When performing a tag, if a shortname was provided, tag.go would
preprend docker.io to the shortname through the ParseNormalized
function. Here we work around that such that is a short name
and tag are provided, the resulting tag will be shortname:tag. If
a shortname is provided without a tag, we append "latest" as the
tag.
Added specific tag tests too
Signed-off-by: baude <bbaude@redhat.com>
Kpod rm removes a container from the system
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com>
Add new directory /etc/crio/hooks.d, where packagers can drop a json config
file to specify a hook.
The json must specify a valid executable to run.
The json must also specify which stage(s) to run the hook:
prestart, poststart, poststop
The json must specify under which criteria the hook should be launched
If the container HasBindMounts
If the container cmd matches a list of regular expressions
If the containers annotations matches a list of regular expressions.
If any of these match the the hook will be launched.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Correct some syntax errors in kpod.bats, ensure that it always checks
the exit status of "kpod rmi" commands, correct the order of options
when calling "kpod inspect", and test for string equality correctly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
We want all kpod subcommands to use the formats code to output
formats like json. Altering kpod diff --json to kpod diff --format json
like the kpod images command.
Signed-off-by: baude <bbaude@redhat.com>
For kpod images, we need to output in JSON format so that consumers
(programatic) have structured input to work with.
kpod images --format json
Signed-off-by: baude <bbaude@redhat.com>
kpod diff reports on differences between two layers, specified as
layer IDs, containers, or images. In the case of containers or
images, kpod diff produces a diff for the top layer
Signed-off-by: Ryan Cole <rcyoalne@gmail.com>
This command will allow users to manipulate and examine the container
images from outside of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Need to mv to latest released and supported version of logrus
switch github.com/Sirupsen/logrus github.com/sirupsen/logrus
Also vendor in latest containers/storage and containers/image
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Basically none of the clever storage drivers will work when we're on top
of AUFS, so if we find ourselves in that situation when running tests,
default to storage options of "--storage-driver vfs".
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Use unix.Prctl() instead of manually reimplementing it using
unix.RawSyscall. Also use unix.SECCOMP_MODE_FILTER instead of locally
defining it.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).
[1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24
This will also allow to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new go version.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The test "ctr execsync std{out,err}" from ctr.bats works with runc,
but the semantics behind is wrong.
We should not be able to execute a new process on a container which
has not been previously started. That's why this patch adds a call
to start the container.
Moreover, we don't want to be able to execute a new process on a
container that has already returned because its workload is done.
For that reason, we need to force the container workload to be a
"sleep 10" to ensure it is still running when the call to "exec"
is issued.
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This patch isn't adding a test for /etc/hosts as that requires host
network and we don't want to play with host's /etc/hosts when running
make localintegration on our laptops. That may change in the future
moving to some sort of in-container testing.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This patch fixes the following command:
kubectl run -i --tty centos --image=centos -- sh
The command above use to fail with:
/usr/bin/sh: /usr/bin/sh: cannot execute binary file
That's because we were wrongly assembling the OCI processArgs.
Thanks @alexlarsson for spotting this.
This patch basically replicates what docker does when merging container
config and image config. It also replicates how docker sets processArgs
for the OCI runtime.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
`containerdID` is overridden in `s.ctrIDIndex.Get()`, if the ctr is not
found it's overridden by an empty string making the error return
totally unusable.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
conmon has many flags that are parsed when it's executed, one of them
is "-c". During PR #510 where we vendor latest kube master code,
upstream has changed a test to call a "ctr execsync" with a command of
"sh -c commmand ...".
Turns out:
a) conmon has a "-c" flag which refers to the container name/id
b) the exec command has a "-c" flags but it's for "sh"
That leads to conmon parsing the second "-c" flags from the exec
command causing an error. The executed command looks like:
conmon -c [..other flags..] CONTAINERID -e sh -c echo hello world
This patch rewrites the exec sync code to not pass down to conmon the
exec command via command line. Rather, we're now creating an OCI runtime
process spec in a temp file, pass _the path_ down to conmon, and have
runc exec the command using "runc exec --process
/path/to/process-spec.json CONTAINERID". This is far better in which we
don't need to bother anymore about conflicts with flags in conmon.
Added and fixed some tests also.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
If we create a container using the image ID like
771cd5947d5ea4bf8e8f4900dd357dbb67e7b16486c270f8274087d182d457c6, then
a call to container_status will return that same ID for the "Image"
field in ContainerStatusResponse.
This patch matches dockershim behavior and return the first tagged name
if available from the image store.
This is also needed to fix a failure in k8s e2d tests.
Reference:
https://github.com/kubernetes/kubernetes/pull/39298/files#diff-c7dd39479fd733354254e70845075db5R369
Reference:
67a5bf8454/test/e2e/framework/util.go (L1941)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
The ocid project was renamed to CRI-O, months ago, it is time that we moved
all of the code to the new name. We want to elminate the name ocid from use.
Move fully to crio.
Also cric is being renamed to crioctl for the time being.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Two issues:
1) pod Namespace was always set to "", which prevents plugins from figuring out
what the actual pod is, and from getting more info about that pod from the
runtime via out-of-band mechanisms
2) the pod Name and ID arguments were switched, further preventing #1
Signed-off-by: Dan Williams <dcbw@redhat.com>
If an image that we're pulling from a registry has a digest in its
reference, use that to construct the destination image's reference.
This should help us detect cases where the image has previously been
pulled.
When we have a filter to use when listing images, expand it into a
reference so that we can properly match against names of images that
we've previously stored using fully expanded references.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Now that we have support for split std{out,err}, make sure that execsync
will correctly handle the split stdio properly. In addition, extend the
ctr logging test to make sure that the regular container logging is also
split correctly. We can't test !terminal containers because we only have
a single console for both std{out,err}.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Previously we returned an internal error result when a program had a
non-zero exit code, which was incorrect. Fix this as well as change the
tests to actually check the "ExitCode" response from ExecSync (rather
than expecting ocic-ctr to return an internal error).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Since we no longer fall back to the noop plugin when
CNI configuration files are missing, and since the default
sandbox_config.json test file is running without host
networking, we must install the bridge and loopback
configuration files by default for tests to pass.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
The main purpose of these tests is to make sure that the log actually
contains output from the container. We don't test the timestamps or the
stream that's stated at the moment.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This is necessary, as otherwise ocid will use its own current directory
as a log_directory, which is not the best idea in the world. The same
applies for log_path.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
The runtimeversion test was incorrectly written and would fail for no
good reason if setup_ocid happened to run a command that failed (even if
it was handled).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Instead of requiring the developer to set up their own GOPATH somewhere,
do like Kubernetes and OpenShift Origin do:
git clone xxxxx
cd xxxxx
make
by creating an _output/ directory and linking the local source tree
into it, and setting that to be the GOPATH.
Signed-off-by: Dan Williams <dcbw@redhat.com>
