 22:59:50 +02:00
Antonio Murdaca
0dfec710f2
container_create: net files must be ro when rootfs is ro
we were blindly applying RO mount options but net addons like calico
modify those files.
This patch sets RO only when container's rootfs is RO, same behavior as
docker.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:34 +02:00
Antonio Murdaca
d2e1d559b7
container_create: just mkdir on image's volumes
tmpfs'es can override whatever there's on the container rootfs. We just
mkdir the volume as we're confident kube manages volumes in container.
We don't need any tmpfs nor any complex volume handling for now.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-14 15:31:31 +02:00
Samuel Ortiz
53ee423192 sandbox_remove: Do not error out when CNI tear down fails
We don't want to have lingering pods because of CNI failures.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-14 14:58:10 +02:00
Andrew Pilloud
c77b5fbea8 Add stream-address and stream-port flags to crio
Signed-off-by: Andrew Pilloud <andrewpilloud@igneoussystems.com>
2017-06-12 16:12:36 -07:00
Mrunal Patel
2a6db15113 Merge pull request from runcom/start-failed
adjust status on container start failure
2017-06-12 07:26:22 -07:00
Antonio Murdaca
b211061016
copy using bytes pools
Vendor and use docker/pkg/pools.
pools are used to lower the number of memory allocations and reuse buffers when
processing large streams operations..

The use of pools.Copy avoids io.Copy's internal buffer allocation.
This commit replaces io.Copy with pools.Copy to avoid the allocation of
buffers in io.Copy.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:53:23 +02:00
Antonio Murdaca
0b2f6b5354
adjust status on container start failure
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-12 12:48:50 +02:00
Mrunal Patel
b8130b6852 Merge pull request from runcom/fix-logrus
sandbox_status: Infof->Debugf response
2017-06-09 14:18:00 -07:00
Antonio Murdaca
cfec2c4cf4
sandbox_run: correct a defer
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 13:57:45 +02:00
Antonio Murdaca
e28540ca90
sandbox_status: Infof->Debugf response
This was cluttering the logs on my clusters. The log should be just in
debug mode as we do for every request/response flow.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 13:04:33 +02:00
Antonio Murdaca
8b53fabcbd
*: support insecure registries
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-09 01:04:29 +02:00
Mrunal Patel
8441dca284 Merge pull request from runcom/smarter-pull
image_pull: check image already pulled
2017-06-08 15:38:08 -07:00
Mrunal Patel
7cd0ab671d Merge pull request from runcom/fix-processArgs
container_create: fix OCI processArgs assemblement
2017-06-08 11:41:43 -07:00
Antonio Murdaca
3b545abf12
image_pull: check image already pulled
This is an optimization of our image pull code path. It's basically
how docker handles pulls as well. Let's be smart and check the image in
pull code path as well.
This also matches docker behavior which first checks whether we're
allowed to actually pull an image before looking into local storage.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 15:03:27 +02:00
Antonio Murdaca
65d4ac8fc2
container_create: fix OCI processArgs assemblement
This patch fixes the following command:

kubectl run -i --tty centos --image=centos -- sh

The command above use to fail with:

/usr/bin/sh: /usr/bin/sh: cannot execute binary file

That's because we were wrongly assembling the OCI processArgs.

Thanks @alexlarsson for spotting this.

This patch basically replicates what docker does when merging container
config and image config. It also replicates how docker sets processArgs
for the OCI runtime.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-08 11:48:11 +02:00
Mrunal Patel
d0486e542f Support detaching in CRI attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 20:49:54 -07:00
Mrunal Patel
8f5f7aa5e2 Add code to handle CRI attach
A goroutine is started to forward terminal resize requests
from the resize channel. Also, data is copied back/forth
between stdin, stdout, stderr streams and the attach socket
for the container.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Mrunal Patel
065f12490c conmon: Add unix domain socket for attach
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-06-06 07:36:52 -07:00
Dan Walsh
4c48e13619 Need to be consistent in out nameing of Oci.
It should always be captitalized.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-05 15:11:03 -04:00
Mrunal Patel
34357ec7a4 Merge pull request from runcom/streamserver-bindaddress
server: do not use localhost for streaming service
2017-06-03 11:01:43 -07:00
Antonio Murdaca
315c385371
server: do not use localhost for streaming service
The bug is silly if you have a master/node cluster where node is on a
different machine than the master.
The current behavior is to give our addresses like "0.0.0.0:10101". If
you run "kubectl exec ..." from another host, that's not going to work
since on a different host 0.0.0.0 resolves to localhost and kubectl
exec fails with:

error: unable to upgrade connection: 404 page not found

This patch fixes the above by giving our correct addresses for reaching
from outside.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-03 18:26:33 +02:00
Samuel Ortiz
f15859c79f pkg/annotations: Export CRI-O annotations namespace
Some runtimes like Clear Containers need to interpret the CRI-O
annotations, to distinguish the infra container from the regular one.
Here we export those annotations and use a more standard dotted
namespace for them.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-06-01 23:45:44 +02:00
Antonio Murdaca
f3650533f0
create src dir for bind mounts
match docker behavior for bind mounts

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
a28ed75e12
sandbox_run: fix name releasing on error
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
6fd1c8957c
RemovePodSandbox must be idempotent
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 17:37:20 +02:00
Antonio Murdaca
a37dd46654
*: stability fixes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-01 15:42:01 +02:00
Samuel Ortiz
e23d986cf2 container: Do not restrict path access for privileged containers
Privileged containers should see and reach all host paths.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-05-31 02:06:47 +02:00
Antonio Murdaca
089cb88f17
server: container_create: make the spec hostspecific
node-e2e tests were failing in RHEL because, if running a privileged
container, we get all capability in the spec. The spec generator wasn't
filtering caps based on actual host caps, it was just adding _everything_.
This patch makes spec generator host specific.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-30 18:30:26 +02:00
Antonio Murdaca
404194c1fd
server: add nil checks to not panic
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-29 13:16:27 +02:00
Mrunal Patel
5ed79fb5cd Merge pull request from runcom/fix-ctr-status-reasons
[e2e fix] server: correctly fill ctr termination reason
2017-05-28 18:03:54 -07:00
Antonio Murdaca
ad3a3fcd5a
server: properly format error
`containerdID` is overridden in `s.ctrIDIndex.Get()`, if the ctr is not
found it's overridden by an empty string making the error return
totally unusable.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-28 20:43:01 +02:00
Antonio Murdaca
b9336c74a3
server: correctly fill ctr termination reason
This patch fixes all port forwarding e2e tests. Those tests were
specifically looking for a termination reason to say that a given
container has finished running. CRI-O wasn't actually returning any
reason field for an exited container.

-> https://github.com/kubernetes/kubernetes/blob/master/test/e2e/portforward.go#L116
   -> https://github.com/kubernetes/kubernetes/blob/master/test/utils/conditions.go#L97

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-28 20:14:45 +02:00
Antonio Murdaca
1e9ef65345
server: fix PortForward panic
During "Port forwarding" e2e tests, the following panic happened:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x64981d]

goroutine 52788 [running]:
panic(0x1830ee0, 0xc4200100c0)
        /usr/lib/golang/src/runtime/panic.go:500 +0x1a1
github.com/kubernetes-incubator/cri-o/oci.(*Runtime).UpdateStatus(0xc4202afc00,
0x0, 0x0, 0x0)
        /home/amurdaca/go/src/github.com/kubernetes-incubator/cri-o/oci/oci.go:549
+0x7d
github.com/kubernetes-incubator/cri-o/server.streamService.PortForward(0xc42026e000,
0x0, 0x0, 0x0, 0x0, 0xc420d9af40, 0x40, 0xc400000050, 0x7fe660659a28,
0xc4201cd0e0, ...)
```

The issue is `streamService.PortForward` assumed the first argument to
be the sandbox's infra container ID, thus trying to get it from memory
store using `.state.containers.Get`. Since that ID is of the sandbox
itself, it fails to get the container object from memory and panics in
`UpdateStatus`.

Fix it by looking for the sandbox's infra container ID starting from a
sandbox ID.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-28 18:22:46 +02:00
Antonio Murdaca
b4f1cee2a2
server: store and use image's stop signal to stop containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-27 10:21:04 +02:00
Mrunal Patel
ea9a90abce Set Container Status Reason when OOM Killed
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-25 11:30:58 -07:00
Mrunal Patel
bd6e8a5a20 Merge pull request from runcom/volumes-workaround
server: workaround images with Config.Volumes
2017-05-22 10:59:44 -07:00
Antonio Murdaca
02f3828283
server: workaround images with Config.Volumes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 18:01:06 +02:00
Antonio Murdaca
5f53416611
server: sandbox_remove: add comment on sandbox not found empty response
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:38:10 +02:00
Antonio Murdaca
d099e3a988
server: container_status: we should return digested references in imageRef
currently blocked on
https://github.com/kubernetes-incubator/cri-o/issues/531

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:37:46 +02:00
Antonio Murdaca
22d055869d
server: container_status: return image name if available
If we create a container using the image ID like
771cd5947d5ea4bf8e8f4900dd357dbb67e7b16486c270f8274087d182d457c6, then
a call to container_status will return that same ID for the "Image"
field in ContainerStatusResponse.

This patch matches dockershim behavior and return the first tagged name
if available from the image store.

This is also needed to fix a failure in k8s e2d tests.

Reference:
https://github.com/kubernetes/kubernetes/pull/39298/files#diff-c7dd39479fd733354254e70845075db5R369
Reference:
67a5bf8454/test/e2e/framework/util.go (L1941)

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:37:46 +02:00
Antonio Murdaca
a0916b1044
server: sandbox_stop: ignore not found sandboxes
This patch matches dockershim behavior

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-22 16:37:39 +02:00
Antonio Murdaca
de96e54230
server: move StopAllSandboxes in sandbox_stop.go
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:52 +02:00
Antonio Murdaca
3b2e5aa5c2
add a note on server shutdown...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:52 +02:00
Antonio Murdaca
f00edc2b2d
server: do not remove but stop sandboxes on shutdown
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:52 +02:00
Antonio Murdaca
358dac96d4
server: ignore runc not exist errors
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
a41ca975c1
server: restore containers state from disk on startup
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
da0b8a6157
server: store containers state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 21:19:50 +02:00
Antonio Murdaca
790c6d891a
server: store creation in containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
1f4a4742cb
oci: add container directory to Container struct
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
3bd4811b3b
server: restore sandbox created time from disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
59e3f98b6d
server: return sandbox's own created time
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Antonio Murdaca
80a789bce3
server: store sandbox creation time
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-18 18:49:54 +02:00
Mrunal Patel
3fefcaa1dd Convert pod cgroupPath to runc format for systemd cgroup
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-05-17 17:46:53 -07:00
Mrunal Patel
d3bc6ab693 Add function to convert kube pod cgroup format to runc format
This is a slightly modified version of the function in k8s.

Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-05-17 17:45:57 -07:00
Antonio Murdaca
ecd0006e80
vendor: upgrade containers/storage
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-17 22:18:07 +02:00
Antonio Murdaca
b3683ab184
server: honor container stop timeout from CRI
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-15 22:56:31 +02:00
Mrunal Patel
7ea255fcea Merge pull request from rhatdan/rename
Rename ocid to crio
2017-05-15 11:27:28 -07:00
Dan Walsh
4493b6f176 Rename ocid to crio.
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name.  We want to elminate the name ocid from use.
Move fully to crio.

Also cric is being renamed to crioctl for the time being.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-12 09:56:06 -04:00
Antonio Murdaca
1d455a31a9
server: add RO and masked paths on container creation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-12 12:47:40 +02:00
Mrunal Patel
23cf1a6fdb Add devices to OCI config
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-09 14:37:01 -07:00
Mrunal Patel
f7e5e24a05 Add helper for adding devices to OCI spec
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-05-09 14:36:55 -07:00
Antonio Murdaca
b7ba9d058b
server: store kubeName in annotations
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-08 09:15:00 +02:00
Dan Williams
13f6e95685 sandbox: pass correct pod Namespace/Name to network plugins and fix id/name ordering
Two issues:
1) pod Namespace was always set to "", which prevents plugins from figuring out
what the actual pod is, and from getting more info about that pod from the
runtime via out-of-band mechanisms

2) the pod Name and ID arguments were switched, further preventing 

Signed-off-by: Dan Williams <dcbw@redhat.com>
2017-05-05 23:55:37 -05:00
Antonio Murdaca
139b16bac2
server: fix set caps on container create
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-05 16:31:52 +02:00
Antonio Murdaca
27510ac346 Merge pull request from mrunalp/port_forward
Add support for port forwarding
2017-04-28 01:16:45 +02:00
Antonio Murdaca
275a5a1ff2
server: remove Update calls
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-27 14:01:37 +02:00
Antonio Murdaca
5595fad535
server: do not compare pointers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-27 14:01:23 +02:00
Antonio Murdaca
f18e032714
server: do not nil sandbox's infraContainer on remove
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-27 14:01:18 +02:00
Mrunal Patel
416a3ba62e Add support for port forwarding
Reusing k8s existing implementation. This could be re-written
to do port-forwarding natively rather than relying on socat/nsenter.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-26 13:58:48 -07:00
Mrunal Patel
008dab27b1 Fix terminal resize handling so kubectl exec -i -t sh works
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-04-24 18:44:49 +02:00
Jacek J. Łakis
0ba2be0dc8 lint: fix shadowing
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:49 +02:00
Jacek J. Łakis
b4e9023102 exec: Add endpoint for streaming server
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:49 +02:00
Jacek J. Łakis
203a52487c server: Start streaming server
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:48 +02:00
Jacek J. Łakis
70a51fe7f5 server: Add streamService to server
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:48 +02:00
Jacek J. Łakis
b75b6f6e4b container: add exec command prototype
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-04-24 18:44:48 +02:00
Samuel Ortiz
3b691d085c container: Bind mount hosts file for host networking containers
Fixes 

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-22 04:04:38 +02:00
Mrunal Patel
49f3f2ac7f Merge pull request from rhatdan/images
Add kpod image and kpod rmi for the handling of container images.
2017-04-20 15:57:06 -07:00
Antonio Murdaca
339e01ba79 Merge pull request from vbatts/readable_server_fields
server: readable fields
2017-04-21 00:54:35 +02:00
f401adffa9
server: readable fields
`git grep -w images` or `git grep -w storage` needs to be more useful.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-04-20 08:22:50 -04:00
f1fd06bfc1
oci: more grep'able interface name
`git grep -wi store` is not nearly useful enough. Taking steps for
readability.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2017-04-19 16:12:59 -04:00
Daniel J Walsh
54ee55493d Need to cleanup all pods on service poweroff
When powering off the system, we want the ocid service, to shutdown
all containers running on the system so they can cleanup properly
This patch will cleanup all pods on poweroff.

The ocid-shutdown.service drops a file /var/run/ocid.shutdown when the system
is shutting down. The ocid-shutdown.service should only be executed at system
shutdown.

On bootup sequence should be
start ocid.service
start ocid-shutdown.service (This is a NO-OP)

On system shutdown
stop ocid-shutdown.service (Creates /var/run/ocid.shutdown)
stop ocid.service (Notices /var/run/ocid.service and stops all pods before exiting.)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-04-14 06:04:14 -04:00
Mrunal Patel
24df2538db Update runtime-spec to v1.0.0.rc5
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-12 19:15:53 -07:00
Mrunal Patel
5589f929c0 Merge pull request from runcom/expose-mount-cstatus
server: expose mounts in container status
2017-04-11 09:01:37 -07:00
Antonio Murdaca
7081620128
server: expose mounts in container status
Fix 5 more tests from k8s's conformance tests
```
Ran 5 of 213 Specs in 76.068 seconds
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 208 Skipped PASS
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-11 16:51:09 +02:00
Antonio Murdaca
05cde3e759
server: add auth info to image pull
Fix the following upstream k8s's e2e-node test:
```
should be able to pull from private registry with secret [Conformance]
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-10 17:09:56 +02:00
Antonio Murdaca
0854c081ec Merge pull request from sameo/topic/sandboxrun-fixes
server: Fix RunPodSandbox error path
2017-04-06 18:46:24 +02:00
Samuel Ortiz
ea1f6517c1 server: Fix RunPodSandbox error path
When RunPodSandbox fails after calling s.addSandbox(sb),
we're left with a sandbox in s.state.sandboxes while the
sandbox is not created.

We fix that by adding removeSandbox() to the deferred cleanup
call

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-06 17:36:26 +02:00
Antonio Murdaca
87e288d13a
server: mock ExecResponse
This patch prevents k8s's e2e_node tests from killing CRI-O (because of
a panic in marshaling nil responses). This will ensure tests keep
running and just logging the failure.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-06 16:37:13 +02:00
Antonio Murdaca
09d2a6b519 Merge pull request from mrunalp/fix_nil_config
Check for case when image config isn't present
2017-04-05 12:42:58 +02:00
Mrunal Patel
aac24e1715 Check for case when image config isn't present
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-04-04 15:42:58 -07:00
Mrunal Patel
2b5dca3950 Merge pull request from runcom/fix-schema1-config
read image config from docker v2s1 manifests
2017-04-04 14:49:54 -07:00
Antonio Murdaca
3c7f3ab2ec Merge pull request from sameo/topic/fat-lock
Serialize Update and Sandbox/Container creation operations
2017-04-04 23:23:19 +02:00
Aleksa Sarai
7679a84c6d
server: issues.k8s.io/44043 workaround
Because kubelet will create broken symlinks for logPath it is necessary
to remove those symlinks before we attempt to write to them. This is a
temporary workaround while the issue is fixed upstream.

Ref: https://issues.k8s.io/44043
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
65527da361
test: add logging tests
The main purpose of these tests is to make sure that the log actually
contains output from the container. We don't test the timestamps or the
stream that's stated at the moment.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:58 +10:00
Aleksa Sarai
c290c0d9c3
conmon: implement logging to logPath
This adds a very simple implementation of logging within conmon, where
every buffer read from the masterfd of the container is also written to
the log file (with errors during writing to the log file ignored).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-04-05 02:45:57 +10:00
Samuel Ortiz
be5084387c server: Serialize container/pod creation with updates
Interleaving asynchronous updates with pod or container creations can
lead to unrecoverable races and corruptions of the pod or container hash
tables. This is fixed by serializing update against pod or container
creation operations, while pod and container creation operations can
run in parallel.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 18:43:21 +02:00
Samuel Ortiz
c89cc876d2
server: Remove Image Config hack
Now that the image package has fixes to support docker images v2s1,
we can remove our buildOCIProcessARgs() hack for empty image configs
and simplify this routine.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-04-04 17:52:40 +02:00
Samuel Ortiz
d1006fdfbc server: Add new sandboxes to the sandbox hash table first
We want new sandboxes to be added to the sandbox hash table before
adding their ID to the pod Index registrar, in order to avoid potential
Update() races.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-04 17:22:34 +02:00
Mrunal Patel
c5e15cfd5f Add labels/annotations to container status
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-04-03 15:05:57 -07:00
Mrunal Patel
fd435256e7 Set default working directory to /
runc/runtime-spec doesn't allow empty working dir
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-31 14:04:16 -07:00
Antonio Murdaca
1ce8be1ccf Merge pull request from surajssd/update-conmon-default-path
Update the default conmonPath
2017-03-31 18:30:22 +02:00
Mrunal Patel
fa467a30f1 Merge pull request from mrunalp/fix_hostname
Set the container hostname same as pod hostname
2017-03-31 07:35:49 -07:00
Mrunal Patel
c6897b5f62 Set the uid, gid and groups from container user
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-30 10:58:57 -07:00
Mrunal Patel
4ccc5bbe7c Set the container hostnames same as pod hostname
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 16:11:57 -07:00
Mrunal Patel
505bc2cbd5 Add function to lookup user in container /etc/{passwd,group}
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 11:18:35 -07:00
Mrunal Patel
f422235b3e Add function to safely open a file in container rootfs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-29 11:16:53 -07:00
Suraj Deshmukh
c93c7cd1b8 Update the default conmonPath
After change in `Makefile` at  where `PREFIX`
has changed from `/usr` to `/usr/local` these changes
has to be reflected in default `conmonPath`.

Signed-off-by: Suraj Deshmukh <surajssd009005@gmail.com>
2017-03-29 21:23:52 +05:30
Mrunal Patel
8709f1b5bb Apply working dir and env from image config
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-03-27 16:41:43 -07:00
Mrunal Patel
d69ad9b5a3 Fix lint issues
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-27 10:21:30 -07:00
Antonio Murdaca
37f118d73a Merge pull request from rhatdan/containers_storage
Default all container storage to /var/lib/containers/storage
2017-03-25 08:22:11 +01:00
Samuel Ortiz
48a297ed7b container: Propagate the pod sandbox resolv.conf mount point
When a pod sandbox comes with DNS settings, the resulting resolv.conf
file needs to be bind mounted in all pod containers under
/etc/resolv.conf.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:32:16 +01:00
Samuel Ortiz
72129ee3fb sandbox: Track and store the pod resolv.conf path
When we get a pod with DNS settings, we need to build
a resolv.conf file and mount it in all pod containers.
In order to do that, we have to track the built resolv.conf
file and store/load it.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-24 15:28:14 +01:00
Daniel J Walsh
6f81ec8c67 Default all container storage to /var/lib/containers/storage
containers/storage is defaulting to /var/lib/containers/storage
for image and containers storage.  It is also defaulting to
/var/run/containers/storage for all runtime.  The defaults
for CRI-O should match so that lots of other tools that use
containers/storage can share the same storage.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-24 08:19:08 -04:00
Antonio Murdaca
673b6e4c51 Merge pull request from sameo/topic/oci-process
server: Fix the OCI process arguments build routine
2017-03-24 09:07:00 +01:00
Daniel J Walsh
19620f3d1e Switch to using opencontainers/selinux
We have moved selinux support out of opencontainers/runc into its
own package.  This patch moves to using the new selinux go bindings.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-03-23 15:53:09 -04:00
Samuel Ortiz
21afa1a975 server: Fix the OCI process arguments build routine
We need to support a 2x2 matrix of use cases with both
kubelet giving us (command, args) slices and the OCI
image config file giving us (ENTRYPOINT, CMD) slices.

Here we always prioritize the kubelet information over
the OCI image one, and use the latter when the former
is incomplete.

Not that this routine will be slightly simpler when
issue  is fixed.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-23 12:59:26 +01:00
Mrunal Patel
b487a9b7dd Merge pull request from sameo/topic/storage
server: Remove the mount points after stopping the containers
2017-03-21 07:46:08 -07:00