Remove the rootfs bind dest and finally remove the created share
directory when stopping the container.
Fixes#2516
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
virtcontainers/pkg/cgroups contains functions and structures needed to deal
with cgroups and virtual containers
Signed-off-by: Julio Montes <julio.montes@intel.com>
rootless is used in katautils, cli and virtcontainers. It makes more sense
if it's part of virtcontainer, this way virtcontainers won't depend on other
runtime subpackages
Signed-off-by: Julio Montes <julio.montes@intel.com>
In Container#mountSharedDirMounts, if sandbox.storeSandboxDevices() returns error, we should detach the device.
Fixes#2301
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
move `validCgroupPath` to `cgroups.go` since it's cgroups specific.
Now `validCgroupPath` supports systemd cgroup path and returns a cgroup path
ready to use, calls to `renameCgroupPath` are no longer needed.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Keep old store restore functions for keeping backward compatibility, if
old store files are found from disk, restore them with old store first.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
Otherwise if we fail to stop it, container state is set as StateStopped.
And future force stop will just be ignored. Then when we force delete
the container, we are deleting it without actually cleaning up container
resources especially the host shared mounts, which would be removed by
agent cleanup code and we end up removing container volume contents
unexpectedly.
Fixes: #2345
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
We can use map from Source to Mount as ignoredMounts representation.
Inner loop in kataAgent#removeIgnoredOCIMount is removed.
Fixes#2299
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
GetOCISpec returns a patched version of the original OCI spec, it was modified
to support:
* capabilities
* Ephemeral storage
* k8s empty dir
In order to avoid confusion and make the API clear, rename GetOCISpec
to GetPatchedOCISpec and ContainerConfig.Spec to ContainerConfig.CustomSpec
fixes#2252
Signed-off-by: Julio Montes <julio.montes@intel.com>
Currently kata-runtime saves the Container OCI Spec even when it's not needed
and a comment in `ContainerConfig struct` specifically indicates that
it won't be saved to disk.
Use '-' as json tag instead of '_' to indicate that the `Spec` field shouldn't
be saved to disk.
fixes#2256
Signed-off-by: Julio Montes <julio.montes@intel.com>
We do not want to create cgroups in case of rootless.
Fix the logic to implement this.
Fixes#2177
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
container.config does not point to sandbox.config.Containers.ContainerConfig,
which caused the ContainerConfig not to be in sync.
Fixes: #2129
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
Mount points, like `resolv.conf` and `hostname` are left in the
host when the cgroup creation fails.
Use `unmountHostMounts()` and `bindUnmountContainerRootfs()` in the rollback
function that is called when container's creation fails.
fixes#2108
Signed-off-by: Julio Montes <julio.montes@intel.com>
rootless execution does not yet support cgroups, so if running
rootlessly skip the cgroup creation and deletion.
Fixes: #1877
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Modify some path variables to be functions that return the path
with the rootless directory prefix if running rootlessly.
Fixes: #1827
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Fixes: #2023
We can get OCI spec config from bundle instead of annotations, so this
field isn't necessary.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
The container store should be deleted when new/create is failed if the
store is newly created.
Fixes: #2013
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
Do not call cgroup operations for containers in the host
if SandboxCgroupOnly is enabled.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The container CgroupsPath is optional according to OCI.
If for some reason the runtime decides not to define one,
just skip cgroup operations.
This is going to be useful for the upcoming sandbox-cgroup-only
cgroup management feature.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Some errors propagate with a message showing a cgroup path.
If for some reason this is empty, it is difficult to know by looking
at the logs.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Prefix cgroup-related methods with "cgroups",
making it easy to group them together in auto-generated docs.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
`virtcontainers.ensureDestinationExists` will create the bind
destination directory/file, which should be removed properly when
unmounting.
Fixes: #1974
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
For one thing, it is container specific resource so it should not
be cleaned up by the agent. For another thing, we can make container
stop to force cleanup these host mountpoints regardless of hypervisor
and agent liveness.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When force is true, ignore any guest related errors. This can
be used to stop a sandbox when hypervisor process is dead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When a container is paused and something goes terribly
wrong, we still need to be able to clean things up. A paused
container should be able to transition to the stopped state as well
so that we can delete it properly.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When using experimental feature "newstore", we save and load devices
information from `persist.json` instead of `devices.json`, in such case,
file `devices.json` isn't needed anymore, so remove it.
Signed-off-by: Wei Zhang <zhangwei555@huawei.com>
This change updates the isSystemMount check for mountSharedDirMounts
when setting up shared directory mounts for the container and uses
the source of the mount instead of the destination for the check.
We want to exclude system mounts from the host side as they
shouldn't be mounted into the container.
We do however want to allow system mounts within the
container as denying them can prevent some containers from
running properly.
Fixes#1591
Signed-off-by: Alex Price <aprice@atlassian.com>
This reverts commit 196661bc0d.
Reverting because cri-o with devicemapper started
to fail after this commit was merged.
Fixes: #1574.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
We can use the same data structure to describe both of them.
So that we can handle them similarly.
Fixes: #1566
Signed-off-by: Peng Tao <bergwolf@hyper.sh>