Commit graph

716 commits

Author SHA1 Message Date
Daniel J Walsh
9c61688098 Default type for containers is not container_t
We usually specify MCS Labels as comma separated pair.
Finally if we run two different containers we want them on different
MCS labels.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-01-25 22:11:30 +01:00
Mrunal Patel
7fda27a5b3 Merge pull request #337 from cyphar/respect-plugindir-config
server: respect ocid.network.plugin_dir setting
2017-01-24 10:54:38 -08:00
Aleksa Sarai
d5abfa1ecf
server: respect ocid.network.plugin_dir setting
Previously ocicni did not have support for setting the plugin directory.
Now that it has grown support for it, use it to actually respect the
setting a user has provided for ocid.network.* options.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-01-25 04:12:51 +11:00
Antonio Murdaca
b1685800dd Merge pull request #335 from yujuhong/update_owners
Update the OWNERS file
2017-01-23 20:20:05 +01:00
Yu-Ju Hong
ade3022172 Update the OWNERS file
I am not actively working on the project, so removing myself from the file.
2017-01-23 11:14:28 -08:00
Antonio Murdaca
03fe8d6777 Merge pull request #333 from rhatdan/master
Fix README to tell user to pull the image for container
2017-01-20 22:37:48 +01:00
Daniel J Walsh
dc55ef764d Fix README to tell user to pull the image for container
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-01-20 15:33:59 -05:00
Mrunal Patel
f085c1cb6d Merge pull request #329 from rajatchopra/master
move ocicni from vendors to pkg
2017-01-19 15:26:06 -08:00
Rajat Chopra
c04040fa95 move ocicni from vendors to pkg/
Signed-off-by: Rajat Chopra <rchopra@redhat.com>
2017-01-19 17:45:54 -05:00
Antonio Murdaca
89369c1eae Merge pull request #328 from mrunalp/gopath_target
Move GOPATH check to a phony target
2017-01-19 21:52:03 +01:00
Mrunal Patel
bfe4f11f80 Move GOPATH check to a phony target
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-19 11:50:08 -08:00
Mrunal Patel
c4673a9136 Merge pull request #325 from runcom/tests-in-docker
fix integration tests in docker
2017-01-19 11:44:38 -08:00
Antonio Murdaca
5d86f1f110
test: enable tests in Travis
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 19:14:46 +01:00
Mrunal Patel
7cc84922b3 Merge pull request #327 from nalind/multigopath
Makefile: handle cases where $GOPATH is a list
2017-01-19 10:13:20 -08:00
Antonio Murdaca
25d40b6927
test: use checkseccomp to test if seccomp is supported
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:47 +01:00
Antonio Murdaca
0d37c41521
test: add a custom binary to reliable check seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:47 +01:00
Antonio Murdaca
f1f5c635d2
test: change location of the test image
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:47 +01:00
Antonio Murdaca
e5126a9176
Dockerfile: pull test image at build time
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:47 +01:00
Antonio Murdaca
f195d51615
Dockerfile: install CNI plugins for integration tests
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:47 +01:00
Antonio Murdaca
0a36d3ca3d
Dockerfile: use golang:1.7
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-19 18:51:40 +01:00
Nalin Dahyabhai
9cac1f6d66 Makefile: handle cases where $GOPATH is a list
In multiple places, we've been assuming that we can invoke binaries that
we install as $GOPATH/bin/$binary.  This doesn't work in cases where
$GOPATH is a list.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-19 12:13:49 -05:00
Antonio Murdaca
b9dc097c40 Merge pull request #189 from nalind/storage
Storage in Image Management
2017-01-18 23:02:08 +01:00
Antonio Murdaca
0e3ff61350 server: fix ImagePullResponse
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
aeea656581 Limit implicit image pulling to the pause image
The CRI doesn't expect us to implicitly pull an image if it isn't
already present before we're asked to use it to create a container, and
the tests no longer depend on us doing so, either.

Limit the logic which attempts to pull an image, if it isn't present, to
only pulling the configured "pause" image, since our use of that image
for running pod sandboxes is an implementation detail that our clients
can't be expected to know or care about.  Include the name of the image
that we didn't pull in the error we return when we don't pull one.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
749d24fbab server: cleanup on failed restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
437459bd64 server: do not add ctrs with bad state when restoring
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
c61a83a930 server: skip pods containers in bad state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
7bd7595b18 server: skip pods in bad state on disk
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Antonio Murdaca
dc37d36759 server: image_status: ignore storage.ErrImageUnknown
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
925806b8fa Add and use copyimg for caching images for tests
Add a basic tool for copying images from one location to another,
optionally adding a name if it's to local storage.  Ideally we could use
skopeo for this, but we don't want to build it.

Use it to initially populate the test/testdata/redis-image directory, if
it's not been cleaned out, with a copy of "docker://redis:latest", and
to copy it in to the storage that ocid is using before we start up ocid.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
636d5d8e9a Add and use bin2img for creating images for tests
Add tests which exercise image pulling, listing, and removal.  When running
tests, prepopulate the store with an image with the default infrastructure
container's name, using the locally-built "pause" binary, so that tests won't
have to pull it down from the network.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
c0333b102b Integrate containers/storage
Use containers/storage to store images, pod sandboxes, and containers.
A pod sandbox's infrastructure container has the same ID as the pod to
which it belongs, and all containers also keep track of their pod's ID.

The container configuration that we build using the data in a
CreateContainerRequest is stored in the container's ContainerDirectory
and ContainerRunDirectory.

We catch SIGTERM and SIGINT, and when we receive either, we gracefully
exit the grpc loop.  If we also think that there aren't any container
filesystems in use, we attempt to do a clean shutdown of the storage
driver.

The test harness now waits for ocid to exit before attempting to delete
the storage root directory.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Nalin Dahyabhai
caee4a99c9 Vendor containers/image and containers/storage
Vendor updated containers/image and containers/storage, along
with any new dependencies they drag in, and updated versions of other
dependencies that happen to get pulled in.

github.com/coreos/go-systemd/daemon/SdNotify() now takes a boolean to
control whether or not it unsets the NOTIFY_SOCKET variable from the
calling process's environment.  Adapt.

github.com/opencontainers/runtime-tools/generate/Generator.AddProcessEnv()
now takes the environment variable name and value as two arguments, not
one.  Adapt.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:21:59 -05:00
Antonio Murdaca
00e6832715 Merge pull request #320 from jawnsy/build-with-go-install
Build with go install
2017-01-18 00:06:13 +01:00
Antonio Murdaca
85454901e2 Merge pull request #322 from mrunalp/remove_host_ping_test
Remove host ping test
2017-01-18 00:02:00 +01:00
Mrunal Patel
e785e3e07f Remove host ping test
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2017-01-17 13:43:23 -08:00
Jonathan Yu
6c9628cdb1
Build and install from GOPATH
* Rename 'vendor/src' -> 'vendor'
  * Ignore vendor/ instead of vendor/src/ for lint
* Rename 'cmd/client' -> 'cmd/ocic' to make it 'go install'able
* Rename 'cmd/server' -> 'cmd/ocid' to make it 'go install'able
* Update Makefile to build and install from GOPATH
* Update tests to locate ocid/ocic in GOPATH/bin
* Search for binaries in GOPATH/bin instead of PATH
* Install tools using `go get -u`, so they are updated on each run

Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-01-17 12:09:09 -08:00
Jonathan Yu
9da2882d49
Update hack/vendor.sh to clone directly into vendor/ instead of vendor/src/
Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-01-17 11:19:25 -08:00
Mrunal Patel
3243cf7307 Merge pull request #316 from intelsdi-x/kubelet-net-fix
sandbox_run: Do not run net plugin in host namespace
2017-01-17 09:39:03 -08:00
Mrunal Patel
a93c132af5 Merge pull request #321 from runcom/bump-k8s-550f8be73aac92c7c23b1783d3db17f8660019f6
bump k8s@550f8be73aac92c7c23b1783d3db17f8660019f6
2017-01-17 08:46:24 -08:00
Antonio Murdaca
25a85afe1c
bump k8s@550f8be73aac92c7c23b1783d3db17f8660019f6
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-01-17 12:19:23 +01:00
Antonio Murdaca
38acbb4625 Merge pull request #318 from jawnsy/promote-config
Promote DefaultConfig() to server package
2017-01-17 08:23:43 +01:00
Jonathan Yu
d5d297d50b
Promote DefaultConfig() to server package
The default configuration can only be accessed from the cmd/server
package, which cannot be imported (since it's a "package main").
This change promotes DefaultConfig() to the "server" package.

Closes: #315

Signed-off-by: Jonathan Yu <jawnsy@redhat.com>
2017-01-16 16:22:35 -08:00
Mrunal Patel
1df8e6638b Merge pull request #317 from mikebrow/make158fix
fixes issue with make install on ubuntu
2017-01-16 15:16:38 -08:00
Mike Brown
7ae5b5fe24 fixes issue with make install on ubuntu
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2017-01-16 17:01:49 -06:00
Mrunal Patel
2421aba39a Merge pull request #310 from sameo/topic/cc-exec
Fix ExecSync support for runtimes other than runC
2017-01-16 11:41:12 -08:00
Jacek J. Łakis
b034072d6a sandbox_run: Do not run net plugin in host namespace
Signed-off-by: Jacek J. Łakis <jacek.lakis@intel.com>
2017-01-16 16:53:29 +01:00
Samuel Ortiz
ce54c1e5e9
test: Do not hardcode runc specific output
"executable file not found in" is part of a runc
specific output when 'runc exec' fails.
This prevents the execsync failure to pass when running
ocid with other runtimes than runc.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-01-14 02:02:45 +01:00
Samuel Ortiz
4c7583b467
oci: Do not call the container runtime from ExecSync
Some OCI container runtimes (in particular the hypervisor
based ones) will typically create a shim process between
the hypervisor and the runtime caller, in order to not
rely on the hypervisor process for e.g. forwarding the
output streams or getting a command exit code.

When executing a command inside a running container those
runtimes will create that shim process and terminate.
Therefore calling and monitoring them directly from
ExecSync() will fail. Instead we need to have a subreaper
calling the runtime and monitoring the shim process.
This change uses conmon as the subreaper from ExecSync(),
monitors the shim process and read the exec'ed command
exit code from the synchronization pipe.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-01-14 02:02:43 +01:00
Samuel Ortiz
d60d0ac0c3
conmon: Use conmon for exec'ing a command
Some OCI container runtimes (in particular the hypervisor
based ones) will typically create a shim process between
the hypervisor and the runtime caller, in order to not
rely on the hypervisor process for e.g. forwarding the
output streams or getting a command exit code.

With these runtimes we need to monitor a different process
than the runtime one when executing a command inside a
running container. The natural place to do so is conmon
and thus we add a new option to conmon for calling the
runtime exec command, monitor the PID and then return the
running command exit code through the sync pipe to the
parent.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-01-14 02:02:40 +01:00