From c474404621fa47923f814479439fd09e3e8b7ded Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Tue, 27 Apr 2021 19:54:47 +0200 Subject: [PATCH 1/7] Update godoc. Signed-off-by: Ruben Jenster --- container.go | 12 ++++++++---- runtime.go | 9 +++++++-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/container.go b/container.go index 82070846..69219675 100644 --- a/container.go +++ b/container.go @@ -31,17 +31,21 @@ type ContainerConfig struct { // The ContainerID should match the following pattern `[a-z][a-z0-9-_]+` ContainerID string - BundlePath string + // BundlePath is the OCI bundle path. + BundlePath string + ConsoleSocket string `json:",omitempty"` - // PidFile is the absolute PID file path - // for the container monitor process (ExecStart) + // MonitorCgroupDir is the cgroup directory path + // for the liblxc monitor process `lxcri-start` + // relative to the cgroup root. MonitorCgroupDir string CgroupDir string // LogFile is the liblxc log file path LogFile string + // LogLevel is the liblxc log level LogLevel string @@ -59,7 +63,7 @@ func (c Container) syncFifoPath() string { } // RuntimePath returns the absolute path to the given sub path -// within the container root. +// within the container runtime directory. func (c Container) RuntimePath(subPath ...string) string { return filepath.Join(c.runtimeDir, filepath.Join(subPath...)) } diff --git a/runtime.go b/runtime.go index 85c976d1..1740c161 100644 --- a/runtime.go +++ b/runtime.go @@ -58,19 +58,24 @@ type RuntimeFeatures struct { type Runtime struct { // Log is the logger used by the runtime. Log zerolog.Logger `json:"-"` + // Root is the file path to the runtime directory. // Directories for containers created by the runtime // are created within this directory. Root string + // Use systemd encoded cgroup path (from crio-o/conmon) // is true if /etc/crio/crio.conf#cgroup_manager = "systemd" SystemdCgroup bool + // Path for lxc monitor cgroup (lxc specific feature). // This is the cgroup where the liblxc monitor process (lxcri-start) // will be placed in. It's similar to /etc/crio/crio.conf#conmon_cgroup MonitorCgroup string + // LibexecDir is the the directory that contains the runtime executables. LibexecDir string + // Featuress are runtime (security) features that apply to all containers // created by the runtime. Features RuntimeFeatures @@ -219,8 +224,8 @@ func (rt *Runtime) Load(containerID string) (*Container, error) { } // Start starts the given container. -// Start simply unblocks the container init process `lxcri-init`, -// which then executes the actuall container process. +// Start simply unblocks the init process `lxcri-init`, +// which then executes the container process. // The given container must have been created with Runtime.Create. func (rt *Runtime) Start(ctx context.Context, c *Container) error { rt.Log.Info().Msg("notify init to start container process") From a4dfea1566cb24be9de1530f8dfaf625286e7b20 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Tue, 27 Apr 2021 19:56:35 +0200 Subject: [PATCH 2/7] Cleanup cli doc. Remove environment variables from cli doc. The output of lxcri --help is preferable and is always up-to-date. Signed-off-by: Ruben Jenster --- doc/cli.md | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/doc/cli.md b/doc/cli.md index b6a4b3f9..c2a717fb 100644 --- a/doc/cli.md +++ b/doc/cli.md @@ -22,42 +22,25 @@ The runtime evaluates the flag value in the following order (lower order takes p ### Environment variables Currently you have to compile to environment file yourself.
-To list all available variables: + +All environment variables are listed in the cmline help `lxcri --help` + +To compile a list of all available variables: ``` -grep EnvVars cmd/cli.go | grep -o LXCRI_[A-Za-z_]* | xargs -n1 -I'{}' echo "#{}=" +grep EnvVars cmd/lxcri/* | grep -o LXCRI_[A-Za-z_]* | xargs -I'{}' echo "#{}=" ``` ### Environment file The default path to the environment file is `/etc/defaults/lxcri`.
-It is loaded on every start of the `lxcri` binary, so changes take immediate effect.
+It is loaded on every start of the `lxcri` binary, so changes take immediate effect +for the next `lxcri` process started by `cri-o`.
Empty lines and those commented with a leading *#* are ignored.
A malformed environment will let the next runtime call fail.
In production it's recommended that you replace the environment file atomically.
-E.g the environment file `/etc/default/lxcri` could look like this: - -```sh -LXCRI_LOG_LEVEL=debug -LXCRI_CONTAINER_LOG_LEVEL=debug -#LXCRI_LOG_FILE= -#LXCRI_LOG_TIMESTAMP= -#LXCRI_MONITOR_CGROUP= -#LXCRI_LIBEXEC= -#LXCRI_APPARMOR= -#LXCRI_CAPABILITIES= -#LXCRI_CGROUP_DEVICES= -#LXCRI_SECCOMP= -#LXCRI_CREATE_TIMEOUT= -#LXCRI_CREATE_HOOK=/usr/local/bin/lxcri-backup.sh -#LXCRI_CREATE_HOOK_TIMEOUT= -#LXCRI_START_TIMEOUT= -#LXCRI_KILL_TIMEOUT= -#LXCRI_DELETE_TIMEOUT= -``` - ### Runtime (security) features All supported runtime security features are enabled by default.
From 15293bf60fde23058f7cd8a479a1785e68b57c39 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Tue, 27 Apr 2021 20:03:23 +0200 Subject: [PATCH 3/7] Make lxc *ConfigItem wrapper functions private. Don't encourage API users to mix the lxcri and go-lxc API. The user should only use the OCI specs.Spec to create the container if possible. The go-lxc Container is exported as Container.LinuxContainer and can be used to access the go-lxc API if there is really a need for it. Signed-off-by: Ruben Jenster --- cgroup.go | 34 +++++++++++++++++----------------- container.go | 14 +++++++------- create.go | 40 ++++++++++++++++++++-------------------- init.go | 16 ++++++++-------- mount.go | 4 ++-- namespaces.go | 4 ++-- runtime.go | 4 ++-- 7 files changed, 58 insertions(+), 58 deletions(-) diff --git a/cgroup.go b/cgroup.go index c9e5e6d0..fe6ac5db 100644 --- a/cgroup.go +++ b/cgroup.go @@ -97,7 +97,7 @@ func configureCgroup(rt *Runtime, c *Container) error { } if pids := c.Spec.Linux.Resources.Pids; pids != nil { - if err := c.SetConfigItem("lxc.cgroup2.pids.max", fmt.Sprintf("%d", pids.Limit)); err != nil { + if err := c.setConfigItem("lxc.cgroup2.pids.max", fmt.Sprintf("%d", pids.Limit)); err != nil { return err } } @@ -122,30 +122,30 @@ func configureCgroupPath(rt *Runtime, c *Container) error { c.CgroupDir = c.Spec.Linux.CgroupsPath } - if err := c.SetConfigItem("lxc.cgroup.relative", "0"); err != nil { + if err := c.setConfigItem("lxc.cgroup.relative", "0"); err != nil { return err } // @since lxc @a900cbaf257c6a7ee9aa73b09c6d3397581d38fb // checking for on of the config items shuld be enough, because they were introduced together ... // lxc.cgroup.dir.payload and lxc.cgroup.dir.monitor - splitCgroup := c.SupportsConfigItem("lxc.cgroup.dir.container", "lxc.cgroup.dir.monitor") + splitCgroup := c.supportsConfigItem("lxc.cgroup.dir.container", "lxc.cgroup.dir.monitor") if !splitCgroup || rt.MonitorCgroup == "" { - return c.SetConfigItem("lxc.cgroup.dir", c.CgroupDir) + return c.setConfigItem("lxc.cgroup.dir", c.CgroupDir) } c.MonitorCgroupDir = filepath.Join(rt.MonitorCgroup, c.ContainerID+".scope") - if err := c.SetConfigItem("lxc.cgroup.dir.container", c.CgroupDir); err != nil { + if err := c.setConfigItem("lxc.cgroup.dir.container", c.CgroupDir); err != nil { return err } - if err := c.SetConfigItem("lxc.cgroup.dir.monitor", c.MonitorCgroupDir); err != nil { + if err := c.setConfigItem("lxc.cgroup.dir.monitor", c.MonitorCgroupDir); err != nil { return err } - if c.SupportsConfigItem("lxc.cgroup.dir.monitor.pivot") { - if err := c.SetConfigItem("lxc.cgroup.dir.monitor.pivot", rt.MonitorCgroup); err != nil { + if c.supportsConfigItem("lxc.cgroup.dir.monitor.pivot") { + if err := c.setConfigItem("lxc.cgroup.dir.monitor.pivot", rt.MonitorCgroup); err != nil { return err } } @@ -191,16 +191,16 @@ func configureDeviceController(c *Container) error { } // decompose val := fmt.Sprintf("%s %s:%s %s", blockDevice, maj, min, dev.Access) - if err := c.SetConfigItem(key, val); err != nil { + if err := c.setConfigItem(key, val); err != nil { return err } val = fmt.Sprintf("%s %s:%s %s", charDevice, maj, min, dev.Access) - if err := c.SetConfigItem(key, val); err != nil { + if err := c.setConfigItem(key, val); err != nil { return err } case blockDevice, charDevice: val := fmt.Sprintf("%s %s:%s %s", dev.Type, maj, min, dev.Access) - if err := c.SetConfigItem(key, val); err != nil { + if err := c.setConfigItem(key, val); err != nil { return err } default: @@ -216,32 +216,32 @@ func configureCPUController(clxc *Runtime, slinux *specs.LinuxCPU) error { clxc.Log.Debug().Msg("TODO configure cgroup cpu controller") /* if cpu.Shares != nil && *cpu.Shares > 0 { - if err := clxc.SetConfigItem("lxc.cgroup2.cpu.shares", fmt.Sprintf("%d", *cpu.Shares)); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpu.shares", fmt.Sprintf("%d", *cpu.Shares)); err != nil { return err } } if cpu.Quota != nil && *cpu.Quota > 0 { - if err := clxc.SetConfigItem("lxc.cgroup2.cpu.cfs_quota_us", fmt.Sprintf("%d", *cpu.Quota)); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpu.cfs_quota_us", fmt.Sprintf("%d", *cpu.Quota)); err != nil { return err } } if cpu.Period != nil && *cpu.Period != 0 { - if err := clxc.SetConfigItem("lxc.cgroup2.cpu.cfs_period_us", fmt.Sprintf("%d", *cpu.Period)); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpu.cfs_period_us", fmt.Sprintf("%d", *cpu.Period)); err != nil { return err } } if cpu.Cpus != "" { - if err := clxc.SetConfigItem("lxc.cgroup2.cpuset.cpus", cpu.Cpus); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpuset.cpus", cpu.Cpus); err != nil { return err } } if cpu.RealtimePeriod != nil && *cpu.RealtimePeriod > 0 { - if err := clxc.SetConfigItem("lxc.cgroup2.cpu.rt_period_us", fmt.Sprintf("%d", *cpu.RealtimePeriod)); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpu.rt_period_us", fmt.Sprintf("%d", *cpu.RealtimePeriod)); err != nil { return err } } if cpu.RealtimeRuntime != nil && *cpu.RealtimeRuntime > 0 { - if err := clxc.SetConfigItem("lxc.cgroup2.cpu.rt_runtime_us", fmt.Sprintf("%d", *cpu.RealtimeRuntime)); err != nil { + if err := clxc.setConfigItem("lxc.cgroup2.cpu.rt_runtime_us", fmt.Sprintf("%d", *cpu.RealtimeRuntime)); err != nil { return err } } diff --git a/container.go b/container.go index 69219675..a9a81ece 100644 --- a/container.go +++ b/container.go @@ -312,9 +312,9 @@ func (c *Container) kill(ctx context.Context, signum unix.Signal) error { return nil } -// GetConfigItem is a wrapper function and returns the -// first value returned by *lxc.Container.ConfigItem -func (c *Container) GetConfigItem(key string) string { +// getConfigItem is a wrapper function and returns the +// first value returned by lxc.Container.ConfigItem +func (c *Container) getConfigItem(key string) string { vals := c.LinuxContainer.ConfigItem(key) if len(vals) > 0 { first := vals[0] @@ -327,9 +327,9 @@ func (c *Container) GetConfigItem(key string) string { return "" } -// SetConfigItem is a wrapper for *lxc.Container.SetConfigItem. +// setConfigItem is a wrapper for lxc.Container.setConfigItem. // and only adds additional logging. -func (c *Container) SetConfigItem(key, value string) error { +func (c *Container) setConfigItem(key, value string) error { err := c.LinuxContainer.SetConfigItem(key, value) if err != nil { return fmt.Errorf("failed to set config item '%s=%s': %w", key, value, err) @@ -338,8 +338,8 @@ func (c *Container) SetConfigItem(key, value string) error { return nil } -// SupportsConfigItem is a wrapper for *lxc.Container.IsSupportedConfig item. -func (c *Container) SupportsConfigItem(keys ...string) bool { +// supportsConfigItem is a wrapper for lxc.Container.IsSupportedConfig item. +func (c *Container) supportsConfigItem(keys ...string) bool { canCheck := lxc.VersionAtLeast(4, 0, 6) if !canCheck { c.Log.Warn().Msg("lxc.IsSupportedConfigItem is broken in liblxc < 4.0.6") diff --git a/create.go b/create.go index 9393dd3b..a18f1bad 100644 --- a/create.go +++ b/create.go @@ -97,13 +97,13 @@ func configureContainer(rt *Runtime, c *Container) error { } if c.Spec.Process.OOMScoreAdj != nil { - if err := c.SetConfigItem("lxc.proc.oom_score_adj", fmt.Sprintf("%d", *c.Spec.Process.OOMScoreAdj)); err != nil { + if err := c.setConfigItem("lxc.proc.oom_score_adj", fmt.Sprintf("%d", *c.Spec.Process.OOMScoreAdj)); err != nil { return err } } if c.Spec.Process.NoNewPrivileges { - if err := c.SetConfigItem("lxc.no_new_privs", "1"); err != nil { + if err := c.setConfigItem("lxc.no_new_privs", "1"); err != nil { return err } } @@ -122,7 +122,7 @@ func configureContainer(rt *Runtime, c *Container) error { if err := writeSeccompProfile(profilePath, c.Spec.Linux.Seccomp); err != nil { return err } - if err := c.SetConfigItem("lxc.seccomp.profile", profilePath); err != nil { + if err := c.setConfigItem("lxc.seccomp.profile", profilePath); err != nil { return err } } @@ -139,7 +139,7 @@ func configureContainer(rt *Runtime, c *Container) error { } // make sure autodev is disabled - if err := c.SetConfigItem("lxc.autodev", "0"); err != nil { + if err := c.setConfigItem("lxc.autodev", "0"); err != nil { return err } @@ -190,7 +190,7 @@ func configureContainer(rt *Runtime, c *Container) error { } for key, val := range c.Spec.Linux.Sysctl { - if err := c.SetConfigItem("lxc.sysctl."+key, val); err != nil { + if err := c.setConfigItem("lxc.sysctl."+key, val); err != nil { return err } } @@ -207,7 +207,7 @@ func configureContainer(rt *Runtime, c *Container) error { } seenLimits = append(seenLimits, name) val := fmt.Sprintf("%d:%d", limit.Soft, limit.Hard) - if err := c.SetConfigItem("lxc.prlimit."+name, val); err != nil { + if err := c.setConfigItem("lxc.prlimit."+name, val); err != nil { return err } } @@ -226,7 +226,7 @@ func configureHostname(rt *Runtime, c *Container) error { if c.Spec.Hostname == "" { return nil } - if err := c.SetConfigItem("lxc.uts.name", c.Spec.Hostname); err != nil { + if err := c.setConfigItem("lxc.uts.name", c.Spec.Hostname); err != nil { return err } @@ -256,20 +256,20 @@ func configureRootfs(rt *Runtime, c *Container) error { if !filepath.IsAbs(rootfs) { rootfs = filepath.Join(c.BundlePath, rootfs) } - if err := c.SetConfigItem("lxc.rootfs.path", rootfs); err != nil { + if err := c.setConfigItem("lxc.rootfs.path", rootfs); err != nil { return err } - if err := c.SetConfigItem("lxc.rootfs.mount", rootfs); err != nil { + if err := c.setConfigItem("lxc.rootfs.mount", rootfs); err != nil { return err } - if err := c.SetConfigItem("lxc.rootfs.managed", "0"); err != nil { + if err := c.setConfigItem("lxc.rootfs.managed", "0"); err != nil { return err } // Resources not created by the container runtime MUST NOT be deleted by it. - if err := c.SetConfigItem("lxc.ephemeral", "0"); err != nil { + if err := c.setConfigItem("lxc.ephemeral", "0"); err != nil { return err } @@ -280,20 +280,20 @@ func configureRootfs(rt *Runtime, c *Container) error { if c.Spec.Root.Readonly { rootfsOptions = append(rootfsOptions, "ro") } - if err := c.SetConfigItem("lxc.rootfs.options", strings.Join(rootfsOptions, ",")); err != nil { + if err := c.setConfigItem("lxc.rootfs.options", strings.Join(rootfsOptions, ",")); err != nil { return err } return nil } func configureReadonlyPaths(c *Container) error { - rootmnt := c.GetConfigItem("lxc.rootfs.mount") + rootmnt := c.getConfigItem("lxc.rootfs.mount") if rootmnt == "" { return fmt.Errorf("lxc.rootfs.mount unavailable") } for _, p := range c.Spec.Linux.ReadonlyPaths { mnt := fmt.Sprintf("%s %s %s %s", filepath.Join(rootmnt, p), strings.TrimPrefix(p, "/"), "bind", "bind,ro,optional") - if err := c.SetConfigItem("lxc.mount.entry", mnt); err != nil { + if err := c.setConfigItem("lxc.mount.entry", mnt); err != nil { return fmt.Errorf("failed to make path readonly: %w", err) } } @@ -306,7 +306,7 @@ func configureApparmor(c *Container) error { if aaprofile == "" { aaprofile = "unconfined" } - return c.SetConfigItem("lxc.apparmor.profile", aaprofile) + return c.setConfigItem("lxc.apparmor.profile", aaprofile) } // configureCapabilities configures the linux capabilities / privileges granted to the container processes. @@ -326,7 +326,7 @@ func configureCapabilities(c *Container) error { } } - return c.SetConfigItem("lxc.cap.keep", keepCaps) + return c.setConfigItem("lxc.cap.keep", keepCaps) } // NOTE keep in sync with cmd/lxcri-hook#ociHooksAndState @@ -359,22 +359,22 @@ func configureHooks(rt *Runtime, c *Container) error { c.Spec.Hooks = &hooks // pass context information as environment variables to hook scripts - if err := c.SetConfigItem("lxc.hook.version", "1"); err != nil { + if err := c.setConfigItem("lxc.hook.version", "1"); err != nil { return err } if len(c.Spec.Hooks.Prestart) > 0 || len(c.Spec.Hooks.CreateRuntime) > 0 { - if err := c.SetConfigItem("lxc.hook.pre-mount", rt.libexec(ExecHook)); err != nil { + if err := c.setConfigItem("lxc.hook.pre-mount", rt.libexec(ExecHook)); err != nil { return err } } if len(c.Spec.Hooks.CreateContainer) > 0 { - if err := c.SetConfigItem("lxc.hook.mount", rt.libexec(ExecHook)); err != nil { + if err := c.setConfigItem("lxc.hook.mount", rt.libexec(ExecHook)); err != nil { return err } } if len(c.Spec.Hooks.StartContainer) > 0 { - if err := c.SetConfigItem("lxc.hook.start", rt.libexec(ExecHook)); err != nil { + if err := c.setConfigItem("lxc.hook.start", rt.libexec(ExecHook)); err != nil { return err } } diff --git a/init.go b/init.go index bc8c1742..5ee1b327 100644 --- a/init.go +++ b/init.go @@ -43,7 +43,7 @@ func configureInit(rt *Runtime, c *Container) error { Options: []string{"bind", "ro", "nodev", "nosuid", "create=dir"}, }) - if err := c.SetConfigItem("lxc.init.cwd", initDir); err != nil { + if err := c.setConfigItem("lxc.init.cwd", initDir); err != nil { return err } @@ -74,7 +74,7 @@ func configureInit(rt *Runtime, c *Container) error { Type: "bind", Options: []string{"bind", "ro", "nosuid"}, }) - return c.SetConfigItem("lxc.init.cmd", initCmd) + return c.setConfigItem("lxc.init.cmd", initCmd) } func touchFile(filePath string, perm os.FileMode) error { @@ -90,25 +90,25 @@ func configureInitUser(c *Container) error { // TODO ensure that the user namespace is enabled // See `man lxc.container.conf` lxc.idmap. for _, m := range c.Spec.Linux.UIDMappings { - if err := c.SetConfigItem("lxc.idmap", fmt.Sprintf("u %d %d %d", m.ContainerID, m.HostID, m.Size)); err != nil { + if err := c.setConfigItem("lxc.idmap", fmt.Sprintf("u %d %d %d", m.ContainerID, m.HostID, m.Size)); err != nil { return err } } for _, m := range c.Spec.Linux.GIDMappings { - if err := c.SetConfigItem("lxc.idmap", fmt.Sprintf("g %d %d %d", m.ContainerID, m.HostID, m.Size)); err != nil { + if err := c.setConfigItem("lxc.idmap", fmt.Sprintf("g %d %d %d", m.ContainerID, m.HostID, m.Size)); err != nil { return err } } - if err := c.SetConfigItem("lxc.init.uid", fmt.Sprintf("%d", c.Spec.Process.User.UID)); err != nil { + if err := c.setConfigItem("lxc.init.uid", fmt.Sprintf("%d", c.Spec.Process.User.UID)); err != nil { return err } - if err := c.SetConfigItem("lxc.init.gid", fmt.Sprintf("%d", c.Spec.Process.User.GID)); err != nil { + if err := c.setConfigItem("lxc.init.gid", fmt.Sprintf("%d", c.Spec.Process.User.GID)); err != nil { return err } - if len(c.Spec.Process.User.AdditionalGids) > 0 && c.SupportsConfigItem("lxc.init.groups") { + if len(c.Spec.Process.User.AdditionalGids) > 0 && c.supportsConfigItem("lxc.init.groups") { var b strings.Builder for i, gid := range c.Spec.Process.User.AdditionalGids { if i > 0 { @@ -116,7 +116,7 @@ func configureInitUser(c *Container) error { } fmt.Fprintf(&b, "%d", gid) } - if err := c.SetConfigItem("lxc.init.groups", b.String()); err != nil { + if err := c.setConfigItem("lxc.init.groups", b.String()); err != nil { return err } } diff --git a/mount.go b/mount.go index ef0ef601..2018404e 100644 --- a/mount.go +++ b/mount.go @@ -44,7 +44,7 @@ func filterMountOptions(rt *Runtime, fs string, opts []string) []string { func configureMounts(rt *Runtime, c *Container) error { // excplicitly disable auto-mounting - if err := c.SetConfigItem("lxc.mount.auto", ""); err != nil { + if err := c.setConfigItem("lxc.mount.auto", ""); err != nil { return err } @@ -83,7 +83,7 @@ func configureMounts(rt *Runtime, c *Container) error { mnt := fmt.Sprintf("%s %s %s %s", ms.Source, ms.Destination, ms.Type, strings.Join(ms.Options, ",")) - if err := c.SetConfigItem("lxc.mount.entry", mnt); err != nil { + if err := c.setConfigItem("lxc.mount.entry", mnt); err != nil { return err } } diff --git a/namespaces.go b/namespaces.go index e7fc0c02..944ae7a6 100644 --- a/namespaces.go +++ b/namespaces.go @@ -73,12 +73,12 @@ func configureNamespaces(c *Container) error { } configKey := fmt.Sprintf("lxc.namespace.share.%s", n.Name) - if err := c.SetConfigItem(configKey, ns.Path); err != nil { + if err := c.setConfigItem(configKey, ns.Path); err != nil { return err } } - return c.SetConfigItem("lxc.namespace.clone", strings.Join(cloneNamespaces, " ")) + return c.setConfigItem("lxc.namespace.clone", strings.Join(cloneNamespaces, " ")) } func isNamespaceEnabled(spec *specs.Spec, nsType specs.LinuxNamespaceType) bool { diff --git a/runtime.go b/runtime.go index 1740c161..038ac0ea 100644 --- a/runtime.go +++ b/runtime.go @@ -262,7 +262,7 @@ func (rt *Runtime) runStartCmd(ctx context.Context, c *Container) (err error) { if c.ConsoleSocket == "" && !c.Spec.Process.Terminal { // Inherit stdio from calling process (conmon). // lxc.console.path must be set to 'none' or stdio of init process is replaced with a PTY by lxc - if err := c.SetConfigItem("lxc.console.path", "none"); err != nil { + if err := c.setConfigItem("lxc.console.path", "none"); err != nil { return err } cmd.Stdin = os.Stdin @@ -270,7 +270,7 @@ func (rt *Runtime) runStartCmd(ctx context.Context, c *Container) (err error) { cmd.Stderr = os.Stderr } - // NOTE any config change via clxc.SetConfigItem + // NOTE any config change via clxc.setConfigItem // must be done before calling SaveConfigFile err = c.LinuxContainer.SaveConfigFile(c.ConfigFilePath()) if err != nil { From c0071b19170158f559f2285332c218febc5b0f45 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Wed, 28 Apr 2021 10:01:57 +0200 Subject: [PATCH 4/7] Fix race waiting for container startup. It's not an error if the lxc monitor process exits, while waiting for container startup. It simply indicates that either the container process failed to execute in first place or is a short-lived process that has already returned. Signed-off-by: Ruben Jenster --- container.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/container.go b/container.go index a9a81ece..711c01a3 100644 --- a/container.go +++ b/container.go @@ -155,7 +155,7 @@ func (c *Container) isMonitorRunning() bool { } // if WNOHANG was specified and one or more child(ren) specified by pid exist, - // but have not yet changed state, then 0 is returned + // but have not yet exited, then 0 is returned if pid == 0 { return true } @@ -209,7 +209,7 @@ func (c *Container) waitStarted(ctx context.Context) error { return ctx.Err() default: if !c.isMonitorRunning() { - return fmt.Errorf("monitor already died") + return nil } initState, _ := c.getContainerInitState() if initState != specs.StateCreated { From 4a69f6cb400dd6d322707a0d891742c6f0484843 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Wed, 28 Apr 2021 14:58:15 +0200 Subject: [PATCH 5/7] install: Complete archlinux support. Signed-off-by: Ruben Jenster --- install.sh | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/install.sh b/install.sh index c70bf857..f0685220 100755 --- a/install.sh +++ b/install.sh @@ -26,15 +26,16 @@ case "$DISTRIBUTION" in PKGS="$PKGS $PKGS_RUNTIME" ;; "arch") + # NOTE official archlinux images are really large + # archlinux:latest unpacked image size is > 400MB (vs ubuntu:latest ~ 75MB) INSTALL_PKGS=pacman_install CLEAN_PKGS=pacman_clean - BUILD_PKGS="" - BUILD_PKGS="$PKGS_PKGS " + PKGS_BUILD="base-devel wget git libtool m4 automake autoconf" - PKGS_RUNTIME="" - PKGS="" - PKGS="$PKGS " + PKGS_RUNTIME="libseccomp apparmor btrfs-progs device-mapper libcap" + PKGS="conntrack-tools ethtool iproute2 ebtables iptables-nft socat" + PKGS="$PKGS ca-certificates glib2 systemd tzdata" PKGS="$PKGS $PKGS_RUNTIME" ;; "alpine") @@ -48,8 +49,6 @@ case "$DISTRIBUTION" in PKGS="conntrack-tools ebtables ethtool iproute2 iptables ip6tables socat" PKGS="$PKGS ca-certificates glib runit tzdata" PKGS="$PKGS $PKGS_RUNTIME" - - export MUSL_CC="cc" ;; *) echo "unsupported distribution '$DISTRIBUTION'" @@ -84,13 +83,16 @@ apt_clean() { } pacman_install() { - echo "not implemented" - exit 1 + pacman -Sy + # NOTE: the option '--ask 4' is undocumented but the only way to let pacman + # resolve conflicts (e.g iptables and iptables-nft) + # see https://unix.stackexchange.com/questions/274727/how-to-force-pacman-to-answer-yes-to-all-questions + pacman -S --noconfirm --needed $@ --ask 4 } pacman_clean() { - echo "not implemented" - exit 1 + pacman -R -ss --unneeded --noconfirm $@ + pacman -Scc } apk_install() { From f5fd39a0e11b03b8dc61c191ccbf29f5f677dcdb Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Wed, 28 Apr 2021 15:00:23 +0200 Subject: [PATCH 6/7] Dockerfile: Upgrade package versions. * golang 1.16.2 -> 1.16.3 * cri-o: 1.20 -> 1.20.2 * kubernetes server binaries: 1.20.4 -> 1.20.6 Signed-off-by: Ruben Jenster --- Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 80a4aef5..14e04765 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,8 +3,8 @@ ARG installcmd=install_all #ENV PKGS="psmisc util-linux" -ENV GOLANG_SRC=https://golang.org/dl/go1.16.2.linux-amd64.tar.gz -ENV GOLANG_CHECKSUM=542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8 +ENV GOLANG_SRC=https://golang.org/dl/go1.16.3.linux-amd64.tar.gz +ENV GOLANG_CHECKSUM=951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2 ENV CNI_PLUGINS_GIT_REPO=https://github.com/containernetworking/plugins.git ENV CNI_PLUGINS_GIT_VERSION=v0.9.1 @@ -13,14 +13,14 @@ ENV CONMON_GIT_REPO=https://github.com/containers/conmon.git ENV CONMON_GIT_VERSION=v2.0.27 ENV CRIO_GIT_REPO=https://github.com/cri-o/cri-o.git -ENV CRIO_GIT_VERSION=v1.20.1 +ENV CRIO_GIT_VERSION=v1.20.2 ENV CRICTL_CHECKSUM=44d5f550ef3f41f9b53155906e0229ffdbee4b19452b4df540265e29572b899c ENV CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz" # see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md -ENV K8S_CHECKSUM=37738bc8430b0832f32c6d13cdd68c376417270568cd9b31a1ff37e96cfebcc1e2970c72bed588f626e35ed8273671c77200f0d164e67809b5626a2a99e3c5f5 -ENV K8S_URL="https://dl.k8s.io/v1.20.4/kubernetes-server-linux-amd64.tar.gz" +ENV K8S_CHECKSUM=ac936e05aef7bb887a5fb57d50f8c384ee395b5f34c85e5c0effd8709db042359f63247d4a6ae2c0831fe019cd3029465377117e42fff1b00a8e4b7473b88db9 +ENV K8S_URL="https://dl.k8s.io/v1.20.6/kubernetes-server-linux-amd64.tar.gz" ## development ENV LXC_GIT_REPO=https://github.com/lxc/lxc.git From eee7558693b116f050de7849114fbfcf6e16ad52 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Wed, 28 Apr 2021 16:18:06 +0200 Subject: [PATCH 7/7] Dockerfile: Pin a recent liblxc version. Signed-off-by: Ruben Jenster --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 14e04765..39818c67 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ ENV K8S_URL="https://dl.k8s.io/v1.20.6/kubernetes-server-linux-amd64.tar.gz" ## development ENV LXC_GIT_REPO=https://github.com/lxc/lxc.git -ENV LXC_GIT_VERSION=master +ENV LXC_GIT_VERSION=b9f3cd48ecfed02e4218b55ea1b46273e429a083 ENV LXCRI_GIT_REPO=https://github.com/lxc/lxcri.git ENV LXCRI_GIT_VERSION=main