Compare commits
90 Commits
v1.9.0-bet
...
master
Author | SHA1 | Date |
---|---|---|
Antonio Murdaca | 54e76afc03 | |
Daniel J Walsh | 4fee97abe3 | |
Kei Sawada | a50f352eb4 | |
Mrunal Patel | ed40d645cd | |
W. Trevor King | 8dbc2d1fff | |
Mrunal Patel | ddb14b7303 | |
Mrunal Patel | 924821e4bf | |
W. Trevor King | 080b84dfcd | |
Mrunal Patel | 214096b7ed | |
Antonio Murdaca | 8c87b6104f | |
Mrunal Patel | b7995aa526 | |
W. Trevor King | 822a6516cf | |
W. Trevor King | 523326b7ba | |
W. Trevor King | 826298483a | |
Mrunal Patel | 7851115693 | |
Antonio Murdaca | 77561e95cf | |
Antonio Murdaca | cbfdda868a | |
W. Trevor King | 282b900433 | |
Mrunal Patel | 1bb5846d7d | |
W. Trevor King | 15d839ea0d | |
W. Trevor King | bf8a99c085 | |
W. Trevor King | 2bf750c871 | |
Mrunal Patel | ba2b4a03d0 | |
W. Trevor King | 8c7c70c2db | |
W. Trevor King | e124834b0d | |
Antonio Murdaca | cb8033cd19 | |
Antonio Murdaca | 8c190a683c | |
Mrunal Patel | d0e0303921 | |
Antonio Murdaca | 8d2a572ead | |
Daniel J Walsh | 22e25158ca | |
Vincent Batts | 27c2eda635 | |
Daniel J Walsh | 23d20c9db5 | |
Mrunal Patel | 41aaf4e3d8 | |
Giuseppe Scrivano | 2cb22eba49 | |
Giuseppe Scrivano | 6bb1b7e17d | |
Giuseppe Scrivano | b1b380d67b | |
Antonio Murdaca | 6f4d7c1ae0 | |
Mrunal Patel | c351bc81e1 | |
Giuseppe Scrivano | b5167d4e8f | |
Giuseppe Scrivano | 1f75ec82e1 | |
Giuseppe Scrivano | 3881f375b9 | |
Mrunal Patel | ad46c581fa | |
Daniel J Walsh | 3c1c6d047e | |
Mrunal Patel | a34038350c | |
Aaron Crickenberger | a28eb8374e | |
Mrunal Patel | 295a11eb17 | |
Mrunal Patel | 28976738de | |
Haoran Wang | 88b13dfddf | |
Jianyong Wu | 8b1fefad71 | |
Mrunal Patel | 6b91df3da7 | |
Antonio Murdaca | de0be63495 | |
Daniel J Walsh | a85f3127d8 | |
Daniel J Walsh | 6c0b79b706 | |
Mrunal Patel | aee7dea272 | |
Antonio Murdaca | e344ad105a | |
Antonio Murdaca | 43119a7b13 | |
Antonio Murdaca | ecc572e7cf | |
Antonio Murdaca | 455245e65b | |
Antonio Murdaca | 7d2bde110a | |
Nalin Dahyabhai | fa90249c59 | |
Nalin Dahyabhai | 72442d0957 | |
Nalin Dahyabhai | 0ab8c507f4 | |
Nalin Dahyabhai | 492f758176 | |
Nalin Dahyabhai | 893aa4e8c7 | |
Nalin Dahyabhai | 6a456d1502 | |
Nalin Dahyabhai | 5ea050fc12 | |
Nalin Dahyabhai | ff7bbb4f0d | |
Nalin Dahyabhai | f3b7065bd8 | |
Nalin Dahyabhai | 553979e1fc | |
Nalin Dahyabhai | 0651d3a8de | |
Mrunal Patel | 2fa1f3f74a | |
Antonio Murdaca | d91df68638 | |
Mrunal Patel | da50e6ca11 | |
Mrunal Patel | ebc249cad8 | |
Antonio Murdaca | f317ffce5b | |
Mrunal Patel | a85ea609db | |
Antonio Murdaca | afeab27a36 | |
Mrunal Patel | 1f3fbdc987 | |
Nicolas Lacasse | 1138af9e59 | |
Antonio Murdaca | 06904d4dbb | |
Mrunal Patel | 85f303f3ff | |
Mrunal Patel | 989d275e76 | |
Antonio Murdaca | d168fc5fec | |
Daniel J Walsh | b9ffd277b9 | |
Antonio Murdaca | 910cfab6e9 | |
Samuel Ortiz | a2e08d5dc4 | |
Antonio Murdaca | 0eaa52c356 | |
Antonio Murdaca | b8bba70f99 | |
Oleksandr Stepanov | a71948e9e7 | |
Liu Chang | c0ad5277e6 |
|
@ -0,0 +1,10 @@
|
|||
Aleksa Sarai <asarai@suse.de> <asarai@suse.com>
|
||||
Antonio Murdaca <runcom@redhat.com> <runcom@users.noreply.github.com>
|
||||
CuiHaozhi <cuihaozhi@chinacloud.com.cn> <cuihz@wise2c.com>
|
||||
Daniel J Walsh <dwalsh@redhat.com>
|
||||
Haiyan Meng <hmeng@redhat.com> <haiyanalady@gmail.com>
|
||||
Lorenzo Fontana <lo@linux.com> <fontanalorenz@gmail.com>
|
||||
Mrunal Patel <mrunalp@gmail.com> <mpatel@redhat.com>
|
||||
Mrunal Patel <mrunalp@gmail.com> <mrunal@me.com>
|
||||
Pengfei Ni <feiskyer@gmail.com> <feiskyer@users.noreply.github.com>
|
||||
Tobias Klauser <tklauser@distanz.ch> <tobias.klauser@gmail.com>
|
|
@ -38,6 +38,7 @@ RUN apt-get update && apt-get install -y \
|
|||
netcat \
|
||||
socat \
|
||||
--no-install-recommends \
|
||||
bsdmainutils \
|
||||
&& apt-get clean
|
||||
|
||||
# install bats
|
||||
|
@ -56,7 +57,7 @@ RUN mkdir -p /usr/src/criu \
|
|||
&& rm -rf /usr/src/criu
|
||||
|
||||
# Install runc
|
||||
ENV RUNC_COMMIT 84a082bfef6f932de921437815355186db37aeb1
|
||||
ENV RUNC_COMMIT c6e4a1ebeb1a72b529c6f1b6ee2b1ae5b868b14f
|
||||
RUN set -x \
|
||||
&& export GOPATH="$(mktemp -d)" \
|
||||
&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
|
||||
|
|
15
Makefile
15
Makefile
|
@ -11,7 +11,7 @@ LIBEXECDIR ?= ${PREFIX}/libexec
|
|||
MANDIR ?= ${PREFIX}/share/man
|
||||
ETCDIR ?= ${DESTDIR}/etc
|
||||
ETCDIR_CRIO ?= ${ETCDIR}/crio
|
||||
BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
|
||||
BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_installed.sh) $(shell hack/libdm_no_deferred_remove_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
|
||||
CRICTL_CONFIG_DIR=${DESTDIR}/etc
|
||||
|
||||
BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
|
||||
|
@ -64,7 +64,8 @@ lint: .gopathok
|
|||
@./.tool/lint
|
||||
|
||||
gofmt:
|
||||
@./hack/verify-gofmt.sh
|
||||
find . -name '*.go' ! -path './vendor/*' -exec gofmt -s -w {} \+
|
||||
git diff --exit-code
|
||||
|
||||
conmon:
|
||||
$(MAKE) -C $@
|
||||
|
@ -73,16 +74,16 @@ pause:
|
|||
$(MAKE) -C $@
|
||||
|
||||
test/bin2img/bin2img: .gopathok $(wildcard test/bin2img/*.go)
|
||||
$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/bin2img
|
||||
$(GO) build -i $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/bin2img
|
||||
|
||||
test/copyimg/copyimg: .gopathok $(wildcard test/copyimg/*.go)
|
||||
$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/copyimg
|
||||
$(GO) build -i $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/copyimg
|
||||
|
||||
test/checkseccomp/checkseccomp: .gopathok $(wildcard test/checkseccomp/*.go)
|
||||
$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/checkseccomp
|
||||
$(GO) build -i $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o $@ $(PROJECT)/test/checkseccomp
|
||||
|
||||
crio: .gopathok $(shell hack/find-godeps.sh $(GOPKGDIR) cmd/crio $(PROJECT))
|
||||
$(GO) build $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o bin/$@ $(PROJECT)/cmd/crio
|
||||
$(GO) build -i $(LDFLAGS) -tags "$(BUILDTAGS) containers_image_ostree_stub" -o bin/$@ $(PROJECT)/cmd/crio
|
||||
|
||||
crio.conf: crio
|
||||
./bin/crio --config="" config --default > crio.conf
|
||||
|
@ -145,7 +146,7 @@ install.man:
|
|||
install ${SELINUXOPT} -m 644 $(filter %.5,$(MANPAGES)) -t $(MANDIR)/man5
|
||||
install ${SELINUXOPT} -m 644 $(filter %.8,$(MANPAGES)) -t $(MANDIR)/man8
|
||||
|
||||
install.config:
|
||||
install.config: crio.conf
|
||||
install ${SELINUXOPT} -D -m 644 crio.conf $(ETCDIR_CRIO)/crio.conf
|
||||
install ${SELINUXOPT} -D -m 644 seccomp.json $(ETCDIR_CRIO)/seccomp.json
|
||||
install ${SELINUXOPT} -D -m 644 crio-umount.conf $(OCIUMOUNTINSTALLDIR)/crio-umount.conf
|
||||
|
|
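Review bot: The new `crio.conf: crio` rule regenerates the config on every invocation, because the `crio` rule in the same hunk writes `-o bin/$@` rather than `$@`, so no file named `crio` ever exists and Make treats the target as perpetually out of date; `install.config: crio.conf` inherits that and now rebuilds and runs the daemon binary before every install. The recipe also redirects straight into `crio.conf`, so if `./bin/crio` fails part-way a truncated `crio.conf` is left newer than its prerequisite and passes as up to date on the next run; `./bin/crio --config="" config --default > $@.tmp && mv -f $@.tmp $@` (or a file-level `.DELETE_ON_ERROR:`) avoids that. In the `@@ -11` hunk `BUILDTAGS ?=` is recursive-flavour, so the six `$(shell hack/*.sh)` probes rerun at every `$(GO) build` line that expands `$(BUILDTAGS)`; wrapping a `BUILDTAGS := ...` assignment in `ifndef BUILDTAGS` / `endif` keeps the override semantics with a single evaluation. In the `gofmt` hunk, `gofmt -s -w` mutates the working tree and `git diff --exit-code` then fails on any pre-existing uncommitted edit, not only formatting ones; testing that `gofmt -s -l` prints nothing checks the same thing without touching files.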
|
@ -12,6 +12,7 @@
|
|||
|----------------------------|-------------------------------|--------------------|
|
||||
| CRI-O 1.0.x - release-1.0 | Kubernetes 1.7 branch, v1.7.x | = |
|
||||
| CRI-O 1.8.x - release-1.8 | Kubernetes 1.8 branch, v1.8.x | = |
|
||||
| CRI-O 1.9.x - release-1.9 | Kubernetes 1.9 branch, v1.9.x | = |
|
||||
| CRI-O HEAD - master | Kubernetes master branch | ✓ |
|
||||
|
||||
Key:
|
||||
|
|
|
@ -14,7 +14,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/containers/storage/pkg/reexec"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
"github.com/kubernetes-incubator/cri-o/server"
|
||||
"github.com/kubernetes-incubator/cri-o/version"
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
|
@ -32,9 +32,9 @@ var gitCommit = ""
|
|||
|
||||
func validateConfig(config *server.Config) error {
|
||||
switch config.ImageVolumes {
|
||||
case libkpod.ImageVolumesMkdir:
|
||||
case libkpod.ImageVolumesIgnore:
|
||||
case libkpod.ImageVolumesBind:
|
||||
case lib.ImageVolumesMkdir:
|
||||
case lib.ImageVolumesIgnore:
|
||||
case lib.ImageVolumesBind:
|
||||
default:
|
||||
return fmt.Errorf("Unrecognized image volume type specified")
|
||||
|
||||
|
@ -145,7 +145,7 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
|||
config.PluginDir = ctx.GlobalString("cni-plugin-dir")
|
||||
}
|
||||
if ctx.GlobalIsSet("image-volumes") {
|
||||
config.ImageVolumes = libkpod.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
||||
config.ImageVolumes = lib.ImageVolumesType(ctx.GlobalString("image-volumes"))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
@ -297,7 +297,7 @@ func main() {
|
|||
},
|
||||
cli.Int64Flag{
|
||||
Name: "pids-limit",
|
||||
Value: libkpod.DefaultPidsLimit,
|
||||
Value: lib.DefaultPidsLimit,
|
||||
Usage: "maximum number of processes allowed in a container",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
|
@ -306,7 +306,7 @@ func main() {
|
|||
},
|
||||
cli.Int64Flag{
|
||||
Name: "log-size-max",
|
||||
Value: libkpod.DefaultLogSizeMax,
|
||||
Value: lib.DefaultLogSizeMax,
|
||||
Usage: "maximum log size in bytes for a container",
|
||||
},
|
||||
cli.StringFlag{
|
||||
|
@ -319,13 +319,13 @@ func main() {
|
|||
},
|
||||
cli.StringFlag{
|
||||
Name: "image-volumes",
|
||||
Value: string(libkpod.ImageVolumesMkdir),
|
||||
Value: string(lib.ImageVolumesMkdir),
|
||||
Usage: "image volume handling ('mkdir', 'bind', or 'ignore')",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "hooks-dir-path",
|
||||
Usage: "set the OCI hooks directory path",
|
||||
Value: libkpod.DefaultHooksDirPath,
|
||||
Value: lib.DefaultHooksDirPath,
|
||||
Hidden: true,
|
||||
},
|
||||
cli.StringSliceFlag{
|
||||
|
@ -509,7 +509,7 @@ func main() {
|
|||
if graceful && strings.Contains(strings.ToLower(err.Error()), "use of closed network connection") {
|
||||
err = nil
|
||||
} else {
|
||||
logrus.Errorf("Failed to serve grpc grpc request: %v", err)
|
||||
logrus.Errorf("Failed to serve grpc request: %v", err)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
|
|
@ -1,55 +1,3 @@
|
|||
## Kubernetes Community Code of Conduct
|
||||
# Kubernetes Community Code of Conduct
|
||||
|
||||
### Contributor Code of Conduct
|
||||
|
||||
As contributors and maintainers of this project, and in the interest of fostering
|
||||
an open and welcoming community, we pledge to respect all people who contribute
|
||||
through reporting issues, posting feature requests, updating documentation,
|
||||
submitting pull requests or patches, and other activities.
|
||||
|
||||
We are committed to making participation in this project a harassment-free experience for
|
||||
everyone, regardless of level of experience, gender, gender identity and expression,
|
||||
sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
|
||||
religion, or nationality.
|
||||
|
||||
Examples of unacceptable behavior by participants include:
|
||||
|
||||
* The use of sexualized language or imagery.
|
||||
* Personal attacks.
|
||||
* Trolling or insulting/derogatory comments.
|
||||
* Public or private harassment.
|
||||
* Publishing other's private information, such as physical or electronic addresses,
|
||||
without explicit permission.
|
||||
* Other unethical or unprofessional conduct.
|
||||
|
||||
Project maintainers have the right and responsibility to remove, edit, or reject
|
||||
comments, commits, code, wiki edits, issues, and other contributions that are not
|
||||
aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
|
||||
commit themselves to fairly and consistently applying these principles to every aspect
|
||||
of managing this project. Project maintainers who do not follow or enforce the Code of
|
||||
Conduct may be permanently removed from the project team.
|
||||
|
||||
This code of conduct applies both within project spaces and in public spaces
|
||||
when an individual is representing the project or its community.
|
||||
|
||||
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a Kubernetes maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
|
||||
|
||||
This Code of Conduct is adapted from the Contributor Covenant
|
||||
(http://contributor-covenant.org), version 1.2.0, available at
|
||||
http://contributor-covenant.org/version/1/2/0/
|
||||
|
||||
### Kubernetes Events Code of Conduct
|
||||
|
||||
Kubernetes events are working conferences intended for professional networking and collaboration in the
|
||||
Kubernetes community. Attendees are expected to behave according to professional standards and in accordance
|
||||
with their employer's policies on appropriate workplace behavior.
|
||||
|
||||
While at Kubernetes events or related social networking opportunities, attendees should not engage in
|
||||
discriminatory or offensive speech or actions regarding gender, sexuality, race, or religion. Speakers should
|
||||
be especially aware of these concerns.
|
||||
|
||||
The Kubernetes team does not condone any statements by speakers contrary to these standards. The Kubernetes
|
||||
team reserves the right to deny entrance and/or eject from an event (without refund) any individual found to
|
||||
be engaging in discriminatory or offensive speech or actions.
|
||||
|
||||
Please bring any concerns to the immediate attention of the Kubernetes event staff.
|
||||
Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md)
|
||||
|
|
|
@ -12,7 +12,6 @@
|
|||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/wait.h>
|
||||
#include <sys/eventfd.h>
|
||||
#include <sys/stat.h>
|
||||
|
@ -350,7 +349,7 @@ static int write_k8s_log(int fd, stdpipe_t pipe, const char *buf, ssize_t buflen
|
|||
/* Open the log path file again */
|
||||
log_fd = open(opt_log_path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
|
||||
if (log_fd < 0)
|
||||
pexit("Failed to open log file");
|
||||
pexit("Failed to open log file %s: %s", opt_log_path, strerror(errno));
|
||||
fd = log_fd;
|
||||
}
|
||||
|
||||
|
@ -1121,6 +1120,8 @@ int main(int argc, char *argv[])
|
|||
|
||||
if (opt_runtime_path == NULL)
|
||||
nexit("Runtime path not provided. Use --runtime");
|
||||
if (access(opt_runtime_path, X_OK) < 0)
|
||||
pexit("Runtime path %s is not valid: %s", opt_runtime_path, strerror(errno));
|
||||
|
||||
if (!opt_exec && opt_exit_dir == NULL)
|
||||
nexit("Container exit directory not provided. Use --exit-dir");
|
||||
|
|
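Review bot: The `access(opt_runtime_path, X_OK)` check added in the `main` hunk is a pre-flight diagnostic only: `access(2)` evaluates against the real UID and the path can change between this call and the later exec, so the exec error path still has to be handled and this check must not be treated as an authorisation step. Both new `pexit(...)` calls pass `strerror(errno)` explicitly; if `pexit` is perror-style and already appends the errno text (its name suggests so, its definition is not in view), the message will carry the reason twice — worth confirming before merging. `write_k8s_log` and `main` both continue outside their hunks.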
|
@ -0,0 +1,29 @@
|
|||
FROM centos
|
||||
|
||||
ENV VERSION=0 RELEASE=1 ARCH=x86_64
|
||||
LABEL com.redhat.component="cri-o" \
|
||||
name="$FGC/cri-o" \
|
||||
version="$VERSION" \
|
||||
release="$RELEASE.$DISTTAG" \
|
||||
architecture="$ARCH" \
|
||||
usage="atomic install --system --system-package=no crio && systemctl start crio" \
|
||||
summary="The cri-o daemon as a system container." \
|
||||
maintainer="Yu Qi Zhang <jzehrarnyg@gmail.com>" \
|
||||
atomic.type="system"
|
||||
|
||||
RUN yum-config-manager --nogpgcheck --add-repo https://cbs.centos.org/repos/virt7-container-common-candidate/x86_64/os/ && \
|
||||
yum install --disablerepo=extras --nogpgcheck --setopt=tsflags=nodocs -y iptables cri-o socat iproute runc && \
|
||||
rpm -V iptables cri-o iproute runc && \
|
||||
yum clean all && \
|
||||
mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
|
||||
cp /etc/crio/* /exports/hostfs/etc/crio && \
|
||||
if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
|
||||
|
||||
RUN sed -i '/storage_option =/s/.*/&\n"overlay.override_kernel_check=1",/' /exports/hostfs/etc/crio/crio.conf
|
||||
|
||||
COPY manifest.json tmpfiles.template config.json.template service.template /exports/
|
||||
|
||||
COPY set_mounts.sh /
|
||||
COPY run.sh /usr/bin/
|
||||
|
||||
CMD ["/usr/bin/run.sh"]
|
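Review bot: The `RUN yum-config-manager --nogpgcheck --add-repo ...` and `yum install ... --nogpgcheck` lines install `cri-o`, `runc` and `iptables` from the CBS candidate repository with package signature verification disabled, so the image's core binaries are accepted without any provenance check; the following `rpm -V` only compares installed files against the already-accepted package headers and does not substitute for it. If the candidate repo is unsigned (presumably why the flag is there), the package versions should at least be pinned so the build is reproducible and a swapped package is noticed, and a comment above the `RUN` should record why `--nogpgcheck` is acceptable for this image. `FROM centos` is an unpinned tag, so the base image also changes underneath the build; the sibling Fedora Dockerfile pins `fedora:27`, and this one should pin a release tag the same way.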
|
@ -0,0 +1,57 @@
|
|||
# cri-o
|
||||
|
||||
This is the cri-o daemon as a system container.
|
||||
|
||||
## Building the image from source:
|
||||
|
||||
```
|
||||
# git clone https://github.com/projectatomic/atomic-system-containers
|
||||
# cd atomic-system-containers/cri-o
|
||||
# docker build -t crio .
|
||||
```
|
||||
|
||||
## Running the system container, with the atomic CLI:
|
||||
|
||||
Pull from registry into ostree:
|
||||
|
||||
```
|
||||
# atomic pull --storage ostree $REGISTRY/crio
|
||||
```
|
||||
|
||||
Or alternatively, pull from local docker:
|
||||
|
||||
```
|
||||
# atomic pull --storage ostree docker:crio:latest
|
||||
```
|
||||
|
||||
Install the container:
|
||||
|
||||
Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
|
||||
during installation. This flag will tell the atomic CLI to fall back to copying files to the
|
||||
host instead.
|
||||
|
||||
```
|
||||
# atomic install --system --system-package=no --name=crio ($REGISTRY)/crio
|
||||
```
|
||||
|
||||
Start as a systemd service:
|
||||
|
||||
```
|
||||
# systemctl start crio
|
||||
```
|
||||
|
||||
Stopping the service
|
||||
|
||||
```
|
||||
# systemctl stop crio
|
||||
```
|
||||
|
||||
Removing the container
|
||||
|
||||
```
|
||||
# atomic uninstall crio
|
||||
```
|
||||
|
||||
## Binary version
|
||||
|
||||
You can find the image automatically built as: registry.centos.org/projectatomic/cri-o:latest
|
|
@ -0,0 +1,41 @@
|
|||
# This is for the purpose of building containers on the CentOS Community Container
|
||||
# Pipeline. The containers are built, tested and delivered to registry.centos.org and
|
||||
# lifecycled as well. A corresponding entry must exist in the container index itself,
|
||||
# located at https://github.com/CentOS/container-index/tree/master/index.d
|
||||
# You can know more at the following links:
|
||||
# * https://github.com/CentOS/container-pipeline-service/blob/master/README.md
|
||||
# * https://github.com/CentOS/container-index/blob/master/README.rst
|
||||
# * https://wiki.centos.org/ContainerPipeline
|
||||
|
||||
# This will be part of the name of the container. It should match the job-id in index entry
|
||||
job-id: cri-o
|
||||
|
||||
#the following are optional, can be left blank
|
||||
#defaults, where applicable are filled in
|
||||
#nulecule-file : nulecule
|
||||
|
||||
# This flag tells the container pipeline to skip user defined tests on their container
|
||||
test-skip : True
|
||||
|
||||
# This is path of the script that initiates the user defined tests. It must be able to
|
||||
# return an exit code.
|
||||
test-script : null
|
||||
|
||||
# This is the path of custom build script.
|
||||
build-script : null
|
||||
|
||||
# This is the path of the custom delivery script
|
||||
delivery-script : null
|
||||
|
||||
# This flag tells the pipeline to deliver this container to docker hub.
|
||||
docker-index : True
|
||||
|
||||
# This flag can be used to enable or disable the custom delivery
|
||||
custom-delivery : False
|
||||
|
||||
# This flag can be used to enable or disable delivery of container to local registry
|
||||
local-delivery : True
|
||||
|
||||
Upstreams :
|
||||
- ref :
|
||||
url :
|
|
@ -0,0 +1,427 @@
|
|||
{
|
||||
"ociVersion": "1.0.0",
|
||||
"platform": {
|
||||
"arch": "amd64",
|
||||
"os": "linux"
|
||||
},
|
||||
"process": {
|
||||
"args": [
|
||||
"/usr/bin/run.sh"
|
||||
],
|
||||
"capabilities": {
|
||||
"ambient": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"bounding": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"effective": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"inheritable": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"permitted": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
]
|
||||
},
|
||||
"selinuxLabel": "system_u:system_r:container_runtime_t:s0",
|
||||
"cwd": "/",
|
||||
"env": [
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
|
||||
"TERM=xterm",
|
||||
"LOG_LEVEL=$LOG_LEVEL",
|
||||
"NAME=$NAME"
|
||||
],
|
||||
"noNewPrivileges": false,
|
||||
"terminal": false,
|
||||
"user": {
|
||||
"gid": 0,
|
||||
"uid": 0
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"path": "rootfs",
|
||||
"readonly": true
|
||||
},
|
||||
"hooks": {},
|
||||
"linux": {
|
||||
"namespaces": [
|
||||
{
|
||||
"type": "mount"
|
||||
}
|
||||
],
|
||||
"resources": {
|
||||
"devices": [
|
||||
{
|
||||
"access": "rwm",
|
||||
"allow": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"rootfsPropagation": "private"
|
||||
},
|
||||
"mounts": [
|
||||
{
|
||||
"destination": "/tmp",
|
||||
"options": [
|
||||
"private",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/tmp",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/etc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/etc",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/lib/modules",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/lib/modules",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/root",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/root",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/home",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/home",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/mnt",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"rprivate",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/mnt",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}",
|
||||
"destination": "/run",
|
||||
"options": [
|
||||
"rshared",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}/systemd",
|
||||
"destination": "/run/systemd",
|
||||
"options": [
|
||||
"rslave",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"destination": "/var/log",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rslave",
|
||||
"rw"
|
||||
],
|
||||
"source": "/var/log",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw"
|
||||
],
|
||||
"source": "${STATE_DIRECTORY}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/containers/storage",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rshared",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_CONTAINERS_STORAGE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/origin",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_ORIGIN}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/kubelet",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_KUBE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/opt/cni",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"ro",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "${OPT_CNI}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/dev",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/dev",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/sys",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/sys",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/proc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/proc",
|
||||
"type": "proc"
|
||||
}
|
||||
]
|
||||
}
|
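Review bot: The five capability arrays (`ambient`, `bounding`, `effective`, `inheritable`, `permitted`) grant the full set including `CAP_SYS_MODULE`, `CAP_SYS_RAWIO`, `CAP_SYS_BOOT`, `CAP_MAC_ADMIN` and `CAP_SYS_PTRACE`, and together with `"noNewPrivileges": false`, the `"access": "rwm"` device allow rule, a lone `mount` namespace and `rw` bind mounts of `/etc`, `/root`, `/home`, `/dev` and `/sys`, the container is effectively host-equivalent. For a system container hosting the CRI daemon much of this is intended, but nothing records which capabilities crio and runc actually exercise, so the list will never be trimmed; since JSON cannot carry a comment, the contrib README should document the rationale and the ones with no known use here should be dropped. The same list is pasted five times, so a future change to one array will silently diverge from the others — a note that the arrays must stay in sync, or generating them, would help. The `"selinuxLabel": "system_u:system_r:container_runtime_t:s0"` setting is the confinement that actually applies and is the right choice.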
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"version": "1.0",
|
||||
"defaultValues": {
|
||||
"LOG_LEVEL" : "info",
|
||||
"OPT_CNI" : "/opt/cni",
|
||||
"VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
|
||||
"VAR_LIB_ORIGIN" : "/var/lib/origin",
|
||||
"VAR_LIB_KUBE" : "/var/lib/kubelet"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Ensure that new process maintain this SELinux label
|
||||
PID=$$
|
||||
LABEL=`tr -d '\000' < /proc/$PID/attr/current`
|
||||
printf %s $LABEL > /proc/self/attr/exec
|
||||
|
||||
test -e /etc/sysconfig/crio-storage && source /etc/sysconfig/crio-storage
|
||||
test -e /etc/sysconfig/crio-network && source /etc/sysconfig/crio-network
|
||||
|
||||
exec /usr/bin/crio --log-level=$LOG_LEVEL
|
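Review bot: `source /etc/sysconfig/crio-storage` and `source /etc/sysconfig/crio-network` are bash syntax but the script runs under `#!/bin/sh`; where `sh` is dash this aborts before the `exec`, so use the POSIX form `. /etc/sysconfig/crio-storage` (and likewise for crio-network). `$LABEL` in `printf %s $LABEL > /proc/self/attr/exec` and `$LOG_LEVEL` on the `exec` line are unquoted, so a value containing whitespace is word-split; `printf %s "$LABEL"` and `--log-level="$LOG_LEVEL"` are the safe forms. The two sysconfig files are executed as shell with the daemon's privileges, and the `Z /etc/crio` tmpfiles rule elsewhere in this change covers only `/etc/crio`, so it is worth confirming that those files are root-owned and not group/world-writable.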
|
@ -0,0 +1,20 @@
|
|||
[Unit]
|
||||
Description=crio daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
|
||||
ExecStart=$EXEC_START
|
||||
ExecStop=$EXEC_STOP
|
||||
Restart=on-failure
|
||||
WorkingDirectory=$DESTDIR
|
||||
RuntimeDirectory=${NAME}
|
||||
TasksMax=infinity
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=1048576
|
||||
LimitCORE=infinity
|
||||
TimeoutStartSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
|
||||
findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
|
||||
findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
|
||||
mount --make-shared /run
|
||||
findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
|
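Review bot: The script sets no `set -e`, so a failed `mount --make-shared` on `/var/lib/containers/storage` (or on any line but the last) is ignored and the exit status — the only thing the unit's `ExecStartPre` sees — reflects just the final `findmnt /run/systemd ... || mount ...` line; add `set -e` directly after `#!/bin/sh`. The unconditional `mount --make-shared /run` is the one line without a `findmnt` guard; it is idempotent, but a one-line comment saying so would stop the next reader from "fixing" it.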
|
@ -0,0 +1,5 @@
|
|||
d ${RUN_DIRECTORY}/crio - - - - -
|
||||
d /etc/crio - - - - -
|
||||
Z /etc/crio - - - - -
|
||||
d ${STATE_DIRECTORY}/origin - - - - -
|
||||
d ${STATE_DIRECTORY}/kubelet - - - - -
|
|
@ -0,0 +1,30 @@
|
|||
FROM registry.fedoraproject.org/fedora:27
|
||||
|
||||
ENV VERSION=0 RELEASE=1 ARCH=x86_64
|
||||
LABEL com.redhat.component="cri-o" \
|
||||
name="$FGC/cri-o" \
|
||||
version="$VERSION" \
|
||||
release="$RELEASE.$DISTTAG" \
|
||||
architecture="$ARCH" \
|
||||
usage="atomic install --system --system-package=no crio && systemctl start crio" \
|
||||
summary="The cri-o daemon as a system container." \
|
||||
maintainer="Yu Qi Zhang <jzehrarnyg@gmail.com>" \
|
||||
atomic.type="system"
|
||||
|
||||
COPY README.md /
|
||||
|
||||
RUN dnf install --enablerepo=updates-testing --setopt=tsflags=nodocs -y iptables cri-o socat iproute runc && \
|
||||
rpm -V iptables cri-o iproute runc && \
|
||||
dnf clean all && \
|
||||
mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
|
||||
cp /etc/crio/* /exports/hostfs/etc/crio && \
|
||||
if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
|
||||
|
||||
RUN sed -i '/storage_option =/s/.*/&\n"overlay.override_kernel_check=1",/' /exports/hostfs/etc/crio/crio.conf
|
||||
|
||||
COPY manifest.json tmpfiles.template config.json.template service.template /exports/
|
||||
|
||||
COPY set_mounts.sh /
|
||||
COPY run.sh /usr/bin/
|
||||
|
||||
CMD ["/usr/bin/run.sh"]
|
|
@ -0,0 +1,53 @@
|
|||
# cri-o
|
||||
|
||||
This is the cri-o daemon as a system container.
|
||||
|
||||
## Building the image from source:
|
||||
|
||||
```
|
||||
# git clone https://github.com/projectatomic/atomic-system-containers
|
||||
# cd atomic-system-containers/cri-o
|
||||
# docker build -t crio .
|
||||
```
|
||||
|
||||
## Running the system container, with the atomic CLI:
|
||||
|
||||
Pull from registry into ostree:
|
||||
|
||||
```
|
||||
# atomic pull --storage ostree $REGISTRY/crio
|
||||
```
|
||||
|
||||
Or alternatively, pull from local docker:
|
||||
|
||||
```
|
||||
# atomic pull --storage ostree docker:crio:latest
|
||||
```
|
||||
|
||||
Install the container:
|
||||
|
||||
Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
|
||||
during installation. This flag will tell the atomic CLI to fall back to copying files to the
|
||||
host instead.
|
||||
|
||||
```
|
||||
# atomic install --system --system-package=no --name=crio ($REGISTRY)/crio
|
||||
```
|
||||
|
||||
Start as a systemd service:
|
||||
|
||||
```
|
||||
# systemctl start crio
|
||||
```
|
||||
|
||||
Stopping the service
|
||||
|
||||
```
|
||||
# systemctl stop crio
|
||||
```
|
||||
|
||||
Removing the container
|
||||
|
||||
```
|
||||
# atomic uninstall crio
|
||||
```
|
|
@ -0,0 +1,432 @@
|
|||
{
|
||||
"ociVersion": "1.0.0",
|
||||
"platform": {
|
||||
"arch": "amd64",
|
||||
"os": "linux"
|
||||
},
|
||||
"process": {
|
||||
"args": [
|
||||
"/usr/bin/run.sh"
|
||||
],
|
||||
"selinuxLabel": "system_u:system_r:container_runtime_t:s0",
|
||||
"capabilities": {
|
||||
"ambient": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_AUDIT_READ"
|
||||
],
|
||||
"bounding": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_AUDIT_READ"
|
||||
],
|
||||
"effective": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_AUDIT_READ"
|
||||
],
|
||||
"inheritable": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_AUDIT_READ"
|
||||
],
|
||||
"permitted": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND",
|
||||
"CAP_AUDIT_READ"
|
||||
]
|
||||
},
|
||||
"cwd": "/",
|
||||
"env": [
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
|
||||
"TERM=xterm",
|
||||
"LOG_LEVEL=$LOG_LEVEL",
|
||||
"NAME=$NAME"
|
||||
],
|
||||
"noNewPrivileges": false,
|
||||
"terminal": false,
|
||||
"user": {
|
||||
"gid": 0,
|
||||
"uid": 0
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"path": "rootfs",
|
||||
"readonly": true
|
||||
},
|
||||
"hooks": {},
|
||||
"linux": {
|
||||
"namespaces": [
|
||||
{
|
||||
"type": "mount"
|
||||
}
|
||||
],
|
||||
"resources": {
|
||||
"devices": [
|
||||
{
|
||||
"access": "rwm",
|
||||
"allow": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"rootfsPropagation": "private"
|
||||
},
|
||||
"mounts": [
|
||||
{
|
||||
"destination": "/tmp",
|
||||
"options": [
|
||||
"private",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/tmp",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/etc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/etc",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/lib/modules",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/lib/modules",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/root",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/root",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/home",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/home",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/mnt",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"rprivate",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/mnt",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}",
|
||||
"destination": "/run",
|
||||
"options": [
|
||||
"rshared",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}/systemd",
|
||||
"destination": "/run/systemd",
|
||||
"options": [
|
||||
"rslave",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"destination": "/var/log",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rslave",
|
||||
"rw"
|
||||
],
|
||||
"source": "/var/log",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw"
|
||||
],
|
||||
"source": "${STATE_DIRECTORY}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/containers/storage",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rshared",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_CONTAINERS_STORAGE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/origin",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_ORIGIN}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/kubelet",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_KUBE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/opt/cni",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"ro",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "${OPT_CNI}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/dev",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/dev",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/sys",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/sys",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/proc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/proc",
|
||||
"type": "proc"
|
||||
}
|
||||
]
|
||||
}
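Review bot: The `mounts` section bind-mounts `/home` and `/root` read-write into the runtime container (alongside rw `/etc`, `/dev`, `/sys`, an all-devices `rwm` allow, the full capability set and `noNewPrivileges: false`), which makes this effectively a host-root process; nothing in the visible run.sh needs `/home`. Unless a documented consumer needs it, drop the `/home` entry and consider `ro` for `/root` and `/lib/modules`. The wide bounding set is presumably deliberate because runc can only grant pods capabilities that are in its own bounding set — that rationale belongs in the README, since JSON cannot carry a comment. Note also that `$LOG_LEVEL` and `$NAME` are substituted verbatim into JSON string literals, so a value containing a double quote breaks the spec; the installer's substitution must be treated as trusted input only.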
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"version": "1.0",
|
||||
"defaultValues": {
|
||||
"LOG_LEVEL" : "info",
|
||||
"OPT_CNI" : "/opt/cni",
|
||||
"VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
|
||||
"VAR_LIB_ORIGIN" : "/var/lib/origin",
|
||||
"VAR_LIB_KUBE" : "/var/lib/kubelet"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Ensure that new process maintain this SELinux label
|
||||
PID=$$
|
||||
LABEL=`tr -d '\000' < /proc/$PID/attr/current`
|
||||
printf %s $LABEL > /proc/self/attr/exec
|
||||
|
||||
test -e /etc/sysconfig/crio-storage && source /etc/sysconfig/crio-storage
|
||||
test -e /etc/sysconfig/crio-network && source /etc/sysconfig/crio-network
|
||||
|
||||
exec /usr/bin/crio --log-level=$LOG_LEVEL
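Review bot: `source` is a bash keyword; under the `#!/bin/sh` shebang on the first line it only works because Fedora's /bin/sh is bash, and the script fails on a POSIX sh. Use the portable form, `test -e /etc/sysconfig/crio-storage && . /etc/sysconfig/crio-storage` (and likewise for crio-network), and quote the expansion on the last line, `exec /usr/bin/crio --log-level="$LOG_LEVEL"`, so an empty or space-containing value cannot split into extra arguments. The sourced sysconfig files are executed as root with the full capability set from config.json.template, so they must stay root-owned and not group/world-writable — a one-line comment above the `test -e` lines saying so would be appropriate.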
|
|
@ -0,0 +1,20 @@
|
|||
[Unit]
|
||||
Description=crio daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
|
||||
ExecStart=$EXEC_START
|
||||
ExecStop=$EXEC_STOP
|
||||
Restart=on-failure
|
||||
WorkingDirectory=$DESTDIR
|
||||
RuntimeDirectory=${NAME}
|
||||
TasksMax=infinity
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=1048576
|
||||
LimitCORE=infinity
|
||||
TimeoutStartSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
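Review bot: `LimitCORE=infinity` allows unbounded core dumps of a daemon that may hold registry pull credentials and pod state in memory; if cores are wanted for debugging, say so in a comment and make sure the core pattern lands somewhere root-only, otherwise `LimitCORE=0`. `After=network.target` does not wait for the network to be up; if crio needs to reach registries at start, `After=network-online.target` plus `Wants=network-online.target` is the usual pairing. Also `Restart=on-failure` without `RestartSec` restarts immediately in a tight loop when set_mounts.sh keeps failing — a `RestartSec=5` would make that visible in the journal rather than a blur.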
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
|
||||
findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
|
||||
findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
|
||||
mount --make-shared /run
|
||||
findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
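Review bot: Each `findmnt X > /dev/null || mount ... --make-shared X X` line skips the propagation change whenever X is already a mount point, so a `/var/lib/kubelet` or `/var/lib/containers/storage` that is its own filesystem (or was bind-mounted private by something else) stays private, and the `rshared` bind in config.json.template then either fails or silently never propagates pod mounts to the host. Apply the propagation change unconditionally after ensuring the mount point exists, and fail the ExecStartPre when it cannot; without `set -e` only the last line's status reaches systemd, so a failed mount earlier in the script is invisible. A small helper keeps the three cases consistent.
```shell
#!/bin/sh
set -e

# Make $1 a mount point (bind-mounting it onto itself if needed) and mark it
# shared so mounts made by pods propagate back to the host.
ensure_shared() {
    findmnt "$1" > /dev/null || mount --bind "$1" "$1"
    mount --make-shared "$1"
}

findmnt /var/lib/containers/storage > /dev/null || mount --rbind /var/lib/containers/storage /var/lib/containers/storage
mount --make-shared /var/lib/containers/storage
ensure_shared /var/lib/origin
ensure_shared /var/lib/kubelet
# … unchanged: /run and /run/systemd lines …
```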
|
|
@ -0,0 +1,5 @@
|
|||
d ${RUN_DIRECTORY}/crio - - - - -
|
||||
d /etc/crio - - - - -
|
||||
Z /etc/crio - - - - -
|
||||
d ${STATE_DIRECTORY}/origin - - - - -
|
||||
d ${STATE_DIRECTORY}/kubelet - - - - -
|
|
@ -0,0 +1,41 @@
|
|||
#oit## This file is managed by the OpenShift Image Tool
|
||||
#oit## by the OpenShift Continuous Delivery team.
|
||||
#oit##
|
||||
#oit## Any yum repos listed in this file will effectively be ignored during CD builds.
|
||||
#oit## Yum repos must be enabled in the oit configuration files.
|
||||
#oit## Some aspects of this file may be managed programmatically. For example, the image name, labels (version,
|
||||
#oit## release, and other), and the base FROM. Changes made directly in distgit may be lost during the next
|
||||
#oit## reconciliation.
|
||||
#oit##
|
||||
FROM rhel7:7-released
|
||||
|
||||
RUN \
|
||||
yum install --setopt=tsflags=nodocs -y socat iptables cri-o iproute runc skopeo-containers container-selinux && \
|
||||
rpm -V socat iptables cri-o iproute runc skopeo-containers container-selinux && \
|
||||
yum clean all && \
|
||||
mkdir -p /exports/hostfs/etc/crio /exports/hostfs/opt/cni/bin/ /exports/hostfs/var/lib/containers/storage/ && \
|
||||
cp /etc/crio/* /exports/hostfs/etc/crio && \
|
||||
if test -e /usr/libexec/cni; then cp -Lr /usr/libexec/cni/* /exports/hostfs/opt/cni/bin/; fi
|
||||
|
||||
COPY manifest.json tmpfiles.template config.json.template service.template /exports/
|
||||
|
||||
COPY set_mounts.sh /
|
||||
COPY run.sh /usr/bin/
|
||||
|
||||
CMD ["/usr/bin/run.sh"]
|
||||
|
||||
LABEL \
|
||||
com.redhat.component="cri-o-docker" \
|
||||
io.k8s.description="CRI-O is an implementation of the Kubernetes CRI. It is a lightweight, OCI-compliant runtime that is native to kubernetes. CRI-O supports OCI container images and can pull from any container registry." \
|
||||
maintainer="Jhon Honce <jhonce@redhat.com>" \
|
||||
name="openshift3/cri-o" \
|
||||
License="GPLv2+" \
|
||||
io.k8s.display-name="CRI-O" \
|
||||
summary="OCI-based implementation of Kubernetes Container Runtime Interface" \
|
||||
release="0.13.0.0" \
|
||||
version="v3.8.0" \
|
||||
architecture="x86_64" \
|
||||
usage="atomic install --system --system-package=no crio && systemctl start crio" \
|
||||
vendor="Red Hat" \
|
||||
io.openshift.tags="cri-o system rhel7" \
|
||||
atomic.type="system"
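Review bot: The `yum install` line takes whatever cri-o/runc/skopeo-containers versions the enabled repos serve, while the labels below assert `version="v3.8.0"`/`release="0.13.0.0"`, so the label and the installed runtime can drift apart with no record of what was built; pin the package NVRs on the install line, or at least write `rpm -qa cri-o runc ...` into a file under /exports so the host can see what it got. The `License="GPLv2+"` label looks wrong for this component — CRI-O upstream is Apache-2.0 licensed as far as I can tell; please confirm and correct. Unlike the Fedora variant, this Dockerfile does not set `overlay.override_kernel_check=1` in crio.conf; if the RHEL 7 cri-o package does not already do so, overlay storage will refuse to start on the 3.10 kernel, so a comment stating which is the case would save the next reader a trip.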
|
|
@ -0,0 +1,422 @@
|
|||
{
|
||||
"ociVersion": "1.0.0",
|
||||
"platform": {
|
||||
"arch": "amd64",
|
||||
"os": "linux"
|
||||
},
|
||||
"process": {
|
||||
"args": [
|
||||
"/usr/bin/run.sh"
|
||||
],
|
||||
"capabilities": {
|
||||
"ambient": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"bounding": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"effective": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"inheritable": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
],
|
||||
"permitted": [
|
||||
"CAP_CHOWN",
|
||||
"CAP_FOWNER",
|
||||
"CAP_FSETID",
|
||||
"CAP_KILL",
|
||||
"CAP_SETGID",
|
||||
"CAP_SETUID",
|
||||
"CAP_SETPCAP",
|
||||
"CAP_LINUX_IMMUTABLE",
|
||||
"CAP_NET_BIND_SERVICE",
|
||||
"CAP_NET_BROADCAST",
|
||||
"CAP_NET_ADMIN",
|
||||
"CAP_NET_RAW",
|
||||
"CAP_IPC_LOCK",
|
||||
"CAP_IPC_OWNER",
|
||||
"CAP_SYS_MODULE",
|
||||
"CAP_SYS_RAWIO",
|
||||
"CAP_SYS_CHROOT",
|
||||
"CAP_SYS_PTRACE",
|
||||
"CAP_SYS_PACCT",
|
||||
"CAP_SYS_ADMIN",
|
||||
"CAP_SYS_BOOT",
|
||||
"CAP_SYS_NICE",
|
||||
"CAP_SYS_RESOURCE",
|
||||
"CAP_SYS_TIME",
|
||||
"CAP_SYS_TTY_CONFIG",
|
||||
"CAP_MKNOD",
|
||||
"CAP_LEASE",
|
||||
"CAP_AUDIT_WRITE",
|
||||
"CAP_AUDIT_CONTROL",
|
||||
"CAP_SETFCAP",
|
||||
"CAP_DAC_OVERRIDE",
|
||||
"CAP_MAC_OVERRIDE",
|
||||
"CAP_DAC_READ_SEARCH",
|
||||
"CAP_MAC_ADMIN",
|
||||
"CAP_SYSLOG",
|
||||
"CAP_WAKE_ALARM",
|
||||
"CAP_BLOCK_SUSPEND"
|
||||
]
|
||||
},
|
||||
"selinuxLabel": "system_u:system_r:container_runtime_t:s0",
|
||||
"cwd": "/",
|
||||
"env": [
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/root/go/bin",
|
||||
"TERM=xterm",
|
||||
"LOG_LEVEL=$LOG_LEVEL",
|
||||
"NAME=$NAME"
|
||||
],
|
||||
"noNewPrivileges": false,
|
||||
"terminal": false,
|
||||
"user": {
|
||||
"gid": 0,
|
||||
"uid": 0
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"path": "rootfs",
|
||||
"readonly": true
|
||||
},
|
||||
"hooks": {},
|
||||
"linux": {
|
||||
"namespaces": [{
|
||||
"type": "mount"
|
||||
}],
|
||||
"resources": {
|
||||
"devices": [{
|
||||
"access": "rwm",
|
||||
"allow": true
|
||||
}]
|
||||
},
|
||||
"rootfsPropagation": "private"
|
||||
},
|
||||
"mounts": [{
|
||||
"destination": "/tmp",
|
||||
"options": [
|
||||
"private",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/tmp",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/etc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/etc",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/lib/modules",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/lib/modules",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/root",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/root",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/home",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/home",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/mnt",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"rprivate",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/mnt",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}",
|
||||
"destination": "/run",
|
||||
"options": [
|
||||
"rshared",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "bind",
|
||||
"source": "${RUN_DIRECTORY}/systemd",
|
||||
"destination": "/run/systemd",
|
||||
"options": [
|
||||
"rslave",
|
||||
"bind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
]
|
||||
},
|
||||
{
|
||||
"destination": "/var/log",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rslave",
|
||||
"rw"
|
||||
],
|
||||
"source": "/var/log",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"rw"
|
||||
],
|
||||
"source": "${STATE_DIRECTORY}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/containers/storage",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rshared",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_CONTAINERS_STORAGE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/origin",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_ORIGIN}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/var/lib/kubelet",
|
||||
"options": [
|
||||
"rshared",
|
||||
"bind",
|
||||
"rw"
|
||||
],
|
||||
"source": "${VAR_LIB_KUBE}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/opt/cni",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rprivate",
|
||||
"ro",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "${OPT_CNI}",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/dev",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/dev",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/sys",
|
||||
"options": [
|
||||
"rprivate",
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/sys",
|
||||
"type": "bind"
|
||||
},
|
||||
{
|
||||
"destination": "/proc",
|
||||
"options": [
|
||||
"rbind",
|
||||
"rw",
|
||||
"mode=755"
|
||||
],
|
||||
"source": "/proc",
|
||||
"type": "proc"
|
||||
}
|
||||
]
|
||||
}
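Review bot: This capability set omits `CAP_AUDIT_READ` relative to the otherwise identical Fedora template; if that is deliberate (an older RHEL 7 runc not recognising the name, presumably), a line in help.1 or the README saying so prevents someone "fixing" it back. Because a process cannot regain a capability outside its bounding set, anything omitted here also becomes unavailable to every pod crio launches through runc — which is the argument for the wide set and is worth stating in the docs, since JSON has no comments. Independently of that, the rw bind of `/home` is not needed by the visible run.sh and should be dropped, and `/lib/modules` can be `ro`: `CAP_SYS_MODULE` is already granted, so a writable modules tree adds attack surface without a user.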
|
|
@ -0,0 +1,37 @@
|
|||
% CRI-O (1) Container Image Pages
|
||||
% Jhon Honce
|
||||
% September 7, 2017
|
||||
|
||||
# NAME
|
||||
cri-o - OCI-based implementation of Kubernetes Container Runtime Interface
|
||||
|
||||
# DESCRIPTION
|
||||
CRI-O is an implementation of the Kubernetes CRI. It is a lightweight, OCI-compliant runtime that is native to kubernetes. CRI-O supports OCI container images and can pull from any container registry.
|
||||
|
||||
You can find more information on the CRI-O project at <https://github.com/kubernetes-incubator/cri-o/>
|
||||
|
||||
# USAGE
|
||||
Pull from local docker and install system container:
|
||||
|
||||
```
|
||||
# atomic pull --storage ostree docker:openshift3/cri-o:latest
|
||||
# atomic install --system --system-package=no --name cri-o openshift3/cri-o
|
||||
```
|
||||
|
||||
Start and enable as a systemd service:
|
||||
```
|
||||
# systemctl enable --now cri-o
|
||||
```
|
||||
|
||||
Stopping the service
|
||||
```
|
||||
# systemctl stop cri-o
|
||||
```
|
||||
|
||||
Removing the container
|
||||
```
|
||||
# atomic uninstall cri-o
|
||||
```
|
||||
|
||||
# SEE ALSO
|
||||
man systemd(1)
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"version": "1.0",
|
||||
"defaultValues": {
|
||||
"LOG_LEVEL": "info",
|
||||
"OPT_CNI": "/opt/cni",
|
||||
"VAR_LIB_CONTAINERS_STORAGE": "/var/lib/containers/storage",
|
||||
"VAR_LIB_ORIGIN": "/var/lib/origin",
|
||||
"VAR_LIB_KUBE": "/var/lib/kubelet"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Ensure that new process maintain this SELinux label
|
||||
PID=$$
|
||||
LABEL=`tr -d '\000' < /proc/$PID/attr/current`
|
||||
printf %s $LABEL > /proc/self/attr/exec
|
||||
|
||||
test -e /etc/sysconfig/crio-storage && source /etc/sysconfig/crio-storage
|
||||
test -e /etc/sysconfig/crio-network && source /etc/sysconfig/crio-network
|
||||
|
||||
exec /usr/bin/crio --log-level=$LOG_LEVEL
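Review bot: The `printf %s $LABEL > /proc/self/attr/exec` line is the mechanism meant to keep crio's children in `container_runtime_t`, yet its result is never checked: with SELinux disabled, or `attr/current` reading back empty, the write fails or writes nothing and the script carries on silently. Check it and at least log, e.g. `printf %s "$LABEL" > /proc/self/attr/exec || echo "run.sh: unable to set SELinux exec label '$LABEL'" >&2`, and quote `$LABEL` so the value is never word-split. The bash-only `source` under a `#!/bin/sh` shebang should also become `.` for portability.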
|
|
@ -0,0 +1,20 @@
|
|||
[Unit]
|
||||
Description=crio daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
|
||||
ExecStart=$EXEC_START
|
||||
ExecStop=$EXEC_STOP
|
||||
Restart=on-failure
|
||||
WorkingDirectory=$DESTDIR
|
||||
RuntimeDirectory=${NAME}
|
||||
TasksMax=infinity
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=1048576
|
||||
LimitCORE=infinity
|
||||
TimeoutStartSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
findmnt /var/lib/containers/storage > /dev/null || mount --rbind --make-shared /var/lib/containers/storage /var/lib/containers/storage
|
||||
findmnt /var/lib/origin > /dev/null || mount --bind --make-shared /var/lib/origin /var/lib/origin
|
||||
findmnt /var/lib/kubelet > /dev/null || mount --bind --make-shared /var/lib/kubelet /var/lib/kubelet
|
||||
mount --make-shared /run
|
||||
findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
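Review bot: Without `set -e`, the exit status systemd sees from this ExecStartPre is only that of the last `findmnt ... || mount ...` line, so a failed `mount --make-shared` on `/var/lib/containers/storage` or `/run` is ignored and crio starts with the storage tree private — pod mounts then never reach the host or the kubelet. Add `set -e` after the shebang and, if the `/run/systemd` line is meant to be best-effort, make that explicit with `|| true` so the choice is visible rather than accidental. The `findmnt X || mount --make-shared X X` pattern also leaves an existing private mount point private; `mount --make-shared X` should run regardless of whether the bind was needed.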
|
|
@ -0,0 +1,5 @@
|
|||
d ${RUN_DIRECTORY}/crio - - - - -
|
||||
d /etc/crio - - - - -
|
||||
Z /etc/crio - - - - -
|
||||
d ${STATE_DIRECTORY}/origin - - - - -
|
||||
d ${STATE_DIRECTORY}/kubelet - - - - -
|
|
@ -43,10 +43,12 @@
|
|||
export CONTAINER_RUNTIME_ENDPOINT='{{ crio_socket }} --runtime-request-timeout=5m'
|
||||
export ALLOW_SECURITY_CONTEXT=","
|
||||
export ALLOW_PRIVILEGED=1
|
||||
export DNS_SERVER_IP={{ ansible_eth0.ipv4.address }}
|
||||
export API_HOST={{ ansible_eth0.ipv4.address }}
|
||||
export API_HOST_IP={{ ansible_eth0.ipv4.address }}
|
||||
export DNS_SERVER_IP={{ ansible_default_ipv4.address }}
|
||||
export API_HOST={{ ansible_default_ipv4.address }}
|
||||
export API_HOST_IP={{ ansible_default_ipv4.address }}
|
||||
export KUBE_ENABLE_CLUSTER_DNS=true
|
||||
export ENABLE_HOSTPATH_PROVISIONER=true
|
||||
export KUBE_ENABLE_CLUSTER_DASHBOARD=true
|
||||
./hack/local-up-cluster.sh
|
||||
mode: "u=rwx,g=rwx,o=x"
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
git:
|
||||
repo: "https://github.com/opencontainers/runc.git"
|
||||
dest: "{{ ansible_env.GOPATH }}/src/github.com/opencontainers/runc"
|
||||
version: "84a082bfef6f932de921437815355186db37aeb1"
|
||||
version: "c6e4a1ebeb1a72b529c6f1b6ee2b1ae5b868b14f"
|
||||
|
||||
- name: build runc
|
||||
make:
|
||||
|
|
|
@ -16,24 +16,21 @@
|
|||
- name: Add masquerade for localhost
|
||||
command: iptables -t nat -I POSTROUTING -s 127.0.0.1 ! -d 127.0.0.1 -j MASQUERADE
|
||||
|
||||
# TODO(runcom): enable skipped tests once we fix them (image list related)
|
||||
# https://github.com/kubernetes-incubator/cri-o/issues/1048
|
||||
- name: run critest validation
|
||||
shell: "critest -c --runtime-endpoint /var/run/crio/crio.sock --image-endpoint /var/run/crio/crio.sock -s 'listImage should get exactly 2 repoTags in the result image' v"
|
||||
shell: "critest -c --runtime-endpoint /var/run/crio/crio.sock --image-endpoint /var/run/crio/crio.sock v"
|
||||
args:
|
||||
chdir: "{{ ansible_env.GOPATH }}/src/github.com/kubernetes-incubator/cri-o"
|
||||
async: 5400
|
||||
poll: 30
|
||||
when: ansible_distribution not in ['RedHat', 'CentOS']
|
||||
|
||||
# XXX: RHEL has an additional test which fails beacuse of selinux but disabling
|
||||
# XXX: RHEL has an additional test which fails because of selinux but disabling
|
||||
# it doesn't solve the issue.
|
||||
# TODO(runcom): enable skipped tests once we fix them (image list related and selinux)
|
||||
# https://github.com/kubernetes-incubator/cri-o/issues/1048
|
||||
# TODO(runcom): enable skipped tests once we fix them (selinux)
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414236
|
||||
# https://access.redhat.com/solutions/2897781
|
||||
- name: run critest validation
|
||||
shell: "critest -c --runtime-endpoint /var/run/crio/crio.sock --image-endpoint /var/run/crio/crio.sock -s 'listImage should get exactly 2 repoTags in the result image|should not allow privilege escalation when true' v"
|
||||
shell: "critest -c --runtime-endpoint /var/run/crio/crio.sock --image-endpoint /var/run/crio/crio.sock -s 'should not allow privilege escalation when true' v"
|
||||
args:
|
||||
chdir: "{{ ansible_env.GOPATH }}/src/github.com/kubernetes-incubator/cri-o"
|
||||
async: 5400
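Review bot: The RHEL task still skips `should not allow privilege escalation when true`, which is critest's check of the `no_new_privs`/AllowPrivilegeEscalation path, so that control goes untested on the platform where SELinux is enforcing, and a regression in crio's handling of it would be masked. The TODO links the bug but not the observed failure; add a one-line comment naming it (`# bz1414236: <observed error> — re-enable when fixed`), or run that single test in a separate task with `ignore_errors: yes` so its output is still captured in the logs. The non-RHEL task now runs unfiltered, which is the right direction.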
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
- name: update the server address for the custom cluster
|
||||
lineinfile:
|
||||
dest: /usr/local/bin/createcluster.sh
|
||||
line: "export {{ item }}={{ ansible_eth0.ipv4.address }}"
|
||||
line: "export {{ item }}={{ ansible_default_ipv4.address }}"
|
||||
regexp: "^export {{ item }}="
|
||||
state: present
|
||||
with_items:
|
||||
|
@ -37,13 +37,14 @@
|
|||
path: "{{ artifacts }}"
|
||||
state: directory
|
||||
|
||||
# TODO remove the last test skipped once https://github.com/kubernetes-incubator/cri-o/pull/1217 is merged
|
||||
- name: Buffer the e2e testing command to workaround Ansible YAML folding "feature"
|
||||
set_fact:
|
||||
e2e_shell_cmd: >
|
||||
/usr/bin/go run hack/e2e.go
|
||||
--test
|
||||
--test_args="-host=https://{{ ansible_default_ipv4.address }}:6443
|
||||
--ginkgo.focus=\[Conformance\]
|
||||
--ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|PersistentVolumes|\[HPA\]|should.support.building.a.client.with.a.CSR|should.support.inline.execution.and.attach
|
||||
--report-dir={{ artifacts }}"
|
||||
&> {{ artifacts }}/e2e.log
|
||||
# Fix vim syntax hilighting: "
|
||||
|
|
|
@ -41,6 +41,8 @@
|
|||
tags:
|
||||
- integration
|
||||
- e2e
|
||||
- node-e2e
|
||||
- critest
|
||||
tasks:
|
||||
- name: clone build and install cri-o
|
||||
include: "build/cri-o.yml"
|
||||
|
@ -65,7 +67,7 @@
|
|||
vars_files:
|
||||
- "{{ playbook_dir }}/vars.yml"
|
||||
tags:
|
||||
- e2e
|
||||
- critest
|
||||
tasks:
|
||||
- name: install Golang tools
|
||||
include: golang.yml
|
||||
|
@ -78,12 +80,46 @@
|
|||
cri_tools_git_version: "a9e38a4a000bc1a4052fb33de1c967b8cfe9ad40"
|
||||
- name: run critest validation and benchmarks
|
||||
include: critest.yml
|
||||
|
||||
- hosts: all
|
||||
remote_user: root
|
||||
vars_files:
|
||||
- "{{ playbook_dir }}/vars.yml"
|
||||
tags:
|
||||
- node-e2e
|
||||
tasks:
|
||||
- name: install Golang tools
|
||||
include: golang.yml
|
||||
vars:
|
||||
version: "1.9.2"
|
||||
- name: clone build and install kubernetes
|
||||
include: "build/kubernetes.yml"
|
||||
vars:
|
||||
force_clone: True
|
||||
k8s_git_version: "release-1.9"
|
||||
k8s_git_version: "master"
|
||||
k8s_github_fork: "kubernetes"
|
||||
crio_socket: "/var/run/crio/crio.sock"
|
||||
- name: run k8s node-e2e tests
|
||||
include: node-e2e.yml
|
||||
|
||||
- hosts: all
|
||||
remote_user: root
|
||||
vars_files:
|
||||
- "{{ playbook_dir }}/vars.yml"
|
||||
tags:
|
||||
- e2e
|
||||
tasks:
|
||||
- name: install Golang tools
|
||||
include: golang.yml
|
||||
vars:
|
||||
version: "1.9.2"
|
||||
- name: clone build and install kubernetes
|
||||
include: "build/kubernetes.yml"
|
||||
vars:
|
||||
force_clone: True
|
||||
# master as of 12/11/2017
|
||||
k8s_git_version: "master-nfs-fix"
|
||||
k8s_github_fork: "runcom"
|
||||
crio_socket: "/var/run/crio/crio.sock"
|
||||
- name: run k8s e2e tests
|
||||
include: e2e.yml
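Review bot: The e2e play builds kubernetes from a moving branch on a personal fork (`k8s_git_version: "master-nfs-fix"` with `k8s_github_fork: "runcom"`), and the node-e2e play appears to move from `release-1.9` to `master`, so the exact code under test is not reproducible and changes with whatever the fork owner pushes next. Pin both to a commit SHA the way `cri_tools_git_version` already is a few lines above, and keep the `# master as of 12/11/2017` comment only as the human-readable label beside the pin. If the fork carries a fix not yet upstream, name the upstream PR in that comment so the pin can be dropped once it merges. Which of the `release-1.9`/`master` pair is the new side is inferred from print order only; confirm against the raw diff.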
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
|
||||
- name: enable and start CRI-O
|
||||
systemd:
|
||||
name: crio
|
||||
state: started
|
||||
enabled: yes
|
||||
daemon_reload: yes
|
||||
|
||||
- name: disable SELinux
|
||||
command: setenforce 0
|
||||
|
||||
- name: Flush the iptables
|
||||
command: iptables -F
|
||||
|
||||
- name: run node-e2e tests
|
||||
shell: |
|
||||
# parametrize crio socket
|
||||
# cgroup-driver???
|
||||
# TODO(runcom): remove conformance focus, we want everything for testgrid
|
||||
make test-e2e-node PARALLELISM=1 RUNTIME=remote CONTAINER_RUNTIME_ENDPOINT=/var/run/crio.sock IMAGE_SERVICE_ENDPOINT=/var/run/crio/crio.sock TEST_ARGS='--prepull-images=true --kubelet-flags="--cgroup-driver=systemd"' FOCUS="\[Conformance\]" &> {{ artifacts }}/node-e2e.log
|
||||
args:
|
||||
chdir: "{{ ansible_env.GOPATH }}/src/k8s.io/kubernetes"
|
||||
async: 7200
|
||||
poll: 10
|
||||
ignore_errors: true
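Review bot: The node-e2e command passes two different socket paths, `CONTAINER_RUNTIME_ENDPOINT=/var/run/crio.sock` next to `IMAGE_SERVICE_ENDPOINT=/var/run/crio/crio.sock`, while the calling play hands in `crio_socket: "/var/run/crio/crio.sock"`; the `# parametrize crio socket` comment already states the intent, so use `{{ crio_socket }}` for both instead of two diverging literals. `ignore_errors: true` means a failed node-e2e run does not fail the play, so the outcome is only visible if a later task inspects `{{ artifacts }}/node-e2e.log`; either say so in a comment or `register` the result and assert on it. `setenforce 0` and `iptables -F` leave the host less restricted for the whole run, so a one-line comment that this is a throwaway CI host and that SELinux enforcement is deliberately not under test here would stop the task from being copied to a long-lived node.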
|
|
@ -5,6 +5,7 @@
|
|||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- atomic-registries
|
||||
- container-selinux
|
||||
- curl
|
||||
- device-mapper-devel
|
||||
|
@ -41,9 +42,9 @@
|
|||
- ostree-devel
|
||||
- pkgconfig
|
||||
- python
|
||||
- python2-boto
|
||||
- python2-crypto
|
||||
- python-devel
|
||||
- python-rhsm-certificates
|
||||
- python-virtualenv
|
||||
- PyYAML
|
||||
- redhat-rpm-config
|
||||
|
@ -57,6 +58,22 @@
|
|||
async: 600
|
||||
poll: 10
|
||||
|
||||
- name: Add python2-boto for Fedora
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- python2-boto
|
||||
when: ansible_distribution in ['Fedora']
|
||||
|
||||
- name: Add python-boto for RHEL and CentOS
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- python-boto
|
||||
when: ansible_distribution in ['RedHat', 'CentOS']
|
||||
|
||||
- name: Add Btrfs for Fedora
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
|
|
BIN
docs/play.png
BIN
docs/play.png
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
cc -E - > /dev/null 2> /dev/null << EOF
|
||||
#include <libdevmapper.h>
|
||||
EOF
|
||||
if test $? -ne 0 ; then
|
||||
echo exclude_graphdriver_devicemapper
|
||||
fi
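Review bot: The probe hard-codes `cc`, so a build driven with `CC=clang` or a cross compiler checks the host compiler's include path rather than the one the cgo build will use; `${CC:-cc} -E - > /dev/null 2> /dev/null << EOF` keeps the default and honours the override. A missing compiler and a missing header both print `exclude_graphdriver_devicemapper`, which is acceptable for a probe but deserves one comment line so the silent fallback is intentional. Reading `$?` directly after the heredoc command is otherwise correct.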
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
find_files() {
|
||||
find . -not \( \
|
||||
\( \
|
||||
-wholename '*/vendor/*' \
|
||||
\) -prune \
|
||||
\) -name '*.go'
|
||||
}
|
||||
|
||||
GOFMT="gofmt -s"
|
||||
bad_files=$(find_files | xargs $GOFMT -l)
|
||||
if [[ -n "${bad_files}" ]]; then
|
||||
echo "!!! '$GOFMT' needs to be run on the following files: "
|
||||
echo "${bad_files}"
|
||||
exit 1
|
||||
fi
|
5
hooks.md
5
hooks.md
|
@ -53,6 +53,7 @@ type HookParams struct {
|
|||
Cmds []string `json:"cmds"`
|
||||
Annotations []string `json:"annotations"`
|
||||
HasBindMounts bool `json:"hasbindmounts"`
|
||||
Arguments []string `json:"arguments"`
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -63,6 +64,7 @@ type HookParams struct {
|
|||
| cmds | List of regular expressions to match the command for running the container. If the command matches a regex, the hook will be run | Optional |
|
||||
| annotations | List of regular expressions to match against the Annotations in the container runtime spec, if an Annotation matches the hook will be run|optional |
|
||||
| hasbindmounts | Tells CRI-O to run the hook if the container has bind mounts from the host into the container | Optional |
|
||||
| arguments | Additional arguments to append to the hook command when executing it. For example --debug | Optional |
|
||||
|
||||
### Example
|
||||
|
||||
|
@ -85,6 +87,7 @@ cat /etc/containers/oci/hooks.d/oci-systemd-hook.json
|
|||
"hasbindmounts": true,
|
||||
"hook": "/usr/libexec/oci/hooks.d/oci-umount",
|
||||
"stages": [ "prestart" ]
|
||||
"arguments": [ "--debug" ]
|
||||
}
|
||||
```
|
||||
In this example the oci-umount will only be run during the prestart phase if the container has volume/bind mounts from the host into the container.
|
||||
In this example the oci-umount will only be run during the prestart phase if the container has volume/bind mounts from the host into the container, it will also execute oci-umount with the --debug argument.
|
||||
|
|
|
@ -13,17 +13,15 @@ Below, you can find an instruction how to switch one or more nodes on running ku
|
|||
|
||||
### Preparing crio
|
||||
|
||||
You must prepare and install `crio` on each node you would like to switch. Here's the list of files that must be provided:
|
||||
You must prepare and install `crio` on each node you would like to switch.
|
||||
Besides the files installed by `make install install.config`, here's the list of files that must be provided:
|
||||
|
||||
| File path | Description | Location |
|
||||
|--------------------------------------------|----------------------------|-----------------------------------------------------|
|
||||
| `/etc/crio/crio.conf` | crio configuration | Generated on cri-o `make install` |
|
||||
| `/etc/crio/seccomp.conf` | seccomp config | Example stored in cri-o repository |
|
||||
| `/etc/containers/policy.json` | containers policy | Example stored in cri-o repository |
|
||||
| `/bin/{crio, runc}` | `crio` and `runc` binaries | Built from cri-o repository |
|
||||
| `/usr/local/libexec/crio/conmon` | `conmon` binary | Built from cri-o repository |
|
||||
| `/opt/cni/bin/{flannel, bridge,...}` | CNI plugins binaries | Can be built from sources `containernetworking/cni` |
|
||||
| `/etc/cni/net.d/10-mynet.conf` | Network config | Example stored in [README file](README.md) |
|
||||
| File path | Description | Location |
|
||||
|--------------------------------------------|-----------------------------|---------------------------------------------------------|
|
||||
| `/etc/containers/policy.json` | containers policy | [Example](test/policy.json) stored in cri-o repository |
|
||||
| `/bin/runc` | `runc` or other OCI runtime | Can be build from sources `opencontainers/runc` |
|
||||
| `/opt/cni/bin/{flannel, bridge,...}` | CNI plugins binaries | Can be built from sources `containernetworking/plugins` |
|
||||
| `/etc/cni/net.d/...` | CNI network config | Example [here](contrib/cni) |
|
||||
|
||||
`crio` binary can be executed directly on host, inside the container or in any way.
|
||||
However, recommended way is to set it as a systemd service.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
|
@ -83,7 +83,7 @@ type RootConfig struct {
|
|||
LogDir string `toml:"log_dir"`
|
||||
|
||||
// FileLocking specifies whether to use file-based or in-memory locking
|
||||
// File-based locking is required when multiple users of libkpod are
|
||||
// File-based locking is required when multiple users of lib are
|
||||
// present on the same system
|
||||
FileLocking bool `toml:"file_locking"`
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"io/ioutil"
|
|
@ -1,10 +1,10 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
cstorage "github.com/containers/storage"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/registrar"
|
||||
"github.com/pkg/errors"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
@ -12,7 +12,7 @@ import (
|
|||
cstorage "github.com/containers/storage"
|
||||
"github.com/docker/docker/pkg/ioutils"
|
||||
"github.com/docker/docker/pkg/truncindex"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/registrar"
|
||||
|
@ -168,7 +168,7 @@ func New(config *Config) (*ContainerServer, error) {
|
|||
state: &containerServerState{
|
||||
containers: oci.NewMemoryStore(),
|
||||
infraContainers: oci.NewMemoryStore(),
|
||||
sandboxes: make(map[string]*sandbox.Sandbox),
|
||||
sandboxes: sandbox.NewMemoryStore(),
|
||||
processLevels: make(map[string]int),
|
||||
},
|
||||
config: config,
|
||||
|
@ -617,70 +617,53 @@ func (c *ContainerServer) Shutdown() error {
|
|||
type containerServerState struct {
|
||||
containers oci.ContainerStorer
|
||||
infraContainers oci.ContainerStorer
|
||||
sandboxes map[string]*sandbox.Sandbox
|
||||
sandboxes sandbox.Storer
|
||||
// processLevels The number of sandboxes using the same SELinux MCS level. Need to release MCS Level, when count reaches 0
|
||||
processLevels map[string]int
|
||||
}
|
||||
|
||||
// AddContainer adds a container to the container state store
|
||||
func (c *ContainerServer) AddContainer(ctr *oci.Container) {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
sandbox := c.state.sandboxes[ctr.Sandbox()]
|
||||
sandbox := c.state.sandboxes.Get(ctr.Sandbox())
|
||||
sandbox.AddContainer(ctr)
|
||||
c.state.containers.Add(ctr.ID(), ctr)
|
||||
}
|
||||
|
||||
// AddInfraContainer adds a container to the container state store
|
||||
func (c *ContainerServer) AddInfraContainer(ctr *oci.Container) {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
c.state.infraContainers.Add(ctr.ID(), ctr)
|
||||
}
|
||||
|
||||
// GetContainer returns a container by its ID
|
||||
func (c *ContainerServer) GetContainer(id string) *oci.Container {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
return c.state.containers.Get(id)
|
||||
}
|
||||
|
||||
// GetInfraContainer returns a container by its ID
|
||||
func (c *ContainerServer) GetInfraContainer(id string) *oci.Container {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
return c.state.infraContainers.Get(id)
|
||||
}
|
||||
|
||||
// HasContainer checks if a container exists in the state
|
||||
func (c *ContainerServer) HasContainer(id string) bool {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
ctr := c.state.containers.Get(id)
|
||||
return ctr != nil
|
||||
return c.state.containers.Get(id) != nil
|
||||
}
|
||||
|
||||
// RemoveContainer removes a container from the container state store
|
||||
func (c *ContainerServer) RemoveContainer(ctr *oci.Container) {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
sbID := ctr.Sandbox()
|
||||
sb := c.state.sandboxes[sbID]
|
||||
sb := c.state.sandboxes.Get(sbID)
|
||||
sb.RemoveContainer(ctr)
|
||||
c.state.containers.Delete(ctr.ID())
|
||||
}
|
||||
|
||||
// RemoveInfraContainer removes a container from the container state store
|
||||
func (c *ContainerServer) RemoveInfraContainer(ctr *oci.Container) {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
c.state.infraContainers.Delete(ctr.ID())
|
||||
}
|
||||
|
||||
// listContainers returns a list of all containers stored by the server state
|
||||
func (c *ContainerServer) listContainers() []*oci.Container {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
return c.state.containers.List()
|
||||
}
|
||||
|
||||
|
@ -704,62 +687,52 @@ func (c *ContainerServer) ListContainers(filters ...func(*oci.Container) bool) (
|
|||
|
||||
// AddSandbox adds a sandbox to the sandbox state store
|
||||
func (c *ContainerServer) AddSandbox(sb *sandbox.Sandbox) {
|
||||
c.state.sandboxes.Add(sb.ID(), sb)
|
||||
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
c.state.sandboxes[sb.ID()] = sb
|
||||
c.state.processLevels[selinux.NewContext(sb.ProcessLabel())["level"]]++
|
||||
c.stateLock.Unlock()
|
||||
}
|
||||
|
||||
// GetSandbox returns a sandbox by its ID
|
||||
func (c *ContainerServer) GetSandbox(id string) *sandbox.Sandbox {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
return c.state.sandboxes[id]
|
||||
return c.state.sandboxes.Get(id)
|
||||
}
|
||||
|
||||
// GetSandboxContainer returns a sandbox's infra container
|
||||
func (c *ContainerServer) GetSandboxContainer(id string) *oci.Container {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
sb, ok := c.state.sandboxes[id]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
sb := c.state.sandboxes.Get(id)
|
||||
return sb.InfraContainer()
|
||||
}
|
||||
|
||||
// HasSandbox checks if a sandbox exists in the state
|
||||
func (c *ContainerServer) HasSandbox(id string) bool {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
_, ok := c.state.sandboxes[id]
|
||||
return ok
|
||||
return c.state.sandboxes.Get(id) != nil
|
||||
}
|
||||
|
||||
// RemoveSandbox removes a sandbox from the state store
|
||||
func (c *ContainerServer) RemoveSandbox(id string) {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
processLabel := c.state.sandboxes[id].ProcessLabel()
|
||||
delete(c.state.sandboxes, id)
|
||||
sb := c.state.sandboxes.Get(id)
|
||||
processLabel := sb.ProcessLabel()
|
||||
level := selinux.NewContext(processLabel)["level"]
|
||||
c.state.processLevels[level]--
|
||||
if c.state.processLevels[level] == 0 {
|
||||
label.ReleaseLabel(processLabel)
|
||||
delete(c.state.processLevels, level)
|
||||
|
||||
c.stateLock.Lock()
|
||||
pl, ok := c.state.processLevels[level]
|
||||
if ok {
|
||||
c.state.processLevels[level] = pl - 1
|
||||
if c.state.processLevels[level] == 0 {
|
||||
label.ReleaseLabel(processLabel)
|
||||
delete(c.state.processLevels, level)
|
||||
}
|
||||
}
|
||||
c.stateLock.Unlock()
|
||||
|
||||
c.state.sandboxes.Delete(id)
|
||||
}
|
||||
|
||||
// ListSandboxes lists all sandboxes in the state store
|
||||
func (c *ContainerServer) ListSandboxes() []*sandbox.Sandbox {
|
||||
c.stateLock.Lock()
|
||||
defer c.stateLock.Unlock()
|
||||
sbArray := make([]*sandbox.Sandbox, 0, len(c.state.sandboxes))
|
||||
for _, sb := range c.state.sandboxes {
|
||||
sbArray = append(sbArray, sb)
|
||||
}
|
||||
|
||||
return sbArray
|
||||
return c.state.sandboxes.List()
|
||||
}
|
||||
|
||||
// LibcontainerStats gets the stats for the container with the given id from runc/libcontainer
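Review bot: `GetSandboxContainer` drops the `!ok` guard the map version had: `sb := c.state.sandboxes.Get(id)` yields nil for an unknown ID and `sb.InfraContainer()` then dereferences it, unless `InfraContainer` tolerates a nil receiver (not visible here); restore `if sb == nil { return nil }` before the call. `AddSandbox` now stores the sandbox before taking `stateLock` and `RemoveSandbox` decrements `processLevels` before deleting from the store, so the store and the MCS-level refcount are no longer updated atomically; with two sandboxes on the same SELinux level, a remove interleaved between the store `Add` and the increment can drive the count to zero and call `label.ReleaseLabel` on a level still in use, which would let that level be handed out again. Keep the `processLevels` update and the store `Add`/`Delete` inside the same `stateLock` critical section as before. `RemoveSandbox` has the same nil-`Get` dereference at `sb.ProcessLabel()`, although the old map version had it too.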
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
@ -27,6 +27,7 @@ type HookParams struct {
|
|||
Cmds []string `json:"cmd"`
|
||||
Annotations []string `json:"annotation"`
|
||||
HasBindMounts bool `json:"hasbindmounts"`
|
||||
Arguments []string `json:"arguments"`
|
||||
}
|
||||
|
||||
// readHook reads hooks json files, verifies it and returns the json config
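Review bot: The new `Arguments []string `json:"arguments"`` tag matches docs/hooks.md in this compare, but the adjacent `json:"cmd"` and `json:"annotation"` tags do not match the `cmds`/`annotations` keys the same document's table and struct listing advertise; a hook file written from the docs would have those matchers silently left empty, and whether that means the hook never fires or fires for every container depends on readHook, which is outside the hunk. Since this struct is being touched, either correct the document or accept both spellings and note the canonical one. The JSON example in docs/hooks.md in this compare also lacks a comma after `"stages": [ "prestart" ]` once the `"arguments"` line is added.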
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"github.com/docker/docker/pkg/signal"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"path"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"os"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"encoding/json"
|
|
@ -0,0 +1,31 @@
|
|||
package sandbox
|
||||
|
||||
import "sort"
|
||||
|
||||
// History is a convenience type for storing a list of sandboxes,
|
||||
// sorted by creation date in descendant order.
|
||||
type History []*Sandbox
|
||||
|
||||
// Len returns the number of sandboxes in the history.
|
||||
func (history *History) Len() int {
|
||||
return len(*history)
|
||||
}
|
||||
|
||||
// Less compares two sandboxes and returns true if the second one
|
||||
// was created before the first one.
|
||||
func (history *History) Less(i, j int) bool {
|
||||
sandboxes := *history
|
||||
// FIXME: state access should be serialized
|
||||
return sandboxes[j].created.Before(sandboxes[i].created)
|
||||
}
|
||||
|
||||
// Swap switches sandboxes i and j positions in the history.
|
||||
func (history *History) Swap(i, j int) {
|
||||
sandboxes := *history
|
||||
sandboxes[i], sandboxes[j] = sandboxes[j], sandboxes[i]
|
||||
}
|
||||
|
||||
// sort orders the history by creation date in descendant order.
|
||||
func (history *History) sort() {
|
||||
sort.Sort(history)
|
||||
}
|
|
@ -0,0 +1,93 @@
|
|||
package sandbox
|
||||
|
||||
import "sync"
|
||||
|
||||
// memoryStore implements a Store in memory.
|
||||
type memoryStore struct {
|
||||
s map[string]*Sandbox
|
||||
sync.RWMutex
|
||||
}
|
||||
|
||||
// NewMemoryStore initializes a new memory store.
|
||||
func NewMemoryStore() Storer {
|
||||
return &memoryStore{
|
||||
s: make(map[string]*Sandbox),
|
||||
}
|
||||
}
|
||||
|
||||
// Add appends a new sandbox to the memory store.
|
||||
// It overrides the id if it existed before.
|
||||
func (c *memoryStore) Add(id string, cont *Sandbox) {
|
||||
c.Lock()
|
||||
c.s[id] = cont
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// Get returns a sandbox from the store by id.
|
||||
func (c *memoryStore) Get(id string) *Sandbox {
|
||||
var res *Sandbox
|
||||
c.RLock()
|
||||
res = c.s[id]
|
||||
c.RUnlock()
|
||||
return res
|
||||
}
|
||||
|
||||
// Delete removes a sandbox from the store by id.
|
||||
func (c *memoryStore) Delete(id string) {
|
||||
c.Lock()
|
||||
delete(c.s, id)
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// List returns a sorted list of sandboxes from the store.
|
||||
// The sandboxes are ordered by creation date.
|
||||
func (c *memoryStore) List() []*Sandbox {
|
||||
sandboxes := History(c.all())
|
||||
sandboxes.sort()
|
||||
return sandboxes
|
||||
}
|
||||
|
||||
// Size returns the number of sandboxes in the store.
|
||||
func (c *memoryStore) Size() int {
|
||||
c.RLock()
|
||||
defer c.RUnlock()
|
||||
return len(c.s)
|
||||
}
|
||||
|
||||
// First returns the first sandbox found in the store by a given filter.
|
||||
func (c *memoryStore) First(filter StoreFilter) *Sandbox {
|
||||
for _, cont := range c.all() {
|
||||
if filter(cont) {
|
||||
return cont
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ApplyAll calls the reducer function with every sandbox in the store.
|
||||
// This operation is asynchronous in the memory store.
|
||||
// NOTE: Modifications to the store MUST NOT be done by the StoreReducer.
|
||||
func (c *memoryStore) ApplyAll(apply StoreReducer) {
|
||||
wg := new(sync.WaitGroup)
|
||||
for _, cont := range c.all() {
|
||||
wg.Add(1)
|
||||
go func(sandbox *Sandbox) {
|
||||
apply(sandbox)
|
||||
wg.Done()
|
||||
}(cont)
|
||||
}
|
||||
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func (c *memoryStore) all() []*Sandbox {
|
||||
c.RLock()
|
||||
sandboxes := make([]*Sandbox, 0, len(c.s))
|
||||
for _, cont := range c.s {
|
||||
sandboxes = append(sandboxes, cont)
|
||||
}
|
||||
c.RUnlock()
|
||||
return sandboxes
|
||||
}
|
||||
|
||||
var _ Storer = &memoryStore{}
|
|
@ -7,6 +7,7 @@ import (
|
|||
"os"
|
||||
"path/filepath"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/containernetworking/plugins/pkg/ns"
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
|
@ -158,6 +159,7 @@ type Sandbox struct {
|
|||
// ipv4 or ipv6 cache
|
||||
ip string
|
||||
seccompProfilePath string
|
||||
created time.Time
|
||||
}
|
||||
|
||||
const (
|
||||
|
@ -202,6 +204,7 @@ func New(id, namespace, name, kubeName, logDir string, labels, annotations map[s
|
|||
sb.resolvPath = resolvPath
|
||||
sb.hostname = hostname
|
||||
sb.portMappings = portMappings
|
||||
sb.created = time.Now()
|
||||
|
||||
return sb, nil
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
package sandbox
|
||||
|
||||
// StoreFilter defines a function to filter
|
||||
// sandboxes in the store.
|
||||
type StoreFilter func(*Sandbox) bool
|
||||
|
||||
// StoreReducer defines a function to
|
||||
// manipulate sandboxes in the store
|
||||
type StoreReducer func(*Sandbox)
|
||||
|
||||
// Storer defines an interface that any container store must implement.
|
||||
type Storer interface {
|
||||
// Add appends a new sandbox to the store.
|
||||
Add(string, *Sandbox)
|
||||
// Get returns a sandbox from the store by the identifier it was stored with.
|
||||
Get(string) *Sandbox
|
||||
// Delete removes a sandbox from the store by the identifier it was stored with.
|
||||
Delete(string)
|
||||
// List returns a list of sandboxes from the store.
|
||||
List() []*Sandbox
|
||||
// Size returns the number of sandboxes in the store.
|
||||
Size() int
|
||||
// First returns the first sandbox found in the store by a given filter.
|
||||
First(StoreFilter) *Sandbox
|
||||
// ApplyAll calls the reducer function with every sandbox in the store.
|
||||
ApplyAll(StoreReducer)
|
||||
}
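Review bot: `Storer` is documented as "an interface that any container store must implement" but it stores `*Sandbox`; the comment should read `// Storer defines an interface that any sandbox store must implement.`. The `List` comment says only "returns a list of sandboxes" while the in-memory implementation in this compare sorts them by creation date descending; if callers rely on that order, state it on the interface, otherwise say the order is unspecified. `ApplyAll` should also say whether the reducer may run concurrently, since the memory store invokes it from one goroutine per sandbox.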
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"path/filepath"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
|
@ -1,4 +1,4 @@
|
|||
package libkpod
|
||||
package lib
|
||||
|
||||
import (
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
|
@ -25,8 +25,9 @@ func (c *memoryStore) Add(id string, cont *Container) {
|
|||
|
||||
// Get returns a container from the store by id.
|
||||
func (c *memoryStore) Get(id string) *Container {
|
||||
var res *Container
|
||||
c.RLock()
|
||||
res := c.s[id]
|
||||
res = c.s[id]
|
||||
c.RUnlock()
|
||||
return res
|
||||
}
|
||||
|
|
49
oci/oci.go
49
oci/oci.go
|
@ -423,15 +423,6 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
|
|||
os.RemoveAll(logPath)
|
||||
}()
|
||||
|
||||
f, err := ioutil.TempFile("", "exec-sync-process")
|
||||
if err != nil {
|
||||
return nil, ExecSyncError{
|
||||
ExitCode: -1,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
defer os.RemoveAll(f.Name())
|
||||
|
||||
var args []string
|
||||
args = append(args, "-c", c.id)
|
||||
args = append(args, "-r", r.Path(c))
|
||||
|
@ -447,24 +438,16 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
|
|||
args = append(args, "-l", logPath)
|
||||
args = append(args, "--socket-dir-path", ContainerAttachSocketDir)
|
||||
|
||||
pspec := c.Spec().Process
|
||||
pspec.Args = command
|
||||
processJSON, err := json.Marshal(pspec)
|
||||
processFile, err := PrepareProcessExec(c, command, false)
|
||||
if err != nil {
|
||||
return nil, ExecSyncError{
|
||||
ExitCode: -1,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
defer os.RemoveAll(processFile.Name())
|
||||
|
||||
if err := ioutil.WriteFile(f.Name(), processJSON, 0644); err != nil {
|
||||
return nil, ExecSyncError{
|
||||
ExitCode: -1,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
args = append(args, "--exec-process-spec", f.Name())
|
||||
args = append(args, "--exec-process-spec", processFile.Name())
|
||||
|
||||
cmd := exec.Command(r.conmonPath, args...)
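Review bot: `processFile` is removed with `defer os.RemoveAll(processFile.Name())` but never closed, and `PrepareProcessExec`'s own comment makes the caller responsible for closing, so every ExecSync leaks one descriptor until finalisation; add `defer processFile.Close()` beside the RemoveAll. The old code had the same leak with `f`, so this is not a regression, but the helper now states the contract explicitly and this caller breaks it. ExecSync begins and ends outside the hunk.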
|
||||
|
||||
|
@ -669,7 +652,7 @@ func (r *Runtime) SetStartFailed(c *Container, err error) {
|
|||
func (r *Runtime) UpdateStatus(c *Container) error {
|
||||
c.opLock.Lock()
|
||||
defer c.opLock.Unlock()
|
||||
out, err := exec.Command(r.Path(c), "state", c.id).CombinedOutput()
|
||||
out, err := exec.Command(r.Path(c), "state", c.id).Output()
|
||||
if err != nil {
|
||||
// there are many code paths that could lead to have a bad state in the
|
||||
// underlying runtime.
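Review bot: Switching from `CombinedOutput()` to `Output()` removes the runtime's stderr from `out`; if the error path below (outside the hunk) reports `out` in its message, the runtime's diagnostic text is lost. With `Output()` a non-zero exit returns an `*exec.ExitError` whose `Stderr` field carries that text, so the error handling should surface `exitErr.Stderr` where `out` was used before. UpdateStatus continues past the hunk.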
|
||||
|
@ -772,3 +755,27 @@ func (r *Runtime) UnpauseContainer(c *Container) error {
|
|||
_, err := utils.ExecCmd(r.Path(c), "resume", c.id)
|
||||
return err
|
||||
}
|
||||
|
||||
// PrepareProcessExec returns the path of the process.json used in runc exec -p
|
||||
// caller is responsible to close the returned *os.File if needed.
|
||||
func PrepareProcessExec(c *Container, cmd []string, tty bool) (*os.File, error) {
|
||||
f, err := ioutil.TempFile("", "exec-process-")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
pspec := c.Spec().Process
|
||||
pspec.Args = cmd
|
||||
if tty {
|
||||
pspec.Terminal = true
|
||||
}
|
||||
processJSON, err := json.Marshal(pspec)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := ioutil.WriteFile(f.Name(), processJSON, 0644); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return f, nil
|
||||
}
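Review bot: `PrepareProcessExec` leaks the temp file on both later error paths: after `ioutil.TempFile` succeeds, a `json.Marshal` or `ioutil.WriteFile` failure returns without closing `f` or removing it, leaving a spec file behind that may hold the container's environment. Clean up on failure so the caller only owns the file when the function succeeds. The `0644` mode is also misleading: `TempFile` already created the file 0600 and `WriteFile`'s mode applies only on create, so the file stays 0600; write `0600` so the intent matches the result.
```go
func PrepareProcessExec(c *Container, cmd []string, tty bool) (*os.File, error) {
	f, err := ioutil.TempFile("", "exec-process-")
	if err != nil {
		return nil, err
	}
	// Drop the half-written spec on any later failure; the caller only
	// takes ownership of the file when this function succeeds.
	discard := func(err error) (*os.File, error) {
		f.Close()
		os.Remove(f.Name())
		return nil, err
	}
	// … unchanged: pspec built from c.Spec().Process, cmd and tty …
	processJSON, err := json.Marshal(pspec)
	if err != nil {
		return discard(err)
	}
	// TempFile created the file 0600; WriteFile's mode only applies on create.
	if err := ioutil.WriteFile(f.Name(), processJSON, 0600); err != nil {
		return discard(err)
	}
	return f, nil
}
```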
|
||||
|
|
|
@ -3,12 +3,13 @@ package storage
|
|||
import (
|
||||
"errors"
|
||||
"net"
|
||||
"path/filepath"
|
||||
"path"
|
||||
"strings"
|
||||
|
||||
"github.com/containers/image/copy"
|
||||
"github.com/containers/image/docker/reference"
|
||||
"github.com/containers/image/image"
|
||||
"github.com/containers/image/manifest"
|
||||
"github.com/containers/image/signature"
|
||||
istorage "github.com/containers/image/storage"
|
||||
"github.com/containers/image/transports/alltransports"
|
||||
|
@ -17,20 +18,26 @@ import (
|
|||
digest "github.com/opencontainers/go-digest"
|
||||
)
|
||||
|
||||
const (
|
||||
minimumTruncatedIDLength = 3
|
||||
)
|
||||
|
||||
var (
|
||||
// ErrCannotParseImageID is returned when we try to ResolveNames for an image ID
|
||||
ErrCannotParseImageID = errors.New("cannot parse an image ID")
|
||||
// ErrImageMultiplyTagged is returned when we try to remove an image that still has multiple names
|
||||
ErrImageMultiplyTagged = errors.New("image still has multiple names applied")
|
||||
)
|
||||
|
||||
// ImageResult wraps a subset of information about an image: its ID, its names,
|
||||
// and the size, if known, or nil if it isn't.
|
||||
type ImageResult struct {
|
||||
ID string
|
||||
Names []string
|
||||
Size *uint64
|
||||
// TODO(runcom): this is an hack for https://github.com/kubernetes-incubator/cri-o/pull/1136
|
||||
// drop this when we have proper image IDs (as in, image IDs should be just
|
||||
// the config blog digest which is stable across same images).
|
||||
ID string
|
||||
Name string
|
||||
RepoTags []string
|
||||
RepoDigests []string
|
||||
Size *uint64
|
||||
Digest digest.Digest
|
||||
ConfigDigest digest.Digest
|
||||
}
|
||||
|
||||
|
@ -47,6 +54,11 @@ type imageService struct {
|
|||
registries []string
|
||||
}
|
||||
|
||||
// sizer knows its size.
|
||||
type sizer interface {
|
||||
Size() (int64, error)
|
||||
}
|
||||
|
||||
// ImageServer wraps up various CRI-related activities into a reusable
|
||||
// implementation.
|
||||
type ImageServer interface {
|
||||
|
@ -59,6 +71,9 @@ type ImageServer interface {
|
|||
PrepareImage(systemContext *types.SystemContext, imageName string, options *copy.Options) (types.Image, error)
|
||||
// PullImage imports an image from the specified location.
|
||||
PullImage(systemContext *types.SystemContext, imageName string, options *copy.Options) (types.ImageReference, error)
|
||||
// UntagImage removes a name from the specified image, and if it was
|
||||
// the only name the image had, removes the image.
|
||||
UntagImage(systemContext *types.SystemContext, imageName string) error
|
||||
// RemoveImage deletes the specified image.
|
||||
RemoveImage(systemContext *types.SystemContext, imageName string) error
|
||||
// GetStore returns the reference to the storage library Store which
|
||||
|
@ -88,6 +103,66 @@ func (svc *imageService) getRef(name string) (types.ImageReference, error) {
|
|||
return ref, nil
|
||||
}
|
||||
|
||||
func sortNamesByType(names []string) (bestName string, tags, digests []string) {
|
||||
for _, name := range names {
|
||||
if len(name) > 72 && name[len(name)-72:len(name)-64] == "@sha256:" {
|
||||
digests = append(digests, name)
|
||||
} else {
|
||||
tags = append(tags, name)
|
||||
}
|
||||
}
|
||||
if len(digests) > 0 {
|
||||
bestName = digests[0]
|
||||
}
|
||||
if len(tags) > 0 {
|
||||
bestName = tags[0]
|
||||
}
|
||||
return bestName, tags, digests
|
||||
}
|
||||
|
||||
func (svc *imageService) makeRepoDigests(knownRepoDigests, tags []string, imageID string) (imageDigest digest.Digest, repoDigests []string) {
|
||||
// Look up the image's digest.
|
||||
img, err := svc.store.Image(imageID)
|
||||
if err != nil {
|
||||
return "", knownRepoDigests
|
||||
}
|
||||
imageDigest = img.Digest
|
||||
if imageDigest == "" {
|
||||
imgDigest, err := svc.store.ImageBigDataDigest(imageID, storage.ImageDigestBigDataKey)
|
||||
if err != nil || imgDigest == "" {
|
||||
return "", knownRepoDigests
|
||||
}
|
||||
imageDigest = imgDigest
|
||||
}
|
||||
// If there are no names to convert to canonical references, we're done.
|
||||
if len(tags) == 0 {
|
||||
return imageDigest, knownRepoDigests
|
||||
}
|
||||
// We only want to supplement what's already explicitly in the list, so keep track of values
|
||||
// that we already know.
|
||||
digestMap := make(map[string]struct{})
|
||||
repoDigests = knownRepoDigests
|
||||
for _, repoDigest := range knownRepoDigests {
|
||||
digestMap[repoDigest] = struct{}{}
|
||||
}
|
||||
// For each tagged name, parse the name, and if we can extract a named reference, convert
|
||||
// it into a canonical reference using the digest and add it to the list.
|
||||
for _, tag := range tags {
|
||||
if ref, err2 := reference.ParseAnyReference(tag); err2 == nil {
|
||||
if name, ok := ref.(reference.Named); ok {
|
||||
trimmed := reference.TrimNamed(name)
|
||||
if imageRef, err3 := reference.WithDigest(trimmed, imageDigest); err3 == nil {
|
||||
if _, ok := digestMap[imageRef.String()]; !ok {
|
||||
repoDigests = append(repoDigests, imageRef.String())
|
||||
digestMap[imageRef.String()] = struct{}{}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return imageDigest, repoDigests
|
||||
}
|
||||
|
||||
func (svc *imageService) ListImages(systemContext *types.SystemContext, filter string) ([]ImageResult, error) {
|
||||
results := []ImageResult{}
|
||||
if filter != "" {
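Review bot: `sortNamesByType` classifies a name as a digest reference by a fixed offset, `len(name) > 72 && name[len(name)-72:len(name)-64] == "@sha256:"`, so only sha256-digested names are recognised and any other digest algorithm or length lands in `tags`, which `makeRepoDigests` then tries to re-canonicalise. The file already imports `reference` and parses names a few lines further down, so classify by parsing and a `reference.Canonical` type assertion instead of a magic slice. `bestName` silently prefers the first tag over the first digest; a one-line comment stating that preference would help the CRI-facing callers. The error variables `err2`/`err3` in `makeRepoDigests` can be plain `err` since each lives in its own `if` scope.
```go
func sortNamesByType(names []string) (bestName string, tags, digests []string) {
	for _, name := range names {
		// Classify by parsing rather than by a fixed "@sha256:" offset so
		// other digest algorithms and lengths are handled the same way.
		if ref, err := reference.ParseAnyReference(name); err == nil {
			if _, isDigested := ref.(reference.Canonical); isDigested {
				digests = append(digests, name)
				continue
			}
		}
		tags = append(tags, name)
	}
	// … unchanged: bestName selection (tags preferred over digests) …
	return bestName, tags, digests
}
```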
|
||||
|
@ -96,16 +171,26 @@ func (svc *imageService) ListImages(systemContext *types.SystemContext, filter s
|
|||
return nil, err
|
||||
}
|
||||
if image, err := istorage.Transport.GetStoreImage(svc.store, ref); err == nil {
|
||||
img, err := ref.NewImage(systemContext)
|
||||
img, err := ref.NewImageSource(systemContext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
size := imageSize(img)
|
||||
configDigest, err := imageConfigDigest(img, nil)
|
||||
img.Close()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
name, tags, digests := sortNamesByType(image.Names)
|
||||
imageDigest, repoDigests := svc.makeRepoDigests(digests, tags, image.ID)
|
||||
results = append(results, ImageResult{
|
||||
ID: image.ID,
|
||||
Names: image.Names,
|
||||
Size: size,
|
||||
ID: image.ID,
|
||||
Name: name,
|
||||
RepoTags: tags,
|
||||
RepoDigests: repoDigests,
|
||||
Size: size,
|
||||
Digest: imageDigest,
|
||||
ConfigDigest: configDigest,
|
||||
})
|
||||
}
|
||||
} else {
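Review bot: The body of this `GetStoreImage` branch and of the all-images loop in the next hunk are now the same twenty-odd lines: open the source, compute size and config digest, close it, sort the names, build repo digests, append an `ImageResult`. Extract that into one method on `imageService` that takes the system context, the reference and the store image and returns `(ImageResult, error)`, then call it from both places so the two branches cannot drift. Calling `img.Close()` before checking `err` is the right order, but the `Close` error is dropped; a `_ = img.Close()` or a short comment makes that deliberate. ListImages starts before this hunk and continues after it.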
|
||||
|
@ -118,16 +203,26 @@ func (svc *imageService) ListImages(systemContext *types.SystemContext, filter s
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
img, err := ref.NewImage(systemContext)
|
||||
img, err := ref.NewImageSource(systemContext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
size := imageSize(img)
|
||||
configDigest, err := imageConfigDigest(img, nil)
|
||||
img.Close()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
name, tags, digests := sortNamesByType(image.Names)
|
||||
imageDigest, repoDigests := svc.makeRepoDigests(digests, tags, image.ID)
|
||||
results = append(results, ImageResult{
|
||||
ID: image.ID,
|
||||
Names: image.Names,
|
||||
Size: size,
|
||||
ID: image.ID,
|
||||
Name: name,
|
||||
RepoTags: tags,
|
||||
RepoDigests: repoDigests,
|
||||
Size: size,
|
||||
Digest: imageDigest,
|
||||
ConfigDigest: configDigest,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
@ -152,29 +247,54 @@ func (svc *imageService) ImageStatus(systemContext *types.SystemContext, nameOrI
|
|||
return nil, err
|
||||
}
|
||||
|
||||
img, err := ref.NewImage(systemContext)
|
||||
img, err := ref.NewImageSource(systemContext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer img.Close()
|
||||
size := imageSize(img)
|
||||
configDigest, err := imageConfigDigest(img, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &ImageResult{
|
||||
name, tags, digests := sortNamesByType(image.Names)
|
||||
imageDigest, repoDigests := svc.makeRepoDigests(digests, tags, image.ID)
|
||||
result := ImageResult{
|
||||
ID: image.ID,
|
||||
Names: image.Names,
|
||||
Name: name,
|
||||
RepoTags: tags,
|
||||
RepoDigests: repoDigests,
|
||||
Size: size,
|
||||
ConfigDigest: img.ConfigInfo().Digest,
|
||||
}, nil
|
||||
Digest: imageDigest,
|
||||
ConfigDigest: configDigest,
|
||||
}
|
||||
|
||||
return &result, nil
|
||||
}
|
||||
|
||||
func imageSize(img types.Image) *uint64 {
|
||||
if sum, err := img.Size(); err == nil {
|
||||
usum := uint64(sum)
|
||||
return &usum
|
||||
func imageSize(img types.ImageSource) *uint64 {
|
||||
if s, ok := img.(sizer); ok {
|
||||
if sum, err := s.Size(); err == nil {
|
||||
usum := uint64(sum)
|
||||
return &usum
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func imageConfigDigest(img types.ImageSource, instanceDigest *digest.Digest) (digest.Digest, error) {
|
||||
manifestBytes, manifestType, err := img.GetManifest(instanceDigest)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
imgManifest, err := manifest.FromBlob(manifestBytes, manifestType)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return imgManifest.ConfigInfo().Digest, nil
|
||||
}
|
||||
|
||||
func (svc *imageService) CanPull(imageName string, options *copy.Options) (bool, error) {
|
||||
srcRef, err := svc.prepareReference(imageName, options)
|
||||
if err != nil {
|
||||
|
@ -184,7 +304,11 @@ func (svc *imageService) CanPull(imageName string, options *copy.Options) (bool,
|
|||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
src, err := image.FromSource(rawSource)
|
||||
sourceCtx := &types.SystemContext{}
|
||||
if options.SourceCtx != nil {
|
||||
sourceCtx = options.SourceCtx
|
||||
}
|
||||
src, err := image.FromSource(sourceCtx, rawSource)
|
||||
if err != nil {
|
||||
rawSource.Close()
|
||||
return false, err
|
||||
|
@ -274,6 +398,57 @@ func (svc *imageService) PullImage(systemContext *types.SystemContext, imageName
|
|||
return destRef, nil
|
||||
}
|
||||
|
||||
func (svc *imageService) UntagImage(systemContext *types.SystemContext, nameOrID string) error {
|
||||
ref, err := alltransports.ParseImageName(nameOrID)
|
||||
if err != nil {
|
||||
ref2, err2 := istorage.Transport.ParseStoreReference(svc.store, "@"+nameOrID)
|
||||
if err2 != nil {
|
||||
ref3, err3 := istorage.Transport.ParseStoreReference(svc.store, nameOrID)
|
||||
if err3 != nil {
|
||||
return err
|
||||
}
|
||||
ref2 = ref3
|
||||
}
|
||||
ref = ref2
|
||||
}
|
||||
|
||||
img, err := istorage.Transport.GetStoreImage(svc.store, ref)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(img.ID, nameOrID) {
|
||||
namedRef, err := svc.prepareReference(nameOrID, ©.Options{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
name := nameOrID
|
||||
if namedRef.DockerReference() != nil {
|
||||
name = namedRef.DockerReference().Name()
|
||||
if tagged, ok := namedRef.DockerReference().(reference.NamedTagged); ok {
|
||||
name = name + ":" + tagged.Tag()
|
||||
}
|
||||
if canonical, ok := namedRef.DockerReference().(reference.Canonical); ok {
|
||||
name = name + "@" + canonical.Digest().String()
|
||||
}
|
||||
}
|
||||
|
||||
prunedNames := make([]string, 0, len(img.Names))
|
||||
for _, imgName := range img.Names {
|
||||
if imgName != name && imgName != nameOrID {
|
||||
prunedNames = append(prunedNames, imgName)
|
||||
}
|
||||
}
|
||||
|
||||
if len(prunedNames) > 0 {
|
||||
return svc.store.SetNames(img.ID, prunedNames)
|
||||
}
|
||||
}
|
||||
|
||||
return ref.DeleteImage(systemContext)
|
||||
}
|
||||
|
||||
func (svc *imageService) RemoveImage(systemContext *types.SystemContext, nameOrID string) error {
|
||||
ref, err := alltransports.ParseImageName(nameOrID)
|
||||
if err != nil {
|
||||
|
@ -341,6 +516,14 @@ func splitDockerDomain(name string) (domain, remainder string) {
|
|||
}
|
||||
|
||||
func (svc *imageService) ResolveNames(imageName string) ([]string, error) {
|
||||
// _Maybe_ it's a truncated image ID. Don't prepend a registry name, then.
|
||||
if len(imageName) >= minimumTruncatedIDLength && svc.store != nil {
|
||||
if img, err := svc.store.Image(imageName); err == nil && img != nil && strings.HasPrefix(img.ID, imageName) {
|
||||
// It's a truncated version of the ID of an image that's present in local storage;
|
||||
// we need to expand it.
|
||||
return []string{img.ID}, nil
|
||||
}
|
||||
}
|
||||
// This to prevent any image ID to go through this routine
|
||||
_, err := reference.ParseNormalizedNamed(imageName)
|
||||
if err != nil {
|
||||
|
@ -368,7 +551,7 @@ func (svc *imageService) ResolveNames(imageName string) ([]string, error) {
|
|||
if r == "docker.io" && !strings.ContainsRune(remainder, '/') {
|
||||
rem = "library/" + rem
|
||||
}
|
||||
images = append(images, filepath.Join(r, rem))
|
||||
images = append(images, path.Join(r, rem))
|
||||
}
|
||||
return images, nil
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"io/ioutil"
|
||||
|
||||
"github.com/BurntSushi/toml"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
)
|
||||
|
||||
//CrioConfigPath is the default location for the conf file
|
||||
|
@ -14,7 +14,7 @@ const CrioConfigPath = "/etc/crio/crio.conf"
|
|||
// Config represents the entire set of configuration values that can be set for
|
||||
// the server. This is intended to be loaded from a toml-encoded config file.
|
||||
type Config struct {
|
||||
libkpod.Config
|
||||
lib.Config
|
||||
APIConfig
|
||||
}
|
||||
|
||||
|
@ -37,11 +37,11 @@ type APIConfig struct {
|
|||
// conversions.
|
||||
type tomlConfig struct {
|
||||
Crio struct {
|
||||
libkpod.RootConfig
|
||||
API struct{ APIConfig } `toml:"api"`
|
||||
Runtime struct{ libkpod.RuntimeConfig } `toml:"runtime"`
|
||||
Image struct{ libkpod.ImageConfig } `toml:"image"`
|
||||
Network struct{ libkpod.NetworkConfig } `toml:"network"`
|
||||
lib.RootConfig
|
||||
API struct{ APIConfig } `toml:"api"`
|
||||
Runtime struct{ lib.RuntimeConfig } `toml:"runtime"`
|
||||
Image struct{ lib.ImageConfig } `toml:"image"`
|
||||
Network struct{ lib.NetworkConfig } `toml:"network"`
|
||||
} `toml:"crio"`
|
||||
}
|
||||
|
||||
|
@ -102,7 +102,7 @@ func (c *Config) ToFile(path string) error {
|
|||
// DefaultConfig returns the default configuration for crio.
|
||||
func DefaultConfig() *Config {
|
||||
return &Config{
|
||||
Config: *libkpod.DefaultConfig(),
|
||||
Config: *lib.DefaultConfig(),
|
||||
APIConfig: APIConfig{
|
||||
Listen: "/var/run/crio/crio.sock",
|
||||
StreamAddress: "",
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
)
|
||||
|
||||
const fixturePath = "fixtures/crio.conf"
|
||||
|
@ -44,7 +44,7 @@ func assertAllFieldsEquality(t *testing.T, c Config) {
|
|||
{c.ImageConfig.PauseImage, "kubernetes/pause"},
|
||||
{c.ImageConfig.PauseCommand, "/pause"},
|
||||
{c.ImageConfig.SignaturePolicyPath, "/tmp"},
|
||||
{c.ImageConfig.ImageVolumes, libkpod.ImageVolumesType("mkdir")},
|
||||
{c.ImageConfig.ImageVolumes, lib.ImageVolumesType("mkdir")},
|
||||
{c.ImageConfig.InsecureRegistries[0], "insecure-registry:1234"},
|
||||
{c.ImageConfig.Registries[0], "registry:4321"},
|
||||
|
||||
|
|
|
@ -14,12 +14,11 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/docker/distribution/reference"
|
||||
dockermounts "github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
"github.com/docker/docker/pkg/symlink"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/storage"
|
||||
|
@ -234,11 +233,11 @@ func addImageVolumes(rootfs string, s *Server, containerInfo *storage.ContainerI
|
|||
return nil, err
|
||||
}
|
||||
switch s.config.ImageVolumes {
|
||||
case libkpod.ImageVolumesMkdir:
|
||||
case lib.ImageVolumesMkdir:
|
||||
if err1 := os.MkdirAll(fp, 0644); err1 != nil {
|
||||
return nil, err1
|
||||
}
|
||||
case libkpod.ImageVolumesBind:
|
||||
case lib.ImageVolumesBind:
|
||||
volumeDirName := stringid.GenerateNonCryptoID()
|
||||
src := filepath.Join(containerInfo.RunDir, "mounts", volumeDirName)
|
||||
if err1 := os.MkdirAll(src, 0644); err1 != nil {
|
||||
|
@ -258,7 +257,7 @@ func addImageVolumes(rootfs string, s *Server, containerInfo *storage.ContainerI
|
|||
Options: []string{"rw"},
|
||||
})
|
||||
|
||||
case libkpod.ImageVolumesIgnore:
|
||||
case lib.ImageVolumesIgnore:
|
||||
logrus.Debugf("Ignoring volume %v", dest)
|
||||
default:
|
||||
logrus.Fatalf("Unrecognized image volumes setting")
|
||||
|
@ -424,18 +423,21 @@ func buildOCIProcessArgs(containerKubeConfig *pb.ContainerConfig, imageOCIConfig
|
|||
}
|
||||
|
||||
// addOCIHook look for hooks programs installed in hooksDirPath and add them to spec
|
||||
func addOCIHook(specgen *generate.Generator, hook libkpod.HookParams) error {
|
||||
func addOCIHook(specgen *generate.Generator, hook lib.HookParams) error {
|
||||
logrus.Debugf("AddOCIHook", hook)
|
||||
for _, stage := range hook.Stage {
|
||||
h := rspec.Hook{
|
||||
Path: hook.Hook,
|
||||
Args: append([]string{hook.Hook}, hook.Arguments...),
|
||||
Env: []string{fmt.Sprintf("stage=%s", stage)},
|
||||
}
|
||||
switch stage {
|
||||
case "prestart":
|
||||
specgen.AddPreStartHook(hook.Hook, []string{hook.Hook, "prestart"})
|
||||
|
||||
specgen.AddPreStartHook(h)
|
||||
case "poststart":
|
||||
specgen.AddPostStartHook(hook.Hook, []string{hook.Hook, "poststart"})
|
||||
|
||||
specgen.AddPostStartHook(h)
|
||||
case "poststop":
|
||||
specgen.AddPostStopHook(hook.Hook, []string{hook.Hook, "poststop"})
|
||||
specgen.AddPostStopHook(h)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
@ -488,6 +490,110 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
|
|||
return nil
|
||||
}
|
||||
|
||||
// setupCapabilities sets process.capabilities in the OCI runtime config.
|
||||
func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability) error {
|
||||
if capabilities == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
toCAPPrefixed := func(cap string) string {
|
||||
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
|
||||
return "CAP_" + strings.ToUpper(cap)
|
||||
}
|
||||
return cap
|
||||
}
|
||||
|
||||
// Add/drop all capabilities if "all" is specified, so that
|
||||
// following individual add/drop could still work. E.g.
|
||||
// AddCapabilities: []string{"ALL"}, DropCapabilities: []string{"CHOWN"}
|
||||
// will be all capabilities without `CAP_CHOWN`.
|
||||
// see https://github.com/kubernetes/kubernetes/issues/51980
|
||||
if inStringSlice(capabilities.GetAddCapabilities(), "ALL") {
|
||||
for _, c := range getOCICapabilitiesList() {
|
||||
if err := specgen.AddProcessCapabilityAmbient(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityBounding(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityEffective(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
if inStringSlice(capabilities.GetDropCapabilities(), "ALL") {
|
||||
for _, c := range getOCICapabilitiesList() {
|
||||
if err := specgen.DropProcessCapabilityAmbient(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityBounding(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityEffective(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for _, cap := range capabilities.GetAddCapabilities() {
|
||||
if strings.ToUpper(cap) == "ALL" {
|
||||
continue
|
||||
}
|
||||
capPrefixed := toCAPPrefixed(cap)
|
||||
if err := specgen.AddProcessCapabilityAmbient(capPrefixed); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityBounding(capPrefixed); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
for _, cap := range capabilities.GetDropCapabilities() {
|
||||
if strings.ToUpper(cap) == "ALL" {
|
||||
continue
|
||||
}
|
||||
capPrefixed := toCAPPrefixed(cap)
|
||||
if err := specgen.DropProcessCapabilityAmbient(capPrefixed); err != nil {
|
||||
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityBounding(capPrefixed); err != nil {
|
||||
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
|
||||
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
|
||||
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
|
||||
}
|
||||
if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
|
||||
return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func hostNetwork(containerConfig *pb.ContainerConfig) bool {
|
||||
securityContext := containerConfig.GetLinux().GetSecurityContext()
|
||||
if securityContext == nil || securityContext.GetNamespaceOptions() == nil {
|
||||
|
@ -563,7 +669,11 @@ func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerReq
|
|||
return nil, fmt.Errorf("CreateContainerRequest.ContainerConfig is nil")
|
||||
}
|
||||
|
||||
name := containerConfig.GetMetadata().Name
|
||||
if containerConfig.GetMetadata() == nil {
|
||||
return nil, fmt.Errorf("CreateContainerRequest.ContainerConfig.Metadata is nil")
|
||||
}
|
||||
|
||||
name := containerConfig.GetMetadata().GetName()
|
||||
if name == "" {
|
||||
return nil, fmt.Errorf("CreateContainerRequest.ContainerConfig.Name is empty")
|
||||
}
|
||||
|
@ -616,7 +726,7 @@ func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerReq
|
|||
func (s *Server) setupOCIHooks(specgen *generate.Generator, sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, command string) error {
|
||||
mounts := containerConfig.GetMounts()
|
||||
addedHooks := map[string]struct{}{}
|
||||
addHook := func(hook libkpod.HookParams) error {
|
||||
addHook := func(hook lib.HookParams) error {
|
||||
// Only add a hook once
|
||||
if _, ok := addedHooks[hook.Hook]; !ok {
|
||||
if err := addOCIHook(specgen, hook); err != nil {
|
||||
|
@ -711,8 +821,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
specgen.AddAnnotation(annotations.Volumes, string(volumesJSON))
|
||||
|
||||
mnt := rspec.Mount{
|
||||
Destination: "/sys/fs/cgroup",
|
||||
Type: "cgroup",
|
||||
Source: "cgroup",
|
||||
Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
|
||||
}
|
||||
// Add cgroup mount so container process can introspect its own limits
|
||||
specgen.AddCgroupsMount("ro")
|
||||
specgen.AddMount(mnt)
|
||||
|
||||
if err := addDevices(sb, containerConfig, &specgen); err != nil {
|
||||
return nil, err
|
||||
|
@ -786,28 +902,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
if linux != nil {
|
||||
resources := linux.GetResources()
|
||||
if resources != nil {
|
||||
cpuPeriod := resources.CpuPeriod
|
||||
if cpuPeriod != 0 {
|
||||
specgen.SetLinuxResourcesCPUPeriod(uint64(cpuPeriod))
|
||||
}
|
||||
|
||||
cpuQuota := resources.CpuQuota
|
||||
if cpuQuota != 0 {
|
||||
specgen.SetLinuxResourcesCPUQuota(cpuQuota)
|
||||
}
|
||||
|
||||
cpuShares := resources.CpuShares
|
||||
if cpuShares != 0 {
|
||||
specgen.SetLinuxResourcesCPUShares(uint64(cpuShares))
|
||||
}
|
||||
|
||||
memoryLimit := resources.MemoryLimitInBytes
|
||||
if memoryLimit != 0 {
|
||||
specgen.SetLinuxResourcesMemoryLimit(memoryLimit)
|
||||
}
|
||||
|
||||
oomScoreAdj := resources.OomScoreAdj
|
||||
specgen.SetProcessOOMScoreAdj(int(oomScoreAdj))
|
||||
specgen.SetLinuxResourcesCPUPeriod(uint64(resources.GetCpuPeriod()))
|
||||
specgen.SetLinuxResourcesCPUQuota(resources.GetCpuQuota())
|
||||
specgen.SetLinuxResourcesCPUShares(uint64(resources.GetCpuShares()))
|
||||
specgen.SetLinuxResourcesMemoryLimit(resources.GetMemoryLimitInBytes())
|
||||
specgen.SetProcessOOMScoreAdj(int(resources.GetOomScoreAdj()))
|
||||
specgen.SetLinuxResourcesCPUCpus(resources.GetCpusetCpus())
|
||||
specgen.SetLinuxResourcesCPUMems(resources.GetCpusetMems())
|
||||
}
|
||||
|
||||
var cgPath string
|
||||
|
@ -826,57 +927,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
specgen.SetLinuxCgroupsPath(cgPath)
|
||||
|
||||
capabilities := linux.GetSecurityContext().GetCapabilities()
|
||||
if privileged {
|
||||
// this is setting correct capabilities as well for privileged mode
|
||||
specgen.SetupPrivileged(true)
|
||||
setOCIBindMountsPrivileged(&specgen)
|
||||
} else {
|
||||
toCAPPrefixed := func(cap string) string {
|
||||
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
|
||||
return "CAP_" + strings.ToUpper(cap)
|
||||
}
|
||||
return cap
|
||||
}
|
||||
|
||||
// Add/drop all capabilities if "all" is specified, so that
|
||||
// following individual add/drop could still work. E.g.
|
||||
// AddCapabilities: []string{"ALL"}, DropCapabilities: []string{"CHOWN"}
|
||||
// will be all capabilities without `CAP_CHOWN`.
|
||||
// see https://github.com/kubernetes/kubernetes/issues/51980
|
||||
if inStringSlice(capabilities.GetAddCapabilities(), "ALL") {
|
||||
for _, c := range getOCICapabilitiesList() {
|
||||
if err := specgen.AddProcessCapability(c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
if inStringSlice(capabilities.GetDropCapabilities(), "ALL") {
|
||||
for _, c := range getOCICapabilitiesList() {
|
||||
if err := specgen.DropProcessCapability(c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if capabilities != nil {
|
||||
for _, cap := range capabilities.GetAddCapabilities() {
|
||||
if strings.ToUpper(cap) == "ALL" {
|
||||
continue
|
||||
}
|
||||
if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
for _, cap := range capabilities.GetDropCapabilities() {
|
||||
if strings.ToUpper(cap) == "ALL" {
|
||||
continue
|
||||
}
|
||||
if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
|
||||
return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
|
||||
}
|
||||
}
|
||||
err = setupCapabilities(&specgen, linux.GetSecurityContext().GetCapabilities())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
specgen.SetProcessSelinuxLabel(processLabel)
|
||||
|
@ -963,46 +1020,31 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
return nil, err
|
||||
}
|
||||
}
|
||||
image = images[0]
|
||||
|
||||
// Get imageName and imageRef that are requested in container status
|
||||
imageName := image
|
||||
status, err := s.StorageImageServer().ImageStatus(s.ImageContext(), image)
|
||||
// Get imageName and imageRef that are later requested in container status
|
||||
status, err := s.StorageImageServer().ImageStatus(s.ImageContext(), images[0])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
imageName := status.Name
|
||||
imageRef := status.ID
|
||||
//
|
||||
// TODO: https://github.com/kubernetes-incubator/cri-o/issues/531
|
||||
//
|
||||
//for _, n := range status.Names {
|
||||
//r, err := reference.ParseNormalizedNamed(n)
|
||||
//if err != nil {
|
||||
//return nil, fmt.Errorf("failed to normalize image name for ImageRef: %v", err)
|
||||
//}
|
||||
//if digested, isDigested := r.(reference.Canonical); isDigested {
|
||||
//imageRef = reference.FamiliarString(digested)
|
||||
//break
|
||||
//}
|
||||
//}
|
||||
for _, n := range status.Names {
|
||||
r, err := reference.ParseNormalizedNamed(n)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to normalize image name for Image: %v", err)
|
||||
}
|
||||
if tagged, isTagged := r.(reference.Tagged); isTagged {
|
||||
imageName = reference.FamiliarString(tagged)
|
||||
break
|
||||
}
|
||||
if len(status.RepoDigests) > 0 {
|
||||
imageRef = status.RepoDigests[0]
|
||||
}
|
||||
|
||||
specgen.AddAnnotation(annotations.Image, image)
|
||||
specgen.AddAnnotation(annotations.ImageName, imageName)
|
||||
specgen.AddAnnotation(annotations.ImageRef, imageRef)
|
||||
specgen.AddAnnotation(annotations.IP, sb.IP())
|
||||
|
||||
mnt = rspec.Mount{
|
||||
Type: "bind",
|
||||
Source: sb.ShmPath(),
|
||||
Destination: "/etc/shm",
|
||||
Options: []string{"rw", "bind"},
|
||||
}
|
||||
// bind mount the pod shm
|
||||
specgen.AddBindMount(sb.ShmPath(), "/dev/shm", []string{"rw"})
|
||||
specgen.AddMount(mnt)
|
||||
|
||||
options := []string{"rw"}
|
||||
if readOnlyRootfs {
|
||||
|
@ -1013,8 +1055,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
mnt = rspec.Mount{
|
||||
Type: "bind",
|
||||
Source: sb.ResolvPath(),
|
||||
Destination: "/etc/resolv.conf",
|
||||
Options: append(options, "bind"),
|
||||
}
|
||||
// bind mount the pod resolver file
|
||||
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
|
||||
specgen.AddMount(mnt)
|
||||
}
|
||||
|
||||
if sb.HostnamePath() != "" {
|
||||
|
@ -1022,12 +1070,24 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
|
||||
mnt = rspec.Mount{
|
||||
Type: "bind",
|
||||
Source: sb.HostnamePath(),
|
||||
Destination: "/etc/hostname",
|
||||
Options: append(options, "bind"),
|
||||
}
|
||||
specgen.AddMount(mnt)
|
||||
}
|
||||
|
||||
// Bind mount /etc/hosts for host networking containers
|
||||
if hostNetwork(containerConfig) {
|
||||
specgen.AddBindMount("/etc/hosts", "/etc/hosts", options)
|
||||
mnt = rspec.Mount{
|
||||
Type: "bind",
|
||||
Source: "/etc/hosts",
|
||||
Destination: "/etc/hosts",
|
||||
Options: append(options, "bind"),
|
||||
}
|
||||
specgen.AddMount(mnt)
|
||||
}
|
||||
|
||||
// Set hostname and add env for hostname
|
||||
|
@ -1043,7 +1103,6 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
specgen.AddAnnotation(annotations.TTY, fmt.Sprintf("%v", containerConfig.Tty))
|
||||
specgen.AddAnnotation(annotations.Stdin, fmt.Sprintf("%v", containerConfig.Stdin))
|
||||
specgen.AddAnnotation(annotations.StdinOnce, fmt.Sprintf("%v", containerConfig.StdinOnce))
|
||||
specgen.AddAnnotation(annotations.Image, image)
|
||||
specgen.AddAnnotation(annotations.ResolvPath, sb.InfraContainer().CrioAnnotations()[annotations.ResolvPath])
|
||||
|
||||
created := time.Now()
|
||||
|
@ -1079,7 +1138,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
attempt := metadata.Attempt
|
||||
containerInfo, err := s.StorageRuntimeServer().CreateContainer(s.ImageContext(),
|
||||
sb.Name(), sb.ID(),
|
||||
image, image,
|
||||
image, status.ID,
|
||||
containerName, containerID,
|
||||
metaname,
|
||||
attempt,
|
||||
|
@ -1088,6 +1147,14 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer func() {
|
||||
if err != nil {
|
||||
err2 := s.StorageRuntimeServer().DeleteContainer(containerInfo.ID)
|
||||
if err2 != nil {
|
||||
logrus.Warnf("Failed to cleanup container directory: %v", err2)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
mountPoint, err := s.StorageRuntimeServer().StartContainer(containerID)
|
||||
if err != nil {
|
||||
|
@ -1097,7 +1164,8 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
|
||||
containerImageConfig := containerInfo.Config
|
||||
if containerImageConfig == nil {
|
||||
return nil, fmt.Errorf("empty image config for %s", image)
|
||||
err = fmt.Errorf("empty image config for %s", image)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if containerImageConfig.Config.StopSignal != "" {
|
||||
|
@ -1161,7 +1229,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
sort.Sort(orderedMounts(mounts))
|
||||
|
||||
for _, m := range mounts {
|
||||
specgen.AddBindMount(m.Source, m.Destination, m.Options)
|
||||
mnt = rspec.Mount{
|
||||
Type: "bind",
|
||||
Source: m.Source,
|
||||
Destination: m.Destination,
|
||||
Options: append(m.Options, "bind"),
|
||||
}
|
||||
specgen.AddMount(mnt)
|
||||
}
|
||||
|
||||
if err := s.setupOCIHooks(&specgen, sb, containerConfig, processArgs[0]); err != nil {
|
||||
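Review bot: The deferred cleanup added after the `containerInfo, err :=` call only runs DeleteContainer when the function-scope `err` is non-nil, but the later `if err := s.setupOCIHooks(&specgen, sb, containerConfig, processArgs[0]); err != nil {` declares a shadowing `err`, so a hook-setup failure returns without the container directory being removed. The hunk that rewrites `return nil, fmt.Errorf("empty image config for %s", image)` into `err = fmt.Errorf(...)` followed by `return nil, err` shows the intended pattern; apply it here as well, `if err = s.setupOCIHooks(&specgen, sb, containerConfig, processArgs[0]); err != nil {`, and audit the other error returns between the defer and the end of the function (outside this view) for the same shadowing. This assumes the result parameters are unnamed; if the error result is itself named `err`, the closure already observes the returned value and no change is needed. createSandboxContainer begins and ends outside these hunks.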
|
|
|
@ -1,10 +1,8 @@
|
|||
package server
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"os/exec"
|
||||
"time"
|
||||
|
@ -55,28 +53,14 @@ func (ss streamService) Exec(containerID string, cmd []string, stdin io.Reader,
|
|||
return fmt.Errorf("container is not created or running")
|
||||
}
|
||||
|
||||
f, err := ioutil.TempFile("", "exec-process")
|
||||
processFile, err := oci.PrepareProcessExec(c, cmd, tty)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer os.RemoveAll(f.Name())
|
||||
|
||||
pspec := c.Spec().Process
|
||||
pspec.Args = cmd
|
||||
processJSON, err := json.Marshal(pspec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := ioutil.WriteFile(f.Name(), processJSON, 0644); err != nil {
|
||||
return err
|
||||
}
|
||||
defer os.RemoveAll(processFile.Name())
|
||||
|
||||
args := []string{"exec"}
|
||||
if tty {
|
||||
args = append(args, "-t")
|
||||
}
|
||||
args = append(args, "-p", f.Name())
|
||||
args = append(args, "--process", processFile.Name())
|
||||
args = append(args, c.ID())
|
||||
execCmd := exec.Command(ss.runtimeServer.Runtime().Path(c), args...)
|
||||
var cmdErr error
|
||||
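Review bot: `processFile` is removed but never closed, so if oci.PrepareProcessExec hands back an open *os.File the descriptor is held for the rest of the exec; add `defer processFile.Close()` beside `defer os.RemoveAll(processFile.Name())`, or have the helper return only a path. The removed inline code serialized a copy of `c.Spec().Process`, which carries the container's Env, into a file created by ioutil.TempFile (mode 0600); the mode PrepareProcessExec uses is not visible here, so confirm it keeps that file unreadable to other local users. Exec's body continues outside the hunk.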
|
|
|
@ -97,6 +97,7 @@ func (s *Server) ListContainers(ctx context.Context, req *pb.ListContainersReque
|
|||
Metadata: ctr.Metadata(),
|
||||
Annotations: ctr.Annotations(),
|
||||
Image: img,
|
||||
ImageRef: ctr.ImageRef(),
|
||||
}
|
||||
|
||||
switch cState.Status {
|
||||
|
|
|
@ -3,6 +3,7 @@ package server
|
|||
import (
|
||||
"time"
|
||||
|
||||
"github.com/containers/image/types"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/net/context"
|
||||
|
@ -38,7 +39,10 @@ func (s *Server) ContainerStatus(ctx context.Context, req *pb.ContainerStatusReq
|
|||
ImageRef: c.ImageRef(),
|
||||
},
|
||||
}
|
||||
resp.Status.Image = &pb.ImageSpec{Image: c.ImageName()}
|
||||
resp.Status.Image = &pb.ImageSpec{Image: c.Image()}
|
||||
if status, err := s.StorageImageServer().ImageStatus(&types.SystemContext{}, c.ImageRef()); err == nil {
|
||||
resp.Status.Image.Image = status.Name
|
||||
}
|
||||
|
||||
mounts := []*pb.Mount{}
|
||||
for _, cv := range c.Volumes() {
|
||||
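Review bot: The new ImageStatus lookup passes a fresh `&types.SystemContext{}`, while the other call sites in this change (`s.StorageImageServer().ImageStatus(s.ImageContext(), ...)` in container_create.go and image_pull.go) pass `s.ImageContext()`; the same empty-context call is added to getContainerInfo in inspect.go. If ImageContext carries storage or policy settings that influence lookups, the status path may resolve a name differently from the create path, so either use `s.ImageContext()` here too or add a comment stating why an empty context is sufficient for a local-storage status query. A lookup failure silently keeps `c.Image()`, which reads as an intentional best-effort fallback and could be noted as such in a one-line comment.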
|
|
|
@ -0,0 +1 @@
|
|||
secretDataA
|
|
@ -0,0 +1 @@
|
|||
secretDataB
|
|
@ -33,14 +33,16 @@ func (s *Server) ListImages(ctx context.Context, req *pb.ListImagesRequest) (res
|
|||
for _, result := range results {
|
||||
if result.Size != nil {
|
||||
resp.Images = append(resp.Images, &pb.Image{
|
||||
Id: result.ID,
|
||||
RepoTags: result.Names,
|
||||
Size_: *result.Size,
|
||||
Id: result.ID,
|
||||
RepoTags: result.RepoTags,
|
||||
RepoDigests: result.RepoDigests,
|
||||
Size_: *result.Size,
|
||||
})
|
||||
} else {
|
||||
resp.Images = append(resp.Images, &pb.Image{
|
||||
Id: result.ID,
|
||||
RepoTags: result.Names,
|
||||
Id: result.ID,
|
||||
RepoTags: result.RepoTags,
|
||||
RepoDigests: result.RepoDigests,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -104,8 +104,16 @@ func (s *Server) PullImage(ctx context.Context, req *pb.PullImageRequest) (resp
|
|||
if pulled == "" && err != nil {
|
||||
return nil, err
|
||||
}
|
||||
status, err := s.StorageImageServer().ImageStatus(s.ImageContext(), pulled)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
imageRef := status.ID
|
||||
if len(status.RepoDigests) > 0 {
|
||||
imageRef = status.RepoDigests[0]
|
||||
}
|
||||
resp = &pb.PullImageResponse{
|
||||
ImageRef: pulled,
|
||||
ImageRef: imageRef,
|
||||
}
|
||||
logrus.Debugf("PullImageResponse: %+v", resp)
|
||||
return resp, nil
|
||||
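Review bot: The choice of `status.RepoDigests[0]` as the returned ImageRef deserves a comment, because the order of RepoDigests is fixed by makeRepoDigests in pkg/storage (digests already known to storage first, then digests derived from tags) and the kubelet records whichever entry comes first; suggest `// Prefer a content-addressed repo digest for ImageRef so the kubelet records what was actually pulled; fall back to the local image ID when storage knows no digest.` Note also that an ImageStatus failure now fails the PullImage RPC even though the pull itself succeeded and the image remains in storage; that is defensible, but wrapping the error with the pulled name (if fmt is in scope in this file) would keep the two failure modes distinguishable in logs. PullImage begins before the hunk.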
|
|
|
@ -40,7 +40,7 @@ func (s *Server) RemoveImage(ctx context.Context, req *pb.RemoveImageRequest) (r
|
|||
}
|
||||
}
|
||||
for _, img := range images {
|
||||
err = s.StorageImageServer().RemoveImage(s.ImageContext(), img)
|
||||
err = s.StorageImageServer().UntagImage(s.ImageContext(), img)
|
||||
if err != nil {
|
||||
logrus.Debugf("error deleting image %s: %v", img, err)
|
||||
continue
|
||||
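Review bot: The debug message `logrus.Debugf("error deleting image %s: %v", img, err)` no longer describes the call it follows: UntagImage (pkg/storage/image.go, earlier in this change) only drops the requested name when the image still has other names and deletes the image only when none remain. Rename it to `logrus.Debugf("error untagging or removing image %s: %v", img, err)` so a failed untag is not read as a failed delete. The loop and the surrounding RemoveImage handler extend beyond the hunk.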
|
|
|
@ -48,10 +48,10 @@ func (s *Server) ImageStatus(ctx context.Context, req *pb.ImageStatusRequest) (r
|
|||
}
|
||||
resp = &pb.ImageStatusResponse{
|
||||
Image: &pb.Image{
|
||||
Id: status.ID,
|
||||
RepoTags: status.Names,
|
||||
Size_: *status.Size,
|
||||
// TODO: https://github.com/kubernetes-incubator/cri-o/issues/531
|
||||
Id: status.ID,
|
||||
RepoTags: status.RepoTags,
|
||||
RepoDigests: status.RepoDigests,
|
||||
Size_: *status.Size,
|
||||
},
|
||||
}
|
||||
logrus.Debugf("ImageStatusResponse: %+v", resp)
|
||||
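Review bot: `Size_: *status.Size` dereferences a pointer that can be nil: imageSize in pkg/storage returns nil when the image source does not implement sizer, and image_list.go in this same change guards the field with `if result.Size != nil`. Guard it here as well before building the response: `var size uint64`, `if status.Size != nil { size = *status.Size }`, then `Size_: size,`. The ImageStatus handler starts before the hunk.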
|
|
|
@ -6,8 +6,9 @@ import (
|
|||
"fmt"
|
||||
"net/http"
|
||||
|
||||
cimage "github.com/containers/image/types"
|
||||
"github.com/go-zoo/bone"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/types"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
@ -45,10 +46,17 @@ func (s *Server) getContainerInfo(id string, getContainerFunc func(id string) *o
|
|||
logrus.Debugf("can't find sandbox %s for container %s", ctr.Sandbox(), id)
|
||||
return types.ContainerInfo{}, errSandboxNotFound
|
||||
}
|
||||
image := ctr.Image()
|
||||
if s.ContainerServer != nil && s.ContainerServer.StorageImageServer() != nil {
|
||||
if status, err := s.ContainerServer.StorageImageServer().ImageStatus(&cimage.SystemContext{}, ctr.ImageRef()); err == nil {
|
||||
image = status.Name
|
||||
}
|
||||
}
|
||||
return types.ContainerInfo{
|
||||
Name: ctr.Name(),
|
||||
Pid: ctrState.Pid,
|
||||
Image: ctr.ImageName(),
|
||||
Image: image,
|
||||
ImageRef: ctr.ImageRef(),
|
||||
CreatedTime: ctrState.Created.UnixNano(),
|
||||
Labels: ctr.Labels(),
|
||||
Annotations: ctr.Annotations(),
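Review bot: The added image lookup passes a fresh `&cimage.SystemContext{}` to `ImageStatus`, whereas the other call sites touched in this change (`PullImage`, `RemoveImage`) use `s.ImageContext()`; an empty context drops whatever settings the server's context carries, and a lookup that fails is silently replaced by `ctr.Image()`. Suggest `if status, err := s.ContainerServer.StorageImageServer().ImageStatus(s.ImageContext(), ctr.ImageRef()); err == nil {` if `ImageContext()` is reachable from here, plus a `logrus.Debugf` on the error path so a mismatch between the reported image and storage is visible. getContainerInfo starts and ends outside this hunk.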
|
||||
|
|
|
@ -7,14 +7,14 @@ import (
|
|||
"k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
|
||||
|
||||
"github.com/containernetworking/plugins/pkg/ns"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
func TestGetInfo(t *testing.T) {
|
||||
c := libkpod.DefaultConfig()
|
||||
c := lib.DefaultConfig()
|
||||
c.RootConfig.Storage = "afoobarstorage"
|
||||
c.RootConfig.Root = "afoobarroot"
|
||||
c.RuntimeConfig.CgroupManager = "systemd"
|
||||
|
@ -67,7 +67,7 @@ func TestGetContainerInfo(t *testing.T) {
|
|||
"io.kubernetes.test1": "value1",
|
||||
}
|
||||
getContainerFunc := func(id string) *oci.Container {
|
||||
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "imageName", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
||||
container, err := oci.NewContainer("testid", "testname", "", "/container/logs", mockNetNS{}, labels, annotations, annotations, "image", "imageName", "imageRef", &runtime.ContainerMetadata{}, "testsandboxid", false, false, false, false, false, "/root/for/container", created, "SIGKILL")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
@ -101,8 +101,11 @@ func TestGetContainerInfo(t *testing.T) {
|
|||
if ci.Name != "testname" {
|
||||
t.Fatalf("expected name testname, got %s", ci.Name)
|
||||
}
|
||||
if ci.Image != "imageName" {
|
||||
t.Fatalf("expected image name imageName, got %s", ci.Image)
|
||||
if ci.Image != "image" {
|
||||
t.Fatalf("expected image name image, got %s", ci.Image)
|
||||
}
|
||||
if ci.ImageRef != "imageRef" {
|
||||
t.Fatalf("expected image ref imageRef, got %s", ci.ImageRef)
|
||||
}
|
||||
if ci.Root != "/var/foo/container" {
|
||||
t.Fatalf("expected root to be /var/foo/container, got %s", ci.Root)
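Review bot: The updated assertion `if ci.Image != "image"` only pins the fallback path of `getContainerInfo` (`image := ctr.Image()`); the new branch that replaces it with `status.Name` from storage is not exercised if the test's Server is built without a `ContainerServer`, which this hunk does not show. A second case with a stub image server returning a known `Name` would cover the branch this change introduces. TestGetContainerInfo continues outside the hunk.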
|
||||
|
|
|
@ -3,7 +3,7 @@ package server
|
|||
import (
|
||||
"time"
|
||||
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/net/context"
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"fmt"
|
||||
"net"
|
||||
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/sirupsen/logrus"
|
||||
"k8s.io/kubernetes/pkg/kubelet/network/hostport"
|
||||
)
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/containers/storage"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
pkgstorage "github.com/kubernetes-incubator/cri-o/pkg/storage"
|
||||
"github.com/pkg/errors"
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/containers/storage"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/annotations"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
|
@ -101,16 +101,20 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
s.updateLock.RLock()
|
||||
defer s.updateLock.RUnlock()
|
||||
|
||||
if req.GetConfig().GetMetadata() == nil {
|
||||
return nil, fmt.Errorf("CreateContainerRequest.ContainerConfig.Metadata is nil")
|
||||
}
|
||||
|
||||
logrus.Debugf("RunPodSandboxRequest %+v", req)
|
||||
var processLabel, mountLabel, resolvPath string
|
||||
// process req.Name
|
||||
kubeName := req.GetConfig().GetMetadata().Name
|
||||
kubeName := req.GetConfig().GetMetadata().GetName()
|
||||
if kubeName == "" {
|
||||
return nil, fmt.Errorf("PodSandboxConfig.Name should not be empty")
|
||||
}
|
||||
|
||||
namespace := req.GetConfig().GetMetadata().Namespace
|
||||
attempt := req.GetConfig().GetMetadata().Attempt
|
||||
namespace := req.GetConfig().GetMetadata().GetNamespace()
|
||||
attempt := req.GetConfig().GetMetadata().GetAttempt()
|
||||
|
||||
id, name, err := s.generatePodIDandName(req.GetConfig())
|
||||
if err != nil {
|
||||
|
@ -156,8 +160,8 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
name, id,
|
||||
s.config.PauseImage, "",
|
||||
containerName,
|
||||
req.GetConfig().GetMetadata().Name,
|
||||
req.GetConfig().GetMetadata().Uid,
|
||||
req.GetConfig().GetMetadata().GetName(),
|
||||
req.GetConfig().GetMetadata().GetUid(),
|
||||
namespace,
|
||||
attempt,
|
||||
nil)
|
||||
|
@ -210,8 +214,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
|
||||
mnt := runtimespec.Mount{
|
||||
Type: "bind",
|
||||
Source: resolvPath,
|
||||
Destination: "/etc/resolv.conf",
|
||||
Options: []string{"ro", "bind"},
|
||||
}
|
||||
g.AddMount(mnt)
|
||||
}
|
||||
|
||||
// add metadata
|
||||
|
@ -480,7 +489,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
|||
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||
return nil, err
|
||||
}
|
||||
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
|
||||
mnt := runtimespec.Mount{
|
||||
Type: "bind",
|
||||
Source: hostnamePath,
|
||||
Destination: "/etc/hostname",
|
||||
Options: []string{"ro", "bind"},
|
||||
}
|
||||
g.AddMount(mnt)
|
||||
g.AddAnnotation(annotations.HostnamePath, hostnamePath)
|
||||
sb.AddHostnamePath(hostnamePath)
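Review bot: The two replacements of `g.AddBindMount` build the same read-only `runtimespec.Mount` literal by hand, once for `/etc/resolv.conf` and once for `/etc/hostname`, which invites the two drifting apart (the options list in particular). A small helper keeps the mount policy in one place; whether the explicit `"bind"` option differs from what the removed `AddBindMount` used to add is not visible here and is worth confirming. Separately, the unchanged nil-metadata check in the first hunk reports `CreateContainerRequest.ContainerConfig.Metadata is nil` from RunPodSandbox, where `PodSandboxConfig.Metadata is nil` would be accurate. RunPodSandbox continues outside these hunks.
```go
// readOnlyBindMount builds the read-only bind mount used to expose a
// host-side file (resolv.conf, hostname) inside the sandbox.
func readOnlyBindMount(hostPath, ctrPath string) runtimespec.Mount {
	return runtimespec.Mount{
		Type:        "bind",
		Source:      hostPath,
		Destination: ctrPath,
		Options:     []string{"ro", "bind"},
	}
}

// … unchanged: relabel of resolvPath …
g.AddMount(readOnlyBindMount(resolvPath, "/etc/resolv.conf"))
// … unchanged: relabel of hostnamePath …
g.AddMount(readOnlyBindMount(hostnamePath, "/etc/hostname"))
```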
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
"github.com/containers/storage"
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/symlink"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
package server
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
const (
|
||||
defaultError = "unable to get host and container dir"
|
||||
secretDataPath = "fixtures/secret"
|
||||
emptyPath = "fixtures/secret/empty"
|
||||
)
|
||||
|
||||
func TestGetMountsMap(t *testing.T) {
|
||||
testCases := []struct {
|
||||
Path, HostDir, CtrDir string
|
||||
Error string
|
||||
}{
|
||||
{"", "", "", defaultError},
|
||||
{"/tmp:/home/crio", "/tmp", "/home/crio", ""},
|
||||
{"crio/logs:crio/logs", "crio/logs", "crio/logs", ""},
|
||||
{"/tmp", "", "", defaultError},
|
||||
}
|
||||
for _, c := range testCases {
|
||||
hostDir, ctrDir, err := getMountsMap(c.Path)
|
||||
if hostDir != c.HostDir || ctrDir != c.CtrDir || (err != nil && err.Error() != c.Error) {
|
||||
t.Errorf("expect: (%v, %v, %v) \n but got: (%v, %v, %v) \n",
|
||||
c.HostDir, c.CtrDir, c.Error, hostDir, ctrDir, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetHostSecretData(t *testing.T) {
|
||||
testCases := []struct {
|
||||
Path string
|
||||
Want []SecretData
|
||||
}{
|
||||
{
|
||||
"emptyPath",
|
||||
[]SecretData{},
|
||||
},
|
||||
{
|
||||
secretDataPath,
|
||||
[]SecretData{
|
||||
{"testDataA", []byte("secretDataA")},
|
||||
{"testDataB", []byte("secretDataB")},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, c := range testCases {
|
||||
if secretData, err := getHostSecretData(c.Path); err != nil {
|
||||
t.Error(err)
|
||||
} else {
|
||||
for index, data := range secretData {
|
||||
if data.Name != c.Want[index].Name || string(data.Data) != string(c.Want[index].Data) {
|
||||
t.Errorf("expect: (%v, %v) \n but got: (%v, %v) \n",
|
||||
c.Want[index].Name, string(c.Want[index].Data), data.Name, string(data.Data))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
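Review bot: The first `TestGetHostSecretData` case passes the string literal `"emptyPath"` rather than the `emptyPath` constant declared above, so it exercises a path literally named `emptyPath` instead of `fixtures/secret/empty`; change it to `{emptyPath, []SecretData{}},`. The comparison loop also indexes `c.Want[index]` without first checking that `len(secretData) == len(c.Want)`, so extra entries panic and missing entries pass silently; add `if len(secretData) != len(c.Want) { t.Errorf("%s: got %d secrets, want %d", c.Path, len(secretData), len(c.Want)); continue }` before the loop. In `TestGetMountsMap`, the condition `(err != nil && err.Error() != c.Error)` never fails when an expected error is not returned at all, so a case with a non-empty `Error` passes on a nil error.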
|
|
@ -15,8 +15,8 @@ import (
|
|||
|
||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
||||
"github.com/fsnotify/fsnotify"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/oci"
|
||||
"github.com/kubernetes-incubator/cri-o/pkg/storage"
|
||||
"github.com/kubernetes-incubator/cri-o/server/apparmor"
|
||||
|
@ -53,7 +53,7 @@ type streamService struct {
|
|||
|
||||
// Server implements the RuntimeService and ImageService
|
||||
type Server struct {
|
||||
*libkpod.ContainerServer
|
||||
*lib.ContainerServer
|
||||
config Config
|
||||
|
||||
updateLock sync.RWMutex
|
||||
|
@ -190,7 +190,7 @@ func New(config *Config) (*Server, error) {
|
|||
if err := os.MkdirAll(config.ContainerExitsDir, 0755); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
containerServer, err := libkpod.New(&config.Config)
|
||||
containerServer, err := lib.New(&config.Config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/cri-o/ocicni/pkg/ocicni"
|
||||
"github.com/kubernetes-incubator/cri-o/libkpod/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/lib/sandbox"
|
||||
"github.com/kubernetes-incubator/cri-o/server/metrics"
|
||||
"github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/opencontainers/runtime-tools/validate"
|
||||
|
|
|
@ -41,11 +41,12 @@ You will also need to install the [CNI](https://github.com/containernetworking/c
|
|||
the the default pod test template runs without host networking:
|
||||
|
||||
```
|
||||
$ go get github.com/containernetworking/cni
|
||||
$ cd "$GOPATH/src/github.com/containernetworking/cni"
|
||||
$ git checkout -q d4bbce1865270cd2d2be558d6a23e63d314fe769
|
||||
$ ./build.sh \
|
||||
$ mkdir -p /opt/cni/bin \
|
||||
$ cd "$GOPATH/src/github.com/containernetworking"
|
||||
$ git clone https://github.com/containernetworking/plugins.git
|
||||
$ cd plugins
|
||||
$ git checkout -q dcf7368eeab15e2affc6256f0bb1e84dd46a34de
|
||||
$ ./build.sh
|
||||
$ mkdir -p /opt/cni/bin
|
||||
$ cp bin/* /opt/cni/bin/
|
||||
```
|
||||
|
||||
|
@ -69,11 +70,11 @@ Tests on the host will run with `runc` as the default runtime.
|
|||
However you can select other OCI compatible runtimes by setting
|
||||
the `RUNTIME` environment variable.
|
||||
|
||||
For example one could use the [Clear Containers](https://github.com/01org/cc-oci-runtime/wiki/Installation)
|
||||
For example one could use the [Clear Containers](https://github.com/clearcontainers/runtime)
|
||||
runtime instead of `runc`:
|
||||
|
||||
```
|
||||
make localintegration RUNTIME=cc-oci-runtime
|
||||
make localintegration RUNTIME=cc-runtime
|
||||
```
|
||||
|
||||
## Writing integration tests
|
||||
|
|
|
@ -28,6 +28,7 @@ function teardown() {
|
|||
run crictl start "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
run sleep 5
|
||||
run crictl inspect --output yaml "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
@ -53,6 +54,7 @@ function teardown() {
|
|||
run crictl start "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
run sleep 5
|
||||
run crictl inspect --output yaml "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
@ -1059,3 +1061,31 @@ function teardown() {
|
|||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "ctr resources" {
|
||||
start_crio
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crictl start "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crictl exec --sync "$ctr_id" sh -c "cat /sys/fs/cgroup/cpuset/cpuset.cpus"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "0-1" ]]
|
||||
run crictl exec --sync "$ctr_id" sh -c "cat /sys/fs/cgroup/cpuset/cpuset.mems"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "0" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
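Review bot: The new `ctr resources` test asserts `[[ "$output" =~ "0" ]]` for `cpuset.mems`, which matches almost any cgroup value (`0-1`, `10`), and `=~ "0-1"` for `cpuset.cpus` would also accept `0-15`; compare exactly with `[ "$output" = "0-1" ]` and `[ "$output" = "0" ]`. The test also depends on the fixture's `"cpuset_cpus": "0-1"`, so it fails on a single-CPU host unless it is skipped there. The `run sleep 5` lines added to the earlier tests are a fixed wait for the container to settle; polling `crictl inspect` for the expected state would be both faster and less flaky.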
|
||||
|
|
|
@ -103,7 +103,7 @@ cp "$CONMON_BINARY" "$TESTDIR/conmon"
|
|||
|
||||
PATH=$PATH:$TESTDIR
|
||||
|
||||
# Make sure we have a copy of the redis:latest image.
|
||||
# Make sure we have a copy of the redis:alpine image.
|
||||
if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then
|
||||
mkdir -p "$ARTIFACTS_PATH"/redis-image
|
||||
if ! "$COPYIMG_BINARY" --import-from=docker://redis:alpine --export-to=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
|
||||
|
@ -113,19 +113,6 @@ if ! [ -d "$ARTIFACTS_PATH"/redis-image ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# TODO: remove the code below for redis digested image id when
|
||||
# https://github.com/kubernetes-incubator/cri-o/issues/531 is complete
|
||||
# as the digested reference will be auto-stored when pulling the tag
|
||||
# above
|
||||
if ! [ -d "$ARTIFACTS_PATH"/redis-image-digest ]; then
|
||||
mkdir -p "$ARTIFACTS_PATH"/redis-image-digest
|
||||
if ! "$COPYIMG_BINARY" --import-from=docker://redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b --export-to=dir:"$ARTIFACTS_PATH"/redis-image-digest --signature-policy="$INTEGRATION_ROOT"/policy.json ; then
|
||||
echo "Error pulling docker://redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b"
|
||||
rm -fr "$ARTIFACTS_PATH"/redis-image-digest
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Make sure we have a copy of the runcom/stderr-test image.
|
||||
if ! [ -d "$ARTIFACTS_PATH"/stderr-test ]; then
|
||||
mkdir -p "$ARTIFACTS_PATH"/stderr-test
|
||||
|
@ -225,16 +212,11 @@ function start_crio() {
|
|||
if ! [ "$3" = "--no-pause-image" ] ; then
|
||||
"$BIN2IMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --source-binary "$PAUSE_BINARY"
|
||||
fi
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --add-name=docker.io/library/redis:alpine --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
# TODO: remove the code below for redis:alpine digested image id when
|
||||
# https://github.com/kubernetes-incubator/cri-o/issues/531 is complete
|
||||
# as the digested reference will be auto-stored when pulling the tag
|
||||
# above
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b --import-from=dir:"$ARTIFACTS_PATH"/redis-image-digest --add-name=docker.io/library/redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=mrunalp/oom --import-from=dir:"$ARTIFACTS_PATH"/oom-image --add-name=docker.io/library/mrunalp/oom --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=mrunalp/image-volume-test --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --add-name=docker.io/library/mrunalp/image-volume-test --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --add-name=docker.io/library/busybox:latest --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --add-name=docker.io/runcom/stderr-test:latest --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/redis:alpine --import-from=dir:"$ARTIFACTS_PATH"/redis-image --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/oom:latest --import-from=dir:"$ARTIFACTS_PATH"/oom-image --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/mrunalp/image-volume-test:latest --import-from=dir:"$ARTIFACTS_PATH"/image-volume-test-image --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/library/busybox:latest --import-from=dir:"$ARTIFACTS_PATH"/busybox-image --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name=docker.io/runcom/stderr-test:latest --import-from=dir:"$ARTIFACTS_PATH"/stderr-test --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
"$CRIO_BINARY" ${DEFAULT_MOUNTS_OPTS} ${HOOKS_OPTS} --conmon "$CONMON_BINARY" --listen "$CRIO_SOCKET" --cgroup-manager "$CGROUP_MANAGER" --registry "docker.io" --runtime "$RUNTIME_BINARY" --root "$TESTDIR/crio" --runroot "$TESTDIR/crio-run" $STORAGE_OPTIONS --seccomp-profile "$seccomp" --apparmor-profile "$apparmor" --cni-config-dir "$CRIO_CNI_CONFIG" --cni-plugin-dir "$CRIO_CNI_PLUGIN" --signature-policy "$INTEGRATION_ROOT"/policy.json --image-volumes "$IMAGE_VOLUMES" --pids-limit "$PIDS_LIMIT" --enable-shared-pid-namespace=${ENABLE_SHARED_PID_NAMESPACE} --log-size-max "$LOG_SIZE_MAX_LIMIT" --config /dev/null config >$CRIO_CONFIG
|
||||
|
||||
# Prepare the CNI configuration files, we're running with non host networking by default
|
||||
|
@ -252,44 +234,28 @@ function start_crio() {
|
|||
if [ "$status" -ne 0 ] ; then
|
||||
crictl pull redis:alpine
|
||||
fi
|
||||
REDIS_IMAGEID=$(crictl inspecti redis:alpine | head -1 | sed -e "s/ID: //g")
|
||||
REDIS_IMAGEID=$(crictl inspecti redis:alpine | grep ^ID: | head -n 1 | sed -e "s/ID: //g")
|
||||
REDIS_IMAGEREF=$(crictl inspecti redis:alpine | grep ^Digest: | head -n 1 | sed -e "s/Digest: //g")
|
||||
run crictl inspecti mrunalp/oom
|
||||
if [ "$status" -ne 0 ] ; then
|
||||
crictl pull mrunalp/oom
|
||||
fi
|
||||
#
|
||||
#
|
||||
#
|
||||
# TODO: remove the code below for redis digested image id when
|
||||
# https://github.com/kubernetes-incubator/cri-o/issues/531 is complete
|
||||
# as the digested reference will be auto-stored when pulling the tag
|
||||
# above
|
||||
#
|
||||
#
|
||||
#
|
||||
REDIS_IMAGEID_DIGESTED="redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b"
|
||||
run crictl inspecti $REDIS_IMAGEID_DIGESTED
|
||||
if [ "$status" -ne 0 ]; then
|
||||
crictl pull $REDIS_IMAGEID_DIGESTED
|
||||
fi
|
||||
#
|
||||
#
|
||||
#
|
||||
run crictl inspecti runcom/stderr-test
|
||||
OOM_IMAGEID=$(crictl inspecti mrunalp/oom | grep ^ID: | head -n 1 | sed -e "s/ID: //g")
|
||||
run crioctl image status --id=runcom/stderr-test
|
||||
if [ "$status" -ne 0 ] ; then
|
||||
crictl pull runcom/stderr-test:latest
|
||||
fi
|
||||
STDERR_IMAGEID=$(crictl inspecti runcom/stderr-test | head -1 | sed -e "s/ID: //g")
|
||||
STDERR_IMAGEID=$(crictl inspecti runcom/stderr-test | grep ^ID: | head -n 1 | sed -e "s/ID: //g")
|
||||
run crictl inspecti busybox
|
||||
if [ "$status" -ne 0 ] ; then
|
||||
crictl pull busybox:latest
|
||||
fi
|
||||
BUSYBOX_IMAGEID=$(crictl inspecti busybox | head -1 | sed -e "s/ID: //g")
|
||||
BUSYBOX_IMAGEID=$(crictl inspecti busybox | grep ^ID: | head -n 1 | sed -e "s/ID: //g")
|
||||
run crictl inspecti mrunalp/image-volume-test
|
||||
if [ "$status" -ne 0 ] ; then
|
||||
crictl pull mrunalp/image-volume-test:latest
|
||||
fi
|
||||
VOLUME_IMAGEID=$(crictl inspecti mrunalp/image-volume-test | head -1 | sed -e "s/ID: //g")
|
||||
VOLUME_IMAGEID=$(crictl inspecti mrunalp/image-volume-test | grep ^ID: | head -n 1 | sed -e "s/ID: //g")
|
||||
}
|
||||
|
||||
function cleanup_ctrs() {
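Review bot: In the last hunk, reading the old/new order as removed-then-added, the stderr-test probe on the new side becomes `run crioctl image status --id=runcom/stderr-test`, while every sibling probe in the same function uses `crictl inspecti`; if `crioctl` is not on the test PATH the `run` fails every time and `crictl pull runcom/stderr-test:latest` is always executed, silently defeating the cache check. It should read `run crictl inspecti runcom/stderr-test` like the others. The new `REDIS_IMAGEREF` extraction via `grep ^Digest:` depends on the exact `crictl inspecti` output layout, as the `^ID:` lines already do; a one-line comment saying so would help whoever next bumps crictl.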
|
||||
|
|
105
test/image.bats
105
test/image.bats
|
@ -20,12 +20,16 @@ function teardown() {
|
|||
run crictl create "$pod_id" "$TESTDIR"/ctr_by_imageid.json "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crictl start "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "container status return image:tag if created by image ID" {
|
||||
@test "container status when created by image ID" {
|
||||
start_crio
|
||||
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
|
@ -43,16 +47,15 @@ function teardown() {
|
|||
run crictl inspect "$ctr_id" --output yaml
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "image: redis:alpine" ]]
|
||||
[[ "$output" =~ "image: docker.io/library/redis:alpine" ]]
|
||||
[[ "$output" =~ "imageRef: $REDIS_IMAGEREF" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "container status return image@digest if created by image ID and digest available" {
|
||||
skip "depends on https://github.com/kubernetes-incubator/cri-o/issues/531"
|
||||
|
||||
@test "container status when created by image tagged reference" {
|
||||
start_crio
|
||||
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
|
@ -60,9 +63,9 @@ function teardown() {
|
|||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
|
||||
sed -e "s/%VALUE%/$REDIS_IMAGEID_DIGESTED/g" "$TESTDATA"/container_config_by_imageid.json > "$TESTDIR"/ctr_by_imageid.json
|
||||
sed -e "s/%VALUE%/redis:alpine/g" "$TESTDATA"/container_config_by_imageid.json > "$TESTDIR"/ctr_by_imagetag.json
|
||||
|
||||
run crictl create "$pod_id" "$TESTDIR"/ctr_by_imageid.json "$TESTDATA"/sandbox_config.json
|
||||
run crictl create "$pod_id" "$TESTDIR"/ctr_by_imagetag.json "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
|
@ -70,22 +73,64 @@ function teardown() {
|
|||
run crictl inspect "$ctr_id" --output yaml
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "image_ref: redis@sha256:03789f402b2ecfb98184bf128d180f398f81c63364948ff1454583b02442f73b" ]]
|
||||
[[ "$output" =~ "image: docker.io/library/redis:alpine" ]]
|
||||
[[ "$output" =~ "imageRef: $REDIS_IMAGEREF" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "image pull" {
|
||||
@test "container status when created by image canonical reference" {
|
||||
start_crio
|
||||
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
|
||||
sed -e "s|%VALUE%|$REDIS_IMAGEREF|g" "$TESTDATA"/container_config_by_imageid.json > "$TESTDIR"/ctr_by_imageref.json
|
||||
|
||||
run crictl create "$pod_id" "$TESTDIR"/ctr_by_imageref.json "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
|
||||
run crictl start "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crictl inspect "$ctr_id" --output yaml
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "image: docker.io/library/redis:alpine" ]]
|
||||
[[ "$output" =~ "imageRef: $REDIS_IMAGEREF" ]]
|
||||
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "image pull and list" {
|
||||
start_crio "" "" --no-pause-image
|
||||
run crictl pull "$IMAGE"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
run crictl inspecti "$IMAGE"
|
||||
|
||||
run crictl images --quiet "$IMAGE"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
imageid="$output"
|
||||
|
||||
run crictl images @"$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "$IMAGE" ]]
|
||||
|
||||
run crictl images --quiet "$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
cleanup_images
|
||||
stop_crio
|
||||
}
|
||||
|
@ -108,7 +153,33 @@ function teardown() {
|
|||
stop_crio
|
||||
}
|
||||
|
||||
@test "image pull and list by digest" {
|
||||
@test "image pull and list by tag and ID" {
|
||||
start_crio "" "" --no-pause-image
|
||||
run crictl pull "$IMAGE:go"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crictl images --quiet "$IMAGE:go"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
imageid="$output"
|
||||
|
||||
run crictl images --quiet @"$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
|
||||
run crictl images --quiet "$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
|
||||
cleanup_images
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "image pull and list by digest and ID" {
|
||||
start_crio "" "" --no-pause-image
|
||||
run crictl pull nginx@sha256:33eb1ed1e802d4f71e52421f56af028cdf12bb3bfff5affeaf5bf0e328ffa1bc
|
||||
echo "$output"
|
||||
|
@ -118,18 +189,14 @@ function teardown() {
|
|||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
imageid="$output"
|
||||
|
||||
run crictl images --quiet nginx@33eb1ed1e802d4f71e52421f56af028cdf12bb3bfff5affeaf5bf0e328ffa1bc
|
||||
run crictl images --quiet @"$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
|
||||
run crictl images --quiet @33eb1ed1e802d4f71e52421f56af028cdf12bb3bfff5affeaf5bf0e328ffa1bc
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
|
||||
run crictl images --quiet 33eb1ed1e802d4f71e52421f56af028cdf12bb3bfff5affeaf5bf0e328ffa1bc
|
||||
run crictl images --quiet "$imageid"
|
||||
[ "$status" -eq 0 ]
|
||||
echo "$output"
|
||||
[ "$output" != "" ]
|
||||
|
@ -198,7 +265,7 @@ function teardown() {
|
|||
[ "$status" -eq 0 ]
|
||||
[ "$output" != "" ]
|
||||
printf '%s\n' "$output" | while IFS= read -r id; do
|
||||
run crictl inspecti "$id"
|
||||
run crictl images -v "$id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" != "" ]
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
load helpers
|
||||
|
||||
IMAGE=docker.io/kubernetes/pause
|
||||
|
||||
function teardown() {
|
||||
cleanup_test
|
||||
}
|
||||
|
||||
@test "image remove with multiple names, by name" {
|
||||
start_crio "" "" --no-pause-image
|
||||
# Pull the image, giving it one name.
|
||||
run crictl pull "$IMAGE"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
# Add a second name to the image.
|
||||
run "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name="$IMAGE":latest --add-name="$IMAGE":othertag --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
# Get the list of image names and IDs.
|
||||
run crictl images -v
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" != "" ]
|
||||
# Cycle through each name, removing it by name. The image that we assigned a second
|
||||
# name to should still be around when we get to removing its second name.
|
||||
grep ^RepoTags: <<< "$output" | while read -r header tag ignored ; do
|
||||
run crictl rmi "$tag"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
done
|
||||
# List all images and their names. There should be none now.
|
||||
run crictl images --quiet
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" = "" ]
|
||||
printf '%s\n' "$output" | while IFS= read -r id; do
|
||||
echo "$id"
|
||||
done
|
||||
# All done.
|
||||
cleanup_images
|
||||
stop_crio
|
||||
}
|
||||
|
||||
@test "image remove with multiple names, by ID" {
|
||||
start_crio "" "" --no-pause-image
|
||||
# Pull the image, giving it one name.
|
||||
run crictl pull "$IMAGE"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
# Add a second name to the image.
|
||||
run "$COPYIMG_BINARY" --root "$TESTDIR/crio" $STORAGE_OPTIONS --runroot "$TESTDIR/crio-run" --image-name="$IMAGE":latest --add-name="$IMAGE":othertag --signature-policy="$INTEGRATION_ROOT"/policy.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
# Get the list of the image's names and its ID.
|
||||
run crictl images -v "$IMAGE":latest
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" != "" ]
|
||||
# Try to remove the image using its ID. That should succeed.
|
||||
grep ^ID: <<< "$output" | while read -r header id ; do
|
||||
run crictl rmi "$id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
done
|
||||
# The image should be gone now.
|
||||
run crictl images -v "$IMAGE"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$output" = "" ]
|
||||
# All done.
|
||||
cleanup_images
|
||||
stop_crio
|
||||
}
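Review bot: In `image remove with multiple names, by name`, the `while read -r header tag ignored` loop removes only the first tag of each `RepoTags:` line; if `crictl images -v` lists several tags of one image on a single line, which the setup makes likely since it adds `othertag` to the same image, the second name is never removed and the later `[ "$output" = "" ]` check fails for the wrong reason. Reading the whole line into an array with `read -r -a fields` and iterating `for tag in "${fields[@]:1}"` would match the comment's intent; the exact output layout of `crictl images -v` should be confirmed first. The `printf '%s\n' "$output" | while … done` loop immediately after the emptiness assertion can never print anything and is dead code.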
|
|
@ -55,7 +55,7 @@ function teardown() {
|
|||
run crictl exec --sync "$ctr_id" touch /imagevolume/test_file
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
[ "$output" = "" ]
|
||||
run crictl stops "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
|
|
|
@ -30,13 +30,15 @@ function teardown() {
|
|||
out=`echo -e "GET /containers/$ctr_id HTTP/1.1\r\nHost: crio\r\n" | socat - UNIX-CONNECT:$CRIO_SOCKET`
|
||||
echo "$out"
|
||||
[[ "$out" =~ "\"sandbox\":\"$pod_id\"" ]]
|
||||
[[ "$out" =~ "\"image\":\"redis:alpine\"" ]]
|
||||
[[ "$out" =~ "\"image\":\"docker.io/library/redis:alpine\"" ]]
|
||||
[[ "$out" =~ "\"image_ref\":\"$REDIS_IMAGEREF\"" ]]
|
||||
|
||||
run crictl inspect --output json "$ctr_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "\"id\": \"$ctr_id\"" ]]
|
||||
[[ "$output" =~ "\"image\": \"redis:alpine\"" ]]
|
||||
[[ "$output" =~ "\"image\": \"docker.io/library/redis:alpine\"" ]]
|
||||
[[ "$output" =~ "\"imageRef\": \"$REDIS_IMAGEREF\"" ]]
|
||||
|
||||
run crictl inspects --output json "$pod_id"
|
||||
echo "$output"
|
||||
|
|
|
@ -6,8 +6,8 @@ function teardown() {
|
|||
cleanup_test
|
||||
}
|
||||
|
||||
@test "pod disable shared pid namespace" {
|
||||
ENABLE_SHARED_PID_NAMESPACE="false" start_crio
|
||||
function pid_namespace_test() {
|
||||
start_crio
|
||||
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
|
@ -23,7 +23,7 @@ function teardown() {
|
|||
run crictl exec --sync "$ctr_id" cat /proc/1/cmdline
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "redis" ]]
|
||||
[[ "$output" =~ "${EXPECTED_INIT:-redis}" ]]
|
||||
|
||||
run crictl stops "$pod_id"
|
||||
echo "$output"
|
||||
|
@ -36,32 +36,10 @@ function teardown() {
|
|||
stop_crio
|
||||
}
|
||||
|
||||
@test "pod disable shared pid namespace" {
|
||||
ENABLE_SHARED_PID_NAMESPACE=false pid_namespace_test
|
||||
}
|
||||
|
||||
@test "pod enable shared pid namespace" {
|
||||
ENABLE_SHARED_PID_NAMESPACE="true" start_crio
|
||||
|
||||
run crictl runs "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
pod_id="$output"
|
||||
run crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDATA"/sandbox_config.json
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
ctr_id="$output"
|
||||
run crictl start "$ctr_id"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run crictl exec --sync "$ctr_id" cat /proc/1/cmdline
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
[[ "$output" =~ "pause" ]]
|
||||
|
||||
run crictl stops "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
run crictl rms "$pod_id"
|
||||
echo "$output"
|
||||
[ "$status" -eq 0 ]
|
||||
cleanup_ctrs
|
||||
cleanup_pods
|
||||
stop_crio
|
||||
ENABLE_SHARED_PID_NAMESPACE=true EXPECTED_INIT=pause pid_namespace_test
|
||||
}
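Review bot: The shared assertion `[[ "$output" =~ "${EXPECTED_INIT:-redis}" ]]` only checks that the expected init name appears somewhere in PID 1's cmdline, so the `pod disable shared pid namespace` case never proves that `pause` is not PID 1 — and that is the containment property this test exists to guard, since a shared PID namespace lets every container in the pod see and signal the others' processes. I would add the negative check next to it, `[[ ! "$output" =~ "${UNEXPECTED_INIT:-pause}" ]]`, and call the enable case as `ENABLE_SHARED_PID_NAMESPACE=true EXPECTED_INIT=pause UNEXPECTED_INIT=redis pid_namespace_test`. The `VAR=value pid_namespace_test` call form relies on bash exporting the assignment for the duration of the function so that `start_crio` (which presumably reads `ENABLE_SHARED_PID_NAMESPACE`, as the old `ENABLE_SHARED_PID_NAMESPACE="false" start_crio` line suggests) sees it; a one-line comment above `function pid_namespace_test()` stating that `ENABLE_SHARED_PID_NAMESPACE` and `EXPECTED_INIT` are read from the environment would spare the next reader a trip into the helpers. The middle of `pid_namespace_test` between the hunks is not shown here.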
|
||||
|
|
|
@ -49,7 +49,9 @@
|
|||
"cpu_period": 10000,
|
||||
"cpu_quota": 20000,
|
||||
"cpu_shares": 512,
|
||||
"oom_score_adj": 30
|
||||
"oom_score_adj": 30,
|
||||
"cpuset_cpus": "0-1",
|
||||
"cpuset_mems": "0"
|
||||
},
|
||||
"security_context": {
|
||||
"capabilities": {
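Review bot: `"cpuset_cpus": "0-1"` pins this fixture to hosts with at least two online CPUs, and `"cpuset_mems": "0"` to NUMA node 0; on a single-vCPU CI runner the cgroup write will presumably be rejected by the runtime, and every test that loads this config would then fail for reasons unrelated to what it is exercising. `"cpuset_cpus": "0"` keeps the field exercised without the host requirement, or the consuming test could skip when `nproc` reports fewer than two CPUs. Since this is strict JSON with no room for a comment, the host assumption should be documented in the bats test that consumes the fixture.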
|
||||
|
|
62
tutorial.md
62
tutorial.md
|
@ -66,16 +66,16 @@ The `crio` project does not ship binary releases so you'll need to build it from
|
|||
|
||||
#### Install the Go runtime and tool chain
|
||||
|
||||
Download the Go 1.7.4 binary release:
|
||||
Download the Go 1.8.5 binary release:
|
||||
|
||||
```
|
||||
wget https://storage.googleapis.com/golang/go1.7.4.linux-amd64.tar.gz
|
||||
wget https://storage.googleapis.com/golang/go1.8.5.linux-amd64.tar.gz
|
||||
```
|
||||
|
||||
Install Go 1.7.4:
|
||||
Install Go 1.8.5:
|
||||
|
||||
```
|
||||
sudo tar -xvf go1.7.4.linux-amd64.tar.gz -C /usr/local/
|
||||
sudo tar -xvf go1.8.5.linux-amd64.tar.gz -C /usr/local/
|
||||
```
|
||||
|
||||
```
|
||||
|
@ -90,14 +90,14 @@ export GOPATH=$HOME/go
|
|||
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
|
||||
```
|
||||
|
||||
At this point the Go 1.7.4 tool chain should be installed:
|
||||
At this point the Go 1.8.5 tool chain should be installed:
|
||||
|
||||
```
|
||||
go version
|
||||
```
|
||||
|
||||
```
|
||||
go version go1.7.4 linux/amd64
|
||||
go version go1.8.5 linux/amd64
|
||||
```
|
||||
|
||||
#### Get crictl
|
||||
|
@ -109,7 +109,13 @@ go get github.com/kubernetes-incubator/cri-tools/cmd/crictl
|
|||
#### Build crio from source
|
||||
|
||||
```
|
||||
sudo apt-get install -y libglib2.0-dev libseccomp-dev libapparmor-dev
|
||||
sudo apt-get update && apt-get install -y libglib2.0-dev \
|
||||
libseccomp-dev \
|
||||
libapparmor-dev \
|
||||
libgpgme11-dev \
|
||||
libdevmapper-dev \
|
||||
make \
|
||||
git
|
||||
```
|
||||
|
||||
```
|
||||
|
@ -132,32 +138,12 @@ make
|
|||
sudo make install
|
||||
```
|
||||
|
||||
Output:
|
||||
|
||||
```
|
||||
install -D -m 755 crio /usr/local/bin/crio
|
||||
install -D -m 755 conmon/conmon /usr/local/libexec/crio/conmon
|
||||
install -D -m 755 pause/pause /usr/local/libexec/crio/pause
|
||||
install -d -m 755 /usr/local/share/man/man{1,5,8}
|
||||
install -m 644 docs/crio.conf.5 -t /usr/local/share/man/man5
|
||||
install -m 644 docs/crio.8 -t /usr/local/share/man/man8
|
||||
install -D -m 644 crio.conf /etc/crio/crio.conf
|
||||
install -D -m 644 seccomp.json /etc/crio/seccomp.json
|
||||
```
|
||||
|
||||
If you are installing for the first time, generate config as follows:
|
||||
If you are installing for the first time, generate and install configuration files with:
|
||||
|
||||
```
|
||||
sudo make install.config
|
||||
```
|
||||
|
||||
Output:
|
||||
|
||||
```
|
||||
install -D -m 644 crio.conf /etc/crio/crio.conf
|
||||
install -D -m 644 seccomp.json /etc/crio/seccomp.json
|
||||
```
|
||||
|
||||
#### Start the crio system daemon
|
||||
|
||||
```
|
||||
|
@ -283,6 +269,20 @@ sudo sh -c 'cat >/etc/cni/net.d/99-loopback.conf <<-EOF
|
|||
EOF'
|
||||
```
|
||||
|
||||
Install `skopeo-containers` package from `ppa:projectatomic/ppa`
|
||||
|
||||
```
|
||||
sudo add-apt-repository ppa:projectatomic/ppa
|
||||
sudo apt-get update
|
||||
sudo apt-get install skopeo-containers -y
|
||||
```
|
||||
|
||||
Restart crio in order to apply CNI config
|
||||
|
||||
```
|
||||
systemctl restart crio
|
||||
```
|
||||
|
||||
At this point `CNI` is installed and configured to allocation IP address to containers from the `10.88.0.0/16` subnet.
|
||||
|
||||
## Pod Tutorial
|
||||
|
@ -300,15 +300,15 @@ cd $GOPATH/src/github.com/kubernetes-incubator/cri-o
|
|||
Next create the Pod and capture the Pod ID for later use:
|
||||
|
||||
```
|
||||
POD_ID=$(sudo crictl runs test/testdata/sandbox_config.json)
|
||||
POD_ID=$(sudo crictl runp test/testdata/sandbox_config.json)
|
||||
```
|
||||
|
||||
> sudo crictl runs test/testdata/sandbox_config.json
|
||||
> sudo crictl runp test/testdata/sandbox_config.json
|
||||
|
||||
Use the `crictl` command to get the status of the Pod:
|
||||
|
||||
```
|
||||
sudo crictl inspects --output table $POD_ID
|
||||
sudo crictl inspectp --output table $POD_ID
|
||||
```
|
||||
|
||||
Output:
|
||||
|
|
|
@ -5,6 +5,7 @@ type ContainerInfo struct {
|
|||
Name string `json:"name"`
|
||||
Pid int `json:"pid"`
|
||||
Image string `json:"image"`
|
||||
ImageRef string `json:"image_ref"`
|
||||
CreatedTime int64 `json:"created_time"`
|
||||
Labels map[string]string `json:"labels"`
|
||||
Annotations map[string]string `json:"annotations"`
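Review bot: The new exported field `ImageRef` has no doc comment, and nothing in the struct says how it differs from `Image`; from the inspect tests in this change it appears to hold a digest-style reference (compared against `$REDIS_IMAGEREF`) while `Image` holds the fully-qualified name. I would add `// ImageRef is the resolved reference of the image the container was created from (expected to be digest-based, unlike Image); confirm against the server-side code that populates it.` above the field. The struct closes outside this hunk.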
|
||||
|
|
13
vendor.conf
13
vendor.conf
|
@ -1,10 +1,10 @@
|
|||
k8s.io/kubernetes v1.9.0-alpha.2 https://github.com/kubernetes/kubernetes
|
||||
k8s.io/kubernetes a48f11c2257d84b0bec89864025508b0ef626b4f https://github.com/kubernetes/kubernetes
|
||||
k8s.io/client-go master https://github.com/kubernetes/client-go
|
||||
k8s.io/apimachinery master https://github.com/kubernetes/apimachinery
|
||||
k8s.io/apiserver master https://github.com/kubernetes/apiserver
|
||||
k8s.io/utils 4fe312863be2155a7b68acd2aff1c9221b24e68c https://github.com/kubernetes/utils
|
||||
k8s.io/api master https://github.com/kubernetes/api
|
||||
k8s.io/kube-openapi abfc5fbe1cf87ee697db107fdfd24c32fe4397a8 https://github.com/kubernetes/kube-openapi
|
||||
k8s.io/kube-openapi 39a7bf85c140f972372c2a0d1ee40adbf0c8bfe1 https://github.com/kubernetes/kube-openapi
|
||||
k8s.io/apiextensions-apiserver master https://github.com/kubernetes/apiextensions-apiserver
|
||||
#
|
||||
github.com/googleapis/gnostic 0c5108395e2debce0d731cf0287ddf7242066aba
|
||||
|
@ -12,15 +12,15 @@ github.com/gregjones/httpcache 787624de3eb7bd915c329cba748687a3b22666a6
|
|||
github.com/json-iterator/go 1.0.0
|
||||
github.com/peterbourgon/diskv v2.0.1
|
||||
github.com/sirupsen/logrus v1.0.0
|
||||
github.com/containers/image 57b257d128d6075ea3287991ee408d24c7bd2758
|
||||
github.com/containers/image 3d0304a02154dddc8f97cc833aa0861cea5e9ade
|
||||
github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
|
||||
github.com/ostreedev/ostree-go master
|
||||
github.com/containers/storage d7921c6facc516358070a1306689eda18adaa20a
|
||||
github.com/containers/storage 0d32dfce498e06c132c60dac945081bf44c22464
|
||||
github.com/containernetworking/cni v0.4.0
|
||||
google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
|
||||
github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
|
||||
github.com/opencontainers/go-digest v1.0.0-rc0
|
||||
github.com/opencontainers/runtime-tools d3f7e9e9e631c7e87552d67dc7c86de33c3fb68a
|
||||
github.com/opencontainers/runtime-tools 625e2322645b151a7cbb93a8b42920933e72167f
|
||||
github.com/opencontainers/runc 45bde006ca8c90e089894508708bcf0e2cdf9e13
|
||||
github.com/mrunalp/fileutils master
|
||||
github.com/vishvananda/netlink master
|
||||
|
@ -113,3 +113,6 @@ github.com/hashicorp/errwrap 7554cd9344cec97297fa6649b055a8c98c2a1e55
|
|||
github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
|
||||
github.com/stretchr/testify 4d4bfba8f1d1027c4fdbe371823030df51419987
|
||||
github.com/pmezard/go-difflib v1.0.0
|
||||
github.com/xeipuuv/gojsonreference master
|
||||
github.com/xeipuuv/gojsonschema master
|
||||
github.com/xeipuuv/gojsonpointer master
|
||||
|
|