Hello community, here is the log from the commit of package cri-o for openSUSE:Factory checked in at 2018-03-06 10:47:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cri-o (Old) and /work/SRC/openSUSE:Factory/.cri-o.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cri-o" Tue Mar 6 10:47:36 2018 rev:3 rq:582930 version:1.9.8 Changes: --------
--- /work/SRC/openSUSE:Factory/cri-o/cri-o.changes 2018-02-22 15:02:27.553975389 +0100
+++ /work/SRC/openSUSE:Factory/.cri-o.new/cri-o.changes 2018-03-06 10:47:37.327559846 +0100
@@ -1,0 +2,53 @@
+Mon Mar 5 12:50:03 UTC 2018 - [email protected]
+
+- crio.conf: update default socket to /var/run/crio/crio.sock as suggested
+ by upstream.
+
+-------------------------------------------------------------------
+Mon Mar 5 10:10:16 UTC 2018 - [email protected]
+
+- Update cri-o to v1.9.8:
+ * system_containers: Update mounts
+ * execsync: Set terminal to true when we pass -t to conmon
+ * Make network namespace pinning optional
+ * Add context to net ns symlink removal errors
+ * Make the /opt/cni mount rw
+ * sandbox_stop: close/remove the netns _after_ stopping the containers
+ * sandbox net: set netns closed after actaully closing it
+
+-------------------------------------------------------------------
+Mon Mar 5 10:07:54 UTC 2018 - [email protected]
+
+- Configuration files should generally be tagged as %config(noreplace) in order
+ to keep the modified config files and to avoid losing data when the package
+ is being updated.
+
+-------------------------------------------------------------------
+Sat Mar 3 13:38:57 UTC 2018 - [email protected]
+
+- Remove empty filter rule from cri-o-rpmlintrc, which was mistakenly
+ masking a few warnings, some of which have been fixed, others need
+ to be filtered. conmon and pause are not compiled with -fpie anymore
+ to align with what upstream does; linking fails when done properly.
+
+-------------------------------------------------------------------
+Fri Mar 2 18:12:59 UTC 2018 - [email protected]
+
+- Update minimum version of the Go compiler required
+
+-------------------------------------------------------------------
+Fri Mar 2 18:07:54 UTC 2018 - [email protected]
+
+- Add missing runtime dependencies: socat, iptables, iproute
+
+-------------------------------------------------------------------
+Wed Feb 28 11:35:27 UTC 2018 - [email protected]
+
+- Change the installation path of conmon and pause from
+ /usr/lib/crio to /usr/lib/crio/bin in order to align with upstream
+ requirements.
+
+- Update crio.conf to the reflect the new path of conmon and set the correct
+ path of CNI plugins (i.e., /usr/lib/cni).
+
+-------------------------------------------------------------------
Old: ---- cri-o-1.9.6.tar.xz crio.sysconfig New: ---- cri-o-1.9.8.tar.xz sysconfig.crio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cri-o.spec ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old 2018-03-06 10:47:39.851468672 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new 2018-03-06 10:47:39.851468672 +0100
@@ -16,6 +16,11 @@
 #
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define project github.com/kubernetes-incubator/cri-o
 # Build with libostree-devel in Tumbleweed, Leap 15+ and SLES 15+
 %if 0%{?suse_version} >= 1500
@@ -24,10 +29,10 @@
 # Define macros for further referenced sources
 %define name_source1 crio.service
 %define name_source2 crio-shutdown.service
-%define name_source3 crio
+%define name_source3 sysconfig.crio
 %define name_source4 crio.conf
 Name: cri-o
-Version: 1.9.6
+Version: 1.9.8
 Release: 0
 Summary: OCI-based implementation of Kubernetes Container Runtime Interface
 License: Apache-2.0
@@ -36,7 +41,7 @@
 Source0: %{name}-%{version}.tar.xz
 Source1: %{name_source1}
 Source2: %{name_source2}
-Source3: %{name_source3}.sysconfig
+Source3: %{name_source3}
 Source4: %{name_source4}
 Source5: cri-o-rpmlintrc
 BuildRequires: device-mapper-devel
@@ -51,11 +56,14 @@
 BuildRequires: libbtrfs-devel
 BuildRequires: libgpgme-devel
 BuildRequires: libseccomp-devel
-BuildRequires: golang(API) >= 1.7
+BuildRequires: golang(API) >= 1.8
+Requires: iproute2
+Requires: iptables
 Requires: libcontainers-common
 Requires: libcontainers-image
 Requires: libcontainers-storage
 Requires: runc >= 1.0.0~rc4
+Requires: socat
 # disable stripping of binaries
 %{go_nostrip}
 %if 0%{?with_libostree}
@@ -93,10 +101,10 @@
 %{project}/cmd/crio
 # Build conmon
-CFLAGS="-fpie" make -C conmon
+make conmon
 # Build pause
-CFLAGS="-fpie" make -C pause
+make pause
 # Build manpages
 make %{?_smp_mflags} docs
@@ -115,24 +123,25 @@
 go test -buildmode=pie -tags "$BUILDTAGS" $PKG_LIST
 %pre
-%service_add_pre %{name_source1}
+%service_add_pre %{name_source1} %{name_source2}
 %post
-%service_add_post %{name_source1}
+%service_add_post %{name_source1} %{name_source2}
 %preun
-%service_del_preun %{name_source1}
+%service_del_preun %{name_source1} %{name_source2}
 %postun
-%service_del_postun %{name_source1}
+%service_del_postun %{name_source1} %{name_source2}
 %install
 cd $HOME/go/src/%{project}
 # Binaries
 install -D -m 0755 bin/crio %{buildroot}/%{_bindir}/crio
-install -D -m 0755 bin/conmon %{buildroot}/%{_libexecdir}/crio/conmon
-install -D -m 0755 bin/pause %{buildroot}/%{_libexecdir}/crio/pause
+install -d %{buildroot}/%{_libexecdir}/crio/bin
+install -D -m 0755 bin/conmon %{buildroot}/%{_libexecdir}/crio/bin/conmon
+install -D -m 0755 bin/pause %{buildroot}/%{_libexecdir}/crio/bin/pause
 # Manpages
 install -d %{buildroot}/%{_mandir}/man5
 install -d %{buildroot}/%{_mandir}/man8
@@ -143,10 +152,14 @@
 install -D -m 0644 seccomp.json %{buildroot}/%{_sysconfdir}/crio/seccomp.json
 install -D -m 0644 crio-umount.conf %{buildroot}/%{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
 install -D -m 0644 crictl.yaml %{buildroot}/%{_sysconfdir}/crictl.yaml
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/%{name_source3}
+install -D -m 0644 %{SOURCE3} %{buildroot}%{_fillupdir}/%{name_source3}
 # Systemd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name_source1}
 install -D -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name_source2}
+# Symlinks to rc files
+install -d -m 0755 %{buildroot}%{_sbindir}
+ln -sf service %{buildroot}%{_sbindir}/rccrio
+ln -sf service %{buildroot}%{_sbindir}/rccrio-shutdown
 %fdupes %{buildroot}/%{_prefix}
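Review bot: %post in hunk @@ -115,24 +123,25 @@ still only calls %service_add_post, yet hunk @@ -143,10 +152,14 @@ now installs the sysconfig template under %{_fillupdir} instead of /etc/sysconfig, so nothing creates /etc/sysconfig/crio on a fresh install and CRIO_OPTIONS is never populated; add `%fillup_only -n crio` after the `%service_add_post` line. Separately, hunk @@ -93,10 +101,10 @@ drops CFLAGS="-fpie" for conmon and pause, so both helpers are now linked without PIE and run without address-space randomization, and the rpmlintrc hunk on L20 filters the resulting position-independent-executable-suggested warnings rather than fixing them. The changes entry says linking failed when done properly; record that in the spec next to `make conmon`, e.g. `# Built without PIE: linking conmon/pause with -fpie fails, see changes entry of 2018-03-03`, so the hardening gap stays visible and is retried on the next upstream bump.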
@@ -154,22 +167,25 @@
 # Binaries
 %{_bindir}/crio
 %dir %{_libexecdir}/crio
-%{_libexecdir}/crio/conmon
-%{_libexecdir}/crio/pause
+%dir %{_libexecdir}/crio/bin
+%{_libexecdir}/crio/bin/conmon
+%{_libexecdir}/crio/bin/pause
 # Manpages
 %{_mandir}/man5/crio.conf.5*
 %{_mandir}/man8/crio.8*
 # Configs
 %dir %{_sysconfdir}/crio
-%config %{_sysconfdir}/crio/%{name_source4}
+%config(noreplace) %{_sysconfdir}/crio/%{name_source4}
 %config %{_sysconfdir}/crio/seccomp.json
 %dir %{_datadir}/oci-umount
 %dir %{_datadir}/oci-umount/oci-umount.d
-%config %{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
-%config %{_sysconfdir}/crictl.yaml
-%{_sysconfdir}/sysconfig/%{name_source3}
+%{_datadir}/oci-umount/oci-umount.d/cri-umount.conf
+%config(noreplace) %{_sysconfdir}/crictl.yaml
+%{_fillupdir}/%{name_source3}
 # Systemd
 %{_unitdir}/%{name_source1}
 %{_unitdir}/%{name_source2}
+%{_sbindir}/rccrio
+%{_sbindir}/rccrio-shutdown
 %changelog
++++++ _service ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old 2018-03-06 10:47:39.883467516 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new 2018-03-06 10:47:39.883467516 +0100
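Review bot: seccomp.json stays plain %config in hunk @@ -154,22 +167,25 @@ while crio.conf and crictl.yaml become %config(noreplace); if that is deliberate, so that the upstream seccomp profile is refreshed on update and a local edit is kept only as .rpmsave, the spec should say so, e.g. `# seccomp.json intentionally not noreplace: updates to the upstream profile must land`. The cri-umount.conf entry also loses its %config tag entirely, so a locally modified copy is now overwritten silently on update; confirm that is intended or restore the tag.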
@@ -2,8 +2,8 @@
 <service name="tar_scm" mode="disabled">
 <param name="url">https://github.com/kubernetes-incubator/cri-o</param>
 <param name="scm">git</param>
-<param name="versionformat">1.9.6</param>
-<param name="revision">v1.9.6</param>
+<param name="versionformat">1.9.8</param>
+<param name="revision">v1.9.8</param>
 </service>
 <service name="recompress" mode="disabled">
 <param name="file">cri-o-*.tar</param>
++++++ cri-o-1.9.6.tar.xz -> cri-o-1.9.8.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/centos/config.json.template new/cri-o-1.9.8/contrib/system_containers/centos/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/centos/config.json.template 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/centos/config.json.template 2018-03-01 18:42:03.000000000 +0100
@@ -268,7 +268,7 @@
 "destination": "/etc",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw",
 "mode=755"
 ],
@@ -313,7 +313,7 @@
 "options": [
 "rbind",
 "rw",
- "rprivate",
+ "rslave",
 "mode=755"
 ],
 "source": "/mnt",
@@ -352,10 +352,20 @@
 "type": "bind"
 },
 {
+ "destination": "/var",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ],
+ "source": "/var",
+ "type": "bind"
+ },
+ {
 "destination": "/var/lib",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw"
 ],
 "source": "${STATE_DIRECTORY}",
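Review bot: Hunk @@ -352,10 +352,20 @@ bind-mounts the whole host /var read-write into the system container, and hunk @@ -392,14 +402,14 @@ on the next line replaces the read-only /opt/cni mount with all of /opt read-write (the fedora and rhel templates on L8–L10 make the same change); a write from inside the container now reaches every host path under /var and /opt, including unrelated software installed in /opt, instead of only the CNI tree. If the intent is just to let crio write CNI plugins, as the changes entry "Make the /opt/cni mount rw" suggests, the narrower mount keeps the previous blast radius: `"destination": "/opt/cni"`, `"source": "/opt/cni"` with `"rw"`. The move from rprivate to rslave on these mounts also means host mounts made after start propagate into the container, which is presumably wanted for storage management but deserves a sentence in the changes entry.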
@@ -392,14 +402,14 @@
 "type": "bind"
 },
 {
- "destination": "/opt/cni",
+ "destination": "/opt",
 "options": [
 "rbind",
- "rprivate",
- "ro",
+ "rslave",
+ "rw",
 "mode=755"
 ],
- "source": "${OPT_CNI}",
+ "source": "/opt",
 "type": "bind"
 },
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/centos/manifest.json new/cri-o-1.9.8/contrib/system_containers/centos/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/centos/manifest.json 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/centos/manifest.json 2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
 "version": "1.0",
 "defaultValues": {
 "LOG_LEVEL" : "info",
- "OPT_CNI" : "/opt/cni",
 "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
 "VAR_LIB_ORIGIN" : "/var/lib/origin",
 "VAR_LIB_KUBE" : "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/fedora/config.json.template new/cri-o-1.9.8/contrib/system_containers/fedora/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/fedora/config.json.template 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/fedora/config.json.template 2018-03-01 18:42:03.000000000 +0100
@@ -273,7 +273,7 @@
 "destination": "/etc",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw",
 "mode=755"
 ],
@@ -318,7 +318,7 @@
 "options": [
 "rbind",
 "rw",
- "rprivate",
+ "rslave",
 "mode=755"
 ],
 "source": "/mnt",
@@ -357,10 +357,20 @@
 "type": "bind"
 },
 {
+ "destination": "/var",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ],
+ "source": "/var",
+ "type": "bind"
+ },
+ {
 "destination": "/var/lib",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw"
 ],
 "source": "${STATE_DIRECTORY}",
@@ -397,14 +407,14 @@
 "type": "bind"
 },
 {
- "destination": "/opt/cni",
+ "destination": "/opt",
 "options": [
 "rbind",
 "rprivate",
- "ro",
+ "rw",
 "mode=755"
 ],
- "source": "${OPT_CNI}",
+ "source": "/opt",
 "type": "bind"
 },
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/fedora/manifest.json new/cri-o-1.9.8/contrib/system_containers/fedora/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/fedora/manifest.json 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/fedora/manifest.json 2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
 "version": "1.0",
 "defaultValues": {
 "LOG_LEVEL" : "info",
- "OPT_CNI" : "/opt/cni",
 "VAR_LIB_CONTAINERS_STORAGE" : "/var/lib/containers/storage",
 "VAR_LIB_ORIGIN" : "/var/lib/origin",
 "VAR_LIB_KUBE" : "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/rhel/config.json.template new/cri-o-1.9.8/contrib/system_containers/rhel/config.json.template
--- old/cri-o-1.9.6/contrib/system_containers/rhel/config.json.template 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/rhel/config.json.template 2018-03-01 18:42:03.000000000 +0100
@@ -263,7 +263,7 @@
 "destination": "/etc",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw",
 "mode=755"
 ],
@@ -308,7 +308,7 @@
 "options": [
 "rbind",
 "rw",
- "rprivate",
+ "rslave",
 "mode=755"
 ],
 "source": "/mnt",
@@ -347,10 +347,20 @@
 "type": "bind"
 },
 {
+ "destination": "/var",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ],
+ "source": "/var",
+ "type": "bind"
+ },
+ {
 "destination": "/var/lib",
 "options": [
 "rbind",
- "rprivate",
+ "rslave",
 "rw"
 ],
 "source": "${STATE_DIRECTORY}",
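Review bot: The fedora template keeps `"rprivate"` on the /opt mount in hunk @@ -397,14 +407,14 @@, whereas the centos and rhel templates on L8 and L10 switch the same mount to `"rslave"`; the three templates are otherwise changed identically, so this looks like an oversight rather than a distro-specific choice. Either change the fedora line to `"rslave",` or record in the template why fedora differs, otherwise CNI plugin updates mounted on the host after start will be visible in two of the three system containers but not the third.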
@@ -387,14 +397,14 @@
 "type": "bind"
 },
 {
- "destination": "/opt/cni",
+ "destination": "/opt",
 "options": [
 "rbind",
- "rprivate",
- "ro",
+ "rslave",
+ "rw",
 "mode=755"
 ],
- "source": "${OPT_CNI}",
+ "source": "/opt",
 "type": "bind"
 },
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/contrib/system_containers/rhel/manifest.json new/cri-o-1.9.8/contrib/system_containers/rhel/manifest.json
--- old/cri-o-1.9.6/contrib/system_containers/rhel/manifest.json 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/contrib/system_containers/rhel/manifest.json 2018-03-01 18:42:03.000000000 +0100
@@ -2,7 +2,6 @@
 "version": "1.0",
 "defaultValues": {
 "LOG_LEVEL": "info",
- "OPT_CNI": "/opt/cni",
 "VAR_LIB_CONTAINERS_STORAGE": "/var/lib/containers/storage",
 "VAR_LIB_ORIGIN": "/var/lib/origin",
 "VAR_LIB_KUBE": "/var/lib/kubelet",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/lib/config.go new/cri-o-1.9.8/lib/config.go
--- old/cri-o-1.9.6/lib/config.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/lib/config.go 2018-03-01 18:42:03.000000000 +0100
@@ -168,6 +168,10 @@
 // ContainerExitsDir is the directory in which container exit files are
 // written to by conmon.
 ContainerExitsDir string `toml:"container_exits_dir"`
+
+ // ManageNetworkNSLifecycle determines whether we pin and remove network namespace
+ // and manage its lifecycle
+ ManageNetworkNSLifecycle bool `toml:"manage_network_ns_lifecycle"`
 }
 // ImageConfig represents the "crio.image" TOML config table.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/lib/container_server.go new/cri-o-1.9.8/lib/container_server.go
--- old/cri-o-1.9.6/lib/container_server.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/lib/container_server.go 2018-03-01 18:42:03.000000000 +0100
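Review bot: The comment on the new ManageNetworkNSLifecycle field in hunk @@ -168,6 +168,10 @@ states neither its default nor what happens when it is off, and the packaged crio.conf on L20 does not set `manage_network_ns_lifecycle` at all, so a reader of the shipped config cannot tell which mode a fresh install runs in. From the other hunks in this diff, with the flag off the sandbox's network namespace path is derived from the infra container's pid (sandbox.go NetNsPath) rather than from a pinned namespace file, so suggest extending the comment to `// Defaults to false (TODO confirm against DefaultConfig); when false the namespace is not pinned and is resolved via the infra container's pid while that process runs.` The enclosing config struct starts outside the hunk.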
@@ -318,8 +318,6 @@
 return err
 }
- ip := m.Annotations[annotations.IP]
-
 processLabel, mountLabel, err := label.InitLabels(label.DupSecOpt(m.Process.SelinuxLabel))
 if err != nil {
 return err
@@ -334,25 +332,27 @@
 privileged := isTrue(m.Annotations[annotations.PrivilegedRuntime])
 trusted := isTrue(m.Annotations[annotations.TrustedSandbox])
+ hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])
- sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], nil)
+ sb, err := sandbox.New(id, m.Annotations[annotations.Namespace], name, m.Annotations[annotations.KubeName], filepath.Dir(m.Annotations[annotations.LogPath]), labels, kubeAnnotations, processLabel, mountLabel, &metadata, m.Annotations[annotations.ShmPath], m.Annotations[annotations.CgroupParent], privileged, trusted, m.Annotations[annotations.ResolvPath], m.Annotations[annotations.HostName], nil, hostNetwork)
 if err != nil {
 return err
 }
 sb.AddHostnamePath(m.Annotations[annotations.HostnamePath])
- sb.AddIP(ip)
 sb.SetSeccompProfilePath(spp)
 // We add a netNS only if we can load a permanent one.
 // Otherwise, the sandbox will live in the host namespace.
- netNsPath, err := configNetNsPath(m)
- if err == nil {
- nsErr := sb.NetNsJoin(netNsPath, sb.Name())
- // If we can't load the networking namespace
- // because it's closed, we just set the sb netns
- // pointer to nil. Otherwise we return an error.
- if nsErr != nil && nsErr != sandbox.ErrClosedNetNS {
- return nsErr
+ if c.config.ManageNetworkNSLifecycle {
+ netNsPath, err := configNetNsPath(m)
+ if err == nil {
+ nsErr := sb.NetNsJoin(netNsPath, sb.Name())
+ // If we can't load the networking namespace
+ // because it's closed, we just set the sb netns
+ // pointer to nil. Otherwise we return an error.
+ if nsErr != nil && nsErr != sandbox.ErrClosedNetNS {
+ return nsErr
+ }
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/lib/sandbox/sandbox.go new/cri-o-1.9.8/lib/sandbox/sandbox.go
--- old/cri-o-1.9.6/lib/sandbox/sandbox.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/lib/sandbox/sandbox.go 2018-03-01 18:42:03.000000000 +0100
@@ -59,10 +59,14 @@
 func (ns *NetNs) symlinkRemove() error {
 if err := ns.symlink.Close(); err != nil {
- return err
+ return fmt.Errorf("failed to close net ns symlink: %v", err)
+ }
+
+ if err := os.RemoveAll(ns.symlink.Name()); err != nil {
+ return fmt.Errorf("failed to remove net ns symlink: %v", err)
 }
- return os.RemoveAll(ns.symlink.Name())
+ return nil
 }
 func isSymbolicLink(path string) (bool, error) {
@@ -151,6 +155,7 @@
 cgroupParent string
 privileged bool
 trusted bool
+ hostNetwork bool
 resolvPath string
 hostnamePath string
 hostname string
@@ -184,7 +189,7 @@
 // New creates and populates a new pod sandbox
 // New sandboxes have no containers, no infra container, and no network namespaces associated with them
 // An infra container must be attached before the sandbox is added to the state
-func New(id, namespace, name, kubeName, logDir string, labels, annotations map[string]string, processLabel, mountLabel string, metadata *pb.PodSandboxMetadata, shmPath, cgroupParent string, privileged, trusted bool, resolvPath, hostname string, portMappings []*hostport.PortMapping) (*Sandbox, error) {
+func New(id, namespace, name, kubeName, logDir string, labels, annotations map[string]string, processLabel, mountLabel string, metadata *pb.PodSandboxMetadata, shmPath, cgroupParent string, privileged, trusted bool, resolvPath, hostname string, portMappings []*hostport.PortMapping, hostNetwork bool) (*Sandbox, error) {
 sb := new(Sandbox)
 sb.id = id
 sb.namespace = namespace
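Review bot: `hostNetwork := isTrue(m.Annotations[annotations.HostNetwork])` in hunk @@ -334,25 +332,27 @@ reads an annotation that sandboxes created by 1.9.6 do not carry, so after an upgrade every restored host-network sandbox presumably comes back with hostNetwork == false (assuming isTrue treats a missing key as false); the new restore loop in server.go on L19 then asks the CNI plugin for the IP of a pod that never had a CNI network and logs a warning per sandbox. Consider distinguishing "absent" from "false", e.g. `_, hasAnno := m.Annotations[annotations.HostNetwork]`, and for !hasAnno falling back to the old heuristic of treating a sandbox without a pinned netns path as host-network. The enclosing restore function starts before this hunk and ends after it.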
@@ -205,6 +210,7 @@
 sb.hostname = hostname
 sb.portMappings = portMappings
 sb.created = time.Now()
+ sb.hostNetwork = hostNetwork
 return sb, nil
 }
@@ -311,6 +317,11 @@
 return s.trusted
 }
+// HostNetwork returns whether the sandbox runs in the host network namespace
+func (s *Sandbox) HostNetwork() bool {
+ return s.hostNetwork
+}
+
 // ResolvPath returns the resolv path for the sandbox
 func (s *Sandbox) ResolvPath() string {
 return s.resolvPath
@@ -384,6 +395,9 @@
 // If the sandbox uses the host namespace, nil is returned
 func (s *Sandbox) NetNsPath() string {
 if s.netns == nil {
+ if s.infraContainer != nil {
+ return fmt.Sprintf("/proc/%v/ns/net", s.infraContainer.State().Pid)
+ }
 return ""
 }
@@ -473,6 +487,8 @@
 return err
 }
+ s.netns.closed = true
+
 if s.netns.restored {
 // we got namespaces in the form of
 // /var/run/netns/cni-0d08effa-06eb-a963-f51a-e2b0eceffc5d
@@ -493,6 +509,5 @@
 }
 }
- s.netns.closed = true
 return nil
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/oci/oci.go new/cri-o-1.9.8/oci/oci.go
--- old/cri-o-1.9.6/oci/oci.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/oci/oci.go 2018-03-01 18:42:03.000000000 +0100
@@ -438,7 +438,7 @@
 args = append(args, "-l", logPath)
 args = append(args, "--socket-dir-path", ContainerAttachSocketDir)
- processFile, err := PrepareProcessExec(c, command, false)
+ processFile, err := PrepareProcessExec(c, command, c.terminal)
 if err != nil {
 return nil, ExecSyncError{
 ExitCode: -1,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/pkg/annotations/annotations.go new/cri-o-1.9.8/pkg/annotations/annotations.go
--- old/cri-o-1.9.6/pkg/annotations/annotations.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/pkg/annotations/annotations.go 2018-03-01 18:42:03.000000000 +0100
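Review bot: The new fallback in NetNsPath (hunk @@ -384,6 +395,9 @@) formats `/proc/<pid>/ns/net` from `s.infraContainer.State().Pid` without checking that the infra container is still running; once it has exited the pid is presumably zero or stale, so the returned path either does not exist or names the namespace of whatever process has since reused that pid, and container_create.go on L15 now passes that string straight to AddOrReplaceLinuxNamespace. Guard the fallback, e.g. `if pid := s.infraContainer.State().Pid; pid > 0 { return fmt.Sprintf("/proc/%v/ns/net", pid) }`, and let the doc comment say the pid-based path is only valid while the infra container runs. The context line `// If the sandbox uses the host namespace, nil is returned` is now wrong on both counts: the function returns a string, and for a sandbox with a live infra container it returns the pid path rather than an empty value.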
@@ -64,6 +64,9 @@
 // HostnamePath is the path to /etc/hostname to bind mount annotation
 HostnamePath = "io.kubernetes.cri-o.HostnamePath"
+ // HostNetwork indicates whether the host network namespace is used or not
+ HostNetwork = "io.kubernetes.cri-o.HostNetwork"
+
 // SandboxID is the sandbox ID annotation
 SandboxID = "io.kubernetes.cri-o.SandboxID"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/server/container_create.go new/cri-o-1.9.8/server/container_create.go
--- old/cri-o-1.9.6/server/container_create.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/container_create.go 2018-03-01 18:42:03.000000000 +0100
@@ -102,6 +102,7 @@
 if mount.Readonly {
 options = []string{"ro"}
 }
+ options = append(options, "rbind")
 // mount propagation
@@ -939,12 +940,6 @@
 }
 netNsPath := sb.NetNsPath()
- if netNsPath == "" {
- // The sandbox does not have a permanent namespace,
- // it's on the host one.
- netNsPath = fmt.Sprintf("/proc/%d/ns/net", podInfraState.Pid)
- }
-
 if err := specgen.AddOrReplaceLinuxNamespace(string(rspec.NetworkNamespace), netNsPath); err != nil {
 return nil, err
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_network.go new/cri-o-1.9.8/server/sandbox_network.go
--- old/cri-o-1.9.6/server/sandbox_network.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/sandbox_network.go 2018-03-01 18:42:03.000000000 +0100
@@ -11,8 +11,8 @@
 // networkStart sets up the sandbox's network and returns the pod IP on success
 // or an error
-func (s *Server) networkStart(hostNetwork bool, sb *sandbox.Sandbox) (string, error) {
- if hostNetwork {
+func (s *Server) networkStart(sb *sandbox.Sandbox) (string, error) {
+ if sb.HostNetwork() {
 return s.BindAddress(), nil
 }
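Review bot: `options = append(options, "rbind")` in hunk @@ -102,6 +102,7 @@ turns every volume into a recursive bind, including the ones that were just given `"ro"`; on a recursive bind the read-only flag applies to the top-level mount only, and mounts nested beneath the source keep their own flags unless the runtime re-mounts each submount read-only, which not every runtime version does. A read-only volume should therefore not be assumed read-only all the way down; at minimum say so at the call site, e.g. `// rbind: "ro" above covers only the top-level mount, submounts keep their own flags`, and consider a test with a writable submount under a read-only volume. The enclosing function starts and ends outside the hunk.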
@@ -46,10 +46,25 @@
 return ip, nil
 }
+// GetSandboxIP retrieves the IP address for the sandbox
+func (s *Server) GetSandboxIP(sb *sandbox.Sandbox) (string, error) {
+ if sb.HostNetwork() {
+ return s.BindAddress(), nil
+ }
+
+ podNetwork := newPodNetwork(sb)
+ ip, err := s.netPlugin.GetPodNetworkStatus(podNetwork)
+ if err != nil {
+ return "", fmt.Errorf("failed to get network status for pod sandbox %s(%s): %v", sb.Name(), sb.ID(), err)
+ }
+
+ return ip, nil
+}
+
 // networkStop cleans up and removes a pod's network. It is best-effort and
 // must call the network plugin even if the network namespace is already gone
-func (s *Server) networkStop(hostNetwork bool, sb *sandbox.Sandbox) error {
- if !hostNetwork {
+func (s *Server) networkStop(sb *sandbox.Sandbox) error {
+ if !sb.HostNetwork() {
 if err := s.hostportManager.Remove(sb.ID(), &hostport.PodPortMapping{
 Name: sb.Name(),
 PortMappings: sb.PortMappings(),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_run.go new/cri-o-1.9.8/server/sandbox_run.go
--- old/cri-o-1.9.6/server/sandbox_run.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/sandbox_run.go 2018-03-01 18:42:03.000000000 +0100
@@ -342,6 +342,7 @@
 g.AddAnnotation(annotations.ShmPath, shmPath)
 g.AddAnnotation(annotations.PrivilegedRuntime, fmt.Sprintf("%v", privileged))
 g.AddAnnotation(annotations.TrustedSandbox, fmt.Sprintf("%v", trusted))
+ g.AddAnnotation(annotations.HostNetwork, fmt.Sprintf("%v", hostNetwork))
 g.AddAnnotation(annotations.ResolvPath, resolvPath)
 g.AddAnnotation(annotations.HostName, hostname)
 g.AddAnnotation(annotations.KubeName, kubeName)
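Review bot: The doc comment on the new exported GetSandboxIP in hunk @@ -46,10 +46,25 @@ does not say that it returns the server bind address for host-network sandboxes and otherwise queries the network plugin's current status, which is the distinction its caller in server.go on L19 relies on when restoring state. Suggest `// GetSandboxIP returns the server bind address for host-network sandboxes; otherwise it asks the network plugin for the pod's current IP, so it only works while the pod's network is still set up.`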
@@ -378,7 +379,7 @@
 }
 g.AddAnnotation(annotations.CgroupParent, cgroupParent)
- sb, err := sandbox.New(id, namespace, name, kubeName, logDir, labels, kubeAnnotations, processLabel, mountLabel, metadata, shmPath, cgroupParent, privileged, trusted, resolvPath, hostname, portMappings)
+ sb, err := sandbox.New(id, namespace, name, kubeName, logDir, labels, kubeAnnotations, processLabel, mountLabel, metadata, shmPath, cgroupParent, privileged, trusted, resolvPath, hostname, portMappings, hostNetwork)
 if err != nil {
 return nil, err
 }
@@ -427,25 +428,27 @@
 return nil, err
 }
 } else {
- // Create the sandbox network namespace
- if err = sb.NetNsCreate(); err != nil {
- return nil, err
- }
-
- defer func() {
- if err == nil {
- return
+ if s.config.Config.ManageNetworkNSLifecycle {
+ // Create the sandbox network namespace
+ if err = sb.NetNsCreate(); err != nil {
+ return nil, err
 }
- if netnsErr := sb.NetNsRemove(); netnsErr != nil {
- logrus.Warnf("Failed to remove networking namespace: %v", netnsErr)
- }
- }()
+ defer func() {
+ if err == nil {
+ return
+ }
+
+ if netnsErr := sb.NetNsRemove(); netnsErr != nil {
+ logrus.Warnf("Failed to remove networking namespace: %v", netnsErr)
+ }
+ }()
- // Pass the created namespace path to the runtime
- err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
- if err != nil {
- return nil, err
+ // Pass the created namespace path to the runtime
+ err = g.AddOrReplaceLinuxNamespace(string(runtimespec.NetworkNamespace), sb.NetNsPath())
+ if err != nil {
+ return nil, err
+ }
 }
 }
@@ -496,18 +499,17 @@
 sb.SetInfraContainer(container)
 var ip string
- ip, err = s.networkStart(hostNetwork, sb)
- if err != nil {
- return nil, err
- }
- defer func() {
+ if s.config.Config.ManageNetworkNSLifecycle {
+ ip, err = s.networkStart(sb)
 if err != nil {
- s.networkStop(hostNetwork, sb)
+ return nil, err
 }
- }()
-
- g.AddAnnotation(annotations.IP, ip)
- sb.AddIP(ip)
+ defer func() {
+ if err != nil {
+ s.networkStop(sb)
+ }
+ }()
+ }
 spp := req.GetConfig().GetLinux().GetSecurityContext().GetSeccompProfilePath()
 g.AddAnnotation(annotations.SeccompProfilePath, spp)
@@ -534,6 +536,19 @@
 s.ContainerStateToDisk(container)
+ if !s.config.Config.ManageNetworkNSLifecycle {
+ ip, err = s.networkStart(sb)
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+ if err != nil {
+ s.networkStop(sb)
+ }
+ }()
+ }
+ sb.AddIP(ip)
+
 resp = &pb.RunPodSandboxResponse{PodSandboxId: id}
 logrus.Debugf("RunPodSandboxResponse: %+v", resp)
 return resp, nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/server/sandbox_stop.go new/cri-o-1.9.8/server/sandbox_stop.go
--- old/cri-o-1.9.6/server/sandbox_stop.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/sandbox_stop.go 2018-03-01 18:42:03.000000000 +0100
@@ -49,13 +49,6 @@
 return resp, nil
 }
- // Clean up sandbox networking and close its network namespace.
- hostNetwork := sb.NetNsPath() == ""
- s.networkStop(hostNetwork, sb)
- if err := sb.NetNsRemove(); err != nil {
- return nil, err
- }
-
 podInfraContainer := sb.InfraContainer()
 containers := sb.Containers().List()
 containers = append(containers, podInfraContainer)
@@ -77,6 +70,14 @@
 s.ContainerStateToDisk(c)
 }
+ // Clean up sandbox networking and close its network namespace.
+ s.networkStop(sb)
+ if s.config.Config.ManageNetworkNSLifecycle {
+ if err := sb.NetNsRemove(); err != nil {
+ return nil, err
+ }
+ }
+
 if err := label.ReleaseLabel(sb.ProcessLabel()); err != nil {
 return nil, err
 }
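Review bot: `s.networkStop(sb)` in sandbox_stop.go hunk @@ -77,6 +70,14 @@ discards the error that networkStop returns, so a failed hostport removal or CNI teardown leaves no trace in the log even though the sandbox is then reported as stopped; the old code dropped it too, but since the call is being moved anyway, `if err := s.networkStop(sb); err != nil { logrus.Warnf("failed to clean up network for sandbox %s: %v", sb.ID(), err) }` surfaces the failure without changing the best-effort semantics. The same pattern appears in the two deferred `s.networkStop(sb)` calls in sandbox_run.go hunks @@ -496,18 +499,17 @@ and @@ -534,6 +536,19 @@ above. The enclosing StopPodSandbox function starts and ends outside the hunk.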
@@ -97,6 +98,7 @@
 }
 }
 }
+
 if err := s.StorageRuntimeServer().StopContainer(sb.ID()); err != nil && errors.Cause(err) != storage.ErrContainerUnknown {
 logrus.Warnf("failed to stop sandbox container in pod sandbox %s: %v", sb.ID(), err)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/server/server.go new/cri-o-1.9.8/server/server.go
--- old/cri-o-1.9.6/server/server.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/server/server.go 2018-03-01 18:42:03.000000000 +0100
@@ -125,6 +125,14 @@
 logrus.Warnf("could not restore container %s: %v", containerID, err)
 }
 }
+ // Restore sandbox IPs
+ for _, sb := range s.ListSandboxes() {
+ ip, err := s.GetSandboxIP(sb)
+ if err != nil {
+ logrus.Warnf("could not restore sandbox IP for %v: %v", sb.ID(), err)
+ }
+ sb.AddIP(ip)
+ }
 }
 // Update makes changes to the server's state (lists of pods and containers) to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cri-o-1.9.6/version/version.go new/cri-o-1.9.8/version/version.go
--- old/cri-o-1.9.6/version/version.go 2018-02-20 10:50:14.000000000 +0100
+++ new/cri-o-1.9.8/version/version.go 2018-03-01 18:42:03.000000000 +0100
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "1.9.6"
+const Version = "1.9.8"
++++++ cri-o-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old 2018-03-06 10:47:41.511408708 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new 2018-03-06 10:47:41.511408708 +0100
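Review bot: In server.go hunk @@ -125,6 +125,14 @@ `sb.AddIP(ip)` runs even after GetSandboxIP failed, so the warning is immediately followed by recording an empty IP for that sandbox, and later consumers cannot tell "lookup failed" from "has no address". Add `continue` after the Warnf so a failed lookup leaves the sandbox without an IP instead of with "". The enclosing restore function starts outside the hunk.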
@@ -1,2 +1,6 @@
-addFilter ("")
-addFilter ("cri-o.x86_64: W: statically-linked-binary /usr/lib/crio/pause")
+addFilter (".* W: explicit-lib-dependency libcontainers-common")
+addFilter (".* W: explicit-lib-dependency libcontainers-image")
+addFilter (".* W: explicit-lib-dependency libcontainers-storage")
+addFilter (".* W: statically-linked-binary /usr/lib/crio/bin/pause")
+addFilter (".* W: position-independent-executable-suggested /usr/lib/crio/bin/conmon")
+addFilter (".* W: position-independent-executable-suggested /usr/lib/crio/bin/pause")
++++++ crio.conf ++++++
--- /var/tmp/diff_new_pack.xIwUIM/_old 2018-03-06 10:47:41.563406829 +0100
+++ /var/tmp/diff_new_pack.xIwUIM/_new 2018-03-06 10:47:41.563406829 +0100
@@ -18,12 +18,11 @@
 storage_option = [
 ]
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
+# The "crio.api" table contains settings for the kubelet/gRPC interface.
 [crio.api]
 # listen is the path to the AF_LOCAL socket on which crio will listen.
-listen = "/var/run/crio.sock"
+listen = "/var/run/crio/crio.sock"
 # stream_address is the IP address on which the stream server will listen
 stream_address = ""
@@ -71,7 +70,7 @@
 no_pivot = false
 # conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/lib/crio/conmon"
+conmon = "/usr/lib/crio/bin/conmon"
 # conmon_env is the environment variable list for conmon process,
 # used for passing necessary environment variable to conmon or runtime.
@@ -157,4 +156,4 @@
 network_dir = "/etc/cni/net.d/"
 # plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin/"
+plugin_dir = "/usr/lib/cni"
++++++ sysconfig.crio ++++++
## Path : System/Management
## Description : Extra cli switches for crio daemon
## Type : string
## Default : ""
## ServiceRestart : crio
#
CRIO_OPTIONS=""
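Review bot: `listen = "/var/run/crio/crio.sock"` in crio.conf hunk @@ -18,12 +18,11 @@ moves the control socket into a subdirectory, but the crio.service unit is not part of this diff, so it is not visible who creates /var/run/crio before the daemon starts or with what owner and mode; that directory's permissions are now what limits access to the daemon's API socket, so the unit (or the daemon, if it creates the directory itself) needs checking before this default ships. Worth a comment beside the setting, e.g. `# the parent directory must exist before start and should stay root-only`. The context line `# plugin_dir is is where CNI plugin binaries are stored.` carries a doubled "is" that could be fixed in the same edit.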
