Commit graph

70 commits

Author SHA1 Message Date
Samuel Ortiz
eab6b00ea6 oci: Support for the host privileged runtime path
We add a privileged flag to the container and sandbox structures
and can now select the appropriate runtime path for any container
operations depending on that flag.

Here again, the default runtime will be used for non privileged
containers and for privileged ones in case there are no privileged
runtime defined.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-03-03 17:22:09 +01:00
Michał Żyłowski
5c81217e09 Applying k8s.io v3 API for ocic and ocid
Signed-off-by: Michał Żyłowski <michal.zylowski@intel.com>
2017-02-06 13:05:10 +01:00
Mrunal Patel
8e5b17cf13 Switch to github.com/golang/dep for vendoring
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-31 16:45:59 -08:00
Nalin Dahyabhai
c0333b102b Integrate containers/storage
Use containers/storage to store images, pod sandboxes, and containers.
A pod sandbox's infrastructure container has the same ID as the pod to
which it belongs, and all containers also keep track of their pod's ID.

The container configuration that we build using the data in a
CreateContainerRequest is stored in the container's ContainerDirectory
and ContainerRunDirectory.

We catch SIGTERM and SIGINT, and when we receive either, we gracefully
exit the grpc loop.  If we also think that there aren't any container
filesystems in use, we attempt to do a clean shutdown of the storage
driver.

The test harness now waits for ocid to exit before attempting to delete
the storage root directory.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-01-18 10:23:30 -05:00
Harry Zhang
02dfe877e4 Add container to pod qos cgroup
Signed-off-by: Harry Zhang <harryz@hyper.sh>
2016-12-15 14:42:59 +08:00
Samuel Ortiz
ad6ac9391c
sandbox: Force netns unmount and removal when restoring
ns.Close() will not remove and unmount the networking namespace
if it's not currently marked as mounted.
When we restore a sandbox, we generate the sandbox netns from
ns.GetNS() which does not mark the sandbox as mounted.

There currently is a PR open to fix that in the ns package:
https://github.com/containernetworking/cni/pull/342

but meanwhile this patch fixes a netns leak when restoring a pod.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-14 19:47:05 +01:00
Samuel Ortiz
0df8200e12
sandbox: Create a symbolic link to the networking namespace
In order to workaround a bug introduced with runc commit bc84f833,
we create a symbolic link to our permanent networking namespace so
that runC realizes that this is not the host namespace.

Although this bug is now fixed upstream (See commit f33de5ab4), this
patch works with pre rc3 runC versions.
We may want to revert that patch once runC 1.0.0 is released.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.

In order to do so, we need to create per pod persitent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persitent namespace is removed when either the pod is stopped
or removed.

Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Antonio Murdaca
d9edbe6817 Merge pull request #249 from mrunalp/dev_shm
Add support for pod /dev/shm that is shared by the pod ctrs
2016-12-09 09:46:27 +01:00
Mrunal Patel
be29524ba4 Add support for pod /dev/shm that is shared by the pod ctrs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Samuel Ortiz
365c291f1a
server: Make RemovePodSandbox idempotent
And in particular make it not fail when removing an already removed
sandbox pod. According to the CRI spec:

  [RemovePodSandbox] is idempotent, and must not return an error if
  the sandbox has already been removed.

We now only print a warning instead of returning an error.
We still return an error when the passed pod ID is empty.

Fixes #240

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-08 10:40:14 +01:00
Antonio Murdaca
ebe2ea0dba
server: split sandboxes actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 23:23:01 +01:00
Mrunal Patel
b62a150151 Update to the latest upstream API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-11-16 17:20:37 -08:00
Pengfei Ni
bbfcf62a0f Set timestamps to nanosecond.
CRI requires all timestamps in nanosends instead of seconds.

Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
2016-11-14 14:26:06 +08:00
Antonio Murdaca
02ec8754f5 Merge pull request #169 from cyphar/make-configurable
server: make more things configurable
2016-11-10 14:55:29 +01:00
Mrunal Patel
5d62a9fbb9 Merge pull request #179 from Crazykev/add-metadata
Return pod metadata in container list and status APIs
2016-11-04 10:00:58 -06:00
Nalin Dahyabhai
ec1bc4d6a8 Handle PodSandboxConfig.DNSConfig.Options
DNSConfig can pass "options" settings in now, so add them to the
resolv.conf that we're generating, too.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2016-11-03 11:57:25 -04:00
Crazykev
87a83e14b0 return pod metadata in container list and status APIs
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-11-02 00:37:40 +08:00
Aleksa Sarai
96c0966ce9
server: make logDir configurable
While logDir isn't currently used (until the conmon implementation
lands) it's probably not a great idea to hardcode our defaults. The main
issue with this setting is that the kubelet can override it at will.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-31 23:26:42 +11:00
Mrunal Patel
7b60703634 Add logging for all container/sandbox responses
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-28 11:35:14 -04:00
Mrunal Patel
c89157e45c Merge pull request #176 from gao-feng/hidden-infra-container
store infra container in sandbox
2016-10-25 03:25:17 +00:00
Gao feng
78528d9bd1 store infra container in sandbox
infra container is used to implement the pod
sandbox, it should not be exported to user.

this patch stores infra container in sandbox
immediately, only the containers created by user
are stored into container store, this prevents user
from removing/stopping infra container incorrectly.

Signed-off-by: Gao feng <omarapazanadi@gmail.com>
2016-10-24 20:18:19 +08:00
Antonio Murdaca
af55785b53 Merge pull request #167 from mrunalp/update_api
Update to latest version of kubernetes CRI API
2016-10-22 09:17:59 +02:00
Mrunal Patel
7f726b704a Add more debugs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:14:22 -04:00
Mrunal Patel
b117dd863c Update to latest version of kubernetes CRI API
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-21 11:06:30 -04:00
Mrunal Patel
5e7d96bd6a Add server side pod filtering support
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-17 12:24:57 -07:00
Mrunal Patel
01c8785ea4 Use Set instead of map for storing pod labels
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-10-17 11:28:48 -07:00
Antonio Murdaca
8a9395964e
server/sandbox: fix add/release pod/ctr ids and names
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-13 18:48:23 +02:00
Mrunal Patel
e999610fd6 Merge pull request #115 from cyphar/toml-config
cmd: server: use TOML configuration file
2016-10-11 16:07:25 -07:00
Crazykev
f6536bf30e pod/container name should be released when create failed
Signed-off-by: Crazykev <crazykev@zju.edu.cn>
2016-10-11 20:19:51 +08:00
Aleksa Sarai
7bf5110b76
server: refactor to use Config struct
This paves the way for having a configuration file that is loaded rather
than everything being set via the command-line.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-11 03:10:32 +11:00
Antonio Murdaca
54d6ddb5af
server: containers restore
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-08 14:46:39 +02:00
Antonio Murdaca
7c6eb77224 Merge pull request #110 from mrunalp/pod_meta
Return pod metadata in pod list and status APIs
2016-10-07 20:44:40 +02:00
Dan Walsh
cd12a4acfe Can't use SELinux separation when sharing the host pid/ipc namespace
SELinux will cause breakage when sharing these namespaces.  For example it
will block processes inside of the container from looking at the hosts /proc
in hosts Pid Namespace.  It will also block all access to semaphores and
shared memory defined outside of the pod.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-07 07:28:12 -04:00
Antonio Murdaca
fbcd609644 Merge pull request #109 from mrunalp/get_sb
Refactor to use helper method to get sandbox from request
2016-10-07 09:44:00 +02:00
Mrunal Patel
d1198fc75b Populate pod metadata in pod list and status APIs
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 16:51:13 -07:00
Mrunal Patel
d7e72cb3a2 Refactor to use helper method get sandbox object
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:34:05 -07:00
Mrunal Patel
ec0b27fffc Add a helper method to get sandbox from request
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:34:05 -07:00
Mrunal Patel
77afd34a27 Container state fixes
Move Container State constants to oci package
and fixup where strings were used instead of
the status constants

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-06 15:16:21 -07:00
Dan Walsh
be77b841fa Add SELinux support to OCID
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-06 14:13:06 -04:00
Mrunal Patel
0482a4281a Separate container IDs from container names
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-10-04 16:57:12 -07:00
Aleksa Sarai
bac579a9e5
server: create pause rootfs manually without Docker
This lessens the Docker requirement for creating sandboxes (with the
requirement only existing for the actual image pulling that is done when
adding a container to a pod). The interface was chosen to match the
--conmon interface, so that the location of the pause binary can be
chosen by a user.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-10-02 20:11:07 +11:00
Antonio Murdaca
3697a61db9 Merge pull request #84 from mrunalp/pod_attempt
Include attempt in the pod name
2016-10-01 01:06:00 +02:00
Mrunal Patel
d5a8d1bae3 Add annotations for pods
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 15:48:31 -07:00
Mrunal Patel
581c17169c Include attempt in the pod name
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 15:23:38 -07:00
Mrunal Patel
50bea08c50 Remove containers from state on pod remove
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 12:23:48 -07:00
Mrunal Patel
1b3d172377 Ensure containers are stopped on RemovePod
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-28 13:12:38 -07:00
Antonio Murdaca
4578cc93d1
server: fix panic when listing sandboxes
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-27 10:46:45 +02:00
Antonio Murdaca
f7d3f7a69a Merge pull request #59 from mrunalp/pod_create_bug
Pod create bug
2016-09-27 09:13:40 +02:00
Antonio Murdaca
df2eebbbcd Merge pull request #58 from mrunalp/sb_short_id
Pod short ID
2016-09-27 07:51:54 +02:00