Samuel Ortiz
482eb460d6
sandbox: Setup networking namespace before sandbox creation
...
In order for hypervisor based container runtimes to be able to
fully prepare their pod virtual machines networking interfaces,
this patch sets the pod networking namespace before creating the
sandbox container.
Once the sandbox networking namespace is prepared, the runtime
can scan the networking namespace interfaces and build the pod VM
matching interfaces (typically TAP interfaces) at pod sandbox
creation time. Not doing so means those runtimes would have to
rely on all hypervisors to support networking interfaces hotplug.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
4cab8ed06a
sandbox: Use persistent networking namespace
...
Because they need to prepare the hypervisor networking interfaces
and have them match the ones created in the pod networking
namespace (typically to bridge TAP and veth interfaces), hypervisor
based container runtimes need the sandbox pod networking namespace
to be set up before it's created. They can then prepare and start
the hypervisor interfaces when creating the pod virtual machine.
In order to do so, we need to create per pod persistent networking
namespaces that we pass to the CNI plugin. This patch leverages
the CNI ns package to create such namespaces under /var/run/netns,
and assign them to all pod containers.
The persistent namespace is removed when either the pod is stopped
or removed.
Since the StopPodSandbox() API can be called multiple times from
kubelet, we track the pod networking namespace state (closed or
not) so that we don't get a containernetworking/ns package error
when calling its Close() routine multiple times as well.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Samuel Ortiz
be3ed3bcbc
vendor: Add CNI ns package
...
We will need it for our persistent networking
namespace work.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:48:23 +01:00
Mrunal Patel
05b10c27ca
Merge pull request #261 from sameo/topic/annotations
...
container: Store annotations under ocid/annotations
2016-12-12 10:43:26 -08:00
Samuel Ortiz
70ede1a5fe
container: Store annotations under ocid/annotations
...
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-12 19:16:05 +01:00
Mrunal Patel
1291b13125
Merge pull request #259 from runcom/fix-pod-with-restart=Always
...
store annotations and image for a container
2016-12-12 07:38:16 -08:00
Antonio Murdaca
430297dd81
store annotations and image for a container
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-12 11:12:03 +01:00
Xianglin Gao
ca7d5c77c2
Do not load ocid-default if configured apparmor profile is set up.
...
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Mrunal Patel
5142b8a4d7
Merge pull request #258 from runcom/fix-logrus-2
...
server: fix calls to logrus again
2016-12-11 10:00:15 -08:00
Antonio Murdaca
5a1605bad5
server: fix calls to logrus again
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-11 18:29:59 +01:00
Mrunal Patel
80ccc3a455
Merge pull request #256 from runcom/err-warnf-format
...
server: fix call to logrus.Warnf
2016-12-10 16:11:30 -08:00
Antonio Murdaca
67055e20bc
server: fix call to logrus.Warnf
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-10 19:21:52 +01:00
Antonio Murdaca
a27a41431e
Merge pull request #253 from mrunalp/fix_selinux_shm
...
Remove unnecessary check for mount label for /dev/shm
2016-12-10 14:18:07 +01:00
Mrunal Patel
378d8d4415
Merge pull request #254 from vbatts/error_passthrough
...
oci: pass through error output from runc
2016-12-09 17:15:53 -08:00
9ce0a55c35
oci: pass through error output from runc
...
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-09 15:53:56 -05:00
Mrunal Patel
a0177ced09
Remove unnecessary check for mount label for /dev/shm
...
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-09 09:37:47 -08:00
Mrunal Patel
4cc510c046
Merge pull request #252 from runcom/add-tests
...
test: add restart ocid with pod stopped test
2016-12-09 07:04:00 -08:00
Antonio Murdaca
f22dc5244f
test: add restart ocid with pod stopped test
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-09 11:56:25 +01:00
Antonio Murdaca
d9edbe6817
Merge pull request #249 from mrunalp/dev_shm
...
Add support for pod /dev/shm that is shared by the pod ctrs
2016-12-09 09:46:27 +01:00
Pengfei Ni
4559e7d05f
Merge pull request #250 from mrunalp/lint_fixes
...
Fix couple of lint issues
2016-12-09 08:44:13 +08:00
Mrunal Patel
0e1db291b6
Merge pull request #251 from sameo/topic/bats
...
test: Add a pod remove idempotent test
2016-12-08 16:20:41 -08:00
Mrunal Patel
7a6213c3ef
Merge pull request #248 from sameo/topic/config.json
...
testdata: Add missing closed curly
2016-12-08 16:12:02 -08:00
Samuel Ortiz
d701009264
test: Add a pod remove idempotent test
...
Test if we can remove a pod several times without
generating an error.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-09 00:43:25 +01:00
Mrunal Patel
868e18614a
Fix couple of lint issues
...
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:40:59 -08:00
Mrunal Patel
de5cc3ff0b
Merge pull request #247 from vbatts/fix_test_json
...
testdata: fix invalid json doc
2016-12-08 15:37:15 -08:00
Mrunal Patel
be29524ba4
Add support for pod /dev/shm that is shared by the pod ctrs
...
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Samuel Ortiz
c55d9a5da6
testdata: Add missing closed curly
...
Typo introduced by PR #244.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-09 00:11:16 +01:00
fd7a052023
testdata: fix invalid json doc
...
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-08 15:23:24 -05:00
Antonio Murdaca
cba4eed876
Merge pull request #246 from vbatts/fix_man_dest
...
Makefile: fix the creation of man5
2016-12-08 21:21:27 +01:00
6c7756b352
Makefile: fix the creation of man5
...
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2016-12-08 14:49:02 -05:00
Antonio Murdaca
2e83385a40
Merge pull request #244 from sameo/topic/config.json
...
testdata: sandbox ns options should be under security_context
2016-12-08 18:46:45 +01:00
Samuel Ortiz
5d8537f270
testdata: sandbox ns options should be under security_context
...
And not directly under linux.
Fixes #243
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-08 18:09:28 +01:00
Mrunal Patel
0fcb25cc97
Merge pull request #241 from sameo/topic/sandbox_remove
...
Make RemovePodSandbox idempotent
2016-12-08 07:15:25 -08:00
Samuel Ortiz
365c291f1a
server: Make RemovePodSandbox idempotent
...
And in particular make it not fail when removing an already removed
sandbox pod. According to the CRI spec:
[RemovePodSandbox] is idempotent, and must not return an error if
the sandbox has already been removed.
We now only print a warning instead of returning an error.
We still return an error when the passed pod ID is empty.
Fixes #240
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-08 10:40:14 +01:00
Xianglin Gao
6977b3e88d
move duplicated consts to apparmor_common.go
...
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:46:38 +08:00
Xianglin Gao
cb5ed1ce9d
reload default apparmor profile if it is unloaded
...
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Mrunal Patel
8547c0dbd9
Merge pull request #236 from runcom/check-netns-on-stop
...
server: check netns path on pod stop
2016-12-06 10:06:46 -08:00
Mrunal Patel
a4021ba179
Merge pull request #235 from runcom/fix-state
...
server: sync ctr state before checking it
2016-12-06 09:42:43 -08:00
Mrunal Patel
c4fc22af51
Merge pull request #234 from runcom/fixies
...
fix filter by truncated ids (+ apparmor tests)
2016-12-06 09:35:18 -08:00
Antonio Murdaca
46dc2b4347
server: check netns path on pod stop
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 15:36:05 +01:00
Antonio Murdaca
1b2d4f3d60
server: sync ctr state before checking it
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:39:38 +01:00
Antonio Murdaca
f2b4fda554
server: fix ctr filter by truncated id
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:16:34 +01:00
Antonio Murdaca
e7492ca12f
server: fix pod filter by truncated id
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:16:30 +01:00
Antonio Murdaca
15f23bc6ac
test: fix apparmor detection
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-06 12:10:32 +01:00
Mrunal Patel
79073df3c2
Merge pull request #215 from xlgao-zju/support-apparmor
...
support apparmor
2016-12-05 21:24:50 -08:00
Xianglin Gao
4f323377ee
add apparmor build tag and update readme
...
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-06 11:51:15 +08:00
Mrunal Patel
6983ae628b
Merge pull request #230 from rhatdan/docs
...
Add missing man pages and bash completions for kpod
2016-12-02 11:43:48 -08:00
Dan Walsh
e61c672aa7
Add missing man pages and bash completions for kpod
...
We need to start off with man pages and bash completion
support for kpod.
Also fix Makefile to install kpod by default
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-12-02 10:17:58 -05:00
Mrunal Patel
529bebbe68
Merge pull request #222 from mheon/kpod
...
Add basic skeleton of kpod executable
2016-12-01 20:37:32 -08:00
Matthew Heon
f512f211d0
Add basic skeleton of kpod executable
...
Signed-off-by: Matthew Heon <mheon@redhat.com>
2016-12-01 22:42:54 -05:00