Merge pull request #933 from erikwilson/bump-cri

Bump containerd, cri, & cri-tools
Erik Wilson 2019-10-22 13:53:48 -07:00 committed by GitHub
commit f9888ca3bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 226 additions and 108 deletions

6
go.mod

@ -7,7 +7,7 @@ replace (
github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
github.com/containerd/containerd => github.com/rancher/containerd v1.3.0-k3s.1
github.com/containerd/containerd => github.com/rancher/containerd v1.3.0-k3s.2
github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
@ -23,7 +23,7 @@ replace (
github.com/golangci/gosec => github.com/golangci/gosec v0.0.0-20190211064107-66fb7fc33547
github.com/golangci/ineffassign => github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc
github.com/golangci/lint-1 => github.com/golangci/lint-1 v0.0.0-20190420132249-ee948d087217
github.com/kubernetes-sigs/cri-tools => github.com/rancher/cri-tools v1.16.0-k3s.1
github.com/kubernetes-sigs/cri-tools => github.com/rancher/cri-tools v1.16.1-k3s.1
github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1
github.com/prometheus/client_golang => github.com/prometheus/client_golang v0.9.2
@ -67,7 +67,7 @@ require (
github.com/containerd/cgroups v0.0.0-20190923161937-abd0b19954a6 // indirect
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69
github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect
github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89
github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be
github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c // indirect
github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee // indirect
github.com/containerd/go-runc v0.0.0-20190923131748-a2952bc25f51 // indirect

12
go.sum

@ -100,8 +100,8 @@ github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50 h1:WMpHmC6AxwWb
github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02 h1:tN9D97v5A5QuKdcKHKt+UMKrkQ5YXUnD8iM7IAAjEfI=
github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89 h1:RIq5tp1MCjyzXik4Bh8S8nKkhrp/NoFAdND3FEQ+5H0=
github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89/go.mod h1:DavH5Qa8+6jOmeOMO3dhWoqksucZDe06LfuhBz/xPZs=
github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be h1:KHWCXlSziZmCfhtrX1YuWzL/EJ7OBViYvUn4wJzHZ0E=
github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be/go.mod h1:DavH5Qa8+6jOmeOMO3dhWoqksucZDe06LfuhBz/xPZs=
github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c h1:KFbqHhDeaHM7IfFtXHfUHMDaUStpM2YwBR+iJCIOsKk=
github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
github.com/containerd/go-cni v0.0.0-20190904155053-d20b7eebc7ee h1:fV37ZKnYs79fSyI3mu/XZFJVezrVsXBLbfojcTPpdXM=
@ -559,10 +559,10 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:
github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI=
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODlZKU0Odq4pQuDcMZEVgAh364+PV3OU=
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
github.com/rancher/containerd v1.3.0-k3s.1 h1:8dz25shb4egTLl0nOXQdtllx20LEXsuOs4qJi/jnqqg=
github.com/rancher/containerd v1.3.0-k3s.1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
github.com/rancher/cri-tools v1.16.0-k3s.1 h1:cv/iVFkfvDLfpSqGFwgyQbMKLGRzcXo8AALUsd8s5qE=
github.com/rancher/cri-tools v1.16.0-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
github.com/rancher/containerd v1.3.0-k3s.2 h1:l3hHJRVNreflDuePWkJiONdSylPqNnNoqBkerqWUcFQ=
github.com/rancher/containerd v1.3.0-k3s.2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
github.com/rancher/cri-tools v1.16.1-k3s.1 h1:iporgQ46noE6dtLzq6fWcIO2qjyPZy2m42d2P+UnGJg=
github.com/rancher/cri-tools v1.16.1-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
github.com/rancher/dynamiclistener v0.1.1-0.20191010011134-8a2488bc860a h1:1bUYAv5U/Ky4YJ9o8gWxX+vNcjpIL3JWNBao70OlkFE=
github.com/rancher/dynamiclistener v0.1.1-0.20191010011134-8a2488bc860a/go.mod h1:8hbGf35mB7ormKEFqsAgjgeI5rLbj5N764jG41dNhps=
github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=


@ -77,6 +77,7 @@ script:
- go build -i .
- make check
- if [ "$GOOS" = "linux" ]; then make check-protos check-api-descriptors; fi
- if [ "$TRAVIS_GOOS" = "linux" ]; then make man ; fi
- make build
- make binaries
- if [ "$TRAVIS_GOOS" = "linux" ]; then sudo make install ; fi


@ -203,11 +203,19 @@ man: mandir $(addprefix man/,$(MANPAGES))
mandir:
@mkdir -p man
genman: FORCE
go run cmd/gen-manpages/main.go man/
# Kept for backwards compatability
genman: man/containerd.1 man/ctr.1
man/containerd.1: FORCE
@echo "$(WHALE) $@"
go run cmd/gen-manpages/main.go containerd man/
man/ctr.1: FORCE
@echo "$(WHALE) $@"
go run cmd/gen-manpages/main.go ctr man/
man/%: docs/man/%.md FORCE
@echo "$(WHALE) $<"
@echo "$(WHALE) $@"
go-md2man -in "$<" -out "$@"
define installmanpage
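Review bot: The new comment above `genman` misspells the word: `# Kept for backwards compatability` should read `# Kept for backwards compatibility`. Separately, `genman` now depends on `man/containerd.1` and `man/ctr.1`, but unlike the `man` target it does not list `mandir`, so whether `man/` exists when `go run cmd/gen-manpages/main.go containerd man/` runs depends on the generator creating it, which is not visible here. If the generator does not create it, `genman: mandir man/containerd.1 man/ctr.1` would make the compatibility target self-sufficient.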


@ -1,7 +1,7 @@
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay


@ -40,7 +40,9 @@ import (
var bufPool = sync.Pool{
New: func() interface{} {
buffer := make([]byte, 32<<10)
// setting to 4096 to align with PIPE_BUF
// http://man7.org/linux/man-pages/man7/pipe.7.html
buffer := make([]byte, 4096)
return &buffer
},
}


@ -91,9 +91,12 @@ func (t *Task) PID() uint32 {
// Delete the task and return the exit status
func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
rsp, err := t.shim.Delete(ctx, empty)
if err != nil && !errdefs.IsNotFound(err) {
return nil, errdefs.FromGRPC(err)
rsp, shimErr := t.shim.Delete(ctx, empty)
if shimErr != nil {
shimErr = errdefs.FromGRPC(shimErr)
if !errdefs.IsNotFound(shimErr) {
return nil, shimErr
}
}
t.tasks.Delete(ctx, t.id)
if err := t.shim.KillShim(ctx); err != nil {
@ -102,6 +105,9 @@ func (t *Task) Delete(ctx context.Context) (*runtime.Exit, error) {
if err := t.bundle.Delete(); err != nil {
log.G(ctx).WithError(err).Error("failed to delete bundle")
}
if shimErr != nil {
return nil, shimErr
}
t.events.Publish(ctx, runtime.TaskDeleteEventTopic, &eventstypes.TaskDelete{
ContainerID: t.id,
ExitStatus: rsp.ExitStatus,
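Review bot: The doc comment `// Delete the task and return the exit status` no longer describes the NotFound path. When the shim reports NotFound, the cleanup below (`t.tasks.Delete`, `KillShim`, `bundle.Delete`) still runs, and the second `if shimErr != nil` then returns the error before the TaskDelete event is published. I would add `// shim already gone: cleanup is done, but there is no exit status to publish` above that second check, and say in the doc comment that callers receive a NotFound error after a completed cleanup. The same wording fits `(s *shim) Delete` in the later section of this page. Delete's body continues outside the hunk.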


@ -55,7 +55,7 @@ var (
empty = &ptypes.Empty{}
bufPool = sync.Pool{
New: func() interface{} {
buffer := make([]byte, 32<<10)
buffer := make([]byte, 4096)
return &buffer
},
}
@ -217,7 +217,7 @@ func (s *Service) Delete(ctx context.Context, r *ptypes.Empty) (*shimapi.DeleteR
return nil, err
}
if err := p.Delete(ctx); err != nil {
return nil, err
return nil, errdefs.ToGRPC(err)
}
s.mu.Lock()
delete(s.processes, s.id)
@ -240,7 +240,7 @@ func (s *Service) DeleteProcess(ctx context.Context, r *shimapi.DeleteProcessReq
return nil, err
}
if err := p.Delete(ctx); err != nil {
return nil, err
return nil, errdefs.ToGRPC(err)
}
s.mu.Lock()
delete(s.processes, r.ID)
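Review bot: The `buffer := make([]byte, 4096)` line in this bufPool has no explanation, while the two other bufPool declarations changed on this page carry the PIPE_BUF comment. A reader of this file alone cannot tell why the size dropped from `32<<10`. I would add `// 4096 matches PIPE_BUF, see pipe(7)` above it so the three copies stay in step. A shared named constant would be the tidier long-term form, if the packages allow it.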


@ -55,6 +55,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
io.CopyBuffer(epollConsole, in, *bp)
// we need to shutdown epollConsole when pipe broken
epollConsole.Shutdown(p.epoller.CloseConsole)
epollConsole.Close()
}()
}
@ -73,9 +74,8 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
p := bufPool.Get().(*[]byte)
defer bufPool.Put(p)
io.CopyBuffer(outw, epollConsole, *p)
epollConsole.Close()
outr.Close()
outw.Close()
outr.Close()
wg.Done()
}()
cwg.Wait()
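Review bot: After this change `epollConsole.Close()` runs only at the end of the stdin copy goroutine. The `}()` followed by `}` suggests that goroutine sits inside a conditional branch, so when that branch is skipped nothing visible here closes epollConsole. CopyConsole's body starts and ends outside the hunk, so the close may happen elsewhere; if it does not, each console started without stdin leaves a descriptor open in the shim. The return values of `Shutdown` and `Close` are also dropped, and a comment such as `// Close errors are ignored: the console is being torn down` would make that deliberate. The second CopyConsole section further down the page makes the same move and raises the same question.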


@ -32,7 +32,9 @@ import (
var bufPool = sync.Pool{
New: func() interface{} {
buffer := make([]byte, 32<<10)
// setting to 4096 to align with PIPE_BUF
// http://man7.org/linux/man-pages/man7/pipe.7.html
buffer := make([]byte, 4096)
return &buffer
},
}
@ -77,6 +79,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
io.CopyBuffer(epollConsole, in, *bp)
// we need to shutdown epollConsole when pipe broken
epollConsole.Shutdown(p.epoller.CloseConsole)
epollConsole.Close()
}()
}
@ -95,9 +98,9 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
buf := bufPool.Get().(*[]byte)
defer bufPool.Put(buf)
io.CopyBuffer(outw, epollConsole, *buf)
epollConsole.Close()
outr.Close()
outw.Close()
outr.Close()
wg.Done()
}()
cwg.Wait()


@ -222,11 +222,14 @@ func (s *shim) Close() error {
}
func (s *shim) Delete(ctx context.Context) (*runtime.Exit, error) {
response, err := s.task.Delete(ctx, &task.DeleteRequest{
response, shimErr := s.task.Delete(ctx, &task.DeleteRequest{
ID: s.ID(),
})
if err != nil && !errdefs.IsNotFound(err) {
return nil, errdefs.FromGRPC(err)
if shimErr != nil {
shimErr = errdefs.FromGRPC(shimErr)
if !errdefs.IsNotFound(shimErr) {
return nil, shimErr
}
}
// remove self from the runtime task list
// this seems dirty but it cleans up the API across runtimes, tasks, and the service
@ -238,6 +241,9 @@ func (s *shim) Delete(ctx context.Context) (*runtime.Exit, error) {
if err := s.bundle.Delete(); err != nil {
log.G(ctx).WithError(err).Error("failed to delete bundle")
}
if shimErr != nil {
return nil, shimErr
}
return &runtime.Exit{
Status: response.ExitStatus,
Timestamp: response.ExitedAt,


@ -241,7 +241,7 @@ func (l *local) Delete(ctx context.Context, r *api.DeleteTaskRequest, _ ...grpc.
}
exit, err := t.Delete(ctx)
if err != nil {
return nil, err
return nil, errdefs.ToGRPC(err)
}
return &api.DeleteResponse{
ExitStatus: exit.Status,
@ -257,7 +257,7 @@ func (l *local) DeleteProcess(ctx context.Context, r *api.DeleteProcessRequest,
}
process, err := t.Process(ctx, r.ExecID)
if err != nil {
return nil, err
return nil, errdefs.ToGRPC(err)
}
exit, err := process.Delete(ctx)
if err != nil {


@ -286,7 +286,15 @@ func (o *snapshotter) createSnapshot(ctx context.Context, kind snapshots.Kind, k
if td != "" {
if len(s.ParentIDs) > 0 {
parent := o.getSnapshotDir(s.ParentIDs[0])
if err := fs.CopyDir(td, parent); err != nil {
xattrErrorHandler := func(dst, src, xattrKey string, copyErr error) error {
// security.* xattr cannot be copied in most cases (moby/buildkit#1189)
log.G(ctx).WithError(copyErr).Debugf("failed to copy xattr %q", xattrKey)
return nil
}
copyDirOpts := []fs.CopyDirOpt{
fs.WithXAttrErrorHandler(xattrErrorHandler),
}
if err := fs.CopyDir(td, parent, copyDirOpts...); err != nil {
return nil, errors.Wrap(err, "copying of parent failed")
}
}
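Review bot: `xattrErrorHandler` returns nil for every xattr key, although its comment only justifies skipping `security.*`. A failure to copy any other attribute is therefore swallowed too, and it is logged only at Debug level. Attributes in the security namespace carry labels and file capabilities, so a silent drop changes what the copied directory enforces; it deserves at least a Warn-level line naming `dst`. I would make the handler match its comment with `if !strings.HasPrefix(xattrKey, "security.") { return copyErr }` as its first statement. This assumes `strings` is imported in this file, which the hunk does not show. createSnapshot's body continues outside the hunk.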


@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.2.1
github.com/gogo/googleapis v1.2.0
github.com/golang/protobuf v1.2.0
github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
github.com/opencontainers/runc 3e425f80a8c931f88e6d94a8c831b9d5aa481657 # v1.0.0-rc8+ CVE-2019-16884
github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a # v1.0.0-rc9
github.com/konsorten/go-windows-terminal-sequences v1.0.1
github.com/sirupsen/logrus v1.4.1
github.com/urfave/cli v1.22.0


@ -21,14 +21,14 @@ cache:
- "${HOME}/google-cloud-sdk/"
before_install:
# libseccomp in trusty is not new enough, need backports version.
- sudo sh -c "echo 'deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse' > /etc/apt/sources.list.d/backports.list"
- sudo apt-get update
# Enable ipv6 for dualstack integration test.
- sudo sysctl net.ipv6.conf.all.disable_ipv6=0
install:
- sudo apt-get install btrfs-tools
- sudo apt-get install libseccomp2/trusty-backports
- sudo apt-get install libseccomp-dev/trusty-backports
- sudo apt-get install libseccomp2
- sudo apt-get install libseccomp-dev
- sudo apt-get install socat
before_script:


@ -170,7 +170,10 @@ install.tools: .install.gitvalidation .install.golangci-lint .install.vndr ## in
.install.golangci-lint:
@echo "$(WHALE) $@"
$(GO) get -u github.com/golangci/golangci-lint/cmd/golangci-lint
$(GO) get -d github.com/golangci/golangci-lint/cmd/golangci-lint
@cd $(GOPATH)/src/github.com/golangci/golangci-lint/cmd/golangci-lint; \
git checkout v1.18.0; \
go install
.install.vndr:
@echo "$(WHALE) $@"
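Review bot: The three commands in the new `.install.golangci-lint` recipe are joined with `;`, so a failed `cd` or a failed `git checkout v1.18.0` does not stop the recipe. `go install` then builds whatever is in the current directory or at the current HEAD, which defeats the pin. Chaining with `&&` makes the pin enforceable: `@cd $(GOPATH)/src/github.com/golangci/golangci-lint/cmd/golangci-lint && git checkout v1.18.0 && $(GO) install`. That form also uses `$(GO)` like the `get -d` line above it, rather than a bare `go`. A tag can be moved upstream, so checking out the corresponding commit hash would be the stricter pin.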


@ -85,8 +85,9 @@ type CniConfig struct {
NetworkPluginMaxConfNum int `toml:"max_conf_num" json:"maxConfNum"`
// NetworkPluginConfTemplate is the file path of golang template used to generate
// cni config.
// When it is set, containerd will get cidr from kubelet to replace {{.PodCIDR}} in
// the template, and write the config into NetworkPluginConfDir.
// When it is set, containerd will get cidr(s) from kubelet to replace {{.PodCIDR}},
// {{.PodCIDRRanges}} or {{.Routes}} in the template, and write the config into
// NetworkPluginConfDir.
// Ideally the cni config should be placed by system admin or cni daemon like calico,
// weaveworks etc. However, there are still users using kubenet
// (https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#kubenet)


@ -331,6 +331,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
customopts.WithoutDefaultSecuritySettings,
customopts.WithRelativeRoot(relativeRootfsPath),
customopts.WithProcessArgs(config, imageConfig),
oci.WithDefaultPathEnv,
// this will be set based on the security context below
oci.WithNewPrivileges,
}


@ -139,14 +139,13 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
// In this case however caching the IP will add a subtle performance enhancement by avoiding
// calls to network namespace of the pod to query the IP of the veth interface on every
// SandboxStatus request.
sandbox.IP, sandbox.CNIResult, err = c.setupPod(ctx, id, sandbox.NetNSPath, config)
if err != nil {
if err := c.setupPodNetwork(ctx, &sandbox); err != nil {
return nil, errors.Wrapf(err, "failed to setup network for sandbox %q", id)
}
defer func() {
if retErr != nil {
// Teardown network if an error is returned.
if err := c.teardownPod(ctx, id, sandbox.NetNSPath, config); err != nil {
if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id)
}
}
@ -544,10 +543,15 @@ func (c *criService) unmountSandboxFiles(id string, config *runtime.PodSandboxCo
return nil
}
// setupPod setups up the network for a pod
func (c *criService) setupPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) (string, *cni.CNIResult, error) {
// setupPodNetwork setups up the network for a pod
func (c *criService) setupPodNetwork(ctx context.Context, sandbox *sandboxstore.Sandbox) error {
var (
id = sandbox.ID
config = sandbox.Config
path = sandbox.NetNSPath
)
if c.netPlugin == nil {
return "", nil, errors.New("cni config not initialized")
return errors.New("cni config not initialized")
}
labels := getPodCNILabels(id, config)
@ -556,7 +560,7 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi
// or an unreasonable valure see validateBandwidthIsReasonable()
bandWidth, err := toCNIBandWidth(config.Annotations)
if err != nil {
return "", nil, errors.Wrap(err, "failed to get bandwidth info from annotations")
return errors.Wrap(err, "failed to get bandwidth info from annotations")
}
result, err := c.netPlugin.Setup(ctx, id,
@ -567,18 +571,20 @@ func (c *criService) setupPod(ctx context.Context, id string, path string, confi
)
if err != nil {
return "", nil, err
return err
}
logDebugCNIResult(ctx, id, result)
// Check if the default interface has IP config
if configs, ok := result.Interfaces[defaultIfName]; ok && len(configs.IPConfigs) > 0 {
return selectPodIP(configs.IPConfigs), result, nil
sandbox.IP, sandbox.AdditionalIPs = selectPodIPs(configs.IPConfigs)
sandbox.CNIResult = result
return nil
}
// If it comes here then the result was invalid so destroy the pod network and return error
if err := c.teardownPod(ctx, id, path, config); err != nil {
if err := c.teardownPodNetwork(ctx, *sandbox); err != nil {
log.G(ctx).WithError(err).Errorf("Failed to destroy network for sandbox %q", id)
}
return "", result, errors.Errorf("failed to find network info for sandbox %q", id)
return errors.Errorf("failed to find network info for sandbox %q", id)
}
// toCNIBandWidth converts CRI annotations to CNI bandwidth.
@ -623,14 +629,28 @@ func toCNIPortMappings(criPortMappings []*runtime.PortMapping) []cni.PortMapping
return portMappings
}
// selectPodIP select an ip from the ip list. It prefers ipv4 more than ipv6.
func selectPodIP(ipConfigs []*cni.IPConfig) string {
// selectPodIPs select an ip from the ip list. It prefers ipv4 more than ipv6
// and returns the additional ips
// TODO(random-liu): Revisit the ip order in the ipv6 beta stage. (cri#1278)
func selectPodIPs(ipConfigs []*cni.IPConfig) (string, []string) {
var (
additionalIPs []string
ip string
)
for _, c := range ipConfigs {
if c.IP.To4() != nil {
return c.IP.String()
if c.IP.To4() != nil && ip == "" {
ip = c.IP.String()
} else {
additionalIPs = append(additionalIPs, c.IP.String())
}
}
return ipConfigs[0].IP.String()
if ip != "" {
return ip, additionalIPs
}
if len(ipConfigs) == 1 {
return additionalIPs[0], nil
}
return additionalIPs[0], additionalIPs[1:]
}
// untrustedWorkload returns true if the sandbox contains untrusted workload.
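Review bot: `selectPodIPs` indexes `additionalIPs[0]` on its fallback path and so panics on an empty `ipConfigs`, yet its doc comment does not state that precondition. The only caller visible here guards with `len(configs.IPConfigs) > 0`. I would add `// ipConfigs must be non-empty.` to the comment, and reword its first line to `// selectPodIPs selects the primary pod IP, preferring IPv4 over IPv6,` so it reads as a sentence. It is also worth noting in the comment that any IPv4 address after the first is reported among the additional IPs, since the `else` branch handles both cases.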


@ -37,11 +37,11 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox
return nil, errors.Wrap(err, "an error occurred when try to find sandbox")
}
ip, err := c.getIP(sandbox)
ip, additionalIPs, err := c.getIPs(sandbox)
if err != nil {
return nil, errors.Wrap(err, "failed to get sandbox ip")
}
status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip)
status := toCRISandboxStatus(sandbox.Metadata, sandbox.Status.Get(), ip, additionalIPs)
if status.GetCreatedAt() == 0 {
// CRI doesn't allow CreatedAt == 0.
info, err := sandbox.Container.Info(ctx)
@ -66,38 +66,45 @@ func (c *criService) PodSandboxStatus(ctx context.Context, r *runtime.PodSandbox
}, nil
}
func (c *criService) getIP(sandbox sandboxstore.Sandbox) (string, error) {
func (c *criService) getIPs(sandbox sandboxstore.Sandbox) (string, []string, error) {
config := sandbox.Config
if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtime.NamespaceMode_NODE {
// For sandboxes using the node network we are not
// responsible for reporting the IP.
return "", nil
return "", nil, nil
}
if closed, err := sandbox.NetNS.Closed(); err != nil {
return "", errors.Wrap(err, "check network namespace closed")
return "", nil, errors.Wrap(err, "check network namespace closed")
} else if closed {
return "", nil
return "", nil, nil
}
return sandbox.IP, nil
return sandbox.IP, sandbox.AdditionalIPs, nil
}
// toCRISandboxStatus converts sandbox metadata into CRI pod sandbox status.
func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string) *runtime.PodSandboxStatus {
func toCRISandboxStatus(meta sandboxstore.Metadata, status sandboxstore.Status, ip string, additionalIPs []string) *runtime.PodSandboxStatus {
// Set sandbox state to NOTREADY by default.
state := runtime.PodSandboxState_SANDBOX_NOTREADY
if status.State == sandboxstore.StateReady {
state = runtime.PodSandboxState_SANDBOX_READY
}
nsOpts := meta.Config.GetLinux().GetSecurityContext().GetNamespaceOptions()
var ips []*runtime.PodIP
for _, additionalIP := range additionalIPs {
ips = append(ips, &runtime.PodIP{Ip: additionalIP})
}
return &runtime.PodSandboxStatus{
Id: meta.ID,
Metadata: meta.Config.GetMetadata(),
State: state,
CreatedAt: status.CreatedAt.UnixNano(),
Network: &runtime.PodSandboxNetworkStatus{Ip: ip},
Network: &runtime.PodSandboxNetworkStatus{
Ip: ip,
AdditionalIps: ips,
},
Linux: &runtime.LinuxPodSandboxStatus{
Namespaces: &runtime.Namespace{
Options: &runtime.NamespaceOption{


@ -72,15 +72,14 @@ func (c *criService) StopPodSandbox(ctx context.Context, r *runtime.StopPodSandb
// Teardown network for sandbox.
if sandbox.NetNS != nil {
netNSPath := sandbox.NetNSPath
// Use empty netns path if netns is not available. This is defined in:
// https://github.com/containernetworking/cni/blob/v0.7.0-alpha1/SPEC.md
if closed, err := sandbox.NetNS.Closed(); err != nil {
return nil, errors.Wrap(err, "failed to check network namespace closed")
} else if closed {
netNSPath = ""
sandbox.NetNSPath = ""
}
if err := c.teardownPod(ctx, id, netNSPath, sandbox.Config); err != nil {
if err := c.teardownPodNetwork(ctx, sandbox); err != nil {
return nil, errors.Wrapf(err, "failed to destroy network for sandbox %q", id)
}
if err = sandbox.NetNS.Remove(); err != nil {
@ -156,12 +155,17 @@ func (c *criService) waitSandboxStop(ctx context.Context, sandbox sandboxstore.S
}
}
// teardownPod removes the network from the pod
func (c *criService) teardownPod(ctx context.Context, id string, path string, config *runtime.PodSandboxConfig) error {
// teardownPodNetwork removes the network from the pod
func (c *criService) teardownPodNetwork(ctx context.Context, sandbox sandboxstore.Sandbox) error {
if c.netPlugin == nil {
return errors.New("cni config not initialized")
}
var (
id = sandbox.ID
path = sandbox.NetNSPath
config = sandbox.Config
)
labels := getPodCNILabels(id, config)
return c.netPlugin.Remove(ctx, id,
path,
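Review bot: `sandbox.NetNSPath = ""` now overwrites the field on the sandbox value itself, where the old code used a separate `netNSPath` local. Any later read of `sandbox.NetNSPath` in StopPodSandbox, whose body continues outside the hunk, would therefore see the empty path. `teardownPodNetwork` takes `sandboxstore.Sandbox` by value, so the stored sandbox appears unaffected, but that is easy to misread. I would add `// Only this local copy is changed; the stored sandbox keeps its NetNSPath.` above the assignment.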


@ -17,8 +17,10 @@ limitations under the License.
package server
import (
"net"
"os"
"path/filepath"
"strings"
"text/template"
"github.com/containerd/containerd/log"
@ -33,17 +35,36 @@ import (
type cniConfigTemplate struct {
// PodCIDR is the cidr for pods on the node.
PodCIDR string
// PodCIDRRanges is the cidr ranges for pods on the node.
PodCIDRRanges []string
// Routes is a list of routes configured.
Routes []string
}
// cniConfigFileName is the name of cni config file generated by containerd.
const cniConfigFileName = "10-containerd-net.conflist"
const (
// cniConfigFileName is the name of cni config file generated by containerd.
cniConfigFileName = "10-containerd-net.conflist"
// zeroCIDRv6 is the null route for IPv6.
zeroCIDRv6 = "::/0"
// zeroCIDRv4 is the null route for IPv4.
zeroCIDRv4 = "0.0.0.0/0"
)
// UpdateRuntimeConfig updates the runtime config. Currently only handles podCIDR updates.
func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateRuntimeConfigRequest) (*runtime.UpdateRuntimeConfigResponse, error) {
podCIDR := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr()
if podCIDR == "" {
podCIDRs := r.GetRuntimeConfig().GetNetworkConfig().GetPodCidr()
if podCIDRs == "" {
return &runtime.UpdateRuntimeConfigResponse{}, nil
}
cidrs := strings.Split(podCIDRs, ",")
for i := range cidrs {
cidrs[i] = strings.TrimSpace(cidrs[i])
}
routes, err := getRoutes(cidrs)
if err != nil {
return nil, errors.Wrap(err, "get routes")
}
confTemplate := c.config.NetworkPluginConfTemplate
if confTemplate == "" {
log.G(ctx).Info("No cni config template is specified, wait for other system components to drop the config.")
@ -71,8 +92,38 @@ func (c *criService) UpdateRuntimeConfig(ctx context.Context, r *runtime.UpdateR
return nil, errors.Wrapf(err, "failed to open cni config file %q", confFile)
}
defer f.Close()
if err := t.Execute(f, cniConfigTemplate{PodCIDR: podCIDR}); err != nil {
if err := t.Execute(f, cniConfigTemplate{
PodCIDR: cidrs[0],
PodCIDRRanges: cidrs,
Routes: routes,
}); err != nil {
return nil, errors.Wrapf(err, "failed to generate cni config file %q", confFile)
}
return &runtime.UpdateRuntimeConfigResponse{}, nil
}
// getRoutes generates required routes for the passed in cidrs.
func getRoutes(cidrs []string) ([]string, error) {
var (
routes []string
hasV4, hasV6 bool
)
for _, c := range cidrs {
_, cidr, err := net.ParseCIDR(c)
if err != nil {
return nil, err
}
if cidr.IP.To4() != nil {
hasV4 = true
} else {
hasV6 = true
}
}
if hasV4 {
routes = append(routes, zeroCIDRv4)
}
if hasV6 {
routes = append(routes, zeroCIDRv6)
}
return routes, nil
}
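Review bot: The comments on the new constants call `::/0` and `0.0.0.0/0` "the null route", but these prefixes match every destination and are what `getRoutes` emits as default routes. I would write `// zeroCIDRv6 is the default route for IPv6.` and `// zeroCIDRv4 is the default route for IPv4.` instead. Separately, `getRoutes(cidrs)` now runs before the `confTemplate == ""` check, so a malformed pod CIDR fails UpdateRuntimeConfig even when no template is configured and nothing would be written. If that stricter behaviour is intended, a short comment at the call would record it. The values written into the template are the trimmed input strings rather than the parsed `cidr.String()` form, so non-canonical input reaches the generated config unchanged.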


@ -55,6 +55,8 @@ type Metadata struct {
NetNSPath string
// IP of Pod if it is attached to non host network
IP string
// AdditionalIPs of the Pod if it is attached to non host network
AdditionalIPs []string
// RuntimeHandler is the runtime handler name of the pod.
RuntimeHandler string
// CNIresult resulting configuration for attached network namespace interfaces


@ -36,41 +36,42 @@ github.com/docker/go-metrics 4ea375f7759c82740c893fc030bc37088d2ec098
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
github.com/coreos/go-systemd v14
github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
github.com/containerd/ttrpc 1fb3814edf44a76e0ccf503decf726d994919a9a
github.com/containerd/go-runc 9007c2405372fe28918845901a3276c0915689a1
github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
github.com/containerd/containerd a3a30635ef713b544ea7feff0d12a768fd1ed636
github.com/containerd/ttrpc 92c8520ef9f86600c650dd540266a007bf03670f
github.com/containerd/go-runc e029b79d8cda8374981c64eba71f28ec38e5526f
github.com/containerd/fifo bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13
github.com/containerd/continuity f2a389ac0a02ce21c09edd7344677a601970f41c
github.com/containerd/containerd d4802a64f9737f02db3426751f380d97fc878dec
github.com/containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
github.com/containerd/cgroups c4b9ac5c7601384c965b9646fc515884e091ebb9
github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
github.com/Microsoft/hcsshim 8abdbb8205e4192c68b5f84c31197156f31be517
github.com/Microsoft/hcsshim 9e921883ac929bbe515b39793ece99ce3a9d7706
github.com/Microsoft/go-winio v0.4.14
github.com/BurntSushi/toml v0.3.1
github.com/imdario/mergo v0.3.7
# kubernetes dependencies
sigs.k8s.io/yaml v1.1.0
k8s.io/utils c2654d5206da6b7b6ace12841e8f359bb89b443c
k8s.io/kubernetes v1.15.0
k8s.io/klog v0.3.1
k8s.io/cri-api kubernetes-1.15.0
k8s.io/client-go kubernetes-1.15.0
k8s.io/api kubernetes-1.15.0
k8s.io/apiserver kubernetes-1.15.0
k8s.io/apimachinery kubernetes-1.15.0
gopkg.in/yaml.v2 v2.2.1
k8s.io/kubernetes v1.16.0-rc.2
k8s.io/klog v0.4.0
k8s.io/cri-api kubernetes-1.16.0-rc.2
k8s.io/client-go kubernetes-1.16.0-rc.2
k8s.io/api kubernetes-1.16.0-rc.2
k8s.io/apiserver kubernetes-1.16.0-rc.2
k8s.io/apimachinery kubernetes-1.16.0-rc.2
gopkg.in/yaml.v2 v2.2.2
gopkg.in/inf.v0 v0.9.0
golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
golang.org/x/oauth2 9f3314589c9a9136388751d9adae6b0ed400978a
golang.org/x/crypto 88737f569e3a9c7ab309cdc09a07fe7fc87233c3
github.com/stretchr/testify v1.2.2
golang.org/x/time 85acf8d2951cb2a3bde7632f9ff273ef0379bcbd
golang.org/x/oauth2 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33
golang.org/x/crypto 5c40567a22f818bd14a1ea7245dad9f8ef0691aa
github.com/stretchr/testify v1.3.0
github.com/seccomp/libseccomp-golang v0.9.1
github.com/pmezard/go-difflib v1.0.0
github.com/modern-go/reflect2 1.0.1
github.com/modern-go/concurrent 1.0.3
github.com/json-iterator/go 1.1.5
github.com/google/gofuzz 24818f796faf91cd76ec7bddd72458fbced7a6c1
github.com/emicklei/go-restful v2.2.1
github.com/json-iterator/go v1.1.7
github.com/google/gofuzz v1.0.0
github.com/emicklei/go-restful v2.9.5
github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528
github.com/davecgh/go-spew v1.1.1


@ -574,7 +574,7 @@ func CreateContainer(
// Try to pull the image before container creation
image := config.GetImage().GetImage()
if _, err := PullImage(iClient, image, auth); err != nil {
if _, err := PullImageWithSandbox(iClient, image, auth, podConfig); err != nil {
return "", err
}
}

View File

@ -478,12 +478,6 @@ func normalizeRepoDigest(repoDigests []string) (string, string) {
return repoDigestPair[0], repoDigestPair[1]
}
// PullImage sends a PullImageRequest to the server, and parses
// the returned PullImageResponse.
func PullImage(client pb.ImageServiceClient, image string, auth *pb.AuthConfig) (resp *pb.PullImageResponse, err error) {
return PullImageWithSandbox(client, image, auth, nil)
}
// PullImageWithSandbox sends a PullImageRequest to the server, and parses
// the returned PullImageResponse.
func PullImageWithSandbox(client pb.ImageServiceClient, image string, auth *pb.AuthConfig, sandbox *pb.PodSandboxConfig) (resp *pb.PullImageResponse, err error) {


@ -92,7 +92,7 @@ var statsCommand = cli.Command{
defer closeConnection(context, runtimeConn)
id := context.String("id")
if id == "" && context.Args() != nil {
if id == "" && context.NArg() > 0 {
id = context.Args()[0]
}


@ -210,7 +210,7 @@ func outputProtobufObjAsYAML(obj proto.Message) error {
func outputStatusInfo(status string, info map[string]string, format string) error {
// Sort all keys
keys := make([]string, len(info))
keys := []string{}
for k := range info {
keys = append(keys, k)
}
@ -267,7 +267,7 @@ func marshalMapInOrder(m map[string]interface{}, t interface{}) (string, error)
v := reflect.ValueOf(t)
for i := 0; i < v.Type().NumField(); i++ {
field := jsonFieldFromTag(v.Type().Field(i).Tag)
if field == "" {
if field == "" || field == "-" {
continue
}
value, err := json.Marshal(m[field])
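Review bot: In `outputStatusInfo`, the new `keys := []string{}` drops the capacity hint along with the stray empty entries. `keys := make([]string, 0, len(info))` keeps the single allocation while still starting at length zero. In `marshalMapInOrder`, the added `field == "-"` test would benefit from a short comment such as `// "-" marks a field excluded from JSON`, since the helper `jsonFieldFromTag` is defined outside the hunk.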

6
vendor/modules.txt vendored

@ -151,7 +151,7 @@ github.com/container-storage-interface/spec/lib/go/csi
github.com/containerd/cgroups
# github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
github.com/containerd/console
# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.0-k3s.1
# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.0-k3s.2
github.com/containerd/containerd
github.com/containerd/containerd/api/events
github.com/containerd/containerd/api/services/containers/v1
@ -288,7 +288,7 @@ github.com/containerd/continuity/pathdriver
github.com/containerd/continuity/proto
github.com/containerd/continuity/syscallx
github.com/containerd/continuity/sysx
# github.com/containerd/cri v1.11.1-0.20190909171321-f4d75d321c89
# github.com/containerd/cri v1.11.1-0.20191009213552-1fb415d208be
github.com/containerd/cri
github.com/containerd/cri/pkg/annotations
github.com/containerd/cri/pkg/api/runtimeoptions/v1
@ -619,7 +619,7 @@ github.com/juju/errors
github.com/karrick/godirwalk
# github.com/konsorten/go-windows-terminal-sequences v1.0.2
github.com/konsorten/go-windows-terminal-sequences
# github.com/kubernetes-sigs/cri-tools v0.0.0-00010101000000-000000000000 => github.com/rancher/cri-tools v1.16.0-k3s.1
# github.com/kubernetes-sigs/cri-tools v0.0.0-00010101000000-000000000000 => github.com/rancher/cri-tools v1.16.1-k3s.1
github.com/kubernetes-sigs/cri-tools/cmd/crictl
github.com/kubernetes-sigs/cri-tools/pkg/version
# github.com/lib/pq v1.1.1