Fixes: #2023
We can get OCI spec config from bundle instead of annotations, so this
field isn't necessary.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
Fixes: #2023
CompatOCISpec is used to gurantee backward compatbility for old runtime
specs, after we convert CompatOCISpec to standard specs.Spec, we should
use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be
useless from then.
Spread usage of CompatOCISpec can make code structure confusing and making
the runtime spec usage non-standard. Besides, this can be the very first
step of removing CompatOCISpec from config's Annotations field.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
Refactor unit test so that podman can be used to run tests when docker
is not available.
Fixes: #2006
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
When shimv2 was killed by accident, containerd would try to
launch a new shimv2 binarry to cleanup the container. In order
to avoid race condition, the cleanup should be done serialized
in a sandbox. Thus adding a new api to do this by locking the
sandbox.
Fixes:#1832
Signed-off-by: lifupan <lifupan@gmail.com>
If an exec is failed(such as executable file not found in $PATH), the
`execs.id` will be empty. This leads to all the container processes
being killed when calling `Kill` on such exec id.
Fixes: #2001
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
Fixes: #1929
in containerd-kata-v2, container can only be deleted in Delete
interface, or other shim operates(like kill/delete) all fails
since can not get container info.
Signed-off-by: Ace-Tang <aceapril@126.com>
When force is true, ignore any guest related errors. This can
be used to stop a sandbox when hypervisor process is dead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
This reverts:
- 590ed09 vendor: update gogo/protobuf, containerd and agent vendors
- eabfd99 shimv2: Improve shim shutdown logic
These introduce a regression for starting pods with k8s 1.14 + contaienr
1.2.6
Fixes: #1781
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Fixes: #1659
our testing found that the client does not open
stdin with O_WRONLY, so the shim v2 was blocked forever
in open stdin with O_RDONLY. It's better to make it
opened with O_NONBLOCK, and do not block starting process
of container. and the containerd runc shim has done this
by bc1ff514 as well.
Signed-off-by: Yang, Wei <w90p710@gmail.com>
Signed-off-by: Yang, Wei <wei.yang1@linux.alibaba.com>
Latest shimv2 publishes an event to containerd used ttrpc instead
of using containerd binary, thus shimv2 shouldn't call `os.Exit` to
terminate the shim's life, but close the context on shutdown so that
events and other resources have hit the `defer`s.
Fixes:#1731
Signed-off-by: lifupan <lifupan@gmail.com>
Kubelet would cleanup the pod cgroup resources and kill the processes
in the pod cgroups when it detected all of the containers in a pod exited,
thus shimv2 should close the hypervisor process once the podsandbox container
exited, otherwise, the hypervisor process would be killed by kubelet and
made shimv2 failed to shutdown the sandbox.
Fixes:#1672
Signed-off-by: lifupan <lifupan@gmail.com>
```
//the network namespace created by cni plugin
netns, err = namespaces.NamespaceRequired(ctx)
if err != nil {
return nil, errors.Wrap(err, "create namespace")
}
```
the netns is a containerd namespace concept, it not netns, event a cni
set netns for this, this is a tricky way, so remove the logic.
Fixes: #1692
Signed-off-by: Ace-Tang <aceapril@126.com>
According to CRI specs, kubelet will call StopPodSandbox()
at least once before calling RemovePodSandbox, and this call
is idempotent, and must not return an error if all relevant
resources have already been reclaimed. And in that call it will
send a SIGKILL signal first to try to stop the container, thus
once the container has terminated, here should ignore this signal
and return directly.
Fixes:#1672
Signed-off-by: lifupan <lifupan@gmail.com>
This latest ttrpc vendor supports the feature of request timeout propgation.
this feature will do context cancel after a service call return, and this cancel
will propagated into kata sandbox's agent/hypervisor and resulted in the following
calls canceled. To fix this issue, pass the service's context instead of the service's
call's context to CreateSandbox(), and this context will live until the shim exited.
Fixes:#1627
Signed-off-by: lifupan <lifupan@gmail.com>
Latest containerd commit<c0f0b21314b93a1> had moved the
step of creating rootfs dir from creating bundle to container
creation; in order to support both of the old and latest
containerd, check the "rootfs" existed before creating it.
Fixes:#1652
Signed-off-by: lifupan <lifupan@gmail.com>
in wait function, should send msg to exit channel after task status has
updated, since shim.Wait() is running in another goroutine, when it
receive msg from exit channel, it will stop waiting and return, then
someone who hold this Wait() get return, it can delete task, if exit msg
is send first, the container status may still be running.
Fixes: #1600
Signed-off-by: Ace-Tang <aceapril@126.com>
This reverts commit 196661bc0d.
Reverting because cri-o with devicemapper started
to fail after this commit was merged.
Fixes: #1574.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
We can use the same data structure to describe both of them.
So that we can handle them similarly.
Fixes: #1566
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
containerd checks for the grpc error code to determine
correct recover action upon grpc errors. We need to provide
them properly.
Unfortunately ttrpc doesn't support grpc interceptor so we have
to modify every service function for it.
Fixes: #1527
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
There is no need to send another SIGKILL signal following
SIGTERM signal, otherwise, sending the SIGKILL signal would
get failed since the container process would has been terminated
by the previous SIGTERM signal.
Fixes:#1493
Signed-off-by: lifupan <lifupan@gmail.com>
When the container's rootfs is block storage backed such as devmapper,
shimv2 will not mount it on the host, instead it insert it into hypervisor
as a block device directly.
If kata's config set "disable_block_device_use" as true, it will mount
the rootfs onto host as before.
Fixes:#1158
Signed-off-by: lifupan <lifupan@gmail.com>
gometalinter is deprecated and will be archived April '19. The
suggestion is to switch to golangci-lint which is apparently 5x faster
than gometalinter.
Partially Fixes: #1377
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
containerd/cri's different runtime handlers can pass different
config files to shimv2 by a generic runtime options, by this kata
can launch the pods using different VMM for different runtime handlers.
Fixes:#1082
Signed-off-by: Fupan Li <lifupan@gmail.com>
Because the runtime v2 runs as a RPC server, the caller will at some
point use the Shutdown() API to shut down the server. Because this
will cause the server to exit, the caller cannot expect any valid
answer when calling this. That's why we cannot afford stopping and
deleting the sandbox from this function.
Instead, we move sandbox.Stop() and sandbox.Delete() to a more
appropriate API, the Delete() one.
Fixes#1150
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
We can now remove all the sandbox shared types and convert the rest of
the code to using the new internal types package.
This commit includes virtcontainers, cli and containerd-shim changes in
one atomic change in order to not break bisect'ibility.
Fixes: #1095
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
If the env KATA_CONF_FILE was set, shimv2 will use it as the
kata configure file, otherwise, it will try to find it from
/etc and /usr/share directory.
Fixes: #1091
Signed-off-by: fupan <lifupan@gmail.com>
containerd would like to get the shim's socket
address from shimv2's stdout, thus it's better
to discard the log's output before shimv2 init
it's logger and at the same time add a hook to
log into syslog.
Fixes: #1035
Signed-off-by: Fupan Li <lifupan@gmail.com>
Add the Kill api support to send signal to a given
container process.
Signed-off-by: ZeroMagic <anthonyliu@zju.edu.cn>
Signed-off-by: fupan.li <lifupan@gmail.com>
